Collect system configurations and upload them. Based on TriageSystemConfiguration from forensicartifacts.com
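# Velociraptor client artifact. Each parameter below names one or more
# configuration files; the matching source in `sources:` uploads whatever
# exists at that path. The list mirrors the TriageSystemConfiguration group
# from forensicartifacts.com, so some defaults carry macOS-style
# "/private/etc/..." locations that never match on Linux and are harmless
# no-ops under glob().
name: Linux.Collection.SysConfig
author: alternate
description: |
  Collect system configuration files and upload them.
  Based on TriageSystemConfiguration from forensicartifacts.com.
reference:
  - https://github.com/ForensicArtifacts/artifacts/blob/main/data/triage.yaml
# Only run on Linux endpoints; the default paths are Linux locations.
precondition: SELECT OS FROM info() WHERE OS = "linux"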
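parameters:
  # Two parameter shapes are used: a JSON array of glob patterns (expanded by
  # parse_json_array() in the matching source) or a single path string
  # (passed to stat(), or to glob() when the string is itself a pattern).
  # Keep the same shape when overriding a default, since each source is
  # paired with one of those two plugins.
  - name: APTSources
    default: |
      ["/etc/apt/sources.list", "/etc/apt/sources.list.d/*.list"]
  # Package-signing keys: compare against the distribution's expected key set.
  - name: APTTrustKeys
    default: |
      ["/etc/apt/trusted.gpg.d/*.gpg", "/etc/apt/trustdb.gpg", "/usr/share/keyrings/*.gpg", "/etc/apt/trusted.gpg"]
  - name: CronAtAllowDenyFiles
    default: |
      ["/etc/at.allow", "/etc/cron.allow", "/etc/cron.deny", "/etc/at.deny"]
  - name: DebianPackagesStatus
    default: /var/lib/dpkg/status
  - name: DebianVersion
    default: /etc/debian_version
  - name: KernelModules
    default: |
      ["/etc/modules.conf", "/etc/modprobe.d/*"]
  - name: LinuxCACertificates
    default: |
      ["/usr/local/share/ca-certificates/*", "/etc/ssl/certs/ca-certificates.crt", "/usr/share/ca-certificates/*"]
  # The /proc/sys/* parameters in this list (randomize_va_space,
  # modules_disabled, kexec_load_disabled, dmesg_restrict, kptr_restrict,
  # protected_symlinks/hardlinks, suid_dumpable) capture the kernel's
  # hardening settings as they were at collection time.
  - name: LinuxASLREnabled
    default: /proc/sys/kernel/randomize_va_space
  - name: LinuxDSDTTable
    default: /sys/firmware/acpi/tables/DSDT
  # NOTE(review): ISC DHCP reads /etc/dhcp/dhcpd.conf (server) and
  # /etc/dhcp/dhclient.conf (client); confirm this path against the upstream
  # artifact before relying on an empty result.
  - name: LinuxDHCPConfigurationFile
    default: /etc/dhcp/dhcp.conf
  - name: LinuxFstab
    default: /etc/fstab
  - name: LinuxGrubConfiguration
    default: |
      ["/boot/grub/grub.cfg", "/boot/grub2/grub.cfg"]
  - name: LinuxInitrdFiles
    default: |
      ["/boot/initramfs*", "/boot/initrd*"]
  - name: LinuxIssueFile
    default: |
      ["/etc/issue.net", "/etc/issue"]
  - name: LinuxKernelBootloader
    default: |
      ["/proc/sys/kernel/bootloader_type", "/proc/sys/kernel/bootloader_version"]
  - name: LinuxKernelModuleRestrictions
    default: |
      ["/proc/sys/kernel/modules_disabled", "/proc/sys/kernel/kexec_load_disabled"]
  - name: LinuxKernelModuleTaintStatus
    default: /proc/sys/kernel/tainted
  # /etc/ld.so.preload is applied to every dynamically linked process; any
  # entry in it deserves review.
  - name: LinuxLoaderSystemPreloadFile
    default: /etc/ld.so.preload
  - name: LinuxLocalTime
    default: /etc/localtime
  - name: LinuxLSBInit
    default: |
      ["/etc/init.d/*", "/etc/insserv.conf.d/**", "/etc/insserv.conf"]
  - name: LinuxLSBRelease
    default: /etc/lsb-release
  - name: LinuxNetworkManager
    default: |
      ["/usr/lib/NetworkManager/conf.d/name.conf", "/run/NetworkManager/conf.d/name.conf",
       "/var/lib/NetworkManager/*", "/var/lib/NetworkManager/NetworkManager-intern.conf",
       "/etc/NetworkManager/conf.d/name.conf", "/etc/NetworkManager/NetworkManager.conf"]
  - name: LinuxPamConfigs
    default: |
      ["/etc/pam.d/common-password", "/etc/pam.conf", "/etc/pam.d/*"]
  - name: LinuxPasswdFile
    default: /etc/passwd
  - name: LinuxProcMounts
    default: /proc/mounts
  - name: LinuxRelease
    default: |
      ["/etc/enterprise-release", "/etc/system-release", "/etc/oracle-release", "/etc/lsb-release", "/etc/redhat-release"]
  - name: LinuxRestrictedDmesgReadPrivileges
    default: /proc/sys/kernel/dmesg_restrict
  - name: LinuxRestrictedKernelPointerReadPrivileges
    default: /proc/sys/kernel/kptr_restrict
  # NOTE(review): "/etc/rsyslog.d" matches the directory entry itself, which
  # upload() cannot read as a file; "/etc/rsyslog.d/*" already covers its
  # contents, so the first pattern is likely redundant.
  - name: LinuxRsyslogConfigs
    default: |
      ["/etc/rsyslog.d", "/etc/rsyslog.d/*", "/etc/rsyslog.conf"]
  - name: LinuxSecureFsLinks
    default: |
      ["/proc/sys/fs/protected_symlinks", "/proc/sys/fs/protected_hardlinks"]
  - name: LinuxSecureSuidCoreDumps
    default: /proc/sys/fs/suid_dumpable
  # Single string that is itself a glob pattern; the source passes it to
  # glob() without parse_json_array().
  - name: LinuxSSDTTables
    default: /sys/firmware/acpi/tables/SSDT*
  # Fixed typo: the main sysctl file is /etc/sysctl.conf (was "sysctl.con",
  # which never matched).
  - name: LinuxSysctlConfigurationFiles
    default: |
      ["/etc/sysctl.d/*.conf", "/etc/sysctl.conf", "/usr/lib/sysctl.d/*.conf",
       "/run/sysctl.d/*.conf", "/lib/sysctl.d/*.conf", "/usr/local/lib/sysctl.d/*.conf"]
  # NOTE(review): syslog-ng installations commonly use "conf.d" rather than
  # "conf-d"; confirm which spelling the target fleet uses.
  - name: LinuxSyslogNgConfigs
    default: |
      ["/etc/syslog-ng/conf-d/*.conf", "/etc/syslog-ng/syslog-ng.conf"]
  - name: LinuxSystemdJournalConfig
    default: /etc/systemd/journald.conf
  - name: LinuxSystemdOSRelease
    default: |
      ["/usr/lib/os-release", "/etc/os-release"]
  - name: LinuxTimezoneFile
    default: /etc/timezone
  - name: LinuxXinetd
    default: |
      ["/etc/xinetd.d/**", "/etc/xinetd.conf"]
  - name: LocateDatabase
    default: |
      ["/etc/updatedb.conf", "/var/lib/mlocate/mlocate.db"]
  # LoginPolicyConfiguration, UnixShadowFile, SecretsServiceDatabaseFile and
  # UnixSudoersConfigurationFile collect credential material (password hashes,
  # the SSSD secrets database and its master key, sudo policy). Treat the
  # resulting collection as sensitive and restrict who can download it.
  - name: LoginPolicyConfiguration
    default: |
      ["/etc/passwd", "/etc/shadow", "/root/.k5login", "/etc/netgroup", "/etc/nsswitch.conf", "/etc/security/access.conf"]
  - name: NetgroupConfiguration
    default: /etc/netgroup
  - name: NfsExportsFile
    default: |
      ["/private/etc/exports", "/etc/exports"]
  - name: NtpConfFile
    default: /etc/ntp.conf
  - name: PCIDevicesInfoFiles
    default: |
      ["/sys/bus/pci/devices/*/config", "/sys/bus/pci/devices/*/vendor",
       "/sys/bus/pci/devices/*/device", "/sys/bus/pci/devices/*/class"]
  - name: SambaConfigFile
    default: /etc/samba/smb.conf
  - name: SecretsServiceDatabaseFile
    default: |
      ["/var/lib/sss/secrets/.secrets.mkey", "/var/lib/sss/secrets/secrets.ldb"]
  - name: SshdConfigFile
    default: |
      ["/etc/ssh/sshd_config", "/private/etc/ssh/sshd_config"]
  # Public host keys only (the *_key.pub pattern excludes private keys);
  # also a single glob-pattern string passed straight to glob().
  - name: SSHHostPubKeys
    default: /etc/ssh/ssh_host_*_key.pub
  - name: UnixGroupsFile
    default: |
      ["/etc/group", "/private/etc/group"]
  - name: UnixLocalTimeConfigurationFile
    default: |
      ["/private/etc/localtime", "/etc/localtime"]
  - name: UnixPasswdFile
    default: |
      ["/private/etc/passwd", "/etc/passwd"]
  - name: UnixShadowFile
    default: |
      ["/private/etc/shadow", "/etc/shadow"]
  - name: UnixSudoersConfigurationFile
    default: |
      ["/etc/sudoers", "/private/etc/sudoers"]
  - name: YumSources
    default: |
      ["/etc/yum.conf", "/etc/yum.repos.d/*.repo"]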
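sources:
  # Every source has the same shape: emit OSPath and Mtime of each matching
  # file and upload its content. Parameters holding a JSON array are
  # expanded with parse_json_array() and fed to glob(); single-path
  # parameters go to stat(); the two parameters whose value is itself a
  # glob pattern (LinuxSSDTTables, SSHHostPubKeys) are passed to glob()
  # directly. Missing files simply produce no rows.
  - name: uploadAPTSources
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=APTSources))
  - name: uploadAPTTrustKeys
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=APTTrustKeys))
  - name: uploadCronAtAllowDenyFiles
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=CronAtAllowDenyFiles))
  - name: uploadDebianPackagesStatus
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=DebianPackagesStatus)
  - name: uploadDebianVersion
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=DebianVersion)
  - name: uploadKernelModules
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=KernelModules))
  - name: uploadLinuxASLREnabled
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxASLREnabled)
  - name: uploadLinuxCACertificates
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxCACertificates))
  - name: uploadLinuxDHCPConfigurationFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxDHCPConfigurationFile)
  - name: uploadLinuxDSDTTable
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxDSDTTable)
  - name: uploadLinuxFstab
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxFstab)
  - name: uploadLinuxGrubConfiguration
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxGrubConfiguration))
  - name: uploadLinuxInitrdFiles
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxInitrdFiles))
  - name: uploadLinuxIssueFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxIssueFile))
  - name: uploadLinuxKernelBootloader
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxKernelBootloader))
  - name: uploadLinuxKernelModuleRestrictions
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxKernelModuleRestrictions))
  - name: uploadLinuxKernelModuleTaintStatus
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxKernelModuleTaintStatus)
  - name: uploadLinuxLoaderSystemPreloadFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxLoaderSystemPreloadFile)
  - name: uploadLinuxLocalTime
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxLocalTime)
  - name: uploadLinuxLSBInit
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxLSBInit))
  - name: uploadLinuxLSBRelease
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxLSBRelease)
  - name: uploadLinuxNetworkManager
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxNetworkManager))
  - name: uploadLinuxPamConfigs
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxPamConfigs))
  - name: uploadLinuxPasswdFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxPasswdFile)
  - name: uploadLinuxProcMounts
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxProcMounts)
  - name: uploadLinuxRelease
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxRelease))
  - name: uploadLinuxRestrictedDmesgReadPrivileges
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxRestrictedDmesgReadPrivileges)
  - name: uploadLinuxRestrictedKernelPointerReadPrivileges
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxRestrictedKernelPointerReadPrivileges)
  - name: uploadLinuxRsyslogConfigs
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxRsyslogConfigs))
  - name: uploadLinuxSecureFsLinks
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxSecureFsLinks))
  - name: uploadLinuxSecureSuidCoreDumps
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxSecureSuidCoreDumps)
  # LinuxSSDTTables is a plain glob-pattern string, so no parse_json_array().
  - name: uploadLinuxSSDTTables
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=LinuxSSDTTables)
  - name: uploadLinuxSysctlConfigurationFiles
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxSysctlConfigurationFiles))
  - name: uploadLinuxSyslogNgConfigs
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxSyslogNgConfigs))
  - name: uploadLinuxSystemdJournalConfig
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxSystemdJournalConfig)
  - name: uploadLinuxSystemdOSRelease
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxSystemdOSRelease))
  - name: uploadLinuxTimezoneFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxTimezoneFile)
  - name: uploadLinuxXinetd
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxXinetd))
  - name: uploadLocateDatabase
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LocateDatabase))
  # Uploads /etc/shadow among others; see the sensitivity note on the
  # LoginPolicyConfiguration parameter.
  - name: uploadLoginPolicyConfiguration
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LoginPolicyConfiguration))
  - name: uploadNetgroupConfiguration
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=NetgroupConfiguration)
  - name: uploadNfsExportsFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=NfsExportsFile))
  - name: uploadNtpConfFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=NtpConfFile)
  - name: uploadPCIDevicesInfoFiles
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=PCIDevicesInfoFiles))
  - name: uploadSambaConfigFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=SambaConfigFile)
  # Uploads the SSSD secrets database and its master key; sensitive.
  - name: uploadSecretsServiceDatabaseFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=SecretsServiceDatabaseFile))
  - name: uploadSshdConfigFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=SshdConfigFile))
  # SSHHostPubKeys is a plain glob-pattern string, so no parse_json_array().
  - name: uploadSSHHostPubKeys
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=SSHHostPubKeys)
  - name: uploadUnixGroupsFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=UnixGroupsFile))
  - name: uploadUnixLocalTimeConfigurationFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=UnixLocalTimeConfigurationFile))
  - name: uploadUnixPasswdFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=UnixPasswdFile))
  # Uploads password hashes; sensitive.
  - name: uploadUnixShadowFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=UnixShadowFile))
  - name: uploadUnixSudoersConfigurationFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=UnixSudoersConfigurationFile))
  - name: uploadYumSources
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=YumSources))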