Linux.Collection.UserConfig :: Velociraptor

Linux.Collection.UserConfig
Collect user configurations and upload them. Based on TriageUserConfiguration from forensicartifacts.com

name: Linux.Collection.UserConfig
author: alternate
description: |
  Collect user configurations and upload them.
  Based on TriageUserConfiguration from forensicartifacts.com

reference:
  - https://github.com/ForensicArtifacts/artifacts/blob/main/data/triage.yaml

precondition: SELECT OS FROM info() WHERE OS = 'linux'

parameters:
- name: BashShellConfigurationFile
  default: |
    ["/{root,home/*}/.bash_logout","/{root,home/*}/.bash_profile","/{root,home/*}/.bashrc",
     "/etc/bash.bashrc","/etc/bashrc"]

- name: ChromePreferences
  default: |
    ["/{root,home/*}/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Preferences",
     "/{root,home/*}/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Secure Preferences",
     "/{root,home/*}/.config/chrome-remote-desktop/chrome-profile/*/Preferences",
     "/{root,home/*}/.config/chrome-remote-desktop/chrome-profile/*/Secure Preferences",
     "/{root,home/*}/.config/chromium/*/Preferences",
     "/{root,home/*}/.config/chromium/*/Secure Preferences",
     "/{root,home/*}/.config/google-chrome/*/Preferences",
     "/{root,home/*}/.config/google-chrome/*/Secure Preferences"]

- name: CShellConfigurationFile
  default: |
    ["/{root,home/*}/.cshrc","/etc/csh.cshrc","/etc/csh.login","/etc/csh.logout"]

- name: FishShellConfigurationFile
  default: |
    ["/{root,home/*}/.local/share/fish/fish_history",
     "/{root,home/*}/.config/fish/conf.d/config.fish",
     "/{root,home/*}/.config/fish/config.fish",
     "/etc/fish/config.fish,/etc/fish/conf.d/*.fish"]

- name: JupyterConfigFile
  default: /{root,home/*}/.jupyter/jupyter_notebook_config.py

- name: KornShellConfigurationFile
  default: |
    ["/{root,home/*}/.ksh","/etc/kshrc"]

- name: RHostsFile
  default: /{root,home/*}/.rhosts

- name: ShellLogoutFile
  default: /{root,home/*}/.logout

- name: ShellProfileFile
  default: | 
    ["/{root,home/*}/.profile","/etc/profile"]

- name: SignalApplicationContent
  default: |
    ["/{root,home/*}/.var/app/org.signal.Signal/*/attachments.noindex/*",
     "/{root,home/*}/.var/app/org.signal.Signal/*/Cache/*",
     "/{root,home/*}/.var/app/org.signal.Signal/*/logs/*",
     "/{root,home/*}/.var/app/org.signal.Signal/config.json"]

- name: SSHAuthorizedKeysFiles
  default: |
    ["/{root,home/*}/.ssh/authorized_keys","/{root,home/*}/.ssh/authorized_keys2"]

- name: SSHKnownHostsFiles
  default: | 
    ["/{root,home/*}/.ssh/known_hosts","/etc/ssh/known_hosts"]

- name: SSHUserConfigFile
  default: /{root,home/*}/.ssh/config

- name: TeeShellConfigurationFile
  default: /{root,home/*}/.tcsh

- name: ZShellConfigurationFile
  default: |
    ["/{root,home/*}/.zlogin","/{root,home/*}/.zlogout","/{root,home/*}/.zprofile",
     "/etc/zshenv,/etc/zshrc","/etc/zsh/zlogin","/etc/zsh/zlogout","/etc/zsh/zprofile",
     "/etc/zsh/zshenv","/etc/zsh/zshrc"]

sources:
- name: uploadBashShellConfigurationFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=BashShellConfigurationFile))

- name: uploadChromePreferences
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=ChromePreferences))

- name: uploadCShellConfigurationFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=CShellConfigurationFile))

- name: uploadFishShellConfigurationFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=FishShellConfigurationFile))

- name: uploadJupyterConfigFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=JupyterConfigFile)

- name: uploadKornShellConfigurationFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=KornShellConfigurationFile))

- name: uploadRHostsFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=RHostsFile)

- name: uploadShellLogoutFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=ShellLogoutFile)

- name: uploadShellProfileFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=ShellProfileFile))

- name: uploadSignalApplicationContent
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=SignalApplicationContent))

- name: uploadSSHAuthorizedKeysFiles
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=SSHAuthorizedKeysFiles))

- name: uploadSSHKnownHostsFiles
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=SSHKnownHostsFiles))

- name: uploadSSHUserConfigFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=SSHUserConfigFile)

- name: uploadTeeShellConfigurationFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=TeeShellConfigurationFile)

- name: uploadZShellConfigurationFile
  query: |
    SELECT OSPath,
           Mtime,
           upload(file=OSPath) AS Upload
    FROM glob(globs=parse_json_array(data=ZShellConfigurationFile))