This artifact collects all necessary artifacts files and directories from Linux operating system.
name: Linux.Forensics.Targets
author: Cedric MAURUGEON - @kidrek
description: |
This artifact collects all necessary artifacts files and directories from Linux operating system.
reference:
- https://github.com/ForensicArtifacts/artifacts/blob/main/artifacts/data/linux.yaml
parameters:
- name: BootTargets
type: csv
default: |
Glob
/boot/grub/grub.cfg
/boot/grub2/grub.cfg
/boot/initramfs*
/boot/initrd*
/etc/init.d/**
/etc/insserv.conf
/etc/insserv.conf.d/**
- name: CertificateTargets
type: csv
default: |
Glob
/etc/ca-certificates.conf
/etc/ssl/certs/ca-certificates.crt
/usr/share/ca-certificates/**
/usr/local/share/ca-certificates/**
- name: CronTargets
type: csv
default: |
Glob
/etc/anacrontab
/etc/at.allow
/etc/at.deny
/etc/cron.allow
/etc/cron.d/**
/etc/cron.daily/**
/etc/cron.deny
/etc/cron.hourly/**
/etc/cron.monthly/**
/etc/cron.weekly/**
/etc/crontab
/var/at/tabs/**
/var/spool/anacron/cron.*
/var/spool/at/**
/var/spool/cron/**
- name: LogTargets
type: csv
default: |
Glob
/etc/rsyslog.conf
/etc/rsyslog.d/**
/var/log/apache2/**
/var/log/apt/history.log*
/var/log/apt/term.log*
/var/log/auth*
/var/log/cron.log*
/var/log/daemon*
/var/log/journal/**
/var/log/kern*
/var/log/lastlog
/var/log/mail*
/var/log/messages*
/var/log/secure*
/var/log/syslog*
/var/log/nginx/**
/var/log/ufw.log*
- name: NetworkTargets
type: csv
default: |
Glob
/etc/netplan/*.yaml
/etc/network/if-up.d/**
/etc/network/if-down.d/**
/etc/network/interfaces
/etc/resolv.conf
/etc/default/ufw
/etc/ufw/sysctl.conf
/etc/ufw/*.rules
/etc/ufw/applications.d/**
- name: PackageTargets
type: csv
default: |
Glob
/etc/apt/sources.list
/etc/apt/sources.list.d/*
/etc/apt/trusted.gpg
/etc/apt/trusted.gpg.d/*
/etc/apt/trustdb.gpg
/etc/yum.conf
/etc/yum.repos.d/*.repo
/usr/share/keyrings/*
/var/lib/dpkg/status
- name: ServiceTargets
type: csv
default: |
Glob
/etc/systemd/system.control/*.timer
/etc/systemd/systemd.attached/*.timer
/etc/systemd/system/*.timer
/etc/systemd/user/*.timer
/lib/systemd/system/*.timer
/lib/systemd/user/*.timer
/run/systemd/generator.early/*.timer
/run/systemd/generator.late/*.timer
/run/systemd/generator/*.timer
/run/systemd/system.control/*.timer
/run/systemd/systemd.attached/*.timer
/run/systemd/system/*.timer
/run/systemd/transient/*.timer
/run/systemd/user/*.timer
/run/user/*/systemd/generator.early/*.timer
/run/user/*/systemd/generator.late/*.timer
/run/user/*/systemd/generator/*.timer
/run/user/*/systemd/transient/*.timer
/run/user/*/systemd/user.control/*.timer
/run/user/*/systemd/user/*.timer
/usr/lib/systemd/system/*.timer
/usr/lib/systemd/user/*.timer
/home/*/.config/systemd/user.control/*.timer
/home/*/.config/systemd/user/*.timer
/home/*/.local/share/systemd/user/*.timer
/root/.config/systemd/user.control/*.timer
/root/.config/systemd/user/*.timer
/root/.local/share/systemd/user/*.timer
/etc/systemd/system.control/*.service
/etc/systemd/systemd.attached/*.service
/etc/systemd/system/*.service
/etc/systemd/user/*.service
/lib/systemd/system/*.service
/lib/systemd/user/*.service
/run/systemd/generator.early/*.service
/run/systemd/generator.late/*.service
/run/systemd/generator/*.service
/run/systemd/system.control/*.service
/run/systemd/systemd.attached/*.service
/run/systemd/system/*.service
/run/systemd/transient/*.service
/run/systemd/user/*.service
/run/user/*/systemd/generator.early/*.service
/run/user/*/systemd/generator.late/*.service
/run/user/*/systemd/generator/*.service
/run/user/*/systemd/transient/*.service
/run/user/*/systemd/user.control/*.service
/run/user/*/systemd/user/*.service
/usr/lib/systemd/system/*.service
/usr/lib/systemd/user/*.service
/home/*/.config/systemd/user.control/*.service
/home/*/.config/systemd/user/*.service
/home/*/.local/share/systemd/user/*.service
/root/.config/systemd/user.control/*.service
/root/.config/systemd/user/*.service
/root/.local/share/systemd/user/*.service
- name: SystemTargets
type: csv
default: |
Glob
/dev/shm/**
/etc/fstab
/etc/hostname
/etc/issue
/etc/issue.net
/etc/ld.so.preload
/etc/localtime
/etc/ntp.conf
/etc/modprobe.d/*
/etc/modules.conf
/etc/ssh/**
/etc/timezone
/etc/udev/rules.d/*
/usr/lib/udev/rules.d/*
- name: SystemVersionTargets
type: csv
default: |
Glob
/etc/debian_version
/etc/centos-release
/etc/enterprise-release
/etc/oracle-release
/etc/redhat-release
/etc/rocky-release
/etc/SuSE-release
/etc/system-release
/etc/lsb-release
/etc/os-release
/usr/lib/os-release
- name: UserTargets
type: csv
default: |
Glob
/etc/passwd
/etc/shadow
/etc/sudoers
/etc/sudoers.d/**
/etc/group
/home/*/.config/mozilla/**
/home/*/snap/firefox/common/.mozilla/**
/home/*/.config/google-chrome/**
/home/*/snap/chromium/common/chromium/Default/**
/home/*/.aliases
/home/*/.profile
/home/*/.*_history
/home/*/.*rc
/home/*/.ssh/*
/home/*/.wget-hsts
/root/.config/mozilla/**
/root/snap/firefox/common/.mozilla/**
/root/.config/google-chrome/**
/root/snap/chromium/common/chromium/Default/**
/root/.aliases
/root/.profile
/root/.*_history
/root/.*rc
/root/.ssh/*
/root/.wget-hsts
precondition: SELECT OS From info() where OS = 'linux'
sources:
- name: BootTargets
query: |
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs=BootTargets.Glob)
- name: CertificateTargets
query: |
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs=CertificateTargets.Glob)
- name: CronTargets
query: |
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs=CronTargets.Glob)
- name: LogTargets
query: |
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs=LogTargets.Glob)
- name: NetworkTargets
query: |
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs=NetworkTargets.Glob)
- name: PackageTargets
query: |
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs=PackageTargets.Glob)
- name: ServiceTargets
query: |
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs=ServiceTargets.Glob)
- name: SystemTargets
query: |
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs=SystemTargets.Glob)
- name: SystemVersionTargets
query: |
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs=SystemVersionTargets.Glob)
- name: UserTargets
query: |
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs=UserTargets.Glob)