Merge pull request #254 from tclahr/new_artifacts

artif: new artifacts
tclahr · Jul 22, 2024 · 3c10215 · 3c10215
2 parents 776202d + d881976
commit 3c10215
Show file tree

Hide file tree

Showing 7 changed files with 76 additions and 19 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,13 +28,15 @@
 - files/applications/whatsapp.yaml: Added collection of WhatsApp Desktop files [macos].
 - files/logs/additional_logs.yaml: Artifact was renamed to advanced_log_search.yaml.
 - files/logs/relink.yaml: Added collection of the kernel relink log file [openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/logs/run_log.yaml: Added collection of /run/log directory.
 - files/system/acct.yaml: Added collection of system accounting files [freebsd, netbsd, openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
 - files/system/dev_db.yaml: Added collection of the database file used for device lookups [netbsd, openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
 - files/system/dev_shm.yaml: Updated to increase max_file_size to 10MB.
 - files/system/locate_db.yaml: Added collection of the database file used by locate command, representing a snapshot of the virtual file system accessible with minimal permissions [freebsd, netbsd, openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
 - files/system/netscaler.yaml: Updated to increase max_file_size to 10MB.
 - files/system/run_shm.yaml: Updated to increase max_file_size to 10MB.
 - files/system/security_backups.yaml: Added collection of file backups and hashes created by the integrated security script [freebsd, netbsd, openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/system/systemd.yaml: Updated to add new locations for configuration files.
 - files/system/tmp.yaml: Updated to increase max_file_size to 10MB.
 - files/system/var_tmp.yaml: Updated to increase max_file_size to 10MB.
 - hash_executables/hash_executables.yaml: Updated to remove max_depth and max_file_size properties.
@@ -66,10 +68,12 @@
 - '--s3-presigned-url-log-file' was renamed to '--aws-s3-presigned-url-log-file'.
 - '--ibm-cos-url', '--ibm-cos-url-log-file' and '--ibm-cloud-api-key' were removed and now transfers to IBM cloud should be done using '--s3-provider', '--s3-region', '--s3-bucket' and '--s3-token' options.
 
-### Artifacts Properties
+### Artifacts Properties Changes
 
-- The 'output_directory' property is now mandatory for the following collectors: command, find, hash and stat.
 - Introduced a new 'condition' property that ensures the collection runs only if the specified condition returns true.
+- The 'output_directory' property is now mandatory for the following collectors: command, find, hash and stat.
+- The 'file_type' property is now an array.
+- The 'permissions' property is now an array.
 
 ### uac.conf
 

diff --git a/artifacts/files/logs/apache.yaml b/artifacts/files/logs/apache.yaml
@@ -1,27 +1,27 @@
-version: 1.0
+version: 2.0
 artifacts:
   -
     description: Collect Apache logs.
-    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    supported_os: [all]
     collector: file
     path: /var/log
     name_pattern: ["access_log*", "access.log*", "error_log*", "error.log*"]
     max_file_size: 1073741824 # 1GB
   -
     description: Collect Apache logs.
-    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    supported_os: [all]
     collector: file
     path: /var/log/apache
     max_file_size: 1073741824 # 1GB
   -
     description: Collect Apache logs.
-    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    supported_os: [all]
     collector: file
     path: /var/log/apache2
     max_file_size: 1073741824 # 1GB
   -
     description: Collect Apache logs.
-    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    supported_os: [all]
     collector: file
     path: /var/log/httpd
     max_file_size: 1073741824 # 1GB
diff --git a/artifacts/files/logs/journal.yaml b/artifacts/files/logs/journal.yaml
@@ -0,0 +1,8 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect journal log files.
+    supported_os: [linux]
+    collector: file
+    path: /
+    name_pattern: ["*.journal"]
diff --git a/artifacts/files/logs/nginx.yaml b/artifacts/files/logs/nginx.yaml
@@ -2,14 +2,14 @@ version: 1.0
 artifacts:
   -
     description: Collect nginx logs.
-    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    supported_os: [all]
     collector: file
     path: /var/log
     name_pattern: ["*access_log*", "*access.log*", "*error_log*", "*error.log*"]
     max_file_size: 1073741824 # 1GB
   -
     description: Collect nginx logs.
-    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    supported_os: [all]
     collector: file
     path: /var/log/nginx
     max_file_size: 1073741824 # 1GB

diff --git a/artifacts/files/logs/run_log.yaml b/artifacts/files/logs/run_log.yaml
@@ -0,0 +1,9 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect /run/log files.
+    supported_os: [linux]
+    collector: file
+    path: /run/log
+    max_file_size: 1073741824 # 1GB
+
diff --git a/artifacts/files/logs/tomcat.yaml b/artifacts/files/logs/tomcat.yaml
@@ -1,8 +1,8 @@
-version: 1.0
+version: 2.0
 artifacts:
   -
     description: Collect Apache Tomcat logs.
-    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    supported_os: [all]
     collector: file
     path: /
     name_pattern: ["access_log*", "error_log*", "httpd-access.log*", "httpd-error.log*", "catalina.out"]

diff --git a/artifacts/files/system/systemd.yaml b/artifacts/files/system/systemd.yaml
@@ -1,37 +1,73 @@
-version: 2.1
+version: 3.0
 artifacts:
   -
     description: Collect systemd configuration files.
     supported_os: [linux]
     collector: file
-    path: /lib/systemd/system
-    ignore_date_range: true
+    path: /etc/systemd
   -
     description: Collect systemd configuration files.
     supported_os: [linux]
     collector: file
-    path: /usr/lib/systemd/system
+    path: /lib/systemd/system
     ignore_date_range: true
   -
     description: Collect systemd sessions files.
     supported_os: [linux]
     collector: file
     path: /run/systemd/sessions
     file_type: [f]
+  -
+    description: Collect systemd files.
+    supported_os: [linux]
+    collector: file
+    path: /run/systemd/system
   -
     description: Collect systemd scope and transient timer files.
     supported_os: [linux]
     collector: file
     path: /run/systemd/transient
     name_pattern: ["*.scope", "*.service", "*.timer"]
   -
-    description: Collect systemd per-user transient timers.
+    description: Collect systemd configuration files.
     supported_os: [linux]
     collector: file
-    path: /run/user/*/systemd/transient
-    name_pattern: ["*.service", "*.timer"]
+    path: /usr/lib/systemd
+    ignore_date_range: true
+  -
+    description: Collect systemd configuration files.
+    supported_os: [linux]
+    collector: file
+    path: /usr/local/lib/systemd/system
+  -
+    description: Collect systemd configuration files.
+    supported_os: [linux]
+    collector: file
+    path: /usr/local/lib/systemd/user
+  -
+    description: Collect systemd configuration files.
+    supported_os: [linux]
+    collector: file
+    path: /usr/local/share/systemd/user
+  -
+    description: Collect systemd configuration files.
+    supported_os: [linux]
+    collector: file
+    path: /usr/share/systemd/user
+  -
+    description: Collect systemd per-user configuration.
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.config/systemd
   -
     description: Collect systemd per-user configuration.
     supported_os: [linux]
     collector: file
-    path: /%user_home%/.config/systemd
+    path: /%user_home%/.local/share/systemd
+  -
+    description: Collect systemd per-user transient timers.
+    supported_os: [linux]
+    collector: file
+    path: /run/user/*/systemd/transient
+    name_pattern: ["*.scope", "*.service", "*.timer"]
+