artif: create bpftool.yaml

Move the new eBPF artifacts into bpftool.yaml. ebpf.yaml is reverted.
tclahr · Aug 19, 2024 · 82012c0 · 82012c0
1 parent 8ca75f9
commit 82012c0
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 38 deletions.
diff --git a/artifacts/live_response/system/bpftool.yaml b/artifacts/live_response/system/bpftool.yaml
@@ -0,0 +1,33 @@
+version: 1.0
+condition: command_exists "bpftool"
+output_directory: /live_response/system
+  -
+    description: List loaded eBPF programs.
+    supported_os: [linux]
+    collector: command
+    command: bpftool prog list
+    output_file: bpftool_prog_list.txt
+  -
+    description: Show information of pinned eBPF programs.
+    supported_os: [linux]
+    collector: command
+    foreach: ls -A /sys/fs/bpf | cut -c1-8
+    command: bpftool prog show name "%line%"
+    output_directory: /live_response/system/ebpf/%line%
+    output_file: show.txt
+  -
+    description: Dump xlated eBPF programs.
+    supported_os: [linux]
+    collector: command
+    foreach: ls -A /sys/fs/bpf | cut -c1-8
+    command: bpftool prog dump xlated name "%line%"
+    output_directory: /live_response/system/ebpf/%line%
+    output_file: xlated.txt
+  -
+    description: Dump jited eBPF programs.
+    supported_os: [linux]
+    collector: command
+    foreach: ls -A /sys/fs/bpf | cut -c1-8
+    command: bpftool prog dump jited name "%line%"
+    output_directory: /live_response/system/ebpf/%line%
+    output_file: jited.txt
diff --git a/artifacts/live_response/system/ebpf.yaml b/artifacts/live_response/system/ebpf.yaml
@@ -1,4 +1,4 @@
-version: 2.1
+version: 2.0
 output_directory: /live_response/system
 artifacts:
   -
@@ -7,41 +7,6 @@ artifacts:
     collector: command
     command: ls -la /sys/fs/bpf
     output_file: ls_-la_sys_fs_bpf.txt
-
+  
 # References:
-# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
-
-  -
-    description: List loaded eBPF progs.
-    supported_os: [linux]
-    condition: command_exists "bpftool"
-    collector: command
-    command: bpftool prog list
-    output_file: bpftool_prog_list.txt
-  -
-    description: Show information of pinned eBPF progs.
-    supported_os: [linux]
-    condition: command_exists "bpftool"
-    collector: command
-    foreach: ls -A /sys/fs/bpf | cut -c1-8
-    command: bpftool prog show name "%line%"
-    output_directory: /live_response/system/ebpf/%line%
-    output_file: show.txt
-  -
-    description: Dump xlated eBPF progs.
-    supported_os: [linux]
-    condition: command_exists "bpftool"
-    collector: command
-    foreach: ls -A /sys/fs/bpf | cut -c1-8
-    command: bpftool prog dump xlated name "%line%"
-    output_directory: /live_response/system/ebpf/%line%
-    output_file: xlated.txt
-  -
-    description: Dump jited eBPF progs.
-    supported_os: [linux]
-    condition: command_exists "bpftool"
-    collector: command
-    foreach: ls -A /sys/fs/bpf | cut -c1-8
-    command: bpftool prog dump jited name "%line%"
-    output_directory: /live_response/system/ebpf/%line%
-    output_file: jited.txt
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf