artif: new artifact

Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles
tclahr · Nov 27, 2024 · 8bceef6 · 8bceef6
1 parent 101b85e
commit 8bceef6
Show file tree

Hide file tree

Showing 6 changed files with 105 additions and 193 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 ## DEVELOPMENT VERSION
 
+### Artifacts
+
+- live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
+- live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
+
 ### New Artifacts Properties
 
 - Added the new 'redirect_stderr_to_stdout' property, an optional feature available exclusively for the command collector. When set to true, this property redirects all error messages (stderr) to standard output (stdout), ensuring they are written to the output file.

diff --git a/artifacts/live_response/packages/dpkg.yaml b/artifacts/live_response/packages/dpkg.yaml
@@ -14,123 +14,3 @@ artifacts:
     collector: command
     command: dpkg -V
     output_file: dpkg_-V.txt
-  -
-    description: List filenames under /sbin/.
-    supported_os: [linux]
-    collector: find
-    path: /sbin/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/sbin/.
-    supported_os: [linux]
-    collector: find
-    path: /usr/sbin/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /bin/.
-    supported_os: [linux]
-    collector: find
-    path: /bin/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/bin/.
-    supported_os: [linux]
-    collector: find
-    path: /usr/bin/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /lib/.
-    supported_os: [linux]
-    collector: find
-    path: /lib/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/lib/.
-    supported_os: [linux]
-    collector: find
-    path: /usr/lib/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /lib32/.
-    supported_os: [linux]
-    collector: find
-    path: /lib32/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/lib32/.
-    supported_os: [linux]
-    collector: find
-    path: /usr/lib32/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /lib64/.
-    supported_os: [linux]
-    collector: find
-    path: /lib64/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/lib64/.
-    supported_os: [linux]
-    collector: find
-    path: /usr/lib64/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /libx32/.
-    supported_os: [linux]
-    collector: find
-    path: /libx32/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/libx32/.
-    supported_os: [linux]
-    collector: find
-    path: /usr/libx32/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /opt/.
-    supported_os: [linux]
-    collector: find
-    path: /opt/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/local/.
-    supported_os: [linux]
-    collector: find
-    path: /usr/local/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: Search for a filename from installed packages.
-    supported_os: [linux]
-    collector: command
-    foreach: cat /%temp_directory%/live_response/packages/binary_files.txt
-    command: dpkg -S "%line%" 2>&1
-    output_directory: /live_response/packages
-    output_file: dpkg_-S.txt
diff --git a/artifacts/live_response/packages/package_owns_file.yaml b/artifacts/live_response/packages/package_owns_file.yaml
@@ -0,0 +1,97 @@
+version: 1.0
+condition: command_exists "dpkg" || command_exists "pacman" || command_exists "rpm"
+output_directory: /live_response/packages
+artifacts:
+  -
+    description: List filenames under /bin/.
+    supported_os: [linux]
+    collector: find
+    path: /bin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /sbin/.
+    supported_os: [linux]
+    collector: find
+    path: /sbin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /usr/bin/.
+    supported_os: [linux]
+    collector: find
+    path: /usr/bin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /usr/sbin/.
+    supported_os: [linux]
+    collector: find
+    path: /usr/sbin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /usr/local/bin/.
+    supported_os: [linux]
+    collector: find
+    path: /usr/local/bin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /usr/local/sbin/.
+    supported_os: [linux]
+    collector: find
+    path: /usr/local/sbin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /opt/bin/.
+    supported_os: [linux]
+    collector: find
+    path: /opt/bin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /opt/sbin/.
+    supported_os: [linux]
+    collector: find
+    path: /opt/sbin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: Determine which installed package owns a specific file or command.
+    supported_os: [linux]
+    collector: command
+    condition: command_exists "dpkg"
+    foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt
+    command: dpkg -S "%line%"
+    output_directory: /live_response/packages
+    output_file: dpkg_-S.txt
+    redirect_stderr_to_stdout: true
+  -
+    description: Determine which installed package owns a specific file or command.
+    supported_os: [linux]
+    collector: command
+    condition: command_exists "pacman"
+    foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt
+    command: pacman -Q -o "%line%"
+    output_directory: /live_response/packages
+    output_file: pacman_-Q_-o.txt
+    redirect_stderr_to_stdout: true
+  -
+    description: Determine which installed package owns a specific file or command.
+    supported_os: [linux]
+    collector: command
+    condition: command_exists "rpm"
+    foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt
+    command: rpm -q -f "%line%" | sed -e "s|$|: %line%|"
+    output_directory: /live_response/packages
+    output_file: rpm_-q_-f.txt
diff --git a/artifacts/live_response/packages/rpm.yaml b/artifacts/live_response/packages/rpm.yaml
@@ -1,4 +1,4 @@
-version: 3.1
+version: 3.0
 condition: command_exists "rpm"
 output_directory: /live_response/packages
 artifacts:
@@ -20,75 +20,3 @@ artifacts:
     collector: command
     command: rpm -V -a
     output_file: rpm_-V_-a.txt
-  -
-    description: List filenames under /usr/sbin/.
-    supported_os: [aix, linux]
-    collector: find
-    path: /usr/sbin/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/bin/.
-    supported_os: [aix, linux]
-    collector: find
-    path: /usr/bin/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/lib/.
-    supported_os: [aix, linux]
-    collector: find
-    path: /usr/lib/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/lib32/.
-    supported_os: [aix, linux]
-    collector: find
-    path: /usr/lib32/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/lib64/.
-    supported_os: [aix, linux]
-    collector: find
-    path: /usr/lib64/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/libx32/.
-    supported_os: [aix, linux]
-    collector: find
-    path: /usr/libx32/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /opt/.
-    supported_os: [aix, linux]
-    collector: find
-    path: /opt/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: List filenames under /usr/local/.
-    supported_os: [aix, linux]
-    collector: find
-    path: /usr/local/*
-    file_type: [f, l]
-    output_directory: /%temp_directory%/live_response/packages
-    output_file: binary_files.txt
-  -
-    description: Search for a filename from installed packages.
-    supported_os: [aix, linux]
-    collector: command
-    foreach: cat /%temp_directory%/live_response/packages/binary_files.txt
-    command: rpm -q -f "%line%" | sed 's|$|: %line%|'
-    output_directory: /live_response/packages
-    output_file: rpm_-q_-f.txt
diff --git a/profiles/full.yaml b/profiles/full.yaml
@@ -20,6 +20,7 @@ artifacts:
   - live_response/system/*
   - live_response/hardware/*
   - live_response/packages/*
+  - !live_response/packages/package_owns_file.yaml
   - live_response/storage/*
   - live_response/containers/*
   - live_response/vms/*

diff --git a/profiles/ir_triage.yaml b/profiles/ir_triage.yaml
@@ -20,6 +20,7 @@ artifacts:
   - live_response/system/*
   - live_response/hardware/*
   - live_response/packages/*
+  - !live_response/packages/package_owns_file.yaml
   - live_response/storage/*
   - live_response/containers/*
   - live_response/vms/*