Merge pull request #253 from mnrkbys/rpm-dpkg-search-filename

Updated to collect dpkg.log and verify installed files. Also, search for package name that contains installed files.

CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Artifacts
 
+- live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
+- live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/system/getcap.yaml: Added functionality to collect the list of files with associated process capabilities [linux] ([mnrkbys](https://github.com/mnrkbys)).
 
 ### New Artifacts Properties

artifacts/files/packages/dpkg.yaml

@@ -1,9 +1,14 @@
-version: 1.0
+version: 1.1
 artifacts:
   -
     description: Collect dpkg packages status file.
     supported_os: [linux]
     collector: file
     path: /var/lib/dpkg/status
     ignore_date_range: true
-
+  -
+    description: Collect dpkg packages log file.
+    supported_os: [linux]
+    collector: file
+    path: /var/log/dpkg.log
+    ignore_date_range: true

artifacts/live_response/packages/dpkg.yaml

@@ -1,4 +1,4 @@
-version: 2.0
+version: 2.1
 condition: command_exists "dpkg"
 output_directory: /live_response/packages
 artifacts:
@@ -8,3 +8,9 @@ artifacts:
     collector: command
     command: dpkg -l
     output_file: dpkg_-l.txt
+  -
+    description: Verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database.
+    supported_os: [linux]
+    collector: command
+    command: dpkg -V
+    output_file: dpkg_-V.txt

artifacts/live_response/packages/package_owns_file.yaml

@@ -0,0 +1,97 @@
+version: 1.0
+condition: command_exists "dpkg" || command_exists "pacman" || command_exists "rpm"
+output_directory: /live_response/packages
+artifacts:
+  -
+    description: List filenames under /bin/.
+    supported_os: [linux]
+    collector: find
+    path: /bin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /sbin/.
+    supported_os: [linux]
+    collector: find
+    path: /sbin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /usr/bin/.
+    supported_os: [linux]
+    collector: find
+    path: /usr/bin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /usr/sbin/.
+    supported_os: [linux]
+    collector: find
+    path: /usr/sbin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /usr/local/bin/.
+    supported_os: [linux]
+    collector: find
+    path: /usr/local/bin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /usr/local/sbin/.
+    supported_os: [linux]
+    collector: find
+    path: /usr/local/sbin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /opt/bin/.
+    supported_os: [linux]
+    collector: find
+    path: /opt/bin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: List filenames under /opt/sbin/.
+    supported_os: [linux]
+    collector: find
+    path: /opt/sbin/*
+    file_type: [f, l]
+    output_directory: /%temp_directory%/live_response/packages
+    output_file: binary_files.txt
+  -
+    description: Determine which installed package owns a specific file or command.
+    supported_os: [linux]
+    collector: command
+    condition: command_exists "dpkg"
+    foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt
+    command: dpkg -S "%line%"
+    output_directory: /live_response/packages
+    output_file: dpkg_-S.txt
+    redirect_stderr_to_stdout: true
+  -
+    description: Determine which installed package owns a specific file or command.
+    supported_os: [linux]
+    collector: command
+    condition: command_exists "pacman"
+    foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt
+    command: pacman -Q -o "%line%"
+    output_directory: /live_response/packages
+    output_file: pacman_-Q_-o.txt
+    redirect_stderr_to_stdout: true
+  -
+    description: Determine which installed package owns a specific file or command.
+    supported_os: [linux]
+    collector: command
+    condition: command_exists "rpm"
+    foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt
+    command: rpm -q -f "%line%" | sed -e "s|$|: %line%|"
+    output_directory: /live_response/packages
+    output_file: rpm_-q_-f.txt

artifacts/live_response/packages/rpm.yaml

@@ -20,4 +20,3 @@ artifacts:
     collector: command
     command: rpm -V -a
     output_file: rpm_-V_-a.txt
-

profiles/full.yaml

@@ -20,6 +20,7 @@ artifacts:
   - live_response/system/*
   - live_response/hardware/*
   - live_response/packages/*
+  - !live_response/packages/package_owns_file.yaml
   - live_response/storage/*
   - live_response/containers/*
   - live_response/vms/*

profiles/ir_triage.yaml

@@ -20,6 +20,7 @@ artifacts:
   - live_response/system/*
   - live_response/hardware/*
   - live_response/packages/*
+  - !live_response/packages/package_owns_file.yaml
   - live_response/storage/*
   - live_response/containers/*
   - live_response/vms/*