From d1d2e1d14a3307deb102e7acbed619557b05104b Mon Sep 17 00:00:00 2001
From: Minoru Kobayashi
Date: Mon, 22 Jul 2024 16:00:33 +0900
Subject: [PATCH 1/3] artif: new artifacts related to dpkg and rpm

Updated to collect dpkg.log and verify installed files. Also, search for package name that contains installed files.
---
 artifacts/files/packages/dpkg.yaml | 9 ++-
 artifacts/live_response/packages/dpkg.yaml | 64 +++++++++++++++++++++-
 artifacts/live_response/packages/rpm.yaml | 43 ++++++++++++++-
 3 files changed, 111 insertions(+), 5 deletions(-)

diff --git a/artifacts/files/packages/dpkg.yaml b/artifacts/files/packages/dpkg.yaml
index e2d7a078..c1f11b08 100644
--- a/artifacts/files/packages/dpkg.yaml
+++ b/artifacts/files/packages/dpkg.yaml
@@ -1,4 +1,4 @@
-version: 1.0
+version: 1.1
 artifacts:
 -
 description: Collect dpkg packages status file.
@@ -6,4 +6,9 @@ artifacts:
 collector: file
 path: /var/lib/dpkg/status
 ignore_date_range: true
-
\ No newline at end of file
+ -
+ description: Collect dpkg packages log file.
+ supported_os: [linux]
+ collector: file
+ path: /var/log/dpkg.log
+ ignore_date_range: true
diff --git a/artifacts/live_response/packages/dpkg.yaml b/artifacts/live_response/packages/dpkg.yaml
index f150ec6d..7a97aa2b 100644
--- a/artifacts/live_response/packages/dpkg.yaml
+++ b/artifacts/live_response/packages/dpkg.yaml
@@ -1,4 +1,4 @@
-version: 2.0
+version: 2.1
 condition: command_exists "dpkg"
 output_directory: /live_response/packages
 artifacts:
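Review bot: The new file artifact in the `@@ -6,4 +6,9 @@` hunk collects only /var/log/dpkg.log, but logrotate keeps the older install history as dpkg.log.1 and dpkg.log.*.gz, so package changes older than the current rotation window are missed even with `ignore_date_range: true`. If the file collector accepts globs the way the find collector in this series does with `path: /sbin/*`, a single `path: /var/log/dpkg.log*` would capture the rotated files; otherwise one entry per rotated name is needed. This addition is also not mentioned in the CHANGELOG entry later in the series.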
@@ -8,3 +8,65 @@ artifacts: collector: command command: dpkg -l output_file: dpkg_-l.txt + - + description: Verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database. + supported_os: [linux] + collector: command + command: dpkg -V + output_file: dpkg_-V.txt + - + description: List filenames under /sbin/. + supported_os: [linux] + collector: find + path: /sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/sbin/. + supported_os: [linux] + collector: find + path: /usr/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /bin/. + supported_os: [linux] + collector: find + path: /bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/bin/. + supported_os: [linux] + collector: find + path: /usr/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /opt/. + supported_os: [linux] + collector: find + path: /opt/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/local/. + supported_os: [linux] + collector: find + path: /usr/local/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: Search for a filename from installed packages. + supported_os: [linux] + collector: command + foreach: cat /%temp_directory%/live_response/packages/binary_files.txt + command: dpkg -S "%line%" 2>&1 + output_directory: /live_response/packages + output_file: dpkg_-S.txt 
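Review bot: The `/bin/*` and `/sbin/*` listings feed `dpkg -S` paths that, on merged-/usr Debian and Ubuntu releases where /bin and /sbin are symlinks into /usr, the dpkg database may only record under /usr/bin and /usr/sbin, so dpkg-query can answer "no path found" for perfectly legitimate binaries (this depends on the dpkg version and should be checked on a current host before trusting a "not owned" result). The same binaries are then queried a second time through the /usr/bin and /usr/sbin listings, doubling the number of dpkg invocations for no extra information. Resolving the directory symlink before the lookup, or at least de-duplicating binary_files.txt in the `foreach` source, would avoid both; a comment on the `dpkg -S` entry such as `# unowned results for /bin and /sbin may be merged-/usr aliasing, not an implant` would keep analysts from over-reading them.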
diff --git a/artifacts/live_response/packages/rpm.yaml b/artifacts/live_response/packages/rpm.yaml index 83cad07a..fec8a616 100644 --- a/artifacts/live_response/packages/rpm.yaml +++ b/artifacts/live_response/packages/rpm.yaml @@ -1,4 +1,4 @@ -version: 3.0 +version: 3.1 condition: command_exists "rpm" output_directory: /live_response/packages artifacts: @@ -20,4 +20,43 @@ artifacts: collector: command command: rpm -V -a output_file: rpm_-V_-a.txt - \ No newline at end of file + - + description: List filenames under /usr/sbin/. + supported_os: [aix, linux] + collector: find + path: /usr/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/bin/. + supported_os: [aix, linux] + collector: find + path: /usr/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /opt/. + supported_os: [aix, linux] + collector: find + path: /opt/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/local/. + supported_os: [aix, linux] + collector: find + path: /usr/local/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: Search for a filename from installed packages. + supported_os: [aix, linux] + collector: command + foreach: cat /%temp_directory%/live_response/packages/binary_files.txt + command: rpm -q -f "%line%" | sed 's|$|: %line%|' + output_directory: /live_response/packages + output_file: rpm_-q_-f.txt From 03476edbb4d74b8c13512ee621e314c50ef9bdf4 Mon Sep 17 00:00:00 2001 
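Review bot: `rpm -q -f "%line%" | sed 's|$|: %line%|'` pastes the file name into the sed replacement text, where `|` terminates the expression, `&` expands to the matched text and `\` is an escape, so a file name containing any of these under /opt or /usr/local, which an intruder controls, either aborts sed or mislabels the output line. Since the pipe already implies the command runs through a shell, the pairing can be produced without re-parsing the path as sed syntax, e.g. `command: echo "%line%: $(rpm -q -f "%line%")"`, at the cost of emitting `path: package` rather than `package: path`. The rpm listing is also limited to /usr/sbin and /usr/bin, so /sbin and /bin are not covered on non-merged-/usr hosts, unlike the dpkg counterpart.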
From: Minoru Kobayashi Date: Wed, 18 Sep 2024 16:53:03 +0900 Subject: [PATCH 2/3] artif: add lib directories Add /usr/lib, /usr/lib32, /usr/lib64, /usr/libx32 --- artifacts/live_response/packages/dpkg.yaml | 64 ++++++++++++++++++++++ artifacts/live_response/packages/rpm.yaml | 32 +++++++++++ 2 files changed, 96 insertions(+) diff --git a/artifacts/live_response/packages/dpkg.yaml b/artifacts/live_response/packages/dpkg.yaml index 7a97aa2b..4da23ec9 100644 --- a/artifacts/live_response/packages/dpkg.yaml +++ b/artifacts/live_response/packages/dpkg.yaml 
@@ -46,6 +46,70 @@ artifacts: file_type: [f, l] output_directory: /%temp_directory%/live_response/packages output_file: binary_files.txt + - + description: List filenames under /lib/. + supported_os: [linux] + collector: find + path: /lib/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/lib/. + supported_os: [linux] + collector: find + path: /usr/lib/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /lib32/. + supported_os: [linux] + collector: find + path: /lib32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/lib32/. + supported_os: [linux] + collector: find + path: /usr/lib32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /lib64/. + supported_os: [linux] + collector: find + path: /lib64/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/lib64/. + supported_os: [linux] + collector: find + path: /usr/lib64/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /libx32/. + supported_os: [linux] + collector: find + path: /libx32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/libx32/. + supported_os: [linux] + collector: find + path: /usr/libx32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt - description: List filenames under /opt/. supported_os: [linux] 
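Review bot: Listing every regular file and symlink under /usr/lib with `path: /usr/lib/*` and `file_type: [f, l]` pushes tens of thousands of entries (Python modules, locale data, firmware) into binary_files.txt, each of which later becomes one `dpkg -S` invocation, which is where most of the run time of this feature will go. If the goal is catching planted shared objects, narrowing the lib entries to `*.so` and `*.so.*` names (via the find collector's name filter, if it offers one) keeps the LD_PRELOAD and dlopen cases while dropping most of the volume. On merged-/usr systems /lib, /lib32, /lib64 and /libx32 are symlinks into /usr, so those four listings duplicate the /usr/lib* ones and could be skipped when the directory is a symlink.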
diff --git a/artifacts/live_response/packages/rpm.yaml b/artifacts/live_response/packages/rpm.yaml index fec8a616..0d08c7cd 100644 --- a/artifacts/live_response/packages/rpm.yaml +++ b/artifacts/live_response/packages/rpm.yaml @@ -36,6 +36,38 @@ artifacts: file_type: [f, l] output_directory: /%temp_directory%/live_response/packages output_file: binary_files.txt + - + description: List filenames under /usr/lib/. + supported_os: [aix, linux] + collector: find + path: /usr/lib/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/lib32/. + supported_os: [aix, linux] + collector: find + path: /usr/lib32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/lib64/. + supported_os: [aix, linux] + collector: find + path: /usr/lib64/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/libx32/. + supported_os: [aix, linux] + collector: find + path: /usr/libx32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt - description: List filenames under /opt/. supported_os: [aix, linux] From 8bceef61da913f9dba3cc006f3f15f4a4eee2659 Mon Sep 17 00:00:00 2001 
From: Thiago Canozzo Lahr Date: Wed, 27 Nov 2024 08:05:07 -0300 Subject: [PATCH 3/3] artif: new artifact Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles --- CHANGELOG.md | 5 + artifacts/live_response/packages/dpkg.yaml | 120 ------------------ .../packages/package_owns_file.yaml | 97 ++++++++++++++ artifacts/live_response/packages/rpm.yaml | 74 +---------- profiles/full.yaml | 1 + profiles/ir_triage.yaml | 1 + 6 files changed, 105 insertions(+), 193 deletions(-) create mode 100644 artifacts/live_response/packages/package_owns_file.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index fd660e1e..110dc0c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ ## DEVELOPMENT VERSION +### Artifacts + +- live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)). +- live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)). + ### New Artifacts Properties - Added the new 'redirect_stderr_to_stdout' property, an optional feature available exclusively for the command collector. When set to true, this property redirects all error messages (stderr) to standard output (stdout), ensuring they are written to the output file. diff --git a/artifacts/live_response/packages/dpkg.yaml b/artifacts/live_response/packages/dpkg.yaml index 4da23ec9..07e373ab 100644 --- a/artifacts/live_response/packages/dpkg.yaml +++ b/artifacts/live_response/packages/dpkg.yaml 
@@ -14,123 +14,3 @@ artifacts: collector: command command: dpkg -V output_file: dpkg_-V.txt - - - description: List filenames under /sbin/. - supported_os: [linux] - collector: find - path: /sbin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/sbin/. - supported_os: [linux] - collector: find - path: /usr/sbin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /bin/. - supported_os: [linux] - collector: find - path: /bin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/bin/. - supported_os: [linux] - collector: find - path: /usr/bin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /lib/. - supported_os: [linux] - collector: find - path: /lib/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib/. - supported_os: [linux] - collector: find - path: /usr/lib/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /lib32/. - supported_os: [linux] - collector: find - path: /lib32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib32/. - supported_os: [linux] - collector: find - path: /usr/lib32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /lib64/. 
- supported_os: [linux] - collector: find - path: /lib64/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib64/. - supported_os: [linux] - collector: find - path: /usr/lib64/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /libx32/. - supported_os: [linux] - collector: find - path: /libx32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/libx32/. - supported_os: [linux] - collector: find - path: /usr/libx32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /opt/. - supported_os: [linux] - collector: find - path: /opt/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/local/. - supported_os: [linux] - collector: find - path: /usr/local/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: Search for a filename from installed packages. - supported_os: [linux] - collector: command - foreach: cat /%temp_directory%/live_response/packages/binary_files.txt - command: dpkg -S "%line%" 2>&1 - output_directory: /live_response/packages - output_file: dpkg_-S.txt diff --git a/artifacts/live_response/packages/package_owns_file.yaml b/artifacts/live_response/packages/package_owns_file.yaml new file mode 100644 index 00000000..ed231c31 --- /dev/null +++ b/artifacts/live_response/packages/package_owns_file.yaml 
@@ -0,0 +1,97 @@ +version: 1.0 +condition: command_exists "dpkg" || command_exists "pacman" || command_exists "rpm" +output_directory: /live_response/packages +artifacts: + - + description: List filenames under /bin/. + supported_os: [linux] + collector: find + path: /bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /sbin/. + supported_os: [linux] + collector: find + path: /sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/bin/. + supported_os: [linux] + collector: find + path: /usr/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/sbin/. + supported_os: [linux] + collector: find + path: /usr/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/local/bin/. + supported_os: [linux] + collector: find + path: /usr/local/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/local/sbin/. + supported_os: [linux] + collector: find + path: /usr/local/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /opt/bin/. + supported_os: [linux] + collector: find + path: /opt/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /opt/sbin/. 
+ supported_os: [linux] + collector: find + path: /opt/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: Determine which installed package owns a specific file or command. + supported_os: [linux] + collector: command + condition: command_exists "dpkg" + foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt + command: dpkg -S "%line%" + output_directory: /live_response/packages + output_file: dpkg_-S.txt + redirect_stderr_to_stdout: true + - + description: Determine which installed package owns a specific file or command. + supported_os: [linux] + collector: command + condition: command_exists "pacman" + foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt + command: pacman -Q -o "%line%" + output_directory: /live_response/packages + output_file: pacman_-Q_-o.txt + redirect_stderr_to_stdout: true + - + description: Determine which installed package owns a specific file or command. + supported_os: [linux] + collector: command + condition: command_exists "rpm" + foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt + command: rpm -q -f "%line%" | sed -e "s|$|: %line%|" + output_directory: /live_response/packages + output_file: rpm_-q_-f.txt diff --git a/artifacts/live_response/packages/rpm.yaml b/artifacts/live_response/packages/rpm.yaml index 0d08c7cd..cd172e40 100644 --- a/artifacts/live_response/packages/rpm.yaml +++ b/artifacts/live_response/packages/rpm.yaml @@ -1,4 +1,4 @@ -version: 3.1 +version: 3.0 condition: command_exists "rpm" output_directory: /live_response/packages artifacts: 
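Review bot: Each entry of binary_files.txt is substituted into a shell command as `"%line%"` (and for rpm into a sed expression), yet the names come from directories an intruder writes to, such as /usr/local/bin and /opt/bin, so if `%line%` is expanded textually before the shell parses the command, a file whose name contains `"`, a backtick or `$(...)` executes attacker-chosen commands as root on the host being triaged; this hinges on how the foreach substitution is implemented and should be verified. Filtering the loop input to shell-safe names and recording the rest separately (they are an indicator in their own right) closes the hole without changing the collectors: `foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt | grep -v '[^[:alnum:]/._+@:,=-]'`, plus one more artifact that greps the complement into suspicious_filenames.txt. The new file also drops the /lib and /usr/lib* listings that the previous commit in this series added, so library implants are no longer checked against the package database; if that is a deliberate runtime trade-off, the description should say so. The rpm entry is now `supported_os: [linux]` where the removed rpm.yaml entries listed `[aix, linux]`, which silently drops AIX coverage.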
@@ -20,75 +20,3 @@ artifacts: collector: command command: rpm -V -a output_file: rpm_-V_-a.txt - - - description: List filenames under /usr/sbin/. - supported_os: [aix, linux] - collector: find - path: /usr/sbin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/bin/. - supported_os: [aix, linux] - collector: find - path: /usr/bin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib/. - supported_os: [aix, linux] - collector: find - path: /usr/lib/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib32/. - supported_os: [aix, linux] - collector: find - path: /usr/lib32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib64/. - supported_os: [aix, linux] - collector: find - path: /usr/lib64/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/libx32/. - supported_os: [aix, linux] - collector: find - path: /usr/libx32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /opt/. - supported_os: [aix, linux] - collector: find - path: /opt/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/local/. 
- supported_os: [aix, linux]
- collector: find
- path: /usr/local/*
- file_type: [f, l]
- output_directory: /%temp_directory%/live_response/packages
- output_file: binary_files.txt
- -
- description: Search for a filename from installed packages.
- supported_os: [aix, linux]
- collector: command
- foreach: cat /%temp_directory%/live_response/packages/binary_files.txt
- command: rpm -q -f "%line%" | sed 's|$|: %line%|'
- output_directory: /live_response/packages
- output_file: rpm_-q_-f.txt
diff --git a/profiles/full.yaml b/profiles/full.yaml
index 1bdaaceb..49c02a3c 100644
--- a/profiles/full.yaml
+++ b/profiles/full.yaml
@@ -20,6 +20,7 @@ artifacts:
 - live_response/system/*
 - live_response/hardware/*
 - live_response/packages/*
+ - !live_response/packages/package_owns_file.yaml
 - live_response/storage/*
 - live_response/containers/*
 - live_response/vms/*
diff --git a/profiles/ir_triage.yaml b/profiles/ir_triage.yaml
index f0008c80..c1fdecbd 100644
--- a/profiles/ir_triage.yaml
+++ b/profiles/ir_triage.yaml
@@ -20,6 +20,7 @@ artifacts:
 - live_response/system/*
 - live_response/hardware/*
 - live_response/packages/*
+ - !live_response/packages/package_owns_file.yaml
 - live_response/storage/*
 - live_response/containers/*
 - live_response/vms/*
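Review bot: The opt-out is added only to full.yaml and ir_triage.yaml, while the commit message says the artifact is disabled in all profiles; any other profile that includes `live_response/packages/*` still picks up package_owns_file.yaml, because the file's own condition merely checks that a package manager exists. Assuming `!` exclusions apply in list order, placing the exclusion directly after the glob it narrows, as done here, is the right spot, and a comment beside it such as `# resource-intensive: run via an explicit profile or the command line` would tell profile authors why it is excluded.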