Create Linux.Forensics.Targets.yaml (#970)

content/exchange/artifacts/Linux.Forensics.Targets.yaml

@@ -0,0 +1,279 @@
+name: Linux.Forensics.Targets
+author: Cedric MAURUGEON - @kidrek
+description: |
+  This artifact collects all necessary artifacts files and directories from Linux operating system. 
+  
+reference:
+  - https://github.com/ForensicArtifacts/artifacts/blob/main/artifacts/data/linux.yaml
+
+parameters:
+  - name: BootTargets
+    type: csv
+    default: |
+      Glob
+      /boot/grub/grub.cfg
+      /boot/grub2/grub.cfg
+      /boot/initramfs*
+      /boot/initrd*
+      /etc/init.d/**
+      /etc/insserv.conf
+      /etc/insserv.conf.d/**
+
+  - name: CertificateTargets
+    type: csv
+    default: |
+      Glob
+      /etc/ca-certificates.conf
+      /etc/ssl/certs/ca-certificates.crt
+      /usr/share/ca-certificates/**
+      /usr/local/share/ca-certificates/**
+
+  - name: CronTargets
+    type: csv
+    default: |
+      Glob
+      /etc/anacrontab
+      /etc/at.allow
+      /etc/at.deny
+      /etc/cron.allow
+      /etc/cron.d/**
+      /etc/cron.daily/**
+      /etc/cron.deny
+      /etc/cron.hourly/**
+      /etc/cron.monthly/**
+      /etc/cron.weekly/**
+      /etc/crontab
+      /var/at/tabs/**
+      /var/spool/anacron/cron.*
+      /var/spool/at/**
+      /var/spool/cron/**
+
+  - name: LogTargets
+    type: csv
+    default: |
+      Glob
+      /etc/rsyslog.conf
+      /etc/rsyslog.d/**
+      /var/log/apache2/**
+      /var/log/apt/history.log*
+      /var/log/apt/term.log*
+      /var/log/auth*
+      /var/log/cron.log*
+      /var/log/daemon*
+      /var/log/journal/**
+      /var/log/kern*
+      /var/log/lastlog
+      /var/log/mail*
+      /var/log/messages*
+      /var/log/secure*
+      /var/log/syslog*
+      /var/log/nginx/**
+      /var/log/ufw.log*
+
+  - name: NetworkTargets
+    type: csv
+    default: |
+      Glob
+      /etc/netplan/*.yaml
+      /etc/network/if-up.d/**
+      /etc/network/if-down.d/**
+      /etc/network/interfaces
+      /etc/resolv.conf
+      /etc/default/ufw
+      /etc/ufw/sysctl.conf
+      /etc/ufw/*.rules
+      /etc/ufw/applications.d/**
+
+  - name: PackageTargets
+    type: csv
+    default: |
+      Glob
+      /etc/apt/sources.list
+      /etc/apt/sources.list.d/*
+      /etc/apt/trusted.gpg
+      /etc/apt/trusted.gpg.d/*
+      /etc/apt/trustdb.gpg
+      /etc/yum.conf
+      /etc/yum.repos.d/*.repo
+      /usr/share/keyrings/*
+      /var/lib/dpkg/status
+
+  - name: ServiceTargets
+    type: csv
+    default: |
+      Glob
+      /etc/systemd/system.control/*.timer
+      /etc/systemd/systemd.attached/*.timer
+      /etc/systemd/system/*.timer
+      /etc/systemd/user/*.timer
+      /lib/systemd/system/*.timer
+      /lib/systemd/user/*.timer
+      /run/systemd/generator.early/*.timer
+      /run/systemd/generator.late/*.timer
+      /run/systemd/generator/*.timer
+      /run/systemd/system.control/*.timer
+      /run/systemd/systemd.attached/*.timer
+      /run/systemd/system/*.timer
+      /run/systemd/transient/*.timer
+      /run/systemd/user/*.timer
+      /run/user/*/systemd/generator.early/*.timer
+      /run/user/*/systemd/generator.late/*.timer
+      /run/user/*/systemd/generator/*.timer
+      /run/user/*/systemd/transient/*.timer
+      /run/user/*/systemd/user.control/*.timer
+      /run/user/*/systemd/user/*.timer
+      /usr/lib/systemd/system/*.timer
+      /usr/lib/systemd/user/*.timer
+      /home/*/.config/systemd/user.control/*.timer
+      /home/*/.config/systemd/user/*.timer
+      /home/*/.local/share/systemd/user/*.timer
+      /root/.config/systemd/user.control/*.timer
+      /root/.config/systemd/user/*.timer
+      /root/.local/share/systemd/user/*.timer
+      /etc/systemd/system.control/*.service
+      /etc/systemd/systemd.attached/*.service
+      /etc/systemd/system/*.service
+      /etc/systemd/user/*.service
+      /lib/systemd/system/*.service
+      /lib/systemd/user/*.service
+      /run/systemd/generator.early/*.service
+      /run/systemd/generator.late/*.service
+      /run/systemd/generator/*.service
+      /run/systemd/system.control/*.service
+      /run/systemd/systemd.attached/*.service
+      /run/systemd/system/*.service
+      /run/systemd/transient/*.service
+      /run/systemd/user/*.service
+      /run/user/*/systemd/generator.early/*.service
+      /run/user/*/systemd/generator.late/*.service
+      /run/user/*/systemd/generator/*.service
+      /run/user/*/systemd/transient/*.service
+      /run/user/*/systemd/user.control/*.service
+      /run/user/*/systemd/user/*.service
+      /usr/lib/systemd/system/*.service
+      /usr/lib/systemd/user/*.service
+      /home/*/.config/systemd/user.control/*.service
+      /home/*/.config/systemd/user/*.service
+      /home/*/.local/share/systemd/user/*.service
+      /root/.config/systemd/user.control/*.service
+      /root/.config/systemd/user/*.service
+      /root/.local/share/systemd/user/*.service
+
+
+  - name: SystemTargets
+    type: csv
+    default: |
+      Glob
+      /dev/shm/**
+      /etc/fstab
+      /etc/hostname
+      /etc/issue
+      /etc/issue.net
+      /etc/ld.so.preload
+      /etc/localtime
+      /etc/ntp.conf
+      /etc/modprobe.d/*
+      /etc/modules.conf
+      /etc/ssh/**
+      /etc/timezone
+      /etc/udev/rules.d/*
+      /usr/lib/udev/rules.d/*
+
+  - name: SystemVersionTargets
+    type: csv
+    default: |
+      Glob
+      /etc/debian_version
+      /etc/centos-release
+      /etc/enterprise-release
+      /etc/oracle-release
+      /etc/redhat-release
+      /etc/rocky-release
+      /etc/SuSE-release
+      /etc/system-release
+      /etc/lsb-release
+      /etc/os-release
+      /usr/lib/os-release
+
+  - name: UserTargets
+    type: csv
+    default: |
+      Glob
+      /etc/passwd
+      /etc/shadow
+      /etc/sudoers
+      /etc/sudoers.d/**
+      /etc/group
+      /home/*/.config/mozilla/**
+      /home/*/snap/firefox/common/.mozilla/**
+      /home/*/.config/google-chrome/**
+      /home/*/snap/chromium/common/chromium/Default/**
+      /home/*/.aliases
+      /home/*/.profile
+      /home/*/.*_history
+      /home/*/.*rc
+      /home/*/.ssh/*
+      /home/*/.wget-hsts
+      /root/.config/mozilla/**
+      /root/snap/firefox/common/.mozilla/**
+      /root/.config/google-chrome/**
+      /root/snap/chromium/common/chromium/Default/**
+      /root/.aliases
+      /root/.profile
+      /root/.*_history
+      /root/.*rc
+      /root/.ssh/*
+      /root/.wget-hsts
+
+precondition: SELECT OS From info() where OS = 'linux'
+
+sources:
+  - name: BootTargets
+    query: |
+      SELECT OSPath, upload(file=OSPath) AS Upload
+      FROM glob(globs=BootTargets.Glob)
+
+  - name: CertificateTargets
+    query: |
+      SELECT OSPath, upload(file=OSPath) AS Upload
+      FROM glob(globs=CertificateTargets.Glob)
+
+  - name: CronTargets
+    query: |
+      SELECT OSPath, upload(file=OSPath) AS Upload
+      FROM glob(globs=CronTargets.Glob)
+
+  - name: LogTargets
+    query: |
+      SELECT OSPath, upload(file=OSPath) AS Upload
+      FROM glob(globs=LogTargets.Glob)
+
+  - name: NetworkTargets
+    query: |
+      SELECT OSPath, upload(file=OSPath) AS Upload
+      FROM glob(globs=NetworkTargets.Glob)
+
+  - name: PackageTargets
+    query: |
+      SELECT OSPath, upload(file=OSPath) AS Upload
+      FROM glob(globs=PackageTargets.Glob)
+
+  - name: ServiceTargets
+    query: |
+      SELECT OSPath, upload(file=OSPath) AS Upload
+      FROM glob(globs=ServiceTargets.Glob)
+
+  - name: SystemTargets
+    query: |
+      SELECT OSPath, upload(file=OSPath) AS Upload
+      FROM glob(globs=SystemTargets.Glob)
+
+  - name: SystemVersionTargets
+    query: |
+      SELECT OSPath, upload(file=OSPath) AS Upload
+      FROM glob(globs=SystemVersionTargets.Glob)
+
+  - name: UserTargets
+    query: |
+      SELECT OSPath, upload(file=OSPath) AS Upload
+      FROM glob(globs=UserTargets.Glob)