Merge pull request #231 from tclahr/new_artifacts

New artifacts
tclahr · May 22, 2024 · a857cda · a857cda
2 parents c636c4b + 907ec52
commit a857cda
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 16 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,4 +26,10 @@
 - live_response/packages/pkg.yaml: Updated collection support for information about installed packages [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
 - live_response/packages/xbps.yaml: Added collection support for packages installed through XBPS package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/yay.yaml: Added collection support for packages installed through Yay [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/process/procfs_information.yaml: Added collection support for entries corresponding to memory-mapped files [linux].
+- live_response/process/procfs_information.yaml: Added collection support for listing the contents of /proc/modules [linux].
+- live_response/process/procfs_information.yaml: Added collection support for listing Unix sockets [linux].
+- live_response/system/ebpf.yaml: Added collection support for listing pinned eBPF progs [linux].
+- live_response/system/kernel_modules.yaml: Added collection support for listing available parameters per kernel module [linux].
+- live_response/system/kernel_modules.yaml: Added collection support for listing loaded kernel modules to compare with /proc/modules [linux].
 - live_response/system/modinfo.yaml: Added collection support for information about loaded kernel modules [linux, solaris] (by [sanderu](https://github.com/sanderu)).
diff --git a/artifacts/files/logs/solaris.yaml b/artifacts/files/logs/solaris.yaml
@@ -1,4 +1,4 @@
-version: 1.0
+version: 2.0
 artifacts:
   -
     description: Collect lastlog log file.

diff --git a/artifacts/live_response/process/procfs_information.yaml b/artifacts/live_response/process/procfs_information.yaml
@@ -1,4 +1,4 @@
-version: 1.0
+version: 2.0
 artifacts:
   -
     description: Collect current running processes information.
@@ -8,9 +8,9 @@ artifacts:
     output_file: ls_-l_proc.txt
   -
     description: Collect running processes executable path.
-    supported_os: [freebsd, macos, openbsd]
+    supported_os: [aix]
     collector: command
-    command: ps -eo args | grep ^/ | awk '{print $1}' | sort -u
+    command: ls -l /proc/[0-9]*/object/a.out
     output_file: running_processes_full_paths.txt
   -
     description: Collect running processes executable path.
@@ -20,15 +20,15 @@ artifacts:
     output_file: running_processes_full_paths.txt
   -
     description: Collect running processes executable path.
-    supported_os: [netscaler]
+    supported_os: [freebsd, macos, openbsd]
     collector: command
-    command: ls -l /proc/[0-9]*/file
+    command: ps -eo args | grep ^/ | awk '{print $1}' | sort -u
     output_file: running_processes_full_paths.txt
   -
     description: Collect running processes executable path.
-    supported_os: [aix]
+    supported_os: [netscaler]
     collector: command
-    command: ls -l /proc/[0-9]*/object/a.out
+    command: ls -l /proc/[0-9]*/file
     output_file: running_processes_full_paths.txt
   -
     description: Collect running processes executable path.
@@ -98,6 +98,14 @@ artifacts:
     command: ls -la /proc/%line%/fd
     output_directory: proc/%line%
     output_file: fd.txt
+  -
+    description: Collect information about entries corresponding to memory-mapped files.
+    supported_os: [linux]
+    collector: command
+    foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+    command: ls -la /proc/%line%/map_files
+    output_directory: proc/%line%
+    output_file: map_files.txt
   -
     description: Collect the initial process' stack trace.
     supported_os: [android, linux]
@@ -114,6 +122,14 @@ artifacts:
     command: cat /proc/%line%/status
     output_directory: proc/%line%
     output_file: status.txt
+  -
+    description: Display the list of UNIX sockets.
+    supported_os: [linux]
+    collector: command
+    foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+    command: cat /proc/%line%/net/unix
+    output_directory: proc/%line%/net
+    output_file: unix.txt
   -
     description: Collect running process information.
     supported_os: [aix, solaris]
@@ -123,18 +139,21 @@ artifacts:
     output_directory: proc/%line%
     output_file: psinfo.txt
   -
-    description: Collect the list of files which the process has open.
-    supported_os: [solaris]
+    description: Collect information about all file descriptors opened by a process.
+    supported_os: [aix]
     collector: command
     foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
-    command: pfiles -F %line%
+    command: procfiles -n -c %line%
     output_directory: proc/%line%
-    output_file: pfiles.txt
+    output_file: procfiles.txt
   -
-    description: Collect information about all file descriptors opened by a process.
-    supported_os: [aix]
+    description: Collect the list of files which the process has open.
+    supported_os: [solaris]
     collector: command
     foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
-    command: procfiles -n -c %line%
+    command: pfiles -F %line%
     output_directory: proc/%line%
-    output_file: procfiles.txt
+    output_file: pfiles.txt
+
+# References:
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
diff --git a/artifacts/live_response/system/ebpf.yaml b/artifacts/live_response/system/ebpf.yaml
@@ -0,0 +1,11 @@
+version: 1.0
+artifacts:
+  -
+    description: List pinned eBPF progs.
+    supported_os: [linux]
+    collector: command
+    command: ls -la /sys/fs/bpf
+    output_file: ls_-la_sys_fs_bpf.txt
+
+# References:
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
diff --git a/artifacts/live_response/system/kernel_modules.yaml b/artifacts/live_response/system/kernel_modules.yaml
@@ -0,0 +1,19 @@
+version: 1.0
+artifacts:
+  -
+    description: Display the loaded kernel modules (compare with /proc/modules).
+    supported_os: [linux]
+    collector: command
+    command: ls -la /sys/module
+    output_file: ls_-la_sys_module.txt
+  -
+    description: Display available parameters per kernel module.
+    supported_os: [linux]
+    collector: command
+    foreach: for module in /sys/module/* ; do echo ${module} | sed -e 's:/sys/module/::'; done
+    command: ls -la /sys/module/%line%/parameters
+    output_directory: module/%line%
+    output_file: parameters.txt
+
+# References:
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf