From e1cc72bf3d94cdea79424d1f6d73a465751cb6b7 Mon Sep 17 00:00:00 2001
From: Jim Clausing
Date: Fri, 8 Nov 2024 16:39:17 -0500
Subject: [PATCH 1/4] Add offline_triage profile to only collect the files that ir_triage collects
---
profiles/offline_triage.yaml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 profiles/offline_triage.yaml
diff --git a/profiles/offline_triage.yaml b/profiles/offline_triage.yaml
new file mode 100644
index 00000000..d685c2f1
--- /dev/null
+++ b/profiles/offline_triage.yaml
@@ -0,0 +1,15 @@
+name: ir_triage
+description: Incident response triage collection.
+artifacts:
+ - bodyfile/bodyfile.yaml
+ - chkrootkit/chkrootkit.yaml
+ - hash_executables/hash_executables.yaml
+ - files/applications/git.yaml
+ - files/applications/lesshst.yaml
+ - files/applications/viminfo.yaml
+ - files/applications/wget.yaml
+ - files/logs/*
+ - files/packages/*
+ - files/shell/*
+ - files/ssh/*
+ - files/system/*
From 9fc9fe63073465956416920e7f6cda11de3d4f78 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Tue, 10 Dec 2024 08:44:26 -0300
Subject: [PATCH 2/4] Update and rename offline_triage.yaml to offline_ir_triage.yaml
---
profiles/{offline_triage.yaml => offline_ir_triage.yaml} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename profiles/{offline_triage.yaml => offline_ir_triage.yaml} (94%)
diff --git a/profiles/offline_triage.yaml b/profiles/offline_ir_triage.yaml
similarity index 94%
rename from profiles/offline_triage.yaml
rename to profiles/offline_ir_triage.yaml
index d685c2f1..1a675618 100644
--- a/profiles/offline_triage.yaml
+++ b/profiles/offline_ir_triage.yaml
@@ -1,4 +1,4 @@
-name: ir_triage
+name: offline_ir_triage
 description: Incident response triage collection.
 artifacts:
 - bodyfile/bodyfile.yaml
From c50b60e2958a9cdf686de8ac342fede4026550b4 Mon Sep 17 00:00:00 2001
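Review bot: The artifact list in profiles/offline_triage.yaml is a hand-copied subset of what the ir_triage profile collects (as the subject line says), but nothing in the file records that dependency, so the two lists will silently drift the next time ir_triage gains or loses an artifact. A header comment above `name:` would at least make the coupling visible to the next editor: `# Offline counterpart of the ir_triage profile: keep this artifact list in sync with it.` It is also worth confirming that bodyfile, chkrootkit and hash_executables operate on a mounted image rather than the running host; if any of them executes a command against the live system, it does not belong in a profile intended for offline collection.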
From: Thiago Canozzo Lahr
Date: Tue, 10 Dec 2024 08:46:08 -0300
Subject: [PATCH 3/4] Update offline_ir_triage.yaml
---
profiles/offline_ir_triage.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/offline_ir_triage.yaml b/profiles/offline_ir_triage.yaml
index 1a675618..eba41292 100644
--- a/profiles/offline_ir_triage.yaml
+++ b/profiles/offline_ir_triage.yaml
@@ -1,5 +1,5 @@
 name: offline_ir_triage
-description: Incident response triage collection.
+description: Offline incident response triage collection.
 artifacts:
 - bodyfile/bodyfile.yaml
 - chkrootkit/chkrootkit.yaml
From 057a1b264106e2063613f8636b3e2c6881770bad Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Wed, 8 Jan 2025 19:47:50 -0300
Subject: [PATCH 4/4] refactor: add new profile
---
CHANGELOG.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a782a73f..3bd4beb9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,10 @@
 - live_response/system/ulimit.yaml: Added collection of all resource limits information [all] ([mnrkbys](https://github.com/mnrkbys)).
 - memory_dump/coredump.yaml: Added collection of core dump, ABRT, Apport, and kdump files [esxi, linux, netbsd] ([mnrkbys](https://github.com/mnrkbys)).
+### Profiles
+
+- profiles/offline_ir_triage.yaml: New 'offline_ir_triage' profile that can be used during offline triage collections ([clausing](https://github.com/clausing)).
+
 ### New Artifacts Properties
 - Added the new 'redirect_stderr_to_stdout' property, an optional feature available exclusively for the command collector. When set to true, this property redirects all error messages (stderr) to standard output (stdout), ensuring they are written to the output file.