From 41c50d4a69597c4f13c13b36fcaeae40408e2ee3 Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Tue, 10 Sep 2024 14:50:36 +0900 Subject: [PATCH 01/19] artif: /etc/ld.so.preload via debugfs Add a new artifact to collect /etc/ld.so.preload. Although LD_PRELOAD rootkits may hide /etc/ld.so.preload, it can be read via debugfs. --- artifacts/chkrootkit/debugfs.yaml | 13 +++++++++++++ profiles/ir_triage.yaml | 3 +-- profiles/offline.yaml | 2 +- 3 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 artifacts/chkrootkit/debugfs.yaml diff --git a/artifacts/chkrootkit/debugfs.yaml b/artifacts/chkrootkit/debugfs.yaml new file mode 100644 index 00000000..ff079464 --- /dev/null +++ b/artifacts/chkrootkit/debugfs.yaml @@ -0,0 +1,13 @@ +version: 1.0 +condition: command_exists "debugfs" +output_directory: /live_response/storage +# Collect /etc/ld.so.preload even if it is hidden by LD_PRELOAD Rootkits. +# ref 1: https://www.youtube.com/watch?v=3UrEJzqqPYQ +# ref 2: https://righteousit.com/wp-content/uploads/2024/04/ld_preload-rootkits.pdf +artifacts: + - + description: Collect ld.so.preload. + supported_os: [linux] + collector: command + command: [ -f /etc/ld.so.preload ] && debugfs -R 'cat /etc/ld.so.preload' `df -T /etc | awk '$2 == "ext4" {print $1}'` + output_file: debugfs_-R_cat_etc_ld.so.preload.txt diff --git a/profiles/ir_triage.yaml b/profiles/ir_triage.yaml index f5b3284f..8e258f8f 100644 --- a/profiles/ir_triage.yaml +++ b/profiles/ir_triage.yaml @@ -23,7 +23,7 @@ artifacts: - live_response/storage/* - live_response/containers/* - live_response/vms/* - - chkrootkit/chkrootkit.yaml + - chkrootkit/* - hash_executables/hash_executables.yaml - files/applications/lesshst.yaml - files/applications/viminfo.yaml @@ -33,4 +33,3 @@ artifacts: - files/shell/* - files/ssh/* - files/system/* - \ No newline at end of file diff --git a/profiles/offline.yaml b/profiles/offline.yaml index 710323f1..0451b770 100644 --- a/profiles/offline.yaml +++ b/profiles/offline.yaml 
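Review bot: The guard `[ -f /etc/ld.so.preload ]` in the `command:` line is evaluated through the same libc stat() path an LD_PRELOAD rootkit hooks, so on exactly the hosts this artifact targets the test fails and debugfs never runs, leaving no output. The point of going through debugfs is to read the inode from the block device without asking the (possibly hooked) VFS, so the check should be dropped and only the device presence tested: `dev=$(df -T /etc | awk '$2 ~ /^ext/ {print $1}') && [ -n "${dev}" ] && debugfs -R 'cat /etc/ld.so.preload' "${dev}"`. The `awk '$2 == "ext4"'` filter also yields an empty device on ext2/ext3, which makes debugfs print its own error instead of the file; matching `^ext` covers all three. `df` and `awk` are themselves dynamically linked and run under the preload library; that is acceptable here because they only identify the device, but it deserves a comment in the YAML.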
@@ -2,6 +2,6 @@ name: offline description: Offline artifacts collection. artifacts: - bodyfile/bodyfile.yaml - - chkrootkit/chkrootkit.yaml + - chkrootkit/* - hash_executables/hash_executables.yaml - files/* From 51b1a2a21f1d1f939302f4a0a2b79c7f1456570f Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Thu, 12 Sep 2024 17:12:44 +0900 Subject: [PATCH 02/19] artif: Dump /etc/ld.so.preload with xfs_db Add a new artifact to dump /etc/ld.so.preload. If the file system where /etc is located is XFS, we need to use xfs_db instead of debugfs. --- artifacts/chkrootkit/debugfs.yaml | 6 +- artifacts/chkrootkit/xfs_db.yaml | 14 ++++ bin/linux/linux_dump_ldsopreload.sh | 109 ++++++++++++++++++++++++++++ 3 files changed, 126 insertions(+), 3 deletions(-) create mode 100644 artifacts/chkrootkit/xfs_db.yaml create mode 100644 bin/linux/linux_dump_ldsopreload.sh diff --git a/artifacts/chkrootkit/debugfs.yaml b/artifacts/chkrootkit/debugfs.yaml index ff079464..8e61e1fd 100644 --- a/artifacts/chkrootkit/debugfs.yaml +++ b/artifacts/chkrootkit/debugfs.yaml @@ -1,13 +1,13 @@ version: 1.0 condition: command_exists "debugfs" -output_directory: /live_response/storage +output_directory: /live_response/chkrootkit # Collect /etc/ld.so.preload even if it is hidden by LD_PRELOAD Rootkits. # ref 1: https://www.youtube.com/watch?v=3UrEJzqqPYQ # ref 2: https://righteousit.com/wp-content/uploads/2024/04/ld_preload-rootkits.pdf artifacts: - - description: Collect ld.so.preload. + description: Dump /etc/ld.so.preload with debugfs. supported_os: [linux] collector: command - command: [ -f /etc/ld.so.preload ] && debugfs -R 'cat /etc/ld.so.preload' `df -T /etc | awk '$2 == "ext4" {print $1}'` + command: debugfs -R 'cat /etc/ld.so.preload' `df -T /etc | awk '$2 == "ext4" {print $1}'` output_file: debugfs_-R_cat_etc_ld.so.preload.txt diff --git a/artifacts/chkrootkit/xfs_db.yaml b/artifacts/chkrootkit/xfs_db.yaml new file mode 100644 index 00000000..37190c4c --- /dev/null 
+++ b/artifacts/chkrootkit/xfs_db.yaml @@ -0,0 +1,14 @@ +version: 1.0 +condition: command_exists "xfs_db" +output_directory: /live_response/chkrootkit +# Collect /etc/ld.so.preload even if it is hidden by LD_PRELOAD Rootkits. +# ref 1: https://www.youtube.com/watch?v=3UrEJzqqPYQ +# ref 2: https://righteousit.com/wp-content/uploads/2024/04/ld_preload-rootkits.pdf +# ref 3: https://www.youtube.com/watch?v=-K9hhqv21P8 +artifacts: + - + description: Dump /etc/ld.so.preload with xfs_db. + supported_os: [linux] + collector: command + command: linux_dump_ldsopreload.sh + output_file: xfs_db_etc_ld.so.preload.txt diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_ldsopreload.sh new file mode 100644 index 00000000..6257b89f --- /dev/null +++ b/bin/linux/linux_dump_ldsopreload.sh 
@@ -0,0 +1,109 @@ +#!/bin/bash +# Copyright 2024 Minoru Kobayashi (@unkn0wnbit) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# reference: https://www.youtube.com/watch?v=-K9hhqv21P8 + +usage() { + cat <<"EOM" +Dump /etc/ld.so.preload (first sector only) via xfs_db + +Usage: $0 [-d dumpdir] + + -d dumpdir Specify the output directory +EOM + exit 1; +} + + +find_ldsopreload_inumber() { + xfs_db -r $1 -c "daddr $2" -c "type dir3" -c "print" | awk ' + { + if ($0 ~ /du\[([0-9]+)\].inumber = ([0-9]+)/) { + match($0, /du\[([0-9]+)\].inumber = ([0-9]+)/, arr); + inumber[arr[1]] = arr[2]; # arr[1] = NUM, arr[2] = inumber + } + + if ($0 ~ /du\[([0-9]+)\].name = "ld.so.preload"/) { + match($0, /du\[([0-9]+)\].name = "ld.so.preload"/, arr); + num = arr[1]; # arr[1] = NUM + if (num in inumber) { + # print "name: " $0 ", inumber: " inumber[num]; + print inumber[num]; + found = 1; + } + } + } + + END { + if (!found) { + print 0; + } + } + ' +} + + +while getopts "d:" opts; do + case ${opts} in + d) outputdir=${OPTARG} + ;; + *) usage + ;; + esac +done + +# Which device has /etc directory? +etc_dev=`df -T /etc | awk '$2 == "xfs" {print $1}'` +# echo "etc_dev: ${etc_dev}" + +# Get inode number of /etc directory itself. +etc_inumber=`ls -id /etc | awk '{print $1}'` +# echo "etc_inumber: ${etc_inumber}" + +# Get fsblock numbers of /etc directory. 
+etc_fsblocks=`xfs_db -r ${etc_dev} -c "inode ${etc_inumber}" -c "bmap" | awk '{print $5}'` +# echo "etc_fsblocks: ${etc_fsblocks}" + +# Find inode number of /etc/ld.so.preload file. +for etc_fsblock in ${etc_fsblocks}; do + etc_daddr=`xfs_db -r ${etc_dev} -c "convert fsblock ${etc_fsblock} daddr" | sed -n 's/.*(\([0-9]*\)).*/\1/p'` + # echo "etc_daddr: ${etc_daddr}" + ldsopreload_inumber=`find_ldsopreload_inumber ${etc_dev} ${etc_daddr}` + # echo "ldsopreload_inumber: ${ldsopreload_inumber}" + if [ ${ldsopreload_inumber} -ne 0 ]; then + break + fi +done + +if [ ${ldsopreload_inumber} -eq 0 ]; then + echo "/etc/ld.so.preload not found." + exit 1 +fi + +# Get fsblock numbers of /etc/ld.so.preload file. +# In many cases, there is only one fsblock. +ldsopreload_fsblocks=`xfs_db -r ${etc_dev} -c "inode ${ldsopreload_inumber}" -c "bmap" | awk '{print $5}'` +# echo "ldsopreload_fsblocks: ${ldsopreload_fsblocks}" + +# Convert fsblock numbers to daddr. +ldsopreload_daddr=`xfs_db -r ${etc_dev} -c "convert fsblock ${ldsopreload_fsblocks} daddr" | sed -n 's/.*(\([0-9]*\)).*/\1/p'` +# echo "ldsopreload_daddr: ${ldsopreload_daddr}" + +# Dump /etc/ld.so.preload file. +# I believe that /etc/ld.so.preload is not so large. +sector_size=`xfs_db -r /dev/mapper/rl-root -c "sb 0" -c "print" | grep -E "^sectsize" | awk '{print $3}'` +# echo "sector_size: ${sector_size}" +dd if=${etc_dev} bs=${sector_size} skip=${ldsopreload_daddr} count=1 From 45e6eef74a95e4a14487a0c7735f9a42c0161dca Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Thu, 12 Sep 2024 19:40:16 +0900 Subject: [PATCH 03/19] artif: modify command --- artifacts/chkrootkit/debugfs.yaml | 2 +- artifacts/chkrootkit/xfs_db.yaml | 2 +- bin/linux/linux_dump_ldsopreload.sh | 18 ++++++++++++++++-- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/artifacts/chkrootkit/debugfs.yaml b/artifacts/chkrootkit/debugfs.yaml index 8e61e1fd..37876ec6 100644 --- a/artifacts/chkrootkit/debugfs.yaml 
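Review bot: `sector_size` is read from the hard-coded device `/dev/mapper/rl-root` instead of `${etc_dev}`, so on any host without that LVM volume xfs_db fails, `sector_size` is empty and `dd bs=` aborts (or, if such a volume exists but is not the one holding /etc, the wrong superblock is consulted); it should be `sector_size=\`xfs_db -r ${etc_dev} -c "sb 0" -c "print" | grep -E "^sectsize" | awk '{print $3}'\``. The same literal is carried forward in PATCH 04/19, 06/19 and 08/19 of this series and needs the same fix there. Separately, if `etc_fsblocks` is empty (a short-form /etc directory stored inline in the inode) the loop body never runs, `ldsopreload_inumber` stays unset and `[ ${ldsopreload_inumber} -eq 0 ]` is a shell syntax error rather than the intended "not found" exit; initialise `ldsopreload_inumber=0` before the loop. The three-argument awk `match(s, r, arr)` is a gawk extension, so on hosts whose `awk` is mawk or busybox the inode lookup silently returns 0.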
+++ b/artifacts/chkrootkit/debugfs.yaml @@ -9,5 +9,5 @@ artifacts: description: Dump /etc/ld.so.preload with debugfs. supported_os: [linux] collector: command - command: debugfs -R 'cat /etc/ld.so.preload' `df -T /etc | awk '$2 == "ext4" {print $1}'` + command: dev=$(df -T /etc | awk '$2 == "ext4" {print $1}') && [ -n "${dev}" ] && debugfs -R 'cat /etc/ld.so.preload' "${dev}" output_file: debugfs_-R_cat_etc_ld.so.preload.txt diff --git a/artifacts/chkrootkit/xfs_db.yaml b/artifacts/chkrootkit/xfs_db.yaml index 37190c4c..5473516c 100644 --- a/artifacts/chkrootkit/xfs_db.yaml +++ b/artifacts/chkrootkit/xfs_db.yaml @@ -10,5 +10,5 @@ artifacts: description: Dump /etc/ld.so.preload with xfs_db. supported_os: [linux] collector: command - command: linux_dump_ldsopreload.sh + command: dev=$(df -T /etc | awk '$2 == "xfs" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh -v "${dev}" output_file: xfs_db_etc_ld.so.preload.txt diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_ldsopreload.sh index 6257b89f..48854967 100644 --- a/bin/linux/linux_dump_ldsopreload.sh +++ b/bin/linux/linux_dump_ldsopreload.sh @@ -23,6 +23,7 @@ Dump /etc/ld.so.preload (first sector only) via xfs_db Usage: $0 [-d dumpdir] -d dumpdir Specify the output directory + -v device Specify the device which has /etc directory EOM exit 1; } 
@@ -56,17 +57,30 @@ find_ldsopreload_inumber() { } -while getopts "d:" opts; do +while getopts "d:v:" opts; do case ${opts} in d) outputdir=${OPTARG} ;; + v) etc_dev=${OPTARG} + ;; *) usage ;; esac done # Which device has /etc directory? -etc_dev=`df -T /etc | awk '$2 == "xfs" {print $1}'` +if [ -z "${etc_dev}" ]; then + etc_dev=`df -T /etc | awk '$2 == "xfs" {print $1}'` + if [ -z "${etc_dev}" ]; then + echo "/etc is not on XFS filesystem." + exit 1 + fi +else + if [ `df -T "${etc_dev}" | awk '$2 != "Type" {print $2}'` != "xfs" ]; then + echo "${etc_dev} is not XFS filesystem." + exit 1 + fi +fi # echo "etc_dev: ${etc_dev}" # Get inode number of /etc directory itself. From 04d85b9073b58e5f8a6df2f7275277b910cc18bc Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Fri, 13 Sep 2024 10:25:35 +0900 Subject: [PATCH 04/19] refactor: tidy up linux_dump_ldsopreload.sh Refactor command options. --- artifacts/chkrootkit/xfs_db.yaml | 2 +- bin/linux/linux_dump_ldsopreload.sh | 58 ++++++++++++++++++----------- 2 files changed, 37 insertions(+), 23 deletions(-) diff --git a/artifacts/chkrootkit/xfs_db.yaml b/artifacts/chkrootkit/xfs_db.yaml index 5473516c..9d882313 100644 --- a/artifacts/chkrootkit/xfs_db.yaml +++ b/artifacts/chkrootkit/xfs_db.yaml @@ -10,5 +10,5 @@ artifacts: description: Dump /etc/ld.so.preload with xfs_db. supported_os: [linux] collector: command - command: dev=$(df -T /etc | awk '$2 == "xfs" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh -v "${dev}" + command: dev=$(df -T /etc | awk '$2 == "xfs" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh -d "${dev}" output_file: xfs_db_etc_ld.so.preload.txt diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_ldsopreload.sh index 48854967..e46571a8 100644 --- a/bin/linux/linux_dump_ldsopreload.sh +++ b/bin/linux/linux_dump_ldsopreload.sh 
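Review bot: The `-d device` check `if [ \`df -T "${etc_dev}" | awk '$2 != "Type" {print $2}'\` != "xfs" ]` leaves the command substitution unquoted, so when `df` fails on a bad or non-existent device the test collapses to `[ != xfs ]` and bash reports "unary operator expected" instead of the intended message; quote it: `if [ "$(df -T "${etc_dev}" | awk 'NR==2 {print $2}')" != "xfs" ]; then`. The `$2 != "Type"` filter also prints one field per data row, so any multi-line `df` output feeds several words into `[`. The top-level code this hunk modifies continues past the hunk.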
@@ -18,17 +18,27 @@ usage() { cat <<"EOM" -Dump /etc/ld.so.preload (first sector only) via xfs_db +Dump /etc/ld.so.preload (first sector only) with xfs_db Usage: $0 [-d dumpdir] - -d dumpdir Specify the output directory - -v device Specify the device which has /etc directory + -d device Specify the device which has /etc directory + -h Show this help message + -l sector_count Specify the sector count to dump (default: 1) + -o outputfile Specify the output file + -v Enable verbose mode EOM exit 1; } +print_msg() { + if [ ${verbose_mode} -eq 1 ]; then + echo $1 + fi +} + + find_ldsopreload_inumber() { xfs_db -r $1 -c "daddr $2" -c "type dir3" -c "print" | awk ' { @@ -57,11 +67,19 @@ find_ldsopreload_inumber() { } -while getopts "d:v:" opts; do +sector_count=1 +verbose_mode=0 +while getopts "d:hl:o:v" opts; do case ${opts} in - d) outputdir=${OPTARG} + d) etc_dev=${OPTARG} + ;; + h) usage ;; - v) etc_dev=${OPTARG} + l) sector_count=${OPTARG} + ;; + o) outputfile=${OPTARG} + ;; + v) verbose_mode=1 ;; *) usage ;; 
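Review bot: The help text still reads `Usage: $0 [-d dumpdir]` although `-d` now takes a device and four more options were added, and because the heredoc is opened with a quoted delimiter (`<<"EOM"`) the `$0` is printed literally rather than expanded. Either drop the quotes (`cat <<EOM`; nothing else in the text needs protection from expansion) or hard-code the script name, and update the line to `Usage: $0 [-d device] [-h] [-l sector_count] [-o outputfile] [-v]`. In `print_msg`, `echo $1` should be `echo "$1"` so messages containing globs or runs of spaces are emitted unchanged, and `-h` routing to `usage` exits with status 1, which is surprising for an explicitly requested help screen.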
@@ -72,52 +90,48 @@ done if [ -z "${etc_dev}" ]; then etc_dev=`df -T /etc | awk '$2 == "xfs" {print $1}'` if [ -z "${etc_dev}" ]; then - echo "/etc is not on XFS filesystem." - exit 1 + print_msg "/etc is not on XFS filesystem." + exit 2 fi else - if [ `df -T "${etc_dev}" | awk '$2 != "Type" {print $2}'` != "xfs" ]; then - echo "${etc_dev} is not XFS filesystem." - exit 1 + if [ `df -T "${etc_dev}" | awk 'NR==2 {print $2}'` != "xfs" ]; then + print_msg "${etc_dev} is not XFS filesystem." + exit 2 fi fi -# echo "etc_dev: ${etc_dev}" # Get inode number of /etc directory itself. etc_inumber=`ls -id /etc | awk '{print $1}'` -# echo "etc_inumber: ${etc_inumber}" # Get fsblock numbers of /etc directory. etc_fsblocks=`xfs_db -r ${etc_dev} -c "inode ${etc_inumber}" -c "bmap" | awk '{print $5}'` -# echo "etc_fsblocks: ${etc_fsblocks}" # Find inode number of /etc/ld.so.preload file. for etc_fsblock in ${etc_fsblocks}; do etc_daddr=`xfs_db -r ${etc_dev} -c "convert fsblock ${etc_fsblock} daddr" | sed -n 's/.*(\([0-9]*\)).*/\1/p'` - # echo "etc_daddr: ${etc_daddr}" ldsopreload_inumber=`find_ldsopreload_inumber ${etc_dev} ${etc_daddr}` - # echo "ldsopreload_inumber: ${ldsopreload_inumber}" if [ ${ldsopreload_inumber} -ne 0 ]; then break fi done if [ ${ldsopreload_inumber} -eq 0 ]; then - echo "/etc/ld.so.preload not found." - exit 1 + print_msg "/etc/ld.so.preload not found." + exit 3 fi # Get fsblock numbers of /etc/ld.so.preload file. # In many cases, there is only one fsblock. ldsopreload_fsblocks=`xfs_db -r ${etc_dev} -c "inode ${ldsopreload_inumber}" -c "bmap" | awk '{print $5}'` -# echo "ldsopreload_fsblocks: ${ldsopreload_fsblocks}" # Convert fsblock numbers to daddr. ldsopreload_daddr=`xfs_db -r ${etc_dev} -c "convert fsblock ${ldsopreload_fsblocks} daddr" | sed -n 's/.*(\([0-9]*\)).*/\1/p'` -# echo "ldsopreload_daddr: ${ldsopreload_daddr}" # Dump /etc/ld.so.preload file. # I believe that /etc/ld.so.preload is not so large. 
sector_size=`xfs_db -r /dev/mapper/rl-root -c "sb 0" -c "print" | grep -E "^sectsize" | awk '{print $3}'` -# echo "sector_size: ${sector_size}" -dd if=${etc_dev} bs=${sector_size} skip=${ldsopreload_daddr} count=1 +if [ -z "${outputfile}" ]; then + dd if="${etc_dev}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count}" +else + dd if="${etc_dev}" of="${outputfile}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count}" +fi From 8f1b5eb2d9c2494526d691949fe6c889102f764c Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Fri, 13 Sep 2024 14:54:29 +0900 Subject: [PATCH 05/19] refactor: suppress the status message of dd --- bin/linux/linux_dump_ldsopreload.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_ldsopreload.sh index e46571a8..bfb6eed4 100644 --- a/bin/linux/linux_dump_ldsopreload.sh +++ b/bin/linux/linux_dump_ldsopreload.sh @@ -131,7 +131,7 @@ ldsopreload_daddr=`xfs_db -r ${etc_dev} -c "convert fsblock ${ldsopreload_fsbloc # I believe that /etc/ld.so.preload is not so large. sector_size=`xfs_db -r /dev/mapper/rl-root -c "sb 0" -c "print" | grep -E "^sectsize" | awk '{print $3}'` if [ -z "${outputfile}" ]; then - dd if="${etc_dev}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count}" + dd if="${etc_dev}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count}" status=none else - dd if="${etc_dev}" of="${outputfile}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count}" + dd if="${etc_dev}" of="${outputfile}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count}" status=none fi From 125e3b88ce8ca7bdd416aa70e80dc080e37d09f3 Mon Sep 17 00:00:00 2001 
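Review bot: Error reporting in this hunk is routed through `print_msg`, which only prints when `-v` was given, so in the default mode the collector receives an empty output file and exit status 2 or 3 with no indication of why — and when it does print, the text goes to stdout, i.e. into the artifact file itself. Diagnostics should be unconditional and on stderr, e.g. `echo "/etc/ld.so.preload not found." >&2` (likewise for the two XFS checks), with `print_msg` kept for the debugging traces it replaced. `sector_size` is still taken from the hard-coded `/dev/mapper/rl-root` here rather than `${etc_dev}`; see the note on PATCH 02/19.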
From: Minoru Kobayashi Date: Mon, 16 Sep 2024 21:55:51 +0900 Subject: [PATCH 06/19] artif: merge artifacts Merge debugfs.yaml and xfs_db.yaml into one file. --- artifacts/chkrootkit/debugfs.yaml | 13 -- .../{xfs_db.yaml => hiding_ldsopreload.yaml} | 12 +- bin/linux/linux_dump_ldsopreload.sh | 113 +++++++++++------- 3 files changed, 77 insertions(+), 61 deletions(-) delete mode 100644 artifacts/chkrootkit/debugfs.yaml rename artifacts/chkrootkit/{xfs_db.yaml => hiding_ldsopreload.yaml} (54%) diff --git a/artifacts/chkrootkit/debugfs.yaml b/artifacts/chkrootkit/debugfs.yaml deleted file mode 100644 index 37876ec6..00000000 --- a/artifacts/chkrootkit/debugfs.yaml +++ /dev/null @@ -1,13 +0,0 @@ -version: 1.0 -condition: command_exists "debugfs" -output_directory: /live_response/chkrootkit -# Collect /etc/ld.so.preload even if it is hidden by LD_PRELOAD Rootkits. -# ref 1: https://www.youtube.com/watch?v=3UrEJzqqPYQ -# ref 2: https://righteousit.com/wp-content/uploads/2024/04/ld_preload-rootkits.pdf -artifacts: - - - description: Dump /etc/ld.so.preload with debugfs. - supported_os: [linux] - collector: command - command: dev=$(df -T /etc | awk '$2 == "ext4" {print $1}') && [ -n "${dev}" ] && debugfs -R 'cat /etc/ld.so.preload' "${dev}" - output_file: debugfs_-R_cat_etc_ld.so.preload.txt diff --git a/artifacts/chkrootkit/xfs_db.yaml b/artifacts/chkrootkit/hiding_ldsopreload.yaml similarity index 54% rename from artifacts/chkrootkit/xfs_db.yaml rename to artifacts/chkrootkit/hiding_ldsopreload.yaml index 9d882313..9beac2f8 100644 --- a/artifacts/chkrootkit/xfs_db.yaml +++ b/artifacts/chkrootkit/hiding_ldsopreload.yaml 
@@ -1,14 +1,22 @@ version: 1.0 -condition: command_exists "xfs_db" output_directory: /live_response/chkrootkit # Collect /etc/ld.so.preload even if it is hidden by LD_PRELOAD Rootkits. # ref 1: https://www.youtube.com/watch?v=3UrEJzqqPYQ # ref 2: https://righteousit.com/wp-content/uploads/2024/04/ld_preload-rootkits.pdf # ref 3: https://www.youtube.com/watch?v=-K9hhqv21P8 +# ref 4: https://righteousit.com/wp-content/uploads/2024/04/xfs_db-ftw.pdf artifacts: + - + description: Dump /etc/ld.so.preload with debugfs. + supported_os: [linux] + collector: command + condition: command_exists "debugfs" + command: dev=$(df -T /etc | awk '$2 ~ "^ext" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh -d "${dev}" + output_file: etc_ld.so.preload.txt - description: Dump /etc/ld.so.preload with xfs_db. supported_os: [linux] collector: command + condition: command_exists "xfs_db" command: dev=$(df -T /etc | awk '$2 == "xfs" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh -d "${dev}" - output_file: xfs_db_etc_ld.so.preload.txt + output_file: etc_ld.so.preload.txt diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_ldsopreload.sh index bfb6eed4..4ed4e771 100644 --- a/bin/linux/linux_dump_ldsopreload.sh +++ b/bin/linux/linux_dump_ldsopreload.sh @@ -18,13 +18,13 @@ usage() { cat <<"EOM" -Dump /etc/ld.so.preload (first sector only) with xfs_db +Dump /etc/ld.so.preload on XFS or EXT-based filesystem. -Usage: $0 [-d dumpdir] +Usage: $0 [-d device] [-h] [-l sector_count] [-o outputfile] [-v] -d device Specify the device which has /etc directory -h Show this help message - -l sector_count Specify the sector count to dump (default: 1) + -l sector_count Specify the sector count to dump (only for XFS, default: 1) -o outputfile Specify the output file -v Enable verbose mode EOM 
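Review bot: Both artifact entries now write to the same `output_file: etc_ld.so.preload.txt`; if the collector runs every entry whose `condition` holds (both `debugfs` and `xfs_db` can be installed on one host) and creates or truncates the output file before executing the command, the entry whose `dev=` test fails will clobber the other's result with an empty file. Since `linux_dump_ldsopreload.sh` now detects the filesystem type itself, either keep distinct names such as `etc_ld.so.preload_debugfs.txt` / `etc_ld.so.preload_xfs_db.txt` or collapse the two entries into one. I am inferring the collector's file-creation behaviour from the shared name; please confirm against the command collector implementation.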
@@ -39,7 +39,7 @@ print_msg() { } -find_ldsopreload_inumber() { +find_xfs_ldsopreload_inumber() { xfs_db -r $1 -c "daddr $2" -c "type dir3" -c "print" | awk ' { if ($0 ~ /du\[([0-9]+)\].inumber = ([0-9]+)/) { 
@@ -67,6 +67,60 @@ find_ldsopreload_inumber() { } +dump_xfs_ldsopreload() { + etc_dev_l=$1 + outputfile_l=$2 + sector_count_l=$3 + # Get inode number of /etc directory itself. + etc_inumber=$(ls -id /etc | awk '{print $1}') + + # Get fsblock numbers of /etc directory. + etc_fsblocks=$(xfs_db -r ${etc_dev_l} -c "inode ${etc_inumber}" -c "bmap" | awk '{print $5}') + + # Find inode number of /etc/ld.so.preload file. + for etc_fsblock in ${etc_fsblocks}; do + etc_daddr=$(xfs_db -r ${etc_dev_l} -c "convert fsblock ${etc_fsblock} daddr" | sed -n 's/.*(\([0-9]*\)).*/\1/p') + ldsopreload_inumber=$(find_xfs_ldsopreload_inumber ${etc_dev_l} ${etc_daddr}) + if [ ${ldsopreload_inumber} -ne 0 ]; then + break + fi + done + + if [ ${ldsopreload_inumber} -eq 0 ]; then + print_msg "/etc/ld.so.preload not found." + exit 3 + fi + + # Get fsblock numbers of /etc/ld.so.preload file. + # In many cases, there is only one fsblock. + ldsopreload_fsblocks=$(xfs_db -r ${etc_dev_l} -c "inode ${ldsopreload_inumber}" -c "bmap" | awk '{print $5}') + + # Convert fsblock numbers to daddr. + ldsopreload_daddr=$(xfs_db -r ${etc_dev_l} -c "convert fsblock ${ldsopreload_fsblocks} daddr" | sed -n 's/.*(\([0-9]*\)).*/\1/p') + + # Dump /etc/ld.so.preload file. + # I believe that /etc/ld.so.preload is not so large. 
+ sector_size=$(xfs_db -r /dev/mapper/rl-root -c "sb 0" -c "print" | grep -E "^sectsize" | awk '{print $3}') + if [ -z "${outputfile_l}" ]; then + dd if="${etc_dev_l}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count_l}" status=none + else + dd if="${etc_dev_l}" of="${outputfile_l}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count_l}" status=none + fi +} + + +dump_ext_ldsopreload() { + etc_dev_l=$1 + outputfile_l=$2 + # debugfs -R 'cat /etc/ld.so.preload' "${etc_dev_l}" + if [ -z "${outputfile_l}" ]; then + debugfs -R 'cat /etc/ld.so.preload' "${etc_dev_l}" + else + debugfs -R "dump /etc/ld.so.preload \"${outputfile_l}\"" "${etc_dev_l}" + fi +} + + sector_count=1 verbose_mode=0 while getopts "d:hl:o:v" opts; do 
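Review bot: `dump_xfs_ldsopreload` and `dump_ext_ldsopreload` assign every working variable (`etc_dev_l`, `etc_inumber`, `ldsopreload_inumber`, `sector_size`, …) without `local`, so they leak into the global scope, and `dump_xfs_ldsopreload` calls `exit 3` from inside a function, which makes the helpers unusable for any other call path; declare them `local` and `return` a status for the caller to act on. `debugfs -R "dump /etc/ld.so.preload \"${outputfile_l}\""` embeds the output path in a debugfs command string, so a path containing a double quote breaks the command — acceptable for a collector-controlled path, but worth a comment. The XFS branch still reads the superblock from the literal `/dev/mapper/rl-root` rather than `${etc_dev_l}`.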
@@ -88,50 +142,17 @@ done # Which device has /etc directory? if [ -z "${etc_dev}" ]; then - etc_dev=`df -T /etc | awk '$2 == "xfs" {print $1}'` - if [ -z "${etc_dev}" ]; then - print_msg "/etc is not on XFS filesystem." - exit 2 - fi + read etc_dev fs_type <<< $(df -T /etc | awk 'NR==2 {print $1, $2}') else - if [ `df -T "${etc_dev}" | awk 'NR==2 {print $2}'` != "xfs" ]; then - print_msg "${etc_dev} is not XFS filesystem." - exit 2 - fi + fs_type=$(df -T "${etc_dev}" | awk 'NR==2 {print $2}') fi -# Get inode number of /etc directory itself. -etc_inumber=`ls -id /etc | awk '{print $1}'` - -# Get fsblock numbers of /etc directory. -etc_fsblocks=`xfs_db -r ${etc_dev} -c "inode ${etc_inumber}" -c "bmap" | awk '{print $5}'` - -# Find inode number of /etc/ld.so.preload file. -for etc_fsblock in ${etc_fsblocks}; do - etc_daddr=`xfs_db -r ${etc_dev} -c "convert fsblock ${etc_fsblock} daddr" | sed -n 's/.*(\([0-9]*\)).*/\1/p'` - ldsopreload_inumber=`find_ldsopreload_inumber ${etc_dev} ${etc_daddr}` - if [ ${ldsopreload_inumber} -ne 0 ]; then - break - fi -done - -if [ ${ldsopreload_inumber} -eq 0 ]; then - print_msg "/etc/ld.so.preload not found." - exit 3 -fi - -# Get fsblock numbers of /etc/ld.so.preload file. -# In many cases, there is only one fsblock. -ldsopreload_fsblocks=`xfs_db -r ${etc_dev} -c "inode ${ldsopreload_inumber}" -c "bmap" | awk '{print $5}'` - -# Convert fsblock numbers to daddr. -ldsopreload_daddr=`xfs_db -r ${etc_dev} -c "convert fsblock ${ldsopreload_fsblocks} daddr" | sed -n 's/.*(\([0-9]*\)).*/\1/p'` - -# Dump /etc/ld.so.preload file. -# I believe that /etc/ld.so.preload is not so large. 
-sector_size=`xfs_db -r /dev/mapper/rl-root -c "sb 0" -c "print" | grep -E "^sectsize" | awk '{print $3}'` -if [ -z "${outputfile}" ]; then - dd if="${etc_dev}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count}" status=none +# Check filesystem type and dump /etc/ld.so.preload +if [ "${fs_type}" = "xfs" ]; then + dump_xfs_ldsopreload "${etc_dev}" "${outputfile}" "${sector_count}" +elif [[ "${fs_type}" =~ ^ext ]]; then + dump_ext_ldsopreload "${etc_dev}" "${outputfile}" else - dd if="${etc_dev}" of="${outputfile}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count}" status=none + print_msg "/etc is not on XFS or EXT filesystem." + exit 2 fi From f65765a66977af55625b57a366d8418163aedbe9 Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Tue, 17 Sep 2024 10:27:50 +0900 Subject: [PATCH 07/19] refactor: optimize awk code --- bin/linux/linux_dump_ldsopreload.sh | 34 ++++++++++++++++++----------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_ldsopreload.sh index 4ed4e771..7f62fe18 100644 --- a/bin/linux/linux_dump_ldsopreload.sh +++ b/bin/linux/linux_dump_ldsopreload.sh @@ -14,7 +14,10 @@ # limitations under the License. # -# reference: https://www.youtube.com/watch?v=-K9hhqv21P8 +# ref 1: https://www.youtube.com/watch?v=3UrEJzqqPYQ +# ref 2: https://righteousit.com/wp-content/uploads/2024/04/ld_preload-rootkits.pdf +# ref 3: https://www.youtube.com/watch?v=-K9hhqv21P8 +# ref 4: https://righteousit.com/wp-content/uploads/2024/04/xfs_db-ftw.pdf usage() { cat <<"EOM" 
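Review bot: `read etc_dev fs_type <<< $(df -T /etc | awk 'NR==2 {print $1, $2}')` assumes the whole record is on output line 2, but GNU `df` may wrap a long device name (typical for `/dev/mapper/...` volumes) onto a line of its own, in which case `etc_dev` receives the device, `fs_type` stays empty and the script exits 2 with "/etc is not on XFS or EXT filesystem." `df -P -T` is documented to print each filesystem on exactly one line (or use `findmnt -n -o SOURCE,FSTYPE -T /etc` where util-linux is available), so `df -P -T /etc | awk 'NR==2 {print $1, $2}'` gives a stable record. The same `NR==2` assumption applies to the `-d` branch; for a device that is not mounted, `df -T "${etc_dev}"` describes the filesystem holding the device node, so the error text would also be misleading there — inferred from df semantics, please verify.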
@@ -41,25 +44,30 @@ print_msg() { find_xfs_ldsopreload_inumber() { xfs_db -r $1 -c "daddr $2" -c "type dir3" -c "print" | awk ' + BEGIN { + found_filename = 0; + found_entry = 0; + } + { - if ($0 ~ /du\[([0-9]+)\].inumber = ([0-9]+)/) { - match($0, /du\[([0-9]+)\].inumber = ([0-9]+)/, arr); - inumber[arr[1]] = arr[2]; # arr[1] = NUM, arr[2] = inumber + if ($0 ~ /du\[[0-9]+\].inumber = [0-9]+/) { + match($0, /du\[[0-9]+\].inumber = ([0-9]+)/, arr); + inumber = arr[1]; + } + + if ($0 ~ /du\[[0-9]+\].name = "ld.so.preload"/) { + found_filename = 1; } - if ($0 ~ /du\[([0-9]+)\].name = "ld.so.preload"/) { - match($0, /du\[([0-9]+)\].name = "ld.so.preload"/, arr); - num = arr[1]; # arr[1] = NUM - if (num in inumber) { - # print "name: " $0 ", inumber: " inumber[num]; - print inumber[num]; - found = 1; - } + if (found_filename && $0 ~ /du\[[0-9]+\].filetype = (1|7)/) { + print inumber; + found_entry = 1; + exit; } } END { - if (!found) { + if (!found_entry) { print 0; } } From 6a3efea5fdc431bd54399087a34decc414ebde14 Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Wed, 18 Sep 2024 14:36:35 +0900 Subject: [PATCH 08/19] refactor: calculate offset based on blocksize --- bin/linux/linux_dump_ldsopreload.sh | 33 ++++++++++++++++------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_ldsopreload.sh index 7f62fe18..258ba3c8 100644 --- a/bin/linux/linux_dump_ldsopreload.sh +++ b/bin/linux/linux_dump_ldsopreload.sh 
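Review bot: The awk filter accepts `filetype = (1|7)`, i.e. a symlink as well as a regular file, but the caller then runs `bmap` on that inode and dumps its data block; on XFS a short symlink target is stored inline in the inode with no data extent, so `ldsopreload_fsblocks` comes back empty and the `convert fsblock` / `dd` steps fail. Either restrict the match to `filetype = 1`, or detect type 7 and report the link target instead — a symlinked ld.so.preload is itself worth surfacing to the analyst. The `match($0, /.../, arr)` three-argument call is gawk-only; either document the gawk dependency at the top of the script or extract the number with `sub()` on `$NF`. The function body continues past the hunk.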
@@ -25,11 +25,11 @@ Dump /etc/ld.so.preload on XFS or EXT-based filesystem. Usage: $0 [-d device] [-h] [-l sector_count] [-o outputfile] [-v] - -d device Specify the device which has /etc directory - -h Show this help message - -l sector_count Specify the sector count to dump (only for XFS, default: 1) - -o outputfile Specify the output file - -v Enable verbose mode + -d device Specify the device which has /etc directory + -h Show this help message + -l block_count Specify the block count to dump (only for XFS, default: 1) + -o outputfile Specify the output file + -v Enable verbose mode EOM exit 1; } @@ -78,7 +78,7 @@ find_xfs_ldsopreload_inumber() { dump_xfs_ldsopreload() { etc_dev_l=$1 outputfile_l=$2 - sector_count_l=$3 + block_count_l=$3 # Get inode number of /etc directory itself. etc_inumber=$(ls -id /etc | awk '{print $1}') 
@@ -103,16 +103,20 @@ dump_xfs_ldsopreload() { # In many cases, there is only one fsblock. ldsopreload_fsblocks=$(xfs_db -r ${etc_dev_l} -c "inode ${ldsopreload_inumber}" -c "bmap" | awk '{print $5}') - # Convert fsblock numbers to daddr. - ldsopreload_daddr=$(xfs_db -r ${etc_dev_l} -c "convert fsblock ${ldsopreload_fsblocks} daddr" | sed -n 's/.*(\([0-9]*\)).*/\1/p') + # Convert fsblock to agno. + ldsopreload_agno=$(xfs_db -r ${etc_dev_l} -c "convert fsblock ${ldsopreload_fsblocks} agno" | sed -n 's/.*(\([0-9]*\)).*/\1/p') + + # Convert fsblock to agblock. + ldsopreload_agblock=$(xfs_db -r ${etc_dev_l} -c "convert fsblock ${ldsopreload_fsblocks} agblock" | sed -n 's/.*(\([0-9]*\)).*/\1/p') # Dump /etc/ld.so.preload file. # I believe that /etc/ld.so.preload is not so large. - sector_size=$(xfs_db -r /dev/mapper/rl-root -c "sb 0" -c "print" | grep -E "^sectsize" | awk '{print $3}') + eval $(xfs_db -r /dev/mapper/rl-root -c "sb 0" -c "print" | awk -F " = " '$1 == "blocksize" {print "block_size="$2} $1 == "agblocks" {print "agblocks="$2}') + skip_len=$(("${ldsopreload_agno}"*"${agblocks}"+"${ldsopreload_agblock}")) if [ -z "${outputfile_l}" ]; then - dd if="${etc_dev_l}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count_l}" status=none + dd if="${etc_dev_l}" bs="${block_size}" skip="${skip_len}" count="${block_count_l}" status=none else - dd if="${etc_dev_l}" of="${outputfile_l}" bs="${sector_size}" skip="${ldsopreload_daddr}" count="${sector_count_l}" status=none + dd if="${etc_dev_l}" of="${outputfile_l}" bs="${block_size}" skip="${skip_len}" count="${block_count_l}" status=none fi } @@ -120,7 +124,6 @@ dump_xfs_ldsopreload() { dump_ext_ldsopreload() { etc_dev_l=$1 outputfile_l=$2 - # debugfs -R 'cat /etc/ld.so.preload' "${etc_dev_l}" if [ -z "${outputfile_l}" ]; then debugfs -R 'cat /etc/ld.so.preload' "${etc_dev_l}" else 
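Review bot: `eval $(xfs_db ... | awk ...)` executes text derived from the on-disk superblock of a possibly compromised system as shell code; the fields are expected to be integers, but a forensic collector running as root should not depend on that: `read block_size agblocks <<< "$(xfs_db -r "${etc_dev_l}" -c "sb 0" -c "print" | awk -F " = " '$1 == "blocksize" {b=$2} $1 == "agblocks" {a=$2} END {print b, a}')"` avoids eval and also replaces the hard-coded `/dev/mapper/rl-root`. Independently, the dump copies whole filesystem blocks (`count=${block_count_l}`, default 1), so the result contains slack bytes past the file's end and is truncated if the file exceeds one block; reading `core.size` from the inode `print` output and piping through `head -c "${size}"` (or deriving the block count from it) gives an exact copy. Slack bytes can hold unrelated stale data, which matters when the artifact is later read as the contents of ld.so.preload.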
@@ -129,7 +132,7 @@ dump_ext_ldsopreload() { } -sector_count=1 +block_count=1 verbose_mode=0 while getopts "d:hl:o:v" opts; do case ${opts} in @@ -137,7 +140,7 @@ while getopts "d:hl:o:v" opts; do ;; h) usage ;; - l) sector_count=${OPTARG} + l) block_count=${OPTARG} ;; o) outputfile=${OPTARG} ;; @@ -157,7 +160,7 @@ fi # Check filesystem type and dump /etc/ld.so.preload if [ "${fs_type}" = "xfs" ]; then - dump_xfs_ldsopreload "${etc_dev}" "${outputfile}" "${sector_count}" + dump_xfs_ldsopreload "${etc_dev}" "${outputfile}" "${block_count}" elif [[ "${fs_type}" =~ ^ext ]]; then dump_ext_ldsopreload "${etc_dev}" "${outputfile}" else From 3f6f95ceb81ff9ef0c224a258ac03a942869673c Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Thu, 19 Sep 2024 16:42:28 +0900 Subject: [PATCH 09/19] refactor: improve versatility Any file can be dumped. --- artifacts/chkrootkit/hiding_ldsopreload.yaml | 4 +- bin/linux/linux_dump_ldsopreload.sh | 288 ++++++++++++++----- 2 files changed, 215 insertions(+), 77 deletions(-) diff --git a/artifacts/chkrootkit/hiding_ldsopreload.yaml b/artifacts/chkrootkit/hiding_ldsopreload.yaml index 9beac2f8..25414c5c 100644 --- a/artifacts/chkrootkit/hiding_ldsopreload.yaml +++ b/artifacts/chkrootkit/hiding_ldsopreload.yaml 
@@ -11,12 +11,12 @@ artifacts: supported_os: [linux] collector: command condition: command_exists "debugfs" - command: dev=$(df -T /etc | awk '$2 ~ "^ext" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh -d "${dev}" + command: dev=$(df -T /etc | awk '$2 ~ "^ext" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh output_file: etc_ld.so.preload.txt - description: Dump /etc/ld.so.preload with xfs_db. supported_os: [linux] collector: command condition: command_exists "xfs_db" - command: dev=$(df -T /etc | awk '$2 == "xfs" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh -d "${dev}" + command: dev=$(df -T /etc | awk '$2 == "xfs" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh output_file: etc_ld.so.preload.txt diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_ldsopreload.sh index 258ba3c8..b4d14e31 100644 --- a/bin/linux/linux_dump_ldsopreload.sh +++ b/bin/linux/linux_dump_ldsopreload.sh @@ -27,7 +27,6 @@ Usage: $0 [-d device] [-h] [-l sector_count] [-o outputfile] [-v] -d device Specify the device which has /etc directory -h Show this help message - -l block_count Specify the block count to dump (only for XFS, default: 1) -o outputfile Specify the output file -v Enable verbose mode EOM 
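Review bot: Both `command:` lines still compute `dev=$(df -T /etc | awk ...)` and gate on `[ -n "${dev}" ]` although the device is no longer passed to `linux_dump_ldsopreload.sh`, which now performs its own filesystem detection; the gate merely duplicates that logic and will drift from it as the script evolves. Either reduce each entry to `command: linux_dump_ldsopreload.sh` and let `condition:` select the tool, or fold the two entries into one. The description text (`with debugfs.` / `with xfs_db.`) would then be the only remaining difference and could name the filesystem rather than the tool.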
@@ -36,112 +35,255 @@ EOM print_msg() { + local msg=$1 if [ ${verbose_mode} -eq 1 ]; then - echo $1 + echo "${msg}" >&2 fi } -find_xfs_ldsopreload_inumber() { - xfs_db -r $1 -c "daddr $2" -c "type dir3" -c "print" | awk ' - BEGIN { - found_filename = 0; - found_entry = 0; - } +get_device_fstype() { + local file=$1 + local device + local fs_type - { - if ($0 ~ /du\[[0-9]+\].inumber = [0-9]+/) { - match($0, /du\[[0-9]+\].inumber = ([0-9]+)/, arr); - inumber = arr[1]; - } + read device fs_type <<< $(df -T "${file}" | awk 'NR==2 {print $1, $2}') + echo "${device}" "${fs_type}" +} + + +get_xfs_inumber_local() { + local device=$1 + local root_inumber=$2 + local path=$3 - if ($0 ~ /du\[[0-9]+\].name = "ld.so.preload"/) { - found_filename = 1; + xfs_db -r ${device} -c "inode ${root_inumber}" -c "print" | awk -v path="${path}" ' + BEGIN { + found_filename = 0; + found_entry = 0; + filetype = 0; } - if (found_filename && $0 ~ /du\[[0-9]+\].filetype = (1|7)/) { - print inumber; - found_entry = 1; - exit; + { + if ($0 ~ "u3.sfdir3.list\\[[0-9]+\\].name = \"" path "\"") { + found_filename = 1; + } + + if (found_filename && $0 ~ /u3.sfdir3.list\[[0-9]+\].inumber.i4 = [0-9]+/) { + match($0, /u3.sfdir3.list\[[0-9]+\].inumber.i4 = ([0-9]+)/, arr); + inumber = arr[1]; + } + + # filetype: 1 (regular file), 2 (directory), 7 (symlink) + if (found_filename && $0 ~ /u3.sfdir3.list\[[0-9]+\].filetype = (1|2|7)/) { + match($0, /u3.sfdir3.list\[[0-9]+\].filetype = ([0-9]+)/, arr); + filetype = arr[1]; + found_entry = 1; + exit; + } } - } - END { - if (!found_entry) { - print 0; + END { + if (!found_entry) { + inumber = 0; + } + print inumber, filetype; } - } ' } -dump_xfs_ldsopreload() { - etc_dev_l=$1 - outputfile_l=$2 - block_count_l=$3 - # Get inode number of /etc directory itself. - etc_inumber=$(ls -id /etc | awk '{print $1}') - - # Get fsblock numbers of /etc directory. 
- etc_fsblocks=$(xfs_db -r ${etc_dev_l} -c "inode ${etc_inumber}" -c "bmap" | awk '{print $5}') - - # Find inode number of /etc/ld.so.preload file. - for etc_fsblock in ${etc_fsblocks}; do - etc_daddr=$(xfs_db -r ${etc_dev_l} -c "convert fsblock ${etc_fsblock} daddr" | sed -n 's/.*(\([0-9]*\)).*/\1/p') - ldsopreload_inumber=$(find_xfs_ldsopreload_inumber ${etc_dev_l} ${etc_daddr}) - if [ ${ldsopreload_inumber} -ne 0 ]; then - break +get_xfs_inumber_extents() { + local device=$1 + local fsblocks=$2 + local path=$3 + local fsblock + + for fsblock in ${fsblocks}; do + local result=$(xfs_db -r ${device} -c "fsblock ${fsblock}" -c "type dir3" -c "print" | awk -v path="${path}" ' + BEGIN { + found_name = 0; + found_entry = 0; + } + + { + if ($0 ~ /(du|bu)\[[0-9]+\].inumber = [0-9]+/) { + match($0, /(du|bu)\[[0-9]+\].inumber = ([0-9]+)/, arr); + inumber = arr[2]; + } + + if ($0 ~ "(du|bu)\\[[0-9]+\\].name = \"" path "\"") { + found_name = 1; + } + + if (found_name && $0 ~ /(du|bu)\[[0-9]+\].filetype = (1|2|7)/) { + match($0, /(du|bu)\[[0-9]+\].filetype = ([0-9]+)/, arr); + filetype = arr[2]; + found_entry = 1; + exit; + } + } + + END { + if (!found_entry) { + inumber = 0; + } + print inumber, filetype; + } + ') + if [ "$(echo ${result} | awk '{print $1}')" -ne 0 ]; then + echo ${result} + return + fi + done + echo 0 0 +} + + +get_xfs_child_inumber() { + local device=$1 + local parent_inumber=$2 + local path=$3 + local fsblocks=$(xfs_db -r ${device} -c "inode ${parent_inumber}" -c "bmap" | awk '{print $5}') + local fsblock + + if [ -z "${fsblocks}" ]; then + read inumber filetype <<< $(get_xfs_inumber_local "${device}" "${parent_inumber}" "${path}") + echo "${inumber} ${filetype}" + return + else + read inumber filetype <<< $(get_xfs_inumber_extents "${device}" "${fsblocks}" "${path}") + echo "${inumber} ${filetype}" + return + fi +} + + +get_xfs_inumber_from_path() { + local full_path=$(realpath -s $1) + local device + local fs_type + read device fs_type <<< 
$(get_device_fstype "${full_path}") + + local root_inumber=$(xfs_db -r ${device} -c "sb 0" -c "print" | awk -F " = " '$1 == "rootino" {print $2}') + local parent_inumber=${root_inumber} + local inumber=0 + local filetype=0 + + IFS='/' read -a path_array <<< "${full_path}" + for idx in "${!path_array[@]}"; do + if [ ${idx} -eq 0 ]; then + continue + elif [ ${idx} -ge 1 ]; then + read inumber filetype <<< $(get_xfs_child_inumber "${device}" "${parent_inumber}" "${path_array[$idx]}") + if [ ${inumber} -eq 0 ]; then + print_msg "${path_array[$idx]} not found." + break + elif [ ${filetype} -eq 7 ]; then # If the file is a symlink, get the target file's inode number. + local symlink_target=$(xfs_db -r ${device} -c "inode ${inumber}" -c "print" | sed -n 's/u3.symlink = "\(.*\)"/\1/p') + print_msg "symlink target: ${symlink_target}" + symlink_target=$(realpath -s "${symlink_target}") + read inumber filetype <<< $(get_xfs_inumber_from_path "${symlink_target}") + echo ${inumber} ${filetype} + return + fi + parent_inumber=${inumber} fi done - if [ ${ldsopreload_inumber} -eq 0 ]; then - print_msg "/etc/ld.so.preload not found." + echo ${inumber} ${filetype} +} + + +dump_xfs_ldsopreload() { + local file=$1 + local outputfile=$2 + local device=$3 + local fs_type + local block_count + local inumber + local filetype + local fsblock_item + local fsblock + + if [ -z "${device}" ]; then + read device fs_type <<< $(get_device_fstype "${file}") + fi + + # Get an inode number of the file. + read inumber filetype <<< $(get_xfs_inumber_from_path "${file}") + + if [ ${inumber} -eq 0 ]; then + print_msg "${file} not found." exit 3 fi - # Get fsblock numbers of /etc/ld.so.preload file. + # Get fsblock numbers of the file. # In many cases, there is only one fsblock. 
- ldsopreload_fsblocks=$(xfs_db -r ${etc_dev_l} -c "inode ${ldsopreload_inumber}" -c "bmap" | awk '{print $5}') + local fsblock_items=$(xfs_db -r ${device} -c "inode ${inumber}" -c "bmap" | awk '{print $5, $8}') - # Convert fsblock to agno. - ldsopreload_agno=$(xfs_db -r ${etc_dev_l} -c "convert fsblock ${ldsopreload_fsblocks} agno" | sed -n 's/.*(\([0-9]*\)).*/\1/p') + if [ -z "${fsblock_items}" ]; then + print_msg "${file}: bmap not found." + exit 4 + fi - # Convert fsblock to agblock. - ldsopreload_agblock=$(xfs_db -r ${etc_dev_l} -c "convert fsblock ${ldsopreload_fsblocks} agblock" | sed -n 's/.*(\([0-9]*\)).*/\1/p') + for fsblock_item in "${fsblock_items}"; do + read fsblock block_count <<< "${fsblock_item}" - # Dump /etc/ld.so.preload file. - # I believe that /etc/ld.so.preload is not so large. - eval $(xfs_db -r /dev/mapper/rl-root -c "sb 0" -c "print" | awk -F " = " '$1 == "blocksize" {print "block_size="$2} $1 == "agblocks" {print "agblocks="$2}') - skip_len=$(("${ldsopreload_agno}"*"${agblocks}"+"${ldsopreload_agblock}")) - if [ -z "${outputfile_l}" ]; then - dd if="${etc_dev_l}" bs="${block_size}" skip="${skip_len}" count="${block_count_l}" status=none - else - dd if="${etc_dev_l}" of="${outputfile_l}" bs="${block_size}" skip="${skip_len}" count="${block_count_l}" status=none - fi + # Convert fsblock to agno. + local agno=$(xfs_db -r ${device} -c "convert fsblock ${fsblock} agno" | sed -n 's/.*(\([0-9]*\)).*/\1/p') + + if [ -z "${agno}" ]; then + print_msg "${file}: agno not found." + exit 5 + fi + + # Convert fsblock to agblock. + local agblock=$(xfs_db -r ${device} -c "convert fsblock ${fsblock} agblock" | sed -n 's/.*(\([0-9]*\)).*/\1/p') + + if [ -z "${agblock}" ]; then + print_msg "${file}: agblock not found." + exit 6 + fi + + # Dump file data. 
+ eval $(xfs_db -r /dev/mapper/rl-root -c "sb 0" -c "print" | awk -F " = " '$1 == "blocksize" {print "block_size="$2} $1 == "agblocks" {print "agblocks="$2}') + skip_len=$(("${agno}"*"${agblocks}"+"${agblock}")) + if [ -z "${outputfile}" ]; then + dd if="${device}" bs="${block_size}" skip="${skip_len}" count="${block_count}" status=none + else + dd if="${device}" of="${outputfile}" bs="${block_size}" skip="${skip_len}" count="${block_count}" status=none + fi + done } dump_ext_ldsopreload() { - etc_dev_l=$1 - outputfile_l=$2 - if [ -z "${outputfile_l}" ]; then - debugfs -R 'cat /etc/ld.so.preload' "${etc_dev_l}" + local file=$1 + local outputfile=$2 + local device=$3 + local fs_type + + if [ -z "${device}" ]; then + read device fs_type <<< $(get_device_fstype "${file}") + fi + + if [ -z "${outputfile}" ]; then + debugfs -R "cat \"${file}\"" "${device}" else - debugfs -R "dump /etc/ld.so.preload \"${outputfile_l}\"" "${etc_dev_l}" + debugfs -R "dump \"${file}\" \"${outputfile}\"" "${device}" fi } -block_count=1 +file="/etc/ld.so.preload" verbose_mode=0 -while getopts "d:hl:o:v" opts; do +while getopts "f:ho:v" opts; do case ${opts} in - d) etc_dev=${OPTARG} + f) file=${OPTARG} ;; h) usage ;; - l) block_count=${OPTARG} - ;; o) outputfile=${OPTARG} ;; v) verbose_mode=1 
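Review bot: `dump_xfs_ldsopreload` still reads the superblock from a hard-coded `/dev/mapper/rl-root` in the `eval $(xfs_db -r /dev/mapper/rl-root -c "sb 0" ...)` line, so `blocksize` and `agblocks` come from the author's test device rather than the `${device}` resolved for the file; on any other host the dd offset is wrong or xfs_db fails outright. The loop header `for fsblock_item in "${fsblock_items}"; do` quotes the multi-line bmap output, so it iterates exactly once and `read fsblock block_count` consumes only the first extent, truncating any file with more than one. Changing the superblock call to `xfs_db -r "${device}"` and the loop to `while read -r fsblock block_count; do` ... `done <<< "${fsblock_items}"` fixes both. Reading the two numeric values with `read` instead of `eval`-ing awk-generated assignments would also avoid executing text derived from on-disk data.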
@@ -151,18 +293,14 @@ while getopts "d:hl:o:v" opts; do
 esac
 done
-# Which device has /etc directory?
-if [ -z "${etc_dev}" ]; then
- read etc_dev fs_type <<< $(df -T /etc | awk 'NR==2 {print $1, $2}')
-else
- fs_type=$(df -T "${etc_dev}" | awk 'NR==2 {print $2}')
-fi
+# # Which device has /etc/ld.so.preload directory?
+read device fs_type <<< $(get_device_fstype "${file}")
 # Check filesystem type and dump /etc/ld.so.preload
 if [ "${fs_type}" = "xfs" ]; then
- dump_xfs_ldsopreload "${etc_dev}" "${outputfile}" "${block_count}"
+ dump_xfs_ldsopreload "${file}" "${outputfile}" "${device}"
 elif [[ "${fs_type}" =~ ^ext ]]; then
- dump_ext_ldsopreload "${etc_dev}" "${outputfile}"
+ dump_ext_ldsopreload "${file}" "${outputfile}" "${device}"
 else
 print_msg "/etc is not on XFS or EXT filesystem."
 exit 2
From 6100e27f02029dc82f9e49047010e6a632b2f70c Mon Sep 17 00:00:00 2001
From: Minoru Kobayashi
Date: Wed, 25 Sep 2024 10:52:33 +0900
Subject: [PATCH 10/19] refactor: fix problems detected by ShellCheck
Fix problems detected by ShellCheck and a bug regarding tracking of symbolic links
---
 bin/linux/linux_dump_ldsopreload.sh | 164 +++++++++++++++++++---------
 1 file changed, 115 insertions(+), 49 deletions(-)
diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_ldsopreload.sh
index b4d14e31..77ca52c4 100644
--- a/bin/linux/linux_dump_ldsopreload.sh
+++ b/bin/linux/linux_dump_ldsopreload.sh
@@ -19,16 +19,18 @@
 # ref 3: https://www.youtube.com/watch?v=-K9hhqv21P8
 # ref 4: https://righteousit.com/wp-content/uploads/2024/04/xfs_db-ftw.pdf
+set -euo pipefail
+
 usage() {
- cat <<"EOM"
+ cat <
Date: Sat, 5 Oct 2024 00:13:03 +0900
Subject: [PATCH 11/19] refactor: remove the mount point string from file path on EXT4 filesystem
---
 bin/linux/linux_dump_ldsopreload.sh | 53 +++++++++++++++--------
 1 file changed, 27 insertions(+), 26 deletions(-)
diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_ldsopreload.sh
index 77ca52c4..b98b8bee 100644
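Review bot: The device lookup `read device fs_type <<< $(get_device_fstype "${file}")` runs `df -T` on the target file itself; if a preload rootkit hooks stat() to hide `/etc/ld.so.preload`, df prints an error and no data line, both variables stay empty and the script drops into the `else` branch with exit 2 — precisely on the hosts this tool exists for. Querying the parent directory keeps the lookup working: `read device fs_type <<< $(get_device_fstype "$(dirname "${file}")")`. The new comment `# # Which device has /etc/ld.so.preload directory?` also carries a doubled `#` and calls the file a directory; `# Which device holds ${file}?` says what the line does.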
--- a/bin/linux/linux_dump_ldsopreload.sh
+++ b/bin/linux/linux_dump_ldsopreload.sh
@@ -45,11 +45,8 @@ print_msg() {
 get_real_path() {
- local path
- local processed_path
-
- path=$1
- processed_path=$2
+ local path=$1
+ local processed_path=$2
 if [[ ! "$path" =~ ^(/|./|../) ]]; then
 if [[ "${processed_path}" == "/" ]]; then
@@ -77,11 +74,12 @@ join_remain_path() {
 get_device_fstype() {
- local file=$1
+ local path=$1
 local device
 local fs_type
+ local mount_point
- read -r device fs_type mount_point <<< "$(df -T "${file}" | awk 'NR==2 {print $1, $2, $NF}')"
+ read -r device fs_type mount_point <<< "$(df -T "$(dirname "${path}")" | awk 'NR==2 {print $1, $2, $NF}')"
 echo "${device}" "${fs_type}" "${mount_point}"
 }
@@ -201,13 +199,6 @@ get_xfs_inumber_from_path() {
 local device
 local fs_type
 local mount_point
-
- full_path=$(get_real_path "$1" "${processed_path}")
- read -r device fs_type mount_point <<< "$(get_device_fstype "${full_path}")"
- # Remove mount_point from full_path if it starts with mount_point
- if [[ "${mount_point}" != "/" && "$full_path" == "$mount_point"* ]]; then
- full_path="${full_path/#${mount_point}/}"
- fi
 local root_inumber
 local parent_inumber
 local inumber=0
@@ -218,6 +209,13 @@ get_xfs_inumber_from_path() {
 local path_array
 local old_IFS
+ full_path=$(get_real_path "$1" "${processed_path}")
+ read -r device fs_type mount_point <<< "$(get_device_fstype "${full_path}")"
+ # Remove mount_point from full_path if it starts with mount_point
+ if [[ "${mount_point}" != "/" && "$full_path" == "$mount_point"* ]]; then
+ full_path="${full_path/#${mount_point}/}"
+ fi
+
 root_inumber=$(xfs_db -r "${device}" -c "sb 0" -c "print" | awk -F " = " '$1 == "rootino" {print $2}')
 parent_inumber=${root_inumber}
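Review bot: The switch to `df -T "$(dirname "${path}")"` in `get_device_fstype` deserves a comment, because the reason is not visible in the code and the commit message does not give it; presumably it avoids a stat() on the target file itself, which may fail when a rootkit hides it. Suggested: `# Query the parent directory: stat() on the target file itself may fail when a rootkit hides it.` Note the behavioural change when `path` is itself a mount point — the parent filesystem's device is returned — which is fine for a regular file such as /etc/ld.so.preload but worth stating in the comment.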
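Review bot: In the moved block, `full_path="${full_path/#${mount_point}/}"` leaves `${mount_point}` unquoted in pattern position, so a mount point containing `*`, `?` or `[` is treated as a glob rather than literal text; the plain prefix-strip form `full_path="${full_path#"${mount_point}"}"` is literal and shorter. The same expression is introduced into `dump_ext_ldsopreload` in the `@@ -323,20 +321,23 @@` hunk below and should be changed there too. The enclosing function `get_xfs_inumber_from_path` starts above this hunk and continues below it.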
@@ -243,7 +241,13 @@ get_xfs_inumber_from_path() {
 if [ -n "${sub_path}" ]; then
 symlink_target="${symlink_target}/${sub_path}"
 fi
+
 read -r inumber filetype <<< "$(get_xfs_inumber_from_path "${symlink_target}")"
+ if [[ ! "${inumber}" =~ ^[0-9]+$ ]]; then
+ print_msg "${symlink_target} not found."
+ return 3
+ fi
+
 echo "${inumber}" "${filetype}"
 return
 fi
@@ -260,8 +264,6 @@ dump_xfs_ldsopreload() {
 local file=$1
 local outputfile=$2
 local device=$3
- local fs_type
- local mount_point
 local block_count
 local inumber
 local filetype
@@ -270,10 +272,6 @@ dump_xfs_ldsopreload() {
 local agno
 local agblock
- if [ -z "${device}" ]; then
- read -r device fs_type mount_point <<< "$(get_device_fstype "${file}")"
- fi
-
 # Get an inode number of the file.
 read -r inumber filetype <<< "$(get_xfs_inumber_from_path "${file}")"
@@ -323,20 +321,23 @@ dump_xfs_ldsopreload() {
 dump_ext_ldsopreload() {
- local file=$1
+ local full_path=$1
 local outputfile=$2
 local device=$3
 local fs_type
 local mount_point
- if [ -z "${device}" ]; then
- read -r device fs_type mount_point <<< "$(get_device_fstype "${file}")"
+ read -r device fs_type mount_point <<< "$(get_device_fstype "${full_path}")"
+
+ # Remove mount_point from full_path if it starts with mount_point
+ if [[ "${mount_point}" != "/" && "$full_path" == "$mount_point"* ]]; then
+ full_path="${full_path/#${mount_point}/}"
 fi
 if [ -z "${outputfile}" ]; then
- debugfs -R "cat \"${file}\"" "${device}"
+ debugfs -R "cat \"${full_path}\"" "${device}"
 else
- debugfs -R "dump \"${file}\" \"${outputfile}\"" "${device}"
+ debugfs -R "dump \"${full_path}\" \"${outputfile}\"" "${device}"
 fi
 }
@@ -368,6 +369,6 @@ if [ "${fs_type}" = "xfs" ]; then
 elif [[ "${fs_type}" =~ ^ext ]]; then
 dump_ext_ldsopreload "${file}" "${outputfile:-}" "${device}"
 else
- print_msg "/etc is not on XFS or EXT filesystem."
+ print_msg "${file} is not on XFS or EXT filesystem."
 exit 2
 fi
From c4741d9434e857bc544b5f09e2ce612ef111fcab Mon Sep 17 00:00:00 2001
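Review bot: The `return 3` added after `print_msg "${symlink_target} not found."` is never observed by a caller: the function is invoked as `read -r inumber filetype <<< "$(get_xfs_inumber_from_path ...)"` (see the `@@ -270` hunk below), and the status of a command substitution inside a here-string is discarded, so what actually signals failure is the empty output that the caller's numeric check then rejects. Either print a sentinel before returning, the way `get_xfs_inumber_extents` ends with `echo 0 0`, or document the contract: `# On failure nothing is printed; callers must validate the inumber rather than the exit status.` The enclosing function starts above and ends below this hunk.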
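Review bot: `dump_ext_ldsopreload` still declares `local device=$3`, but the very next statement unconditionally overwrites it with `read -r device fs_type mount_point <<< ...`, so the third argument passed from the main block (`dump_ext_ldsopreload "${file}" "${outputfile:-}" "${device}"` in the `@@ -368` hunk) is dead. Either drop the parameter and its caller argument, or keep the `if [ -z "${device}" ]` guard this hunk removes so an explicit device still wins. The mount-point stripping also deserves a one-line why: `# debugfs resolves paths relative to the filesystem root, not the host mount point.`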
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sat, 14 Dec 2024 14:28:46 +0100
Subject: [PATCH 12/19] Create apk.yaml
---
 artifacts/live_response/packages/apk.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 artifacts/live_response/packages/apk.yaml
diff --git a/artifacts/live_response/packages/apk.yaml b/artifacts/live_response/packages/apk.yaml
new file mode 100644
index 00000000..02eebbec
--- /dev/null
+++ b/artifacts/live_response/packages/apk.yaml
@@ -0,0 +1,10 @@
+version: 2.0
+condition: command_exists "apk"
+output_directory: /live_response/packages
+artifacts:
+ -
+ description: Display installed packages.
+ supported_os: [linux]
+ collector: command
+ command: apk info -vv
+ output_file: apk_query_list.txt
From 8a32af3f66c9ac769054e92ad6755a78dcb53ff8 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Sat, 11 Jan 2025 08:39:01 -0300
Subject: [PATCH 13/19] artif: add stat and rename files
Add collection of stat even if the file is hidden. Change the output file as any files that are written to disk that matches ld.so.preload is modified by the rootkit. Moved the condition from command to condition.
---
 CHANGELOG.md | 1 +
 .../chkrootkit/hidden_etc_ld_so_preload.yaml | 28 +++++++++++++++++++
 artifacts/chkrootkit/hiding_ldsopreload.yaml | 22 ---------------
 ...oad.sh => linux_dump_etc_ld_so_preload.sh} | 0
 profiles/full.yaml | 2 +-
 profiles/offline_ir_triage.yaml | 2 +-
 6 files changed, 31 insertions(+), 24 deletions(-)
 create mode 100644 artifacts/chkrootkit/hidden_etc_ld_so_preload.yaml
 delete mode 100644 artifacts/chkrootkit/hiding_ldsopreload.yaml
 rename bin/linux/{linux_dump_ldsopreload.sh => linux_dump_etc_ld_so_preload.sh} (100%)
 mode change 100644 => 100755
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3bd4beb9..7b74f797 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 ### Artifacts
+- chkrootkit/hidden_etc_ld_so_preload.yaml: Added collection of hidden /etc/ld.so.preload using debugfs and xfs_db tools [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - files/applications/ark.yaml: Added collection of metadata about recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd].
 - files/applications/dolphin.yaml: Added collection of session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations [freebsd, linux, netbsd, openbsd].
 - files/applications/dragon_player.yaml: Added collection of paths to recently opened video files using the Dragon Player [freebsd, linux, netbsd, openbsd].
diff --git a/artifacts/chkrootkit/hidden_etc_ld_so_preload.yaml b/artifacts/chkrootkit/hidden_etc_ld_so_preload.yaml
new file mode 100644
index 00000000..b0db2e7b
--- /dev/null
+++ b/artifacts/chkrootkit/hidden_etc_ld_so_preload.yaml
@@ -0,0 +1,28 @@
+version: 1.0
+output_directory: /chkrootkit
+# Collect /etc/ld.so.preload even if it is hidden by LD_PRELOAD Rootkits.
+# ref 1: https://www.youtube.com/watch?v=3UrEJzqqPYQ
+# ref 2: https://righteousit.com/wp-content/uploads/2024/04/ld_preload-rootkits.pdf
+# ref 3: https://www.youtube.com/watch?v=-K9hhqv21P8
+# ref 4: https://righteousit.com/wp-content/uploads/2024/04/xfs_db-ftw.pdf
+artifacts:
+ -
+ description: Dump /etc/ld.so.preload with debugfs.
+ supported_os: [linux]
+ collector: command
+ condition: command_exists "debugfs" && df -T %mount_point%/etc | tail -n +2 | awk '{print $2}' | grep -q "ext"
+ command: linux_dump_ldsopreload.sh -f %mount_point%/etc/ld.so.preload
+ output_file: etc_ld_so_preload.txt
+ -
+ description: Dump /etc/ld.so.preload with xfs_db.
+ supported_os: [linux]
+ collector: command
+ condition: command_exists "xfs_db" && df -T %mount_point%/etc | tail -n +2 | awk '{print $2}' | grep -q "xfs"
+ command: linux_dump_ldsopreload.sh -f %mount_point%/etc/ld.so.preload
+ output_file: etc_ld_so_preload.txt
+ -
+ description: Collect file stats for /etc/ld.so.preload even if it is hidden.
+ supported_os: [linux]
+ collector: stat
+ path: /etc/ld.so.preload
+ output_file: stat_etc_ld_so_preload.txt
\ No newline at end of file
diff --git a/artifacts/chkrootkit/hiding_ldsopreload.yaml b/artifacts/chkrootkit/hiding_ldsopreload.yaml
deleted file mode 100644
index 25414c5c..00000000
--- a/artifacts/chkrootkit/hiding_ldsopreload.yaml
+++ /dev/null
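Review bot: The third artifact's description promises file stats "even if it is hidden", but a `stat` collector that goes through the same libc stat()/lstat() an LD_PRELOAD rootkit hooks will simply see no file; unless the collector is known to use a statically linked binary, the description overstates what it delivers and should say so, e.g. `description: Collect file stats for /etc/ld.so.preload (may be empty if a preload rootkit hooks stat()).` The two `command:` lines still call `linux_dump_ldsopreload.sh`, while this same commit renames the script to `linux_dump_etc_ld_so_preload.sh`, so the artifacts cannot run as committed. The `grep -q "ext"` in the first condition matches that substring anywhere in the type column; `grep -q "^ext"` would mirror the `^ext` test the script itself uses.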
@@ -1,22 +0,0 @@
-version: 1.0
-output_directory: /live_response/chkrootkit
-# Collect /etc/ld.so.preload even if it is hidden by LD_PRELOAD Rootkits.
-# ref 1: https://www.youtube.com/watch?v=3UrEJzqqPYQ
-# ref 2: https://righteousit.com/wp-content/uploads/2024/04/ld_preload-rootkits.pdf
-# ref 3: https://www.youtube.com/watch?v=-K9hhqv21P8
-# ref 4: https://righteousit.com/wp-content/uploads/2024/04/xfs_db-ftw.pdf
-artifacts:
- -
- description: Dump /etc/ld.so.preload with debugfs.
- supported_os: [linux]
- collector: command
- condition: command_exists "debugfs"
- command: dev=$(df -T /etc | awk '$2 ~ "^ext" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh
- output_file: etc_ld.so.preload.txt
- -
- description: Dump /etc/ld.so.preload with xfs_db.
- supported_os: [linux]
- collector: command
- condition: command_exists "xfs_db"
- command: dev=$(df -T /etc | awk '$2 == "xfs" {print $1}') && [ -n "${dev}" ] && linux_dump_ldsopreload.sh
- output_file: etc_ld.so.preload.txt
diff --git a/bin/linux/linux_dump_ldsopreload.sh b/bin/linux/linux_dump_etc_ld_so_preload.sh
old mode 100644
new mode 100755
similarity index 100%
rename from bin/linux/linux_dump_ldsopreload.sh
rename to bin/linux/linux_dump_etc_ld_so_preload.sh
diff --git a/profiles/full.yaml b/profiles/full.yaml
index 49c02a3c..5a517dc0 100644
--- a/profiles/full.yaml
+++ b/profiles/full.yaml
@@ -24,7 +24,7 @@ artifacts:
 - live_response/storage/*
 - live_response/containers/*
 - live_response/vms/*
- - chkrootkit/chkrootkit.yaml
+ - chkrootkit/*
 - hash_executables/hash_executables.yaml
 - files/*
\ No newline at end of file
diff --git a/profiles/offline_ir_triage.yaml b/profiles/offline_ir_triage.yaml
index eba41292..e45c4c11 100644
--- a/profiles/offline_ir_triage.yaml
+++ b/profiles/offline_ir_triage.yaml
@@ -2,7 +2,7 @@ name: offline_ir_triage
 description: Offline incident response triage collection.
 artifacts:
 - bodyfile/bodyfile.yaml
- - chkrootkit/chkrootkit.yaml
+ - chkrootkit/*
 - hash_executables/hash_executables.yaml
 - files/applications/git.yaml
 - files/applications/lesshst.yaml
From b0a6f9774933587b687e5871da45e05a7929bf27 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Sat, 11 Jan 2025 08:53:05 -0300
Subject: [PATCH 14/19] Update hidden_etc_ld_so_preload.yaml
Change script name to linux_dump_etc_ld_so_preload.sh
---
 artifacts/chkrootkit/hidden_etc_ld_so_preload.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/artifacts/chkrootkit/hidden_etc_ld_so_preload.yaml b/artifacts/chkrootkit/hidden_etc_ld_so_preload.yaml
index b0db2e7b..41dbb442 100644
--- a/artifacts/chkrootkit/hidden_etc_ld_so_preload.yaml
+++ b/artifacts/chkrootkit/hidden_etc_ld_so_preload.yaml
@@ -11,18 +11,18 @@ artifacts:
 supported_os: [linux]
 collector: command
 condition: command_exists "debugfs" && df -T %mount_point%/etc | tail -n +2 | awk '{print $2}' | grep -q "ext"
- command: linux_dump_ldsopreload.sh -f %mount_point%/etc/ld.so.preload
+ command: linux_dump_etc_ld_so_preload.sh -f %mount_point%/etc/ld.so.preload
 output_file: etc_ld_so_preload.txt
 -
 description: Dump /etc/ld.so.preload with xfs_db.
 supported_os: [linux]
 collector: command
 condition: command_exists "xfs_db" && df -T %mount_point%/etc | tail -n +2 | awk '{print $2}' | grep -q "xfs"
- command: linux_dump_ldsopreload.sh -f %mount_point%/etc/ld.so.preload
+ command: linux_dump_etc_ld_so_preload.sh -f %mount_point%/etc/ld.so.preload
 output_file: etc_ld_so_preload.txt
 -
 description: Collect file stats for /etc/ld.so.preload even if it is hidden.
 supported_os: [linux]
 collector: stat
 path: /etc/ld.so.preload
- output_file: stat_etc_ld_so_preload.txt
\ No newline at end of file
+ output_file: stat_etc_ld_so_preload.txt
From 036a8f4b71c01c1152d948b893b2c19adb6d3e48 Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Thu, 16 Jan 2025 16:59:46 +0100
Subject: [PATCH 15/19] Create nano.yaml
---
 artifacts/files/applications/nano.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 artifacts/files/applications/nano.yaml
diff --git a/artifacts/files/applications/nano.yaml b/artifacts/files/applications/nano.yaml
new file mode 100644
index 00000000..d49444fe
--- /dev/null
+++ b/artifacts/files/applications/nano.yaml
@@ -0,0 +1,10 @@
+version: 1.0
+artifacts:
+ -
+ description: Collect nano history files.
+ supported_os: [all]
+ collector: file
+ path: /%user_home%
+ name_pattern: [".nano_history"]
+ max_depth: 4
+
From beb5d162a17dca99e990e050273a678b7827b8d2 Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Thu, 16 Jan 2025 17:02:55 +0100
Subject: [PATCH 16/19] Create atftp.yaml
---
 artifacts/files/applications/atftp.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 artifacts/files/applications/atftp.yaml
diff --git a/artifacts/files/applications/atftp.yaml b/artifacts/files/applications/atftp.yaml
new file mode 100644
index 00000000..00b66d46
--- /dev/null
+++ b/artifacts/files/applications/atftp.yaml
@@ -0,0 +1,10 @@
+version: 1.0
+artifacts:
+ -
+ description: Collect atftp history files.
+ supported_os: [all]
+ collector: file
+ path: /%user_home%
+ name_pattern: [".atftp_history"]
+ max_depth: 4
+
From 51774718a0e0320fad063c854efd1b2a404ffd3d Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Mon, 20 Jan 2025 08:46:07 -0300
Subject: [PATCH 17/19] artif: change output_file and add CHANGELOG
---
 CHANGELOG.md | 1 +
 artifacts/live_response/packages/apk.yaml | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c2a620b..92cbd77d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
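Review bot: `name_pattern: [".nano_history"]` only covers a legacy location; if I recall correctly, current nano releases keep their search/replace history under `~/.local/share/nano/search_history` and older ones under `~/.nano/search_history`, so on recent systems this artifact would collect nothing. Worth verifying against the nano versions in scope and, if confirmed, adding a second entry for those paths rather than relying on the single dotfile pattern.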
@@ -18,6 +18,7 @@
 - files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux].
 - files/system/xdg_autostart.yaml: Added collection of system-wide and user-specific XDG autostart files [linux].
 - live_response/packages/0install.yaml: Added collection of the list of installed packages managed by Zero Install package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/packages/apk.yaml: Added collection of the list of installed packages managed by the apk package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/conary.yaml: Added collection of the list of installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
diff --git a/artifacts/live_response/packages/apk.yaml b/artifacts/live_response/packages/apk.yaml
index 02eebbec..eaf055f1 100644
--- a/artifacts/live_response/packages/apk.yaml
+++ b/artifacts/live_response/packages/apk.yaml
@@ -1,4 +1,4 @@
-version: 2.0
+version: 1.0
 condition: command_exists "apk"
 output_directory: /live_response/packages
 artifacts:
@@ -7,4 +7,4 @@ artifacts:
 supported_os: [linux]
 collector: command
 command: apk info -vv
- output_file: apk_query_list.txt
+ output_file: apk_info_-vv.txt
From 84a1ae5c57a7ecb323c90e1576492f5ae00ab3a7 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Mon, 20 Jan 2025 08:50:16 -0300
Subject: [PATCH 18/19] artif: add CHANGELOG
---
 CHANGELOG.md | 1 +
 artifacts/files/applications/nano.yaml | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 92cbd77d..6f7d7696 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 - files/applications/gedit.yaml: Added collection of metadata about recently opened files in Gedit text editor [freebsd, linux, netbsd, openbsd].
 - files/applications/gnome_text_editor.yaml: Added collection of metadata about recently opened files in Gnome Text Editor [freebsd, linux, netbsd, openbsd].
 - files/applications/katesession.yaml: Added colleection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
+- files/applications/nano.yaml: Added collection of nano history file [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/applications/okular.yaml: Added collection of metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd].
 - files/system/gvfs_metadata.yaml: Added collection of data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd].
 - files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
diff --git a/artifacts/files/applications/nano.yaml b/artifacts/files/applications/nano.yaml
index d49444fe..148ed3eb 100644
--- a/artifacts/files/applications/nano.yaml
+++ b/artifacts/files/applications/nano.yaml
@@ -7,4 +7,3 @@ artifacts:
 path: /%user_home%
 name_pattern: [".nano_history"]
 max_depth: 4
-
From 04c6832ded9631fa4acabac845dbf57b03daa03e Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Mon, 20 Jan 2025 08:53:45 -0300
Subject: [PATCH 19/19] artif: add CHANGELOG
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f7d7696..89ce5d85 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 - chkrootkit/hidden_etc_ld_so_preload.yaml: Added collection of hidden /etc/ld.so.preload using debugfs and xfs_db tools [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - files/applications/ark.yaml: Added collection of metadata about recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd].
+- files/applications/atftp.yaml: Added collection of atftp history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/applications/dolphin.yaml: Added collection of session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations [freebsd, linux, netbsd, openbsd].
 - files/applications/dragon_player.yaml: Added collection of paths to recently opened video files using the Dragon Player [freebsd, linux, netbsd, openbsd].
 - files/applications/geany.yaml: Added collection of metadata about recently opened files in Geany text editor [freebsd, linux, netbsd, openbsd].