-
Notifications
You must be signed in to change notification settings - Fork 129
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #172 from tclahr/release/2.7.0
Release/2.7.0
- Loading branch information
Showing
18 changed files
with
390 additions
and
57 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,42 +1,22 @@ | ||
| # Changelog | ||
|
|
||
| ## 2.6.0 (2023-05-31) | ||
| ## 2.7.0 (2023-09-20) | ||
|
|
||
| ### Artifacts | ||
|
|
||
| - live_response/containers/lxc.yaml: Added the collection of information about all active and inactive Linux containers and virtual machines (LXD), including their configuration, network, and storage information [linux]. | ||
| - live_response/containers/pct.yaml: Added the collection of information about all active and inactive Linux containers (LXC) running on Proxmox VE [linux]. | ||
| - live_response/containers/pct.yaml: Added the collection of the current configuration of Linux containers (LXC) running on Proxmox VE [linux]. | ||
| - live_response/containers/pct.yaml: Added the collection of the list of assigned CPU sets for each Linux container (LXC) running on Proxmox VE [linux]. | ||
| - live_response/process/deleted.yaml: Added the collection of files being hidden in a memfd socket [linux]. | ||
| - live_response/storage/arcstat.yaml: Added the collection of ZFS ARC and L2ARC statistics [freebsd, linux, netbsd, openbsd, solaris]. | ||
| - live_response/storage/findmnt.yaml: Added the collection of all mounted filesystems in the tree-like format [linux]. | ||
| - live_response/storage/iostat.yaml: Updated the collection of device I/O statistics [aix, freebsd, linux, openbsd, solaris]. | ||
| - live_response/storage/iscsiadm.yaml: Added the collection of information about iSCSI connected devices [linux]. | ||
| - live_response/storage/ls_dev_disk.yaml: Added the collection of the mapping of logical volumes with physical disks [linux]. | ||
| - live_response/storage/pvesm.yaml: Added the collection of status for all Proxmox VE datastores [linux]. | ||
| - live_response/system/ha-manager.yaml: Added the collection of information about Proxmox VE HA manager status [linux]. | ||
| - live_response/system/hidden_directories.yaml: Updated max_depth value to 6 [all]. | ||
| - live_response/system/hidden_files.yaml: Updated max_depth value to 6 [all]. | ||
| - live_response/system/kernel_tainted_state.yaml: Added the collection of the kernel tainted state [linux]. | ||
| - live_response/system/kernel_tainted_state.yaml: Added the collection of the list of what modules are marked at tainting the kernel [linux]. | ||
| - live_response/system/pvecm.yaml: Added the collection of information about Proxmox VE local view of the cluster nodes [linux]. | ||
| - live_response/system/pvecm.yaml: Added the collection of information about Proxmox VE local view of the cluster status [linux]. | ||
| - live_response/system/pvesubscription.yaml: Added the collection of Proxmox VM subscription information [linux]. | ||
| - live_response/system/pveum.yaml: Added the collection of Proxmox VE users and groups list [linux]. | ||
| - live_response/system/pveversion.yaml: Added the collection of version information for Proxmox VE packages [linux]. | ||
| - live_response/system/sgid.yaml: Updated max_depth value to 6 [all]. | ||
| - live_response/system/socket_files.yaml: Updated max_depth value to 6 [all]. | ||
| - live_response/system/suid.yaml: Updated max_depth value to 6 [all]. | ||
| - live_response/system/world_writable_directories.yaml: Updated max_depth value to 6 [all]. | ||
| - live_response/system/world_writable_files.yaml: Updated max_depth value to 6 [all]. | ||
| - live_response/vms/qm.yaml: Added the collection of information about all active and inactive virtual machines running on Proxmox VE [linux]. | ||
| - live_response/vms/qm.yaml: Added the collection of the current configuration of virtual machines running on Proxmox VE [linux]. | ||
|
|
||
| ### Artifacts File | ||
|
|
||
| - 'loop_command' property was renamed to 'foreach'. Don't forget to update your custom artifacts files as 'loop_command' property name will be removed in the next release. | ||
| - files/applications/findmy.yaml: Added the collection of the list of user's items/devices and items/devices info registered within the Find My application [macos]. | ||
| - files/applications/rclone.yaml: Added the collection of rclone application configuration and log files [freebsd, linux, macos, netbsd, openbsd, solaris]. | ||
| - files/applications/rustdesk.yaml: Added the collection of RustDesk application access logs and screen recording files [linux, macos]. | ||
| - files/applications/splashtop.yaml: Added the collection of Splashtop application artifacts [linux, macos]. | ||
| - files/applications/steam.yaml: Added the collection of Steam browser artifacts, avatar pictures, configuration and log files [linux, macos]. | ||
| - files/applications/teamviewer.yaml: Added the collection of TeamViewer application artifacts [linux, macos]. | ||
| - files/applications/thinlinc.yaml: Added the collection of ThinLinc application configuration files, connections and post-session logs [linux, macos]. | ||
| - files/package/installed_applications: Added the collection of Info.plist from installed applications [macos]. | ||
| - files/system/netscaler.yaml: Added the collection of '/var/vpn', '/var/netscaler/logon', and '/netscaler/ns_gui' system files and directories [netscaler]. | ||
| - files/system/nsconfig.yaml: Deprecated. All artifacts were moved to 'files/system/netscaler.yaml' [netscaler]. | ||
| - live_response/storage/mdadm.yaml: Added the collection of information on Linux software RAID [linux]. | ||
| - live_response/storage/zpool.yaml: Added the collection of the command history of all pools [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]. | ||
|
|
||
| ### Tools | ||
|
|
||
| - AVML updated to v0.11.2. | ||
| - AVML updated to v0.12.0. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| version: 1.0 | ||
| artifacts: | ||
| - | ||
| description: Collect configuration and log files. | ||
| supported_os: [freebsd, linux, macos, netbsd, openbsd, solaris] | ||
| collector: file | ||
| path: /%user_home%/.config/rclone | ||
| exclude_nologin_users: true | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| version: 1.0 | ||
| artifacts: | ||
| - | ||
| description: Collect access logs. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/logs/RustDesk | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect session recording files. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/Videos/RustDesk | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect access logs. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/Logs/RustDesk | ||
| exclude_nologin_users: true | ||
|
|
||
| # References: | ||
| # https://github.com/rustdesk/rustdesk/wiki/FAQ#access-logs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| version: 1.0 | ||
| artifacts: | ||
| - | ||
| description: Collect log files. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /opt/splashtop*/log | ||
| - | ||
| description: Collect config files. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /opt/splashtop*/config | ||
| - | ||
| description: Collect log files. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/"Application Support"/Splashtop*/Logs | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect STServerList file. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/"Application Support"/Splashtop*/STServerList | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect log files. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /Library/"Application Support"/Splashtop*/Logs | ||
| - | ||
| description: Collect diagnostic report files. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /Library/Logs/DiagnosticReports/Splashtop* | ||
| ignore_date_range: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| version: 1.0 | ||
| artifacts: | ||
| - | ||
| description: Collect image resources of installed/uninstalled games. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/Steam/appcache/librarycache | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect multiple configuration files. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/Steam | ||
| name_pattern: ["*.vdf"] | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect multiple configuration files. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.steam | ||
| name_pattern: ["*.vdf"] | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect avatar pictures. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/Steam/config/avatarcache | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect game icons. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/Steam/steam/games | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect log files. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/Steam/logs | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect Steam browser files. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/Steam/config/htmlcache | ||
| name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"] | ||
| ignore_date_range: true | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect Steam browser directories. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/Steam/config/htmlcache | ||
| name_pattern: ["Extensions", "File System", "Sessions"] | ||
| file_type: d | ||
| ignore_date_range: true | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect image resources of installed/uninstalled games. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/"Application Support"/Steam/appcache/librarycache | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect multiple configuration files. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/"Application Support"/Steam | ||
| name_pattern: ["*.vdf"] | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect avatar pictures. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/"Application Support"/Steam/config/avatarcache | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect game icons. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/"Application Support"/Steam/steam/games | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect log files. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/"Application Support"/Steam/logs | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect Steam browser files. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/"Application Support"/Steam/config/htmlcache | ||
| name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"] | ||
| ignore_date_range: true | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect Steam browser directories. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/"Application Support"/Steam/config/htmlcache | ||
| name_pattern: ["Extensions", "File System", "Sessions"] | ||
| file_type: d | ||
| ignore_date_range: true | ||
| exclude_nologin_users: true | ||
|
|
||
| # References: | ||
| # https://www.forensicxlab.com/posts/steam/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| version: 1.0 | ||
| artifacts: | ||
| - | ||
| description: Collect network and connections logs. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /var/log/teamviewer* | ||
| name_pattern: ["Connections_incoming.txt", "install_teamviewerd.log", "signaturekey.log", "TeamViewer*_Logfile.log", "TV*Install.log", "TV*Network.log"] | ||
| - | ||
| description: Collect log files from user's home directory. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/teamviewer*/logfiles | ||
| name_pattern: ["*.log"] | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect sqlite3 database storing cache about TeamViewer chat. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/teamviewer* | ||
| name_pattern: ["tvchatfilecache.db*"] | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect sqlite3 database storing TeamViewer print jobs. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /%user_home%/.local/share/teamviewer* | ||
| name_pattern: ["tvprint.db*"] | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect network and connections logs. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/Logs/TeamViewer | ||
| name_pattern: ["Connections_incoming.txt", "install_teamviewerd.log", "signaturekey.log", "TeamViewer*_Logfile.log", "TV*Install.log", "TV*Network.log"] | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect sqlite3 database storing cache about TeamViewer chat. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/Caches/TeamViewer | ||
| name_pattern: ["tvchatfilecache.db*"] | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect sqlite3 database storing TeamViewer print jobs. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/Caches/TeamViewer | ||
| name_pattern: ["tvprint.db*"] | ||
| exclude_nologin_users: true | ||
|
|
||
| # References: | ||
| # https://community.teamviewer.com/English/kb/articles/4694-find-your-log-files | ||
| # https://www.synacktiv.com/en/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| version: 1.0 | ||
| artifacts: | ||
| - | ||
| description: Collect client logs and configuration files. | ||
| supported_os: [linux, macos] | ||
| collector: file | ||
| path: /%user_home%/.thinlinc | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect VSM server, agent and Web Administration Interface logs. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /var/log | ||
| name_pattern: ["tlwebaccess.log", "tlwebadm.log", "vsmagent.log", "vsmserver.log"] | ||
| - | ||
| description: Collect server configuration files. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /opt/thinlinc/etc | ||
| - | ||
| description: Collect server per-session logs. | ||
| supported_os: [linux] | ||
| collector: file | ||
| path: /var/opt/thinlinc/sessions | ||
|
|
||
| # References: | ||
| # https://www.cendio.com/resources/docs/tag/client_logfile_placement.html | ||
| # https://www.cendio.com/resources/docs/tag/config_logging.html |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| version: 2.0 | ||
| artifacts: | ||
| - | ||
| description: Collect InstallHistory.plist file. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /Library/Receipts/InstallHistory.plist | ||
| ignore_date_range: true | ||
| - | ||
| description: Collect Info.plist from installed applications. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /Applications | ||
| path_pattern: ["*/Contents/Info.plist"] | ||
| - | ||
| description: Collect Info.plist from installed applications. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /Library | ||
| path_pattern: ["*/Contents/Info.plist"] | ||
| - | ||
| description: Collect Info.plist from installed applications. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Applications | ||
| path_pattern: ["*/Contents/Info.plist"] | ||
| exclude_nologin_users: true | ||
| - | ||
| description: Collect Info.plist from installed applications. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library | ||
| path_pattern: ["*/Contents/Info.plist"] | ||
| exclude_nologin_users: true | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| version: 1.0 | ||
| artifacts: | ||
| - | ||
| description: Collect the list of user's items/devices and items/devices info registered within the Find My application. | ||
| supported_os: [macos] | ||
| collector: file | ||
| path: /%user_home%/Library/Caches/com.apple.findmy.* | ||
| name_pattern: ["Devices.data"] | ||
| ignore_date_range: true | ||
| exclude_nologin_users: true | ||
|
|
Oops, something went wrong.