Merged with HEAD and updates.

ForensicArtifacts · May 13, 2017 · 2b04ddd · 2b04ddd
1 parent 8a4cda1
commit 2b04ddd
Show file tree

Hide file tree

Showing 20 changed files with 624 additions and 19 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -0,0 +1,5 @@
+language: python
+python:
+  - "2.7"
+install: pip install -r requirements.txt
+script: nosetests -v
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-## ForensicArtifacts.com Artifact Repository
+## ForensicArtifacts.com Artifact Repository [![Build Status](https://travis-ci.org/ForensicArtifacts/artifacts.svg?branch=master)](https://travis-ci.org/ForensicArtifacts/artifacts)
 
 A free, community-sourced, machine-readable knowledge base of forensic artifacts
 that the world can use both as an information source and within other tools.
@@ -61,7 +61,7 @@ Please send us your contribution! See [the developers guide](https://github.com/
 
 ## External links
 * [ForensicsArtifacts.com ... the definitive database](http://forensicartifacts.com/)
-* [GRR Artifacts](https://www.blackhat.com/docs/us-14/materials/us-14-Castle-GRR-Find-All-The-Badness-Collect-All-The-Things-WP.pdf), by Greg Castle, Blackhat 2014 
+* [GRR Artifacts](https://www.blackhat.com/docs/us-14/materials/us-14-Castle-GRR-Find-All-The-Badness-Collect-All-The-Things-WP.pdf), by Greg Castle, Blackhat 2014
 
 ## Contact
 

diff --git a/artifacts/__init__.py b/artifacts/__init__.py
@@ -1,4 +1,3 @@
-#!/usr/bin/python
 # -*- coding: utf-8 -*-
 
-__version__ = '20141119'
+__version__ = '20150329'
diff --git a/artifacts/artifact.py b/artifacts/artifact.py
@@ -1,4 +1,3 @@
-#!/usr/bin/python
 # -*- coding: utf-8 -*-
 """The reader objects."""
 
@@ -67,6 +66,9 @@ def AppendSource(self, type_indicator, attributes):
     if type_indicator == definitions.TYPE_INDICATOR_ARTIFACT:
       source_type_class = source_type.ArtifactSourceType
 
+    elif type_indicator == definitions.TYPE_INDICATOR_COMMAND:
+      source_type_class = source_type.CommandSourceType
+
     elif type_indicator == definitions.TYPE_INDICATOR_FILE:
       source_type_class = source_type.FileSourceType
 

diff --git a/artifacts/definitions.py b/artifacts/definitions.py
@@ -1,9 +1,9 @@
-#!/usr/bin/python
 # -*- coding: utf-8 -*-
 """Constants and definitions."""
 
 # The type indictor constants.
 TYPE_INDICATOR_ARTIFACT = 'ARTIFACT'
+TYPE_INDICATOR_COMMAND = 'COMMAND'
 TYPE_INDICATOR_ENVIRONMENT = 'ENVIRONMENT'
 TYPE_INDICATOR_FILE = 'FILE'
 TYPE_INDICATOR_PATH = 'PATH'

diff --git a/artifacts/errors.py b/artifacts/errors.py
@@ -1,4 +1,3 @@
-#!/usr/bin/python
 # -*- coding: utf-8 -*-
 """The error objects."""
 

diff --git a/artifacts/reader.py b/artifacts/reader.py
@@ -1,4 +1,3 @@
-#!/usr/bin/python
 # -*- coding: utf-8 -*-
 """The artifact reader objects."""
 
@@ -70,8 +69,13 @@ def _ReadArtifactDefinition(self, yaml_definition):
             u'Invalid artifact definition: {0:s} source type.'.format(name))
 
       attributes = source.get('attributes', None)
-      source_type = artifact_definition.AppendSource(
-          type_indicator, attributes)
+      try:
+        source_type = artifact_definition.AppendSource(
+            type_indicator, attributes)
+      except errors.FormatError as exception:
+        raise errors.FormatError(
+            u'Invalid artifact definition: {0:s}. {1:s}'.format(
+                name, exception))
 
       # TODO: deprecate these left overs from the collector definition.
       if source_type:

diff --git a/artifacts/reader_test.py b/artifacts/reader_test.py
@@ -22,7 +22,7 @@ def testRead(self):
     with open(test_file, 'rb') as file_object:
       artifact_definitions = list(artifact_reader.Read(file_object))
 
-    self.assertEqual(len(artifact_definitions), 5)
+    self.assertEqual(len(artifact_definitions), 7)
 
     # Artifact with file source type.
     artifact_definition = artifact_definitions[0]
@@ -122,6 +122,16 @@ def testRead(self):
     self.assertEqual(
         source_type.type_indicator, definitions.TYPE_INDICATOR_ARTIFACT)
 
+    # Artifact with command definition source type.
+    artifact_definition = artifact_definitions[5]
+    self.assertEqual(artifact_definition.name, 'RedhatPackagesList')
+
+    self.assertEqual(len(artifact_definition.sources), 1)
+    source_type = artifact_definition.sources[0]
+    self.assertNotEqual(source_type, None)
+    self.assertEqual(
+        source_type.type_indicator, definitions.TYPE_INDICATOR_COMMAND)
+
   def testBadSupportedOS(self):
     """Tests supported_os is checked correctly."""
     artifact_reader = reader.YamlArtifactsReader()

diff --git a/artifacts/registry.py b/artifacts/registry.py
@@ -1,4 +1,3 @@
-#!/usr/bin/python
 # -*- coding: utf-8 -*-
 """The artifact definitions registry."""
 

diff --git a/artifacts/registry_test.py b/artifacts/registry_test.py
@@ -43,7 +43,7 @@ def testArtifactDefinitionsRegistry(self):
     for artifact_definition in artifact_registry.GetDefinitions():
       artifact_definitions.append(artifact_definition)
 
-    self.assertEqual(len(artifact_definitions), 4)
+    self.assertEqual(len(artifact_definitions), 6)
 
     test_artifact_definition = artifact_registry.GetDefinitionByName(
         'SecurityEventLogEvtx')

diff --git a/artifacts/source_type.py b/artifacts/source_type.py
@@ -1,4 +1,3 @@
-#!/usr/bin/python
 # -*- coding: utf-8 -*-
 """The source type objects.
 
@@ -107,6 +106,29 @@ def __init__(self, paths=None, separator=u'/', **kwargs):
     self.separator = separator
 
 
+class CommandSourceType(SourceType):
+  """Class that implements the command source type."""
+
+  TYPE_INDICATOR = definitions.TYPE_INDICATOR_COMMAND
+
+  def __init__(self, args=None, cmd=None, **kwargs):
+    """Initializes the source type object.
+
+    Args:
+      args: list of strings that will be passed as arguments to the command.
+      cmd: string representing the command to run.
+
+    Raises:
+      FormatError: when args or cmd is not set.
+    """
+    if args is None or cmd is None:
+      raise errors.FormatError(u'Missing args or cmd value.')
+
+    super(CommandSourceType, self).__init__(**kwargs)
+    self.args = args
+    self.cmd = cmd
+
+
 class PathSourceType(SourceType):
   """Class that implements the path source type."""
 

diff --git a/definitions/config_files.yaml b/definitions/config_files.yaml
@@ -7,3 +7,13 @@ sources:
   attributes: {paths: ['/etc/ssh/sshd_config']}
 labels: [Configuration Files]
 supported_os: [Linux]
+---
+name: NfsExportsFile
+doc: NFS Exports configuration
+sources:
+- type: FILE
+  attributes:
+    paths:
+      - '/etc/exports'
+labels: [Configuration Files]
+supported_os: [Linux, Darwin]
diff --git a/definitions/darwin.yaml b/definitions/darwin.yaml
@@ -4,7 +4,11 @@ name: OSXLaunchAgents
 doc: Mac OS X Launch Agent files.
 sources:
 - type: FILE
-  attributes: {paths: ['/System/Library/LaunchAgents/*']}
+  attributes:
+    paths:
+      - '/Library/LaunchAgents/*'
+      - '/System/Library/LaunchAgents/*'
+      - '%%users.homedir%%/Library/LaunchAgents/*'
 labels: [System]
 supported_os: [Darwin]
 urls: ['http://www.forensicswiki.org/wiki/Mac_OS_X']
@@ -17,6 +21,7 @@ sources:
     paths:
       - '/Library/LaunchDaemons/*'
       - '/System/Library/LaunchDaemons/*'
+      - '%%users.homedir%%/Library/LaunchDaemons/*'
 labels: [System]
 supported_os: [Darwin]
 urls: ['http://www.forensicswiki.org/wiki/Mac_OS_X']
@@ -76,3 +81,73 @@ sources:
   attributes: {paths: ['%%users.homedir%%/Library/Preferences/*']}
 labels: [Users]
 supported_os: [Darwin]
+---
+name: OSXUserLoginItems
+doc: Mac OS X user login items.
+sources:
+- type: FILE
+  attributes: {paths: ['%%users.homedir%%/Library/Preferences/com.apple.loginitems.plist']}
+labels: [Users]
+supported_os: [Darwin]
+---
+name: OSXPeriodicSystemFunctions
+doc: Mac OS X periodic system functions scripts and configuration.
+sources:
+- type: FILE
+  attributes:
+    paths:
+      - '/etc/defaults/periodic.conf'
+      - '/etc/periodic.conf'
+      - '/etc/periodic.conf.local'
+      - '/etc/periodic/**2'
+      - '/usr/local/etc/periodic/**2'
+      - '/etc/daily.local/*'
+      - '/etc/weekly.local/*'
+      - '/etc/monthly.local/*'
+labels: [System]
+supported_os: [Darwin]
+urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/periodic.8.html#//apple_ref/doc/man/8/periodic']
+---
+name: OSXAtJobs
+doc: Mac OS X at jobs.
+sources:
+- type: FILE
+  attributes:
+    paths:
+      - '/usr/lib/cron/jobs/*'
+labels: [System]
+supported_os: [Darwin]
+urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/at.1.html#//apple_ref/doc/man/1/at']
+---
+name: OSXCronTabs
+doc: Mac OS X cron tabs.
+sources:
+- type: FILE
+  attributes:
+    paths:
+      - '/etc/crontab'
+      - '/usr/lib/cron/tabs/*'
+labels: [System]
+supported_os: [Darwin]
+urls: ['https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/crontab.5.html#//apple_ref/doc/man/5/crontab']
+---
+name: OSXKexts
+doc: Mac OS X Kernel Extentions.
+sources:
+- type: FILE
+  attributes:
+    paths:
+      - '/System/Library/Extensions/*'
+      - '/Library/Extensions/*'
+labels: [System]
+supported_os: [Darwin]
+---
+name: OSXLoadedKexts
+doc: Mac OS X Loaded Kernel Extensions.
+sources:
+- type: COMMAND
+  attributes:
+    args: []
+    cmd: /usr/sbin/kextstat
+labels: [System]
+supported_os: [Darwin]
diff --git a/definitions/linux.yaml b/definitions/linux.yaml
@@ -1,17 +1,42 @@
 # Linux specific artifacts.
 
-name: SystemCronFiles
-doc: System-wide cron files.
+name: AnacronFiles
+doc: Anacron files.
 sources:
 - type: FILE
   attributes:
     paths:
-      - '/etc/crontab'
+      - '/etc/anacrontab'
       - '/etc/cron.daily'
       - '/etc/cron.hourly'
       - '/etc/cron.monthly'
       - '/etc/cron.weekly'
+      - '/var/spool/anacron/cron.daily'
+      - '/var/spool/anacron/cron.hourly'
+      - '/var/spool/anacron/cron.monthly'
+      - '/var/spool/anacron/cron.weekly'
+labels: [Configuration Files]
+supported_os: [Linux]
+---
+name: LinuxCronTabs
+doc: Crontab files.
+sources:
+- type: FILE
+  attributes:
+    paths:
+      - '/etc/crontab'
       - '/etc/cron.d/*'
+      - '/var/spool/cron/*'
+labels: [Configuration Files]
+supported_os: [Linux]
+---
+name: LinuxAtJobs
+doc: Linux at jobs.
+sources:
+- type: FILE
+  attributes:
+    paths:
+      - '/var/spool/at/*'
 labels: [Configuration Files]
 supported_os: [Linux]
 ---
@@ -162,3 +187,35 @@ sources:
 labels: [Users, Logs]
 urls: ['http://forensicswiki.org/wiki/Zeitgeist']
 supported_os: [Linux]
+---
+name: KernelModules
+doc: Kernel modules to be loaded on boot.
+sources:
+- type: FILE
+  attributes:
+    paths:
+      - '/etc/modules.conf'
+      - '/etc/modprobe.d/*'
+supported_os: [Linux]
+---
+name: LoadedKernelModules
+doc: Linux output of lsmod.
+sources:
+- type: COMMAND
+  attributes:
+    args: []
+    cmd: /sbin/lsmod
+supported_os: [Linux]
+---
+name: LinuxLSBInit
+doc: Linux LSB-style init scripts.
+sources:
+- type: FILE
+  attributes:
+    paths:
+      - '/etc/init.d/*'
+      - '/etc/insserv.conf'
+      - '/etc/insserv.conf.d/**'
+labels: [Configuration Files, System]
+supported_os: [Linux]
+urls: ['https://wiki.debian.org/LSBInitScripts']