Added validator check for Mac OS private paths ForensicArtifacts#309

joachimmetz · Mar 1, 2019 · bff5012 · bff5012
1 parent 80dda50
commit bff5012
Show file tree

Hide file tree

Showing 2 changed files with 134 additions and 52 deletions.
diff --git a/data/config_files.yaml b/data/config_files.yaml
@@ -3,16 +3,30 @@
 name: NfsExportsFile
 doc: NFS Exports configuration
 sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/etc/exports'
+    - '/private/etc/exports'
+  supported_os: [Darwin]
 - type: FILE
   attributes: {paths: ['/etc/exports']}
+  supported_os: [Linux]
 labels: [Configuration Files]
 supported_os: [Linux, Darwin]
 ---
 name: SshdConfigFile
 doc: Sshd configuration
 sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/etc/ssh/sshd_config'
+    - '/private/etc/ssh/sshd_config'
+  supported_os: [Darwin]
 - type: FILE
   attributes: {paths: ['/etc/ssh/sshd_config']}
+  supported_os: [Linux]
 labels: [Configuration Files]
 supported_os: [Linux, Darwin]
 ---

diff --git a/data/unix_common.yaml b/data/unix_common.yaml
@@ -6,9 +6,9 @@ sources:
 - type: ARTIFACT_GROUP
   attributes:
     names:
-      - GlobalShellConfigs
-      - UsersShellConfigs
-      - RootUserShellConfigs
+    - GlobalShellConfigs
+    - UsersShellConfigs
+    - RootUserShellConfigs
 labels: [Configuration Files]
 supported_os: [Linux, Darwin]
 ---
@@ -18,8 +18,8 @@ sources:
 - type: ARTIFACT_GROUP
   attributes:
     names:
-      - UsersShellHistory
-      - RootUserShellHistory
+    - UsersShellHistory
+    - RootUserShellHistory
 labels: [History Files]
 supported_os: [Linux, Darwin]
 ---
@@ -29,20 +29,53 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '/etc/bashrc'
-      - '/etc/bash.bashrc'
-      - '/etc/kshrc'
-      - '/etc/csh.cshrc'
-      - '/etc/csh.login'
-      - '/etc/csh.logout'
-      - '/etc/profile'
-      - '/etc/zsh/zlogin'
-      - '/etc/zsh/zlogout'
-      - '/etc/zsh/zprofile'
-      - '/etc/zsh/zshenv'
-      - '/etc/zsh/zshrc'
-      - '/etc/zshenv'
-      - '/etc/zshrc'
+    - '/etc/bash.bashrc'
+    - '/etc/bashrc'
+    - '/etc/csh.cshrc'
+    - '/etc/csh.login'
+    - '/etc/csh.logout'
+    - '/etc/kshrc'
+    - '/etc/profile'
+    - '/etc/zshenv'
+    - '/etc/zshrc'
+    - '/etc/zsh/zlogin'
+    - '/etc/zsh/zlogout'
+    - '/etc/zsh/zprofile'
+    - '/etc/zsh/zshenv'
+    - '/etc/zsh/zshrc'
+    - '/private/etc/bash.bashrc'
+    - '/private/etc/bashrc'
+    - '/private/etc/csh.cshrc'
+    - '/private/etc/csh.login'
+    - '/private/etc/csh.logout'
+    - '/private/etc/kshrc'
+    - '/private/etc/profile'
+    - '/private/etc/zshenv'
+    - '/private/etc/zshrc'
+    - '/private/etc/zsh/zlogin'
+    - '/private/etc/zsh/zlogout'
+    - '/private/etc/zsh/zprofile'
+    - '/private/etc/zsh/zshenv'
+    - '/private/etc/zsh/zshrc'
+  supported_os: [Darwin]
+- type: FILE
+  attributes:
+    paths:
+    - '/etc/bash.bashrc'
+    - '/etc/bashrc'
+    - '/etc/csh.cshrc'
+    - '/etc/csh.login'
+    - '/etc/csh.logout'
+    - '/etc/kshrc'
+    - '/etc/profile'
+    - '/etc/zshenv'
+    - '/etc/zshrc'
+    - '/etc/zsh/zlogin'
+    - '/etc/zsh/zlogout'
+    - '/etc/zsh/zprofile'
+    - '/etc/zsh/zshenv'
+    - '/etc/zsh/zshrc'
+  supported_os: [Linux]
 labels: [Configuration Files]
 supported_os: [Linux, Darwin]
 ---
@@ -52,17 +85,17 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '/root/.bashrc'
-      - '/root/.bash_profile'
-      - '/root/.bash_logout'
-      - '/root/.cshrc'
-      - '/root/.ksh'
-      - '/root/.logout'
-      - '/root/.profile'
-      - '/root/.tcsh'
-      - '/root/.zlogin'
-      - '/root/.zlogout'
-      - '/root/.zprofile'
+    - '/root/.bash_logout'
+    - '/root/.bash_profile'
+    - '/root/.bashrc'
+    - '/root/.cshrc'
+    - '/root/.ksh'
+    - '/root/.logout'
+    - '/root/.profile'
+    - '/root/.tcsh'
+    - '/root/.zlogin'
+    - '/root/.zlogout'
+    - '/root/.zprofile'
 labels: [Configuration Files]
 supported_os: [Linux, Darwin]
 ---
@@ -72,50 +105,85 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '/root/.bash_history'
-      - '/root/.sh_history'
-      - '/root/.zhistory'
-      - '/root/.zsh_history'
+    - '/root/.bash_history'
+    - '/root/.sh_history'
+    - '/root/.zhistory'
+    - '/root/.zsh_history'
 labels: [History Files]
 supported_os: [Linux, Darwin]
 ---
 name: UnixGroups
 doc: Unix groups file.
 sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/etc/group'
+    - '/private/etc/group'
+  supported_os: [Darwin]
 - type: FILE
   attributes: {paths: ['/etc/group']}
+  supported_os: [Linux]
 labels: [Authentication]
 supported_os: [Linux, Darwin]
 ---
 name: UnixHostsFile
 doc: Unix hosts file
 sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/etc/hosts'
+    - '/private/etc/hosts'
+  supported_os: [Darwin]
 - type: FILE
   attributes: {paths: ['/etc/hosts']}
+  supported_os: [Linux]
 labels: [Configuration Files]
 supported_os: [Linux, Darwin]
 ---
 name: UnixPasswd
 doc: Unix /etc/passwd file.
 sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/etc/passwd'
+    - '/private/etc/passwd'
+  supported_os: [Darwin]
 - type: FILE
   attributes: {paths: ['/etc/passwd']}
+  supported_os: [Linux]
 labels: [Authentication]
 supported_os: [Linux, Darwin]
 ---
 name: UnixShadowFile
 doc: Unix /etc/shadow file.
 sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/etc/shadow'
+    - '/private/etc/shadow'
+  supported_os: [Darwin]
 - type: FILE
   attributes: {paths: ['/etc/shadow']}
+  supported_os: [Linux]
 labels: [Authentication]
 supported_os: [Linux, Darwin]
 ---
 name: UnixSudoersConfiguration
 doc: Unix sudoers configuration.
 sources:
+- type: FILE
+  attributes:
+    paths:
+    - '/etc/sudoers'
+    - '/private/etc/sudoers'
+  supported_os: [Darwin]
 - type: FILE
   attributes: {paths: ['/etc/sudoers']}
+  supported_os: [Linux]
 labels: [Authentication, Configuration Files]
 supported_os: [Linux, Darwin]
 ---
@@ -125,9 +193,9 @@ sources:
 - type: ARTIFACT_GROUP
   attributes:
     names:
-      - 'UnixPasswd'
-      - 'UnixShadowFile'
-      - 'UnixGroups'
+    - 'UnixPasswd'
+    - 'UnixShadowFile'
+    - 'UnixGroups'
 labels: [Authentication]
 supported_os: [Linux, Darwin]
 ---
@@ -137,17 +205,17 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%users.homedir%%/.bashrc'
-      - '%%users.homedir%%/.bash_profile'
-      - '%%users.homedir%%/.bash_logout'
-      - '%%users.homedir%%/.cshrc'
-      - '%%users.homedir%%/.ksh'
-      - '%%users.homedir%%/.logout'
-      - '%%users.homedir%%/.profile'
-      - '%%users.homedir%%/.tcsh'
-      - '%%users.homedir%%/.zlogin'
-      - '%%users.homedir%%/.zlogout'
-      - '%%users.homedir%%/.zprofile'
+    - '%%users.homedir%%/.bash_logout'
+    - '%%users.homedir%%/.bash_profile'
+    - '%%users.homedir%%/.bashrc'
+    - '%%users.homedir%%/.cshrc'
+    - '%%users.homedir%%/.ksh'
+    - '%%users.homedir%%/.logout'
+    - '%%users.homedir%%/.profile'
+    - '%%users.homedir%%/.tcsh'
+    - '%%users.homedir%%/.zlogin'
+    - '%%users.homedir%%/.zlogout'
+    - '%%users.homedir%%/.zprofile'
 labels: [Configuration Files]
 supported_os: [Linux, Darwin]
 ---
@@ -157,9 +225,9 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%users.homedir%%/.bash_history'
-      - '%%users.homedir%%/.sh_history'
-      - '%%users.homedir%%/.zhistory'
-      - '%%users.homedir%%/.zsh_history'
+    - '%%users.homedir%%/.bash_history'
+    - '%%users.homedir%%/.sh_history'
+    - '%%users.homedir%%/.zhistory'
+    - '%%users.homedir%%/.zsh_history'
 labels: [History Files]
 supported_os: [Linux, Darwin]