Closed pr3l14t0r closed 2 years ago
I'll have a look when time permits, CI tests are currently failing on `artifacts.errors.FormatError: Artifact definition: KubernetesLogs found undefined labels: Log.`
Changed the docstrings to match the style guide:
`'/var/log/pods/<namespace>_<pod_name>_<pod_id>/<container_name>/<num>.log'`
Is not going to work, you'll need to make this a glob or add supported placeholders.
Ahoi again! Sorry for my confusion here.
I've now exchanged the paths with values that match the glob pattern and added an additional explanation to the respective docs to explain how the path is structured.
I've also run `run_tests.py` locally and it says OK. :)
Regards, Christoph
@pr3l14t0r thx for the proposed changes, I'll have a more detailed look later (when time is more favorable)
Merging #444 (fd0115c) into main (f99cd72) will not change coverage. The diff coverage is n/a.
@@ Coverage Diff @@
## main #444 +/- ##
=======================================
Coverage 91.92% 91.92%
=======================================
Files 7 7
Lines 446 446
=======================================
Hits 410 410
Misses 36 36
Impacted Files | Coverage Δ | |
---|---|---|
artifacts/definitions.py | 100.00% <ø> (ø) |
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Heyho together! I am currently finalizing my master's thesis about Kubernetes Forensics, where one objective is the identification and description of forensic artifacts related to Kubernetes. To identify them, I have used a method of automated differential analysis between two states, mainly working with Pod resources. That allows tracing changes on a node's file system level so that characteristic file changes can be identified and analyzed. To bring my results into a usable and understandable format, I have chosen to follow your formatting guidelines so that the results can be contributed to the repo.
I hope that I understood the guidelines correctly and did not mess up completely ... :D
To mark the purpose/type of a placeholder in paths I have decided to use the following style:
`attributes: {paths: ['/var/log/pods/<namespace>_<pod_name>_<pod_id>/<container_name>/<num>.log']}`
If `%%` signs should be used instead I can just exchange the characters. Looking forward to your feedback! :)
Kind regards, Christoph
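
The review remark in this thread (angle-bracket tokens will not work, the path has to be a glob) can be checked mechanically. The following is an added example, not code from this pull request or from the ForensicArtifacts project: it turns the template from the description into a glob, and into a regex that recovers the fields from a collected log path. The helper names, the sample paths and the rule that no field contains `/` or `_` are assumptions.

```python
import fnmatch
import re

# Template exactly as written in the pull request description.
TEMPLATE = "/var/log/pods/<namespace>_<pod_name>_<pod_id>/<container_name>/<num>.log"
TOKEN = re.compile(r"<([a-z_]+)>")

def angle_tokens(path):
    """Names of the <token> markers still present (empty list: plain glob)."""
    return TOKEN.findall(path)

def to_glob(path):
    """Replace every <token> with '*' so no ad hoc placeholder remains."""
    return TOKEN.sub("*", path)

def glob_match(pattern, candidate):
    """Match segment by segment so '*' never crosses a '/' boundary."""
    pat, cand = pattern.split("/"), candidate.split("/")
    return len(pat) == len(cand) and all(
        fnmatch.fnmatchcase(c, p) for p, c in zip(pat, cand))

def to_regex(template):
    """One named group per <token>. Assumption: fields contain no '/' or '_'."""
    parts, pos = [], 0
    for m in TOKEN.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append("(?P<%s>[^/_]+)" % m.group(1))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")

def parse(path, template=TEMPLATE):
    """Return the path's fields as a dict, or None if it does not fit."""
    m = to_regex(template).match(path)
    return m.groupdict() if m else None

# Constructed sample paths (not taken from a real node).
SAMPLES = [
    "/var/log/pods/default_web-7c5d_0a1b2c3d-1111-2222-3333-444455556666/nginx/0.log",
    "/var/log/pods/kube-system_dns-abc_9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff/coredns/3.log",
    "/var/log/pods/default_web-7c5d/nginx/0.log",   # malformed: no pod id
    "/var/log/containers/web.log",                  # different directory
]

if __name__ == "__main__":
    glob = to_glob(TEMPLATE)
    print("glob:", glob)
    for s in SAMPLES:
        print(glob_match(glob, s), parse(s))
```
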