tclahr / uac

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
https://tclahr.github.io/uac-docs
Apache License 2.0

Updated to collect dpkg.log and verify installed files. Also, search for package name that contains installed files. #253

Open mnrkbys opened 3 months ago

mnrkbys commented 3 months ago

Added an artifact to collect /var/log/dpkg.log to artifacts/files/packages/dpkg.yaml. Added an artifact to verify files installed from dpkg package. This is similar to the "rpm -q -a" command in artifacts/live_response/packages/dpkg.yaml.

And I also added artifacts that search for packages that contain installed files. Files not included in a package may have been installed manually, helping to find suspect files. As you know, /bin is a symbolic link to /usr/bin. Therefore, whether the installation destination directory is /bin or /usr/bin, the files are installed in the same directory. However, "dpkg -S /bin/ls" and "dpkg -S /usr/bin/ls" return different results. Therefore, "dpkg -S" must be executed for both file paths.

"dpkg -S /bin/ls" vs "dpkg -S /usr/bin/ls"

$ dpkg -S /bin/ls
coreutils: /bin/ls
$ dpkg -S /usr/bin/ls
dpkg-query: no path found matching pattern /usr/bin/ls

But "rpm -q -f" will return the same results. "rpm -q -f /bin/ls" vs "rpm -q -f /usr/bin/ls"

$ rpm -q -f /bin/ls
coreutils-8.32-35.el9.x86_64
$ rpm -q -f /usr/bin/ls
coreutils-8.32-35.el9.x86_64
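A defender-side sweep of the two-path lookup described above, written here as an added example (not UAC's own artifact code and not from this PR): it runs dpkg -S against both the merged-/usr path and its legacy alias and reports files that no installed package claims. The alias mapping (/bin, /sbin, /lib, /lib64 to their /usr counterparts) and the per-file dpkg -S loop are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of UAC: report files under a directory that no dpkg
# package claims. "dpkg -S" only matches the path recorded in the package file
# list, so on a merged-/usr system /bin/ls and /usr/bin/ls must both be tried.

# Print the candidate paths to query for one file: the path itself plus its
# merged-/usr alias (assumed mapping: /bin,/sbin,/lib,/lib64 <-> /usr/...).
alias_paths() {
  p=$1
  case "$p" in
    /usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/lib64/*) printf '%s\n' "$p" "${p#/usr}" ;;
    /bin/*|/sbin/*|/lib/*|/lib64/*)                 printf '%s\n' "$p" "/usr$p" ;;
    *)                                              printf '%s\n' "$p" ;;
  esac
}

# Print the owning package name(s) of a file, space separated, or nothing when
# no alias of the path is claimed. "dpkg -S" prints "coreutils: /bin/ls"
# (or "pkg1, pkg2: /path" for shared files), so keep the part before ": ".
owner_of() {
  alias_paths "$1" | while IFS= read -r cand; do
    dpkg -S "$cand" 2>/dev/null | sed -n 's/: [^:]*$//p'
  done | sort -u | paste -s -d ' ' -
}

# Walk a directory (regular files only; symlinks are skipped) and flag every
# file whose owner lookup comes back empty. One dpkg -S per file, so this is
# slow on large trees; it is meant for a targeted directory like /usr/sbin.
report_unowned() {
  find "$1" -type f 2>/dev/null | while IFS= read -r f; do
    pkgs=$(owner_of "$f")
    [ -n "$pkgs" ] || printf 'UNOWNED %s\n' "$f"
  done
}

if [ $# -gt 0 ]; then
  report_unowned "$1"
fi
```

Run as `sh unowned.sh /usr/sbin` on a dpkg-based host; an UNOWNED line is a lead to triage (manually installed binary, dropped tool, or a package that registers the file under a diversion), not proof of compromise.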

tclahr commented 2 months ago

Do you know if we can do the same for additional package managers such as pacman, brew, zypper...?

mnrkbys commented 2 months ago

I've tried zypper on openSUSE, and the results are shown below.

> zypper --quiet search --provides --match-exact --installed-only /usr/bin/ls

S  | Name      | Summary            | Type
---+-----------+--------------------+--------
i  | coreutils | GNU Core Utilities | package
> zypper --quiet search --provides --match-exact --installed-only /bin/ls

S  | Name      | Summary            | Type
---+-----------+--------------------+--------
i  | coreutils | GNU Core Utilities | package
> zypper --quiet search --provides --match-exact --installed-only /nonexistent/file
No matching items found.

I believe zypper can check file paths as well as dpkg/rpm. However, files under /usr/sbin/ will show different results for the paths /sbin/ and /usr/sbin/.

> zypper --quiet search --provides --match-exact --installed-only /sbin/bpftool 
No matching items found.
> zypper --quiet search --provides --match-exact --installed-only /usr/sbin/bpftool 

S  | Name    | Summary                                                       | Type
---+---------+---------------------------------------------------------------+--------
i+ | bpftool | Tool for inspection and manipulation of BPF programs and maps | package

mnrkbys commented 2 months ago

I have found a useful table. This includes package management commands for various distributions (except brew).

pacman/Rosetta - ArchWiki https://wiki.archlinux.org/title/Pacman/Rosetta

mnrkbys commented 2 months ago

As for brew, it does not seem to have the same functionality. However, you can get a list of files included in a package with list -v <package_name>, so we may be able to find files not included in installed packages by comparing the list with files under /opt/homebrew/bin.