From b8e3a7ed39b4684305db99334461002960dd91be Mon Sep 17 00:00:00 2001
From: Minoru Kobayashi
Date: Tue, 10 Dec 2024 11:21:29 +0900
Subject: [PATCH 1/2] artif: new artifacts to collect timestamps of users who saw the sudo lecture
New artifacts for collecting timestamps of users who saw the sudo lecture message. This can help determine when a user executed sudo for the first time.
---
.../live_response/system/sudo_lectured.yaml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 artifacts/live_response/system/sudo_lectured.yaml
diff --git a/artifacts/live_response/system/sudo_lectured.yaml b/artifacts/live_response/system/sudo_lectured.yaml
new file mode 100644
index 00000000..6428e12e
--- /dev/null
+++ b/artifacts/live_response/system/sudo_lectured.yaml
@@ -0,0 +1,17 @@
+version: 1.0
+output_directory: /live_response/system
+artifacts:
+ -
+ description: Timestamps of users who saw the sudo lecture message.
+ supported_os: [all]
+ collector: command
+ foreach: ls /var/db/sudo/lectured
+ command: stat /var/db/sudo/lectured/"%line%"
+ output_file: sudo_lectured_timestamps.txt
+ -
+ description: Timestamps of users who saw the sudo lecture message in JSON format.
+ supported_os: [all]
+ collector: command
+ foreach: ls /var/db/sudo/lectured
+ command: stat --format='{"File": "%n", "Size": %s, "Blocks": %b, "IOBlock": %o, "Type": "%F", "Device": "%D", "Inode": %i, "Permissions": "%a", "Links": %h, "UID": %u, "GID": %g, "Access": "%x", "Modify": "%y", "Change": "%z"}' /var/db/sudo/lectured/"%line%"
+ output_file: sudo_lectured_timestamps_json.txt
From 9ac39a817b22e63a1d0d4422bd760c8683d80bee Mon Sep 17 00:00:00 2001
From: Minoru Kobayashi
Date: Tue, 10 Dec 2024 16:16:22 +0900
Subject: [PATCH 2/2] Update sudo_lectured.yaml
Change supported_os.
---
artifacts/live_response/system/sudo_lectured.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 
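Review bot: The first entry is tagged `supported_os: [all]`, yet both its `foreach` and `command` hard-code `/var/db/sudo/lectured`, which is sudo's upstream default; Debian-derived builds typically configure sudo with vardir `/var/lib/sudo`, so on those hosts the lecture status files sit under `/var/lib/sudo/lectured` and this artifact silently collects nothing (running `sudo -V` as root shows the effective "Lecture status directory" on a given machine). Covering both locations is a two-line change, `foreach: find /var/db/sudo/lectured /var/lib/sudo/lectured -type f 2>/dev/null` and `command: stat "%line%"`, assuming `foreach` is run through a shell as the existing quoting of `"%line%"` suggests. The description should also carry the forensic caveat that matters for the commit's stated purpose: a status file is written only when the user was actually shown the lecture, which normally requires password authentication under `Defaults lecture=once`, so accounts covered by NOPASSWD rules or a `lecture=never` policy leave no file even though they ran sudo. I would phrase both entries along the lines of `description: Per-user sudo lecture status files; the file timestamp approximates the user's first password-authenticated sudo run (absent for NOPASSWD users or lecture=never policies).`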
diff --git a/artifacts/live_response/system/sudo_lectured.yaml b/artifacts/live_response/system/sudo_lectured.yaml
index 6428e12e..15afd791 100644
--- a/artifacts/live_response/system/sudo_lectured.yaml
+++ b/artifacts/live_response/system/sudo_lectured.yaml
@@ -10,7 +10,7 @@ artifacts:
 output_file: sudo_lectured_timestamps.txt
 -
 description: Timestamps of users who saw the sudo lecture message in JSON format.
- supported_os: [all]
+ supported_os: [linux]
 collector: command
 foreach: ls /var/db/sudo/lectured
 command: stat --format='{"File": "%n", "Size": %s, "Blocks": %b, "IOBlock": %o, "Type": "%F", "Device": "%D", "Inode": %i, "Permissions": "%a", "Links": %h, "UID": %u, "GID": %g, "Access": "%x", "Modify": "%y", "Change": "%z"}' /var/db/sudo/lectured/"%line%"
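Review bot: Narrowing this entry to `supported_os: [linux]` still leaves it broken on Linux hosts whose `stat` is BusyBox (Alpine, many containers and appliances), because BusyBox accepts the short `-c FMT` option but, as far as I can tell, not the long `--format=` spelling; GNU coreutils accepts both, so rewriting the unchanged `command:` line as `command: stat -c '{"File": "%n", ...}' /var/db/sudo/lectured/"%line%"` costs nothing and widens coverage. Since the artifact exists to capture when the file was created, it is also worth appending `"Birth": "%w"` to the format string — GNU stat prints `-` when the birth time is unavailable, so the JSON stays parseable — instead of relying on `%y`/`%z` alone. For the non-Linux platforms this change drops, a sibling entry using BSD `stat -f` could restore the JSON output, if the collector's schema has OS tags for them.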