Linux Artifacts

Linux.Applications.Chrome.Extensions

Fetch Chrome extensions.

Chrome extensions are installed into the user’s home directory. We search for manifest.json files in a known path within each system user’s home directory. We then parse the manifest file as JSON.

Many extensions use locale packs to resolve strings like name and description. In this case we detect the default locale and load those locale files. We then resolve the extension’s name and description from there.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - extensionGlobs
     - ``/.config/google-chrome/*/Extensions/*/*/manifest.json``
     -

Linux.Applications.Chrome.Extensions.Upload

Upload all users' Chrome extensions.

We don't parse anything here; we simply collect every file under each user's Chrome extension directory.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - extensionGlobs
     - ``/.config/google-chrome/*/Extensions/**``
     -

Linux.Applications.Docker.Info

Get Docker's info by connecting to its socket.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - dockerSocket
     - ``/var/run/docker.sock``
     - Docker server socket. You will normally need to be root to connect.

Linux.Applications.Docker.Version

Get Docker's version by connecting to its socket.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - dockerSocket
     - ``/var/run/docker.sock``
     - Docker server socket. You will normally need to be root to connect.

Linux.Debian.AptSources

Parse Debian apt sources.

We first search for ``*.list`` files, which contain lines of the form

.. code:: console

   deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted

For each line we construct the cache file name by splitting off the section (the last component) and replacing ``/`` and space with ``_``.

We then try to open the file. If the file exists we parse some metadata from it. If not we leave those columns empty.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - linuxAptSourcesGlobs
     - ``/etc/apt/sources.list,/etc/apt/sources.list.d/*.list``
     - Globs to find apt source ``*.list`` files.
   * - aptCacheDirectory
     - ``/var/lib/apt/lists/``
     - Location of the apt cache directory.

Linux.Debian.Packages

Parse the dpkg status file.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - linuxDpkgStatus
     - ``/var/lib/dpkg/status``
     -

Linux.Mounts

List mounted filesystems by reading /proc/mounts.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - ProcMounts
     - ``/proc/mounts``
     -

Linux.Proc.Arp

ARP table via /proc/net/arp.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - ProcNetArp
     - ``/proc/net/arp``
     -

Linux.Proc.Modules

Module listing via /proc/modules.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - ProcModules
     - ``/proc/modules``
     -

Linux.Ssh.AuthorizedKeys

Find and parse ssh authorized keys files.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - sshKeyFiles
     - ``.ssh/authorized_keys*``
     -

Linux.Ssh.KnownHosts

Find and parse ssh known hosts files.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - sshKnownHostsFiles
     - ``.ssh/known_hosts*``
     -

Linux.Sys.ACPITables

Firmware ACPI functional table common metadata and content.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - kLinuxACPIPath
     - ``/sys/firmware/acpi/tables``
     -

Linux.Sys.CPUTime

Displays information from the /proc/stat file about the time the CPU cores spent in different parts of the system.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - procStat
     - ``/proc/stat``
     -

Linux.Sys.Crontab

Displays parsed information from crontab.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - cronTabGlob
     - ``/etc/crontab,/etc/cron.d/,/var/at/tabs/,/var/spool/cron/,/var/spool/cron/crontabs/``
     -

Linux.Sys.LastUserLogin

Find and parse system wtmp files. These indicate when each user last logged in.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - wtmpGlobs
     - ``/var/log/wtmp*``
     -
   * - wtmpProfile
     - JSON struct profile of the glibc ``utmp`` record layout (see below)
     -

Default ``wtmpProfile``:

.. code:: json

   {
     "timeval": [8, {
       "tv_sec": [0, ["int"]],
       "tv_usec": [4, ["int"]]
     }],
     "exit_status": [4, {
       "e_exit": [2, ["short int"]],
       "e_termination": [0, ["short int"]]
     }],
     "timezone": [8, {
       "tz_dsttime": [4, ["int"]],
       "tz_minuteswest": [0, ["int"]]
     }],
     "utmp": [384, {
       "__glibc_reserved": [364, ["Array", {
         "count": 20,
         "target": "char",
         "target_args": null
       }]],
       "ut_addr_v6": [348, ["Array", {
         "count": 4,
         "target": "int",
         "target_args": null
       }]],
       "ut_exit": [332, ["exit_status"]],
       "ut_host": [76, ["String", {
         "length": 256
       }]],
       "ut_id": [40, ["String", {
         "length": 4
       }]],
       "ut_line": [8, ["String", {
         "length": 32
       }]],
       "ut_pid": [4, ["int"]],
       "ut_session": [336, ["int"]],
       "ut_tv": [340, ["timeval"]],
       "ut_type": [0, ["Enumeration", {
         "target": "short int",
         "choices": {
           "0": "EMPTY",
           "1": "RUN_LVL",
           "2": "BOOT_TIME",
           "5": "INIT_PROCESS",
           "6": "LOGIN_PROCESS",
           "7": "USER_PROCESS",
           "8": "DEAD_PROCESS"
         }
       }]],
       "ut_user": [44, ["String", {
         "length": 32
       }]]
     }]
   }
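As an added example (not part of the Velociraptor artifact or of this page), the following Python walks a wtmp file using the field offsets from the wtmpProfile above and reports the latest ``USER_PROCESS`` entry per user, which is what this artifact is after. It assumes little-endian records in the 384-byte glibc layout shown; the sample records are constructed, not taken from a real system.

```python
import struct
from datetime import datetime, timezone

# Field offsets, sizes and ut_type values are taken from the wtmpProfile above.
UTMP_SIZE = 384  # glibc struct utmp size from the profile; little-endian (x86_64) assumed
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _cstr(buf, off, length):
    """Read a fixed-width, NUL-padded string field."""
    return buf[off:off + length].split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp_record(rec):
    """Decode one 384-byte utmp record into a dict using the profile's offsets."""
    if len(rec) != UTMP_SIZE:
        raise ValueError("utmp record must be %d bytes" % UTMP_SIZE)
    ut_type, pid = struct.unpack_from("<h2xi", rec, 0)   # ut_type (short) at 0, ut_pid (int) at 4
    tv_sec = struct.unpack_from("<i", rec, 340)[0]        # ut_tv.tv_sec (int) at 340
    return {"type": UT_TYPES.get(ut_type, "UNKNOWN(%d)" % ut_type), "pid": pid,
            "line": _cstr(rec, 8, 32),                    # ut_line: String[32] at 8
            "user": _cstr(rec, 44, 32),                   # ut_user: String[32] at 44
            "host": _cstr(rec, 76, 256),                  # ut_host: String[256] at 76
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc)}

def last_user_logins(wtmp_bytes):
    """Per-user (time, line, host) of the latest USER_PROCESS record; other types are skipped."""
    latest = {}
    for off in range(0, len(wtmp_bytes) - UTMP_SIZE + 1, UTMP_SIZE):  # drops a trailing partial record
        r = parse_utmp_record(wtmp_bytes[off:off + UTMP_SIZE])
        if r["type"] == "USER_PROCESS" and (
                r["user"] not in latest or r["time"] > latest[r["user"]][0]):
            latest[r["user"]] = (r["time"], r["line"], r["host"])
    return latest

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build a constructed record in the profile layout (sample data, not a real wtmp)."""
    rec = bytearray(UTMP_SIZE)
    struct.pack_into("<h2xi", rec, 0, ut_type, pid)
    for off, text in ((8, line), (44, user), (76, host)):
        rec[off:off + len(text)] = text.encode()
    struct.pack_into("<ii", rec, 340, tv_sec, 0)          # ut_tv: tv_sec, tv_usec
    return bytes(rec)

# Constructed sample wtmp: two alice logins, bob's login and logout, plus 100 stray trailing bytes.
SAMPLE_WTMP = b"".join([
    make_record(7, 1201, "pts/0", "alice", "10.0.0.5", 1600001000),
    make_record(7, 1337, "pts/1", "bob", "10.0.0.9", 1600002000),
    make_record(7, 1450, "tty1", "alice", "", 1600003000),
    make_record(8, 1337, "pts/1", "", "", 1600004000),
]) + b"\0" * 100
```

Running ``last_user_logins(SAMPLE_WTMP)`` yields alice's ``tty1`` login at 1600003000 and bob's ``pts/1`` login from 10.0.0.9; the ``DEAD_PROCESS`` logout and the truncated tail are ignored.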

Linux.Sys.Users

Get user-specific information such as home directory and group from /etc/passwd.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - PasswordFile
     - ``/etc/passwd``
     - The location of the password file.