Added validator check for Mac OS private paths ForensicArtifacts#309

joachimmetz · Feb 28, 2019 · 80dda50 · 80dda50
1 parent e93839a
commit 80dda50
Show file tree

Hide file tree

Showing 4 changed files with 135 additions and 81 deletions.
diff --git a/data/macos.yaml b/data/macos.yaml
@@ -4,7 +4,10 @@ name: MacOSAppleSystemLogFiles
 doc: Apple system log (ASL) files
 sources:
 - type: FILE
-  attributes: {paths: ['/var/log/asl/*']}
+  attributes:
+    paths:
+    - '/private/var/log/asl/*'
+    - '/var/log/asl/*'
 labels: [System, Logs]
 supported_os: [Darwin]
 urls:
@@ -60,7 +63,10 @@ name: MacOSAuditLogFiles
 doc: Audit log files
 sources:
 - type: FILE
-  attributes: {paths: ['/var/audit/*']}
+  attributes:
+    paths:
+    - '/private/var/audit/*'
+    - '/var/audit/*'
 labels: [System, Logs]
 supported_os: [Darwin]
 urls:
@@ -106,6 +112,7 @@ sources:
     paths:
     - '/Library/Logs/DiagnosticReports/*.core_analytics'
     - '/private/var/db/analyticsd/aggregates/*'
+    - '/var/db/analyticsd/aggregates/*'
 labels: [Logs, System]
 supported_os: [Darwin]
 urls:
@@ -120,6 +127,7 @@ sources:
   attributes:
     paths:
       - '/etc/crontab'
+      - '/private/etc/crontab'
       - '/usr/lib/cron/tabs/*'
 labels: [System]
 supported_os: [Darwin]
@@ -153,7 +161,10 @@ name: MacOSHostsFile
 doc: Hosts file
 sources:
 - type: FILE
-  attributes: {paths: ['/etc/hosts']}
+  attributes:
+    paths:
+    - '/etc/hosts'
+    - '/private/etc/hosts'
 labels: [System, Network]
 supported_os: [Darwin]
 urls:
@@ -205,7 +216,10 @@ name: MacOSInstallationLogFile
 doc: Installation log file
 sources:
 - type: FILE
-  attributes: {paths: ['/var/log/install.log']}
+  attributes:
+    paths:
+    - '/private/var/log/install.log'
+    - '/var/log/install.log'
 labels: [System, Logs]
 supported_os: [Darwin]
 urls:
@@ -308,6 +322,7 @@ sources:
     paths:
     - '%%users.homedir%%/Library/Application Support/Knowledge/knowledgeC.db'
     - '/private/var/db/CoreDuet/Knowledge/knowledgeC.db'
+    - '/var/db/CoreDuet/Knowledge/knowledgeC.db'
 labels: [Users, Logs]
 supported_os: [Darwin]
 urls: ['https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage']
@@ -346,7 +361,10 @@ name: MacOSLastlogFile
 doc: Mac OS X lastlog file.
 sources:
 - type: FILE
-  attributes: {paths: ['/var/log/lastlog']}
+  attributes:
+    paths:
+    - '/private/var/log/lastlog'
+    - '/var/log/lastlog'
 labels: [Logs, Authentication]
 supported_os: [Darwin]
 ---
@@ -544,9 +562,11 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db'
-    - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db'
     - '%%users.homedir%%/Library/Application Support/NotificationCenter/*.db'
+    - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db'
+    - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db'
+    - '/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db'
+    - '/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db'
 labels: [Users, Logs]
 supported_os: [Darwin]
 ---
@@ -556,17 +576,27 @@ sources:
 - type: FILE
   attributes:
     paths:
+      - '/etc/daily.local/*'
       - '/etc/defaults/periodic.conf'
+      - '/etc/monthly.local/*'
+      - '/etc/periodic/**2'
       - '/etc/periodic.conf'
       - '/etc/periodic.conf.local'
-      - '/etc/periodic/**2'
-      - '/usr/local/etc/periodic/**2'
-      - '/etc/daily.local/*'
-      - '/etc/weekly.local/*'
-      - '/etc/monthly.local/*'
       - '/etc/periodic/daily/*'
-      - '/etc/periodic/weekly/*'
       - '/etc/periodic/monthly/*'
+      - '/etc/periodic/weekly/*'
+      - '/etc/weekly.local/*'
+      - '/private/etc/daily.local/*'
+      - '/private/etc/defaults/periodic.conf'
+      - '/private/etc/monthly.local/*'
+      - '/private/etc/periodic/**2'
+      - '/private/etc/periodic.conf'
+      - '/private/etc/periodic.conf.local'
+      - '/private/etc/periodic/daily/*'
+      - '/private/etc/periodic/monthly/*'
+      - '/private/etc/periodic/weekly/*'
+      - '/private/etc/weekly.local/*'
+      - '/usr/local/etc/periodic/**2'
 labels: [System]
 supported_os: [Darwin]
 urls:
@@ -648,7 +678,10 @@ name: MacOSSwapFiles
 doc: Swap files
 sources:
 - type: FILE
-  attributes: {paths: ['/var/vm/swapfile#']}
+  attributes:
+    paths:
+    - '/private/var/vm/swapfile#'
+    - '/var/vm/swapfile#'
 labels: [System]
 supported_os: [Darwin]
 urls:
@@ -667,7 +700,10 @@ name: MacOSSystemInstallationTime
 doc: System installation time
 sources:
 - type: FILE
-  attributes: {paths: ['/var/db/.AppleSetupDone']}
+  attributes:
+    paths:
+    - '/private/var/db/.AppleSetupDone'
+    - '/var/db/.AppleSetupDone'
 labels: [System]
 supported_os: [Darwin]
 urls:
@@ -678,7 +714,10 @@ name: MacOSSystemLogFiles
 doc: System log files
 sources:
 - type: FILE
-  attributes: {paths: ['/var/log/*']}
+  attributes:
+    paths:
+    - '/private/var/log/*'
+    - '/var/log/*'
 labels: [System, Logs]
 supported_os: [Darwin]
 urls:
@@ -724,6 +763,9 @@ sources:
 - type: FILE
   attributes:
     paths:
+    - '/private/var/db/diagnostics/*.tracev3'
+    - '/private/var/db/diagnostics/*/*.tracev3'
+    - '/private/var/db/uuidtext/*/*'
     - '/var/db/diagnostics/*.tracev3'
     - '/var/db/diagnostics/*/*.tracev3'
     - '/var/db/uuidtext/*/*'
@@ -849,8 +891,8 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '/var/db/dslocal/nodes/Default/users/*.plist'
       - '/private/var/db/dslocal/nodes/Default/users/*.plist'
+      - '/var/db/dslocal/nodes/Default/users/*.plist'
 labels: [System, Users, Authentication]
 supported_os: [Darwin]
 urls:
@@ -930,8 +972,10 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '/var/log/wtmp'
+      - '/private/var/run/utmp'
+      - '/private/var/log/wtmp'
       - '/var/run/utmp'
+      - '/var/log/wtmp'
 labels: [Logs, Authentication]
 supported_os: [Darwin]
 urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']
@@ -940,7 +984,10 @@ name: MacOSUtmpxFile
 doc: Mac OS X 10.5 utmpx login record file.
 sources:
 - type: FILE
-  attributes: {paths: ['/var/run/utmpx']}
+  attributes:
+    paths:
+    - '/private/var/run/utmpx'
+    - '/var/run/utmpx'
 labels: [Logs, Authentication]
 supported_os: [Darwin]
 urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']

diff --git a/data/tomcat.yaml b/data/tomcat.yaml
@@ -17,55 +17,55 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
-      - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
-      - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
-      - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
-      - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
-      - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
-      - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\access_log*'
-      - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\access_log*'
-      - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\access_log*'
-      - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
-      - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
-      - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
+    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
+    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
     separator: '\'
   supported_os: [Windows]
 - type: FILE
   attributes:
     paths:
-      - '/usr/local/tomcat*/logs/catalina.out'
-      - '/opt/tomcat*/logs/catalina.out'
-      - '/usr/share/tomcat*/logs/catalina.out'
-      - '/var/lib/tomcat*/logs/catalina.out'
-      - '/usr/local/tomcat*/logs/access_log*'
-      - '/opt/tomcat*/logs/access_log*'
-      - '/usr/share/tomcat*/logs/access_log*'
-      - '/var/lib/tomcat*/logs/access_log*'
-      - '/usr/local/tomcat*/logs/**/catalina.out'
-      - '/opt/tomcat*/logs/**/catalina.out'
-      - '/usr/share/tomcat*/logs/**/catalina.out'
-      - '/var/lib/tomcat*/logs/**/catalina.out'
-      - '/usr/local/tomcat*/logs/**/access_log*'
-      - '/opt/tomcat*/logs/**/access_log*'
-      - '/usr/share/tomcat*/logs/**/access_log*'
-      - '/var/lib/tomcat*/logs/**/access_log*'
+    - '/opt/tomcat*/logs/**/access_log*'
+    - '/opt/tomcat*/logs/access_log*'
+    - '/opt/tomcat*/logs/**/catalina.out'
+    - '/opt/tomcat*/logs/catalina.out'
+    - '/usr/local/tomcat*/logs/**/access_log*'
+    - '/usr/local/tomcat*/logs/access_log*'
+    - '/usr/local/tomcat*/logs/**/catalina.out'
+    - '/usr/local/tomcat*/logs/catalina.out'
+    - '/usr/share/tomcat*/logs/**/access_log*'
+    - '/usr/share/tomcat*/logs/access_log*'
+    - '/usr/share/tomcat*/logs/**/catalina.out'
+    - '/usr/share/tomcat*/logs/catalina.out'
+    - '/var/lib/tomcat*/logs/**/access_log*'
+    - '/var/lib/tomcat*/logs/access_log*'
+    - '/var/lib/tomcat*/logs/**/catalina.out'
+    - '/var/lib/tomcat*/logs/catalina.out'
   supported_os: [Linux]
 - type: FILE
   attributes:
     paths:
-      - '/Library/Tomcat/logs/catalina.out'
-      - '/usr/local/apache-tomcat*/logs/catalina.out'
-      - '/usr/local/Cellar/tomcat*/logs/catalina.out' # Default location for Homebrew
-      - '/Library/Tomcat/logs/**/catalina.out'
-      - '/usr/local/apache-tomcat*/logs/**/catalina.out'
-      - '/usr/local/Cellar/tomcat*/logs/**/catalina.out' # Default location for Homebrew
-      - '/Library/Tomcat/logs/access_log*'
-      - '/usr/local/apache-tomcat*/logs/access_log*'
-      - '/usr/local/Cellar/tomcat*/logs/access_log*' # Default location for Homebrew
-      - '/Library/Tomcat/logs/**/access_log*'
-      - '/usr/local/apache-tomcat*/logs/**/access_log*'
-      - '/usr/local/Cellar/tomcat*/logs/**/access_log*' # Default location for Homebrew
+    - '/Library/Tomcat/logs/**/access_log*'
+    - '/Library/Tomcat/logs/access_log*'
+    - '/Library/Tomcat/logs/**/catalina.out'
+    - '/Library/Tomcat/logs/catalina.out'
+    - '/usr/local/apache-tomcat*/logs/**/access_log*'
+    - '/usr/local/apache-tomcat*/logs/access_log*'
+    - '/usr/local/apache-tomcat*/logs/**/catalina.out'
+    - '/usr/local/apache-tomcat*/logs/catalina.out'
+    - '/usr/local/Cellar/tomcat*/logs/**/access_log*' # Default location for Homebrew
+    - '/usr/local/Cellar/tomcat*/logs/access_log*' # Default location for Homebrew
+    - '/usr/local/Cellar/tomcat*/logs/**/catalina.out' # Default location for Homebrew
+    - '/usr/local/Cellar/tomcat*/logs/catalina.out' # Default location for Homebrew
   supported_os: [Darwin]
 supported_os: [Windows,Linux,Darwin]
 urls:
@@ -78,25 +78,26 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
-      - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
-      - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
+    - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
+    - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
+    - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
     separator: '\'
   supported_os: [Windows]
 - type: FILE
   attributes:
     paths:
-      - '/opt/tomcat*/conf/tomcat-users.xml'
-      - '/usr/local/tomcat*/conf/tomcat-users.xml'
-      - '/usr/share/tomcat*/conf/tomcat-users.xml'
-      - '/var/lib/tomcat*/conf/tomcat-users.xml'
+    - '/opt/tomcat*/conf/tomcat-users.xml'
+    - '/private/var/lib/tomcat*/conf/tomcat-users.xml'
+    - '/usr/local/tomcat*/conf/tomcat-users.xml'
+    - '/usr/share/tomcat*/conf/tomcat-users.xml'
+    - '/var/lib/tomcat*/conf/tomcat-users.xml'
   supported_os: [Linux]
 - type: FILE
   attributes:
     paths:
-      - '/Library/Tomcat/conf/tomcat-users.xml'
-      - '/usr/local/apache-tomcat-*/conf/tomcat-users.xml'
-      - '/usr/local/Cellar/tomcat/*/conf/tomcat-users.xml' # Default location for Homebrew
+    - '/Library/Tomcat/conf/tomcat-users.xml'
+    - '/usr/local/apache-tomcat-*/conf/tomcat-users.xml'
+    - '/usr/local/Cellar/tomcat/*/conf/tomcat-users.xml' # Default location for Homebrew
   supported_os: [Darwin]
 supported_os: [Windows,Linux,Darwin]
 urls: ['https://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access']
diff --git a/data/webservers.yaml b/data/webservers.yaml
@@ -6,7 +6,7 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '/var/log/nginx/access.log*'
+    - '/var/log/nginx/access.log*'
 labels: [Software, Logs]
 supported_os: [Linux]
 ---
@@ -16,9 +16,9 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '/var/log/apache/access.log*'
-      - '/var/log/apache2/access.log*'
-      - '/var/log/httpd/access.log'
+    - '/var/log/apache/access.log*'
+    - '/var/log/apache2/access.log*'
+    - '/var/log/httpd/access.log'
 labels: [Software, Logs]
 supported_os: [Linux]
 ---
@@ -28,8 +28,10 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '/wp/wp-config.php'
-      - '/var/www/wp-config.php'
-      - '/var/www/**/wp-config.php'
+    - '/private/var/www/**/wp-config.php'
+    - '/private/var/www/wp-config.php'
+    - '/var/www/**/wp-config.php'
+    - '/var/www/wp-config.php'
+    - '/wp/wp-config.php'
 labels: [Configuration Files]
 supported_os: [Linux, Darwin]