From 80dda508893d8bb17ea88a09b170824f2f40aad6 Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Thu, 28 Feb 2019 21:15:02 +0100
Subject: [PATCH] Added validator check for Mac OS private paths #309

---
 data/macos.yaml | 85 ++++++++++++++++++++++++++++--------
 data/tomcat.yaml | 101 ++++++++++++++++++++++---------------------
 data/webservers.yaml | 16 ++++---
 tools/validator.py | 14 +++---
 4 files changed, 135 insertions(+), 81 deletions(-)

diff --git a/data/macos.yaml b/data/macos.yaml
index a9bdeca5..6529dee8 100644
--- a/data/macos.yaml
+++ b/data/macos.yaml
@@ -4,7 +4,10 @@ name: MacOSAppleSystemLogFiles
 doc: Apple system log (ASL) files
 sources:
 - type: FILE
- attributes: {paths: ['/var/log/asl/*']}
+ attributes:
+ paths:
+ - '/private/var/log/asl/*'
+ - '/var/log/asl/*'
 labels: [System, Logs]
 supported_os: [Darwin]
 urls:
@@ -60,7 +63,10 @@ name: MacOSAuditLogFiles
 doc: Audit log files
 sources:
 - type: FILE
- attributes: {paths: ['/var/audit/*']}
+ attributes:
+ paths:
+ - '/private/var/audit/*'
+ - '/var/audit/*'
 labels: [System, Logs]
 supported_os: [Darwin]
 urls:
@@ -106,6 +112,7 @@ sources:
 paths:
 - '/Library/Logs/DiagnosticReports/*.core_analytics'
 - '/private/var/db/analyticsd/aggregates/*'
+ - '/var/db/analyticsd/aggregates/*'
 labels: [Logs, System]
 supported_os: [Darwin]
 urls:
@@ -120,6 +127,7 @@ sources:
 attributes:
 paths:
 - '/etc/crontab'
+ - '/private/etc/crontab'
 - '/usr/lib/cron/tabs/*'
 labels: [System]
 supported_os: [Darwin]
@@ -153,7 +161,10 @@ name: MacOSHostsFile
 doc: Hosts file
 sources:
 - type: FILE
- attributes: {paths: ['/etc/hosts']}
+ attributes:
+ paths:
+ - '/etc/hosts'
+ - '/private/etc/hosts'
 labels: [System, Network]
 supported_os: [Darwin]
 urls:
@@ -205,7 +216,10 @@ name: MacOSInstallationLogFile
 doc: Installation log file
 sources:
 - type: FILE
- attributes: {paths: ['/var/log/install.log']}
+ attributes:
+ paths:
+ - '/private/var/log/install.log'
+ - '/var/log/install.log'
 labels: [System, Logs]
 supported_os: [Darwin]
 urls:
@@ -308,6 +322,7 @@ sources:
 paths:
 - '%%users.homedir%%/Library/Application Support/Knowledge/knowledgeC.db'
 - '/private/var/db/CoreDuet/Knowledge/knowledgeC.db'
+ - '/var/db/CoreDuet/Knowledge/knowledgeC.db'
 labels: [Users, Logs]
 supported_os: [Darwin]
 urls: ['https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage']
@@ -346,7 +361,10 @@ name: MacOSLastlogFile
 doc: Mac OS X lastlog file.
 sources:
 - type: FILE
- attributes: {paths: ['/var/log/lastlog']}
+ attributes:
+ paths:
+ - '/private/var/log/lastlog'
+ - '/var/log/lastlog'
 labels: [Logs, Authentication]
 supported_os: [Darwin]
 ---
@@ -544,9 +562,11 @@ sources:
 - type: FILE
 attributes:
 paths:
- - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db'
- - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db'
 - '%%users.homedir%%/Library/Application Support/NotificationCenter/*.db'
+ - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db'
+ - '/private/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db'
+ - '/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db/db'
+ - '/var/folders/[a-z][0-9]/*/0/com.apple.notificationcenter/db2/db'
 labels: [Users, Logs]
 supported_os: [Darwin]
 ---
@@ -556,17 +576,27 @@ sources:
 - type: FILE
 attributes:
 paths:
+ - '/etc/daily.local/*'
 - '/etc/defaults/periodic.conf'
+ - '/etc/monthly.local/*'
+ - '/etc/periodic/**2'
 - '/etc/periodic.conf'
 - '/etc/periodic.conf.local'
- - '/etc/periodic/**2'
- - '/usr/local/etc/periodic/**2'
- - '/etc/daily.local/*'
- - '/etc/weekly.local/*'
- - '/etc/monthly.local/*'
 - '/etc/periodic/daily/*'
- - '/etc/periodic/weekly/*'
 - '/etc/periodic/monthly/*'
+ - '/etc/periodic/weekly/*'
+ - '/etc/weekly.local/*'
+ - '/private/etc/daily.local/*'
+ - '/private/etc/defaults/periodic.conf'
+ - '/private/etc/monthly.local/*'
+ - '/private/etc/periodic/**2'
+ - '/private/etc/periodic.conf'
+ - '/private/etc/periodic.conf.local'
+ - '/private/etc/periodic/daily/*'
+ - '/private/etc/periodic/monthly/*'
+ - '/private/etc/periodic/weekly/*'
+ - '/private/etc/weekly.local/*'
+ - '/usr/local/etc/periodic/**2'
 labels: [System]
 supported_os: [Darwin]
 urls:
@@ -648,7 +678,10 @@ name: MacOSSwapFiles
 doc: Swap files
 sources:
 - type: FILE
- attributes: {paths: ['/var/vm/swapfile#']}
+ attributes:
+ paths:
+ - '/private/var/vm/swapfile#'
+ - '/var/vm/swapfile#'
 labels: [System]
 supported_os: [Darwin]
 urls:
@@ -667,7 +700,10 @@ name: MacOSSystemInstallationTime
 doc: System installation time
 sources:
 - type: FILE
- attributes: {paths: ['/var/db/.AppleSetupDone']}
+ attributes:
+ paths:
+ - '/private/var/db/.AppleSetupDone'
+ - '/var/db/.AppleSetupDone'
 labels: [System]
 supported_os: [Darwin]
 urls:
@@ -678,7 +714,10 @@ name: MacOSSystemLogFiles
 doc: System log files
 sources:
 - type: FILE
- attributes: {paths: ['/var/log/*']}
+ attributes:
+ paths:
+ - '/private/var/log/*'
+ - '/var/log/*'
 labels: [System, Logs]
 supported_os: [Darwin]
 urls:
@@ -724,6 +763,9 @@ sources:
 - type: FILE
 attributes:
 paths:
+ - '/private/var/db/diagnostics/*.tracev3'
+ - '/private/var/db/diagnostics/*/*.tracev3'
+ - '/private/var/db/uuidtext/*/*'
 - '/var/db/diagnostics/*.tracev3'
 - '/var/db/diagnostics/*/*.tracev3'
 - '/var/db/uuidtext/*/*'
@@ -849,8 +891,8 @@ sources:
 - type: FILE
 attributes:
 paths:
- - '/var/db/dslocal/nodes/Default/users/*.plist'
 - '/private/var/db/dslocal/nodes/Default/users/*.plist'
+ - '/var/db/dslocal/nodes/Default/users/*.plist'
 labels: [System, Users, Authentication]
 supported_os: [Darwin]
 urls:
@@ -930,8 +972,10 @@ sources:
 - type: FILE
 attributes:
 paths:
- - '/var/log/wtmp'
+ - '/private/var/run/utmp'
+ - '/private/var/log/wtmp'
 - '/var/run/utmp'
+ - '/var/log/wtmp'
 labels: [Logs, Authentication]
 supported_os: [Darwin]
 urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']
@@ -940,7 +984,10 @@ name: MacOSUtmpxFile
 doc: Mac OS X 10.5 utmpx login record file.
 sources:
 - type: FILE
- attributes: {paths: ['/var/run/utmpx']}
+ attributes:
+ paths:
+ - '/private/var/run/utmpx'
+ - '/var/run/utmpx'
 labels: [Logs, Authentication]
 supported_os: [Darwin]
 urls: ['https://github.com/libyal/dtformats/blob/master/documentation/Utmp%20login%20records%20format.asciidoc']
diff --git a/data/tomcat.yaml b/data/tomcat.yaml
index 7afa0f28..4970b888 100644
--- a/data/tomcat.yaml
+++ b/data/tomcat.yaml
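Review bot: In the utmp/wtmp hunk (`@@ -930,8 +972,10 @@`) the added `/private/var/run/utmp` is placed before `/private/var/log/wtmp`, and the new `/var/log/wtmp` lands after the existing `/var/run/utmp`, so neither pair follows the sorted order this commit imposes on every other path list it touches (periodic, notification center, tomcat). Listing them as `/private/var/log/wtmp`, `/private/var/run/utmp`, `/var/log/wtmp`, `/var/run/utmp` keeps the file consistent and makes a missing `/private` counterpart easy to spot by eye, which is the property the new validator check is meant to enforce.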
@@ -17,55 +17,55 @@ sources:
 - type: FILE
 attributes:
 paths:
- - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
- - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
- - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
- - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
- - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
- - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
- - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\access_log*'
- - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\access_log*'
- - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\access_log*'
- - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
- - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
- - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+ - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+ - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+ - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+ - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
+ - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+ - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+ - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+ - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
+ - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+ - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+ - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+ - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
 separator: '\'
 supported_os: [Windows]
 - type: FILE
 attributes:
 paths:
- - '/usr/local/tomcat*/logs/catalina.out'
- - '/opt/tomcat*/logs/catalina.out'
- - '/usr/share/tomcat*/logs/catalina.out'
- - '/var/lib/tomcat*/logs/catalina.out'
- - '/usr/local/tomcat*/logs/access_log*'
- - '/opt/tomcat*/logs/access_log*'
- - '/usr/share/tomcat*/logs/access_log*'
- - '/var/lib/tomcat*/logs/access_log*'
- - '/usr/local/tomcat*/logs/**/catalina.out'
- - '/opt/tomcat*/logs/**/catalina.out'
- - '/usr/share/tomcat*/logs/**/catalina.out'
- - '/var/lib/tomcat*/logs/**/catalina.out'
- - '/usr/local/tomcat*/logs/**/access_log*'
- - '/opt/tomcat*/logs/**/access_log*'
- - '/usr/share/tomcat*/logs/**/access_log*'
- - '/var/lib/tomcat*/logs/**/access_log*'
+ - '/opt/tomcat*/logs/**/access_log*'
+ - '/opt/tomcat*/logs/access_log*'
+ - '/opt/tomcat*/logs/**/catalina.out'
+ - '/opt/tomcat*/logs/catalina.out'
+ - '/usr/local/tomcat*/logs/**/access_log*'
+ - '/usr/local/tomcat*/logs/access_log*'
+ - '/usr/local/tomcat*/logs/**/catalina.out'
+ - '/usr/local/tomcat*/logs/catalina.out'
+ - '/usr/share/tomcat*/logs/**/access_log*'
+ - '/usr/share/tomcat*/logs/access_log*'
+ - '/usr/share/tomcat*/logs/**/catalina.out'
+ - '/usr/share/tomcat*/logs/catalina.out'
+ - '/var/lib/tomcat*/logs/**/access_log*'
+ - '/var/lib/tomcat*/logs/access_log*'
+ - '/var/lib/tomcat*/logs/**/catalina.out'
+ - '/var/lib/tomcat*/logs/catalina.out'
 supported_os: [Linux]
 - type: FILE
 attributes:
 paths:
- - '/Library/Tomcat/logs/catalina.out'
- - '/usr/local/apache-tomcat*/logs/catalina.out'
- - '/usr/local/Cellar/tomcat*/logs/catalina.out' # Default location for Homebrew
- - '/Library/Tomcat/logs/**/catalina.out'
- - '/usr/local/apache-tomcat*/logs/**/catalina.out'
- - '/usr/local/Cellar/tomcat*/logs/**/catalina.out' # Default location for Homebrew
- - '/Library/Tomcat/logs/access_log*'
- - '/usr/local/apache-tomcat*/logs/access_log*'
- - '/usr/local/Cellar/tomcat*/logs/access_log*' # Default location for Homebrew
- - '/Library/Tomcat/logs/**/access_log*'
- - '/usr/local/apache-tomcat*/logs/**/access_log*'
- - '/usr/local/Cellar/tomcat*/logs/**/access_log*' # Default location for Homebrew
+ - '/Library/Tomcat/logs/**/access_log*'
+ - '/Library/Tomcat/logs/access_log*'
+ - '/Library/Tomcat/logs/**/catalina.out'
+ - '/Library/Tomcat/logs/catalina.out'
+ - '/usr/local/apache-tomcat*/logs/**/access_log*'
+ - '/usr/local/apache-tomcat*/logs/access_log*'
+ - '/usr/local/apache-tomcat*/logs/**/catalina.out'
+ - '/usr/local/apache-tomcat*/logs/catalina.out'
+ - '/usr/local/Cellar/tomcat*/logs/**/access_log*' # Default location for Homebrew
+ - '/usr/local/Cellar/tomcat*/logs/access_log*' # Default location for Homebrew
+ - '/usr/local/Cellar/tomcat*/logs/**/catalina.out' # Default location for Homebrew
+ - '/usr/local/Cellar/tomcat*/logs/catalina.out' # Default location for Homebrew
 supported_os: [Darwin]
 supported_os: [Windows,Linux,Darwin]
 urls:
@@ -78,25 +78,26 @@ sources:
 - type: FILE
 attributes:
 paths:
- - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
- - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
- - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
+ - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
+ - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
+ - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
 separator: '\'
 supported_os: [Windows]
 - type: FILE
 attributes:
 paths:
- - '/opt/tomcat*/conf/tomcat-users.xml'
- - '/usr/local/tomcat*/conf/tomcat-users.xml'
- - '/usr/share/tomcat*/conf/tomcat-users.xml'
- - '/var/lib/tomcat*/conf/tomcat-users.xml'
+ - '/opt/tomcat*/conf/tomcat-users.xml'
+ - '/private/var/lib/tomcat*/conf/tomcat-users.xml'
+ - '/usr/local/tomcat*/conf/tomcat-users.xml'
+ - '/usr/share/tomcat*/conf/tomcat-users.xml'
+ - '/var/lib/tomcat*/conf/tomcat-users.xml'
 supported_os: [Linux]
 - type: FILE
 attributes:
 paths:
- - '/Library/Tomcat/conf/tomcat-users.xml'
- - '/usr/local/apache-tomcat-*/conf/tomcat-users.xml'
- - '/usr/local/Cellar/tomcat/*/conf/tomcat-users.xml' # Default location for Homebrew
+ - '/Library/Tomcat/conf/tomcat-users.xml'
+ - '/usr/local/apache-tomcat-*/conf/tomcat-users.xml'
+ - '/usr/local/Cellar/tomcat/*/conf/tomcat-users.xml' # Default location for Homebrew
 supported_os: [Darwin]
 supported_os: [Windows,Linux,Darwin]
 urls: ['https://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access']
diff --git a/data/webservers.yaml b/data/webservers.yaml
index 0b140860..700c0d2a 100644
--- a/data/webservers.yaml
+++ b/data/webservers.yaml
@@ -6,7 +6,7 @@ sources:
 - type: FILE
 attributes:
 paths:
- - '/var/log/nginx/access.log*'
+ - '/var/log/nginx/access.log*'
 labels: [Software, Logs]
 supported_os: [Linux]
 ---
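Review bot: `/private/var/lib/tomcat*/conf/tomcat-users.xml`, added to the middle source of this hunk, sits under `supported_os: [Linux]`, while the `/private` prefix is the macOS layout this commit is about; the Darwin source below lists no `/var/lib` path for it to mirror, and on Linux that location does not normally exist. It also escapes the new check in `tools/validator.py`, whose rewritten condition only examines sources that list Darwin or have no `supported_os` of their own, so the validator will neither confirm nor flag it. Either drop the line or, if a `/var/lib/tomcat*` install on macOS is intended, add both `/var/lib/tomcat*/conf/tomcat-users.xml` and `/private/var/lib/tomcat*/conf/tomcat-users.xml` to the `supported_os: [Darwin]` source instead. The log-path hunk of the same file (`@@ -17,55 +17,55 @@`) only reorders entries.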
@@ -16,9 +16,9 @@ sources:
 - type: FILE
 attributes:
 paths:
- - '/var/log/apache/access.log*'
- - '/var/log/apache2/access.log*'
- - '/var/log/httpd/access.log'
+ - '/var/log/apache/access.log*'
+ - '/var/log/apache2/access.log*'
+ - '/var/log/httpd/access.log'
 labels: [Software, Logs]
 supported_os: [Linux]
 ---
@@ -28,8 +28,10 @@ sources:
 - type: FILE
 attributes:
 paths:
- - '/wp/wp-config.php'
- - '/var/www/wp-config.php'
- - '/var/www/**/wp-config.php'
+ - '/private/var/www/**/wp-config.php'
+ - '/private/var/www/wp-config.php'
+ - '/var/www/**/wp-config.php'
+ - '/var/www/wp-config.php'
+ - '/wp/wp-config.php'
 labels: [Configuration Files]
 supported_os: [Linux, Darwin]
diff --git a/tools/validator.py b/tools/validator.py
index 4ba26d24..81e4e377 100755
--- a/tools/validator.py
+++ b/tools/validator.py
@@ -80,11 +80,14 @@ def _CheckMacOSPaths(self, filename, artifact_definition, source, paths):
 '{1:s}').format(artifact_definition.name, filename))
 result = False

- elif path_segments[0] in self._MACOS_PRIVATE_SUB_PATHS:
+ elif len(path_segments) == 1:
+ continue
+
+ elif path_segments[1] in self._MACOS_PRIVATE_SUB_PATHS:
 paths_with_symbolic_links_to_private.append(path)

- elif path_segments[0] == 'private':
- if path_segments[1] in self._MACOS_PRIVATE_SUB_PATHS:
+ elif path_segments[1] == 'private' and len(path_segments) >=2:
+ if path_segments[2] in self._MACOS_PRIVATE_SUB_PATHS:
 paths_with_private.append(path)

 else:
@@ -264,8 +267,9 @@ def CheckFile(self, filename):
 if source.type_indicator in (
 definitions.TYPE_INDICATOR_FILE, definitions.TYPE_INDICATOR_PATH):
- if (artifact_definition_supports_macos or
- definitions.SUPPORTED_OS_DARWIN in source.supported_os):
+ if (definitions.SUPPORTED_OS_DARWIN in source.supported_os or (
+ artifact_definition_supports_macos and
+ not source.supported_os)):
 if not self._CheckMacOSPaths(
 filename, artifact_definition, source, source.paths):
 result = False
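Review bot: `elif path_segments[1] == 'private' and len(path_segments) >=2:` guards the wrong index in the wrong order: `path_segments[1]` is subscripted before the length test, and the test only guarantees two segments while the next added line reads `path_segments[2]`, so a path that splits to exactly `['', 'private']` raises IndexError instead of being reported. Because the new `elif len(path_segments) == 1: continue` branch already rules out single-segment paths, the condition should read `elif len(path_segments) >= 3 and path_segments[1] == 'private':`, which also restores the PEP 8 spacing around `>=`. With that change a bare `/private` falls through to the `else:` branch, whose body lies outside the hunk, so whether it is reported as an error cannot be judged from here; the loop and the rest of `_CheckMacOSPaths` also continue past the hunk.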
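Review bot: The rewritten condition in `CheckFile` encodes a precedence rule that nothing in the hunk records: a source-level `supported_os` that omits Darwin now suppresses the check even when the artifact itself lists Darwin, and only an empty source-level list falls back to `artifact_definition_supports_macos` (assuming that flag means what its name says; its assignment is outside the hunk). A comment above the `if`, e.g. `# A source-level supported_os overrides the artifact-level one; an empty list inherits it.`, would make the intent explicit to the next reader of the nested parentheses. `CheckFile` begins and ends outside the hunk.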