feat: find collectors may include a command to use with xargs

"find" type collectors may now include an optional "command:". The full command line is appended to the constructed command as "... | xargs <commandline>". This allows piping the xargs output into other programs (see artifacts/system/immutable_files.yaml). Refactored artifacts/system/{getcap,immutable_files}.yaml to take advantage of this feature and benefit from the path and name filtering normally applied to other "find" type collectors.

Author: halpomeranz

artifacts/system/getcap.yaml

@@ -1,20 +1,13 @@
-version: 2.1
-condition: command_exists "getcap"
+version: 3.0
 output_directory: /system
-# abuse process capabilities
-# ref: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
 artifacts:
   -
-    description: List files that have process capabilities (no recursion, parent top-level directories only).
+    description: List all files with Linux capabilities
     supported_os: [linux]
-    collector: command
-    foreach: dirwalk.sh parents "%mount_point%" "/proc|/sys|%non_local_mount_points%"
-    command: getcap "%line%"/*
-    output_file: getcap.txt
-  -
-    description: List files that have process capabilities (recursion, children directories only).
-    supported_os: [linux]
-    collector: command
-    foreach: dirwalk.sh children "%mount_point%" "/proc|/sys|%non_local_mount_points%"
-    command: getcap -r "%line%"/*
+    collector: find
+    path: /
+    file_type: [f]
+    command: getcap
+    exclude_file_system: [proc, procfs]
     output_file: getcap.txt
+  

artifacts/system/immutable_files.yaml

@@ -1,18 +1,13 @@
-version: 2.1
-condition: command_exists "lsattr"
+version: 3.0
 output_directory: /system
 artifacts:
   -
-    description: List immutable files (no recursion, parent top-level directories only).
+    description: List all immutable files
     supported_os: [linux]
-    collector: command
-    foreach: dirwalk.sh parents "%mount_point%" "/dev|/proc|/run|/sys|%non_local_mount_points%"
-    command: lsattr "%line%" | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
-    output_file: immutable_files.txt
-  -
-    description: List immutable files (recursion, children directories only).
-    supported_os: [linux]
-    collector: command
-    foreach: dirwalk.sh children "%mount_point%" "/dev|/proc|/run|/sys|%non_local_mount_points%"
-    command: lsattr -R "%line%" | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
+    collector: find
+    path: /
+    file_type: [f]
+    command: lsattr | awk '$1 ~ /i/ && $1 !~ /^\\//'
+    exclude_file_system: [proc, procfs, squashfs]
     output_file: immutable_files.txt
+  

lib/find_based_collector.sh

@@ -21,6 +21,7 @@
 #   boolean no_group: no group corresponds to file's numeric group ID (optional)
 #   boolean no_user: No user corresponds to file's numeric user ID (optional)
 #   boolean ignore_date_range: ignore date range (optional) (default: false)
+#   string command: command passed to xargs to execute on find output
 #   string output_directory: full path to the output directory
 #   string output_file: output file name
 # Returns:
@@ -62,6 +63,8 @@ _find_based_collector()
   shift
   __fc_ignore_date_range="${1:-false}"
   shift
+  __fc_command_xargs_pipe="${1:-}"
+  shift
   __fc_output_directory="${1:-}"
   shift
   __fc_output_file="${1:-}"
@@ -149,6 +152,8 @@ _find_based_collector()
       if ${__fc_is_file_list}; then
         __fc_find_command="cat \"${__fc_path}\""
       else
+	[ -n "${__fc_command_xargs_pipe}" ] && __fc_print0="true" || __fc_print0="false"
+	      
         __fc_find_command=`_build_find_command \
           "${__fc_path}" \
           "${__fc_path_pattern}" \
@@ -162,13 +167,20 @@ _find_based_collector()
           "${__fc_permissions}" \
           "${__fc_no_group}" \
           "${__fc_no_user}" \
-          "" \
+          "${__fc_print0}" \
           "${__fc_start_date_days}" \
           "${__fc_end_date_days}"`
       fi
+      if [ "${__fc_collector}" = "find" ] && [ -n "${__fc_command_xargs_pipe}" ]; then
+	if ${__UAC_TOOL_FIND_PRINT0_SUPPORT} && ${__UAC_TOOL_XARGS_NULL_DELIMITER_SUPPORT}; then
+          __fc_find_command="${__fc_find_command} | xargs -0 ${__fc_command_xargs_pipe}"
+	else
+	  __fc_find_command="${__fc_find_command} | xargs ${__fc_command_xargs_pipe}"
+	fi
+      fi
       _verbose_msg "${__UAC_VERBOSE_CMD_PREFIX}${__fc_find_command}"
       _run_command "${__fc_find_command}" \
-        >>"${__fc_output_directory}/${__fc_output_file}"
+	>>"${__fc_output_directory}/${__fc_output_file}"
       ;;
     "hash")
       for __fc_algorithm in `echo "${__UAC_CONF_HASH_ALGORITHM}" | sed -e 's:|: :g'`; do

lib/parse_artifact.sh

@@ -362,6 +362,7 @@ _parse_artifact()
                         "${__pa_no_group}" \
                         "${__pa_no_user}" \
                         "${__pa_ignore_date_range}" \
+			"" \
                         "${__UAC_TEMP_DATA_DIR}" \
                         "file_collector.tmp"
                     elif [ "${__pa_collector}" = "find" ]; then
@@ -382,6 +383,7 @@ _parse_artifact()
                         "${__pa_no_group}" \
                         "${__pa_no_user}" \
                         "${__pa_ignore_date_range}" \
+			"${__pa_command}" \
                         "${__pa_new_output_directory}" \
                         "${__pa_new_output_file}"
                     elif [ "${__pa_collector}" = "hash" ]; then
@@ -402,6 +404,7 @@ _parse_artifact()
                         "${__pa_no_group}" \
                         "${__pa_no_user}" \
                         "${__pa_ignore_date_range}" \
+			"" \
                         "${__pa_new_output_directory}" \
                         "${__pa_new_output_file}"
                     elif [ "${__pa_collector}" = "stat" ]; then
@@ -422,6 +425,7 @@ _parse_artifact()
                         "${__pa_no_group}" \
                         "${__pa_no_user}" \
                         "${__pa_ignore_date_range}" \
+			"" \
                         "${__pa_new_output_directory}" \
                         "${__pa_new_output_file}"
                     fi
@@ -453,6 +457,7 @@ _parse_artifact()
                   "${__pa_no_group}" \
                   "${__pa_no_user}" \
                   "${__pa_ignore_date_range}" \
+		  "" \
                   "${__UAC_TEMP_DATA_DIR}" \
                   "file_collector.tmp"
               elif [ "${__pa_collector}" = "find" ]; then
@@ -473,6 +478,7 @@ _parse_artifact()
                   "${__pa_no_group}" \
                   "${__pa_no_user}" \
                   "${__pa_ignore_date_range}" \
+		  "${__pa_command}" \
                   "${__pa_output_directory}" \
                   "${__pa_output_file}"
               elif [ "${__pa_collector}" = "hash" ]; then
@@ -493,6 +499,7 @@ _parse_artifact()
                   "${__pa_no_group}" \
                   "${__pa_no_user}" \
                   "${__pa_ignore_date_range}" \
+		  "" \
                   "${__pa_output_directory}" \
                   "${__pa_output_file}"
               elif [ "${__pa_collector}" = "stat" ]; then
@@ -513,6 +520,7 @@ _parse_artifact()
                   "${__pa_no_group}" \
                   "${__pa_no_user}" \
                   "${__pa_ignore_date_range}" \
+		  "" \
                   "${__pa_output_directory}" \
                   "${__pa_output_file}"
               fi
@@ -523,4 +531,4 @@ _parse_artifact()
         esac
       done
 
-}
+}

lib/validate_artifact.sh

@@ -503,7 +503,7 @@ _validate_artifact()
                 _error_msg "Missing required field: 'path' is not set for '${__va_collector}' collector."
                 return 1
               fi
-              if [ -n "${__va_command}" ]; then
+              if [ -n "${__va_command}" ] && [ "${__va_collector}" != "find" ]; then
                 _error_msg "Invalid field: 'command' is not applicable for the '${__va_collector}' collector."
                 return 1
               fi
@@ -566,4 +566,4 @@ _validate_artifact()
         esac
 
       done
-}
+}