/usr/share/artifacts/linux_proc.yaml is in forensic-artifacts 20161022-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
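# Linux specific /proc artifacts.
#
# Each YAML document below defines one artifact. FILE sources read the listed
# /proc paths directly; the ARTIFACT_GROUP LinuxProcSysHardeningSettings bundles
# the hardening-related readings so they can be collected together.
name: LinuxASLREnabled
doc: Kernel ASLR state.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/kernel/randomize_va_space'
labels: [System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt']
---
name: LinuxIgnoreICMPBroadcasts
doc: Whether the system ignores ICMP pings.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts'
labels: [Network, System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt']
---
name: LinuxKernelBootloader
doc: Bootloader state acquired from the kernel.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/kernel/bootloader_type'
        - '/proc/sys/kernel/bootloader_version'
labels: [System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt']
---
name: LinuxKernelModuleRestrictions
doc: Module loading controls.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/kernel/kexec_load_disabled'
        - '/proc/sys/kernel/modules_disabled'
labels: [System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt']
---
name: LinuxKernelModuleTaintStatus
doc: Taint state of loaded modules (binary blobs, unsigned modules etc).
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/kernel/tainted'
labels: [System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt']
---
name: LinuxNetworkIpForwardingState
doc: IP forwarding states.
sources:
  - type: FILE
    attributes:
      paths:
        # Glob patterns are quoted so that '*' is not read as a YAML alias.
        # 'ipv*' is meant to match both the ipv4 and ipv6 trees under
        # /proc/sys/net; the remaining entries exist for IPv4 only.
        - '/proc/sys/net/ipv*/conf/*/forwarding'
        - '/proc/sys/net/ipv4/conf/*/mc_forwarding'
        - '/proc/sys/net/ipv4/ip_forward'
labels: [Network, System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt']
---
name: LinuxNetworkPathFilteringSettings
doc: States that determine how the system responds to route manipulation.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/net/ipv*/conf/*/accept_source_route'
        - '/proc/sys/net/ipv4/conf/*/rp_filter'
        - '/proc/sys/net/ipv4/conf/*/log_martians'
labels: [Network, System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt']
---
name: LinuxNetworkRedirectState
doc: Redirect send/receive states.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/net/ipv*/conf/*/accept_redirects'
        - '/proc/sys/net/ipv4/conf/*/secure_redirects'
        - '/proc/sys/net/ipv4/conf/*/send_redirects'
labels: [Network, System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt']
---
name: LinuxProcMounts
doc: Current mounted filesystems.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/mounts'
labels: [System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/filesystems/proc.txt']
---
name: LinuxProcSysHardeningSettings
doc: Linux sysctl settings obtained from /proc/sys.
sources:
  - type: ARTIFACT_GROUP
    attributes:
      # Every artifact named here is defined in this file. LinuxProcMounts and
      # LinuxSysctlCmd are not part of the group.
      names:
        - 'LinuxASLREnabled'
        - 'LinuxIgnoreICMPBroadcasts'
        - 'LinuxKernelBootloader'
        - 'LinuxKernelModuleTaintStatus'
        - 'LinuxKernelModuleRestrictions'
        - 'LinuxNetworkIpForwardingState'
        - 'LinuxNetworkPathFilteringSettings'
        - 'LinuxNetworkRedirectState'
        - 'LinuxRestrictedDmesgReadPrivileges'
        - 'LinuxRestrictedKernelPointerReadPrivileges'
        - 'LinuxSecureSuidCoreDumps'
        - 'LinuxSecureFsLinks'
        - 'LinuxSyncookieState'
labels: [System]
supported_os: [Linux]
---
name: LinuxRestrictedDmesgReadPrivileges
doc: Restrict whether non-privileged users can read dmesg.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/kernel/dmesg_restrict'
labels: [System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt']
---
name: LinuxRestrictedKernelPointerReadPrivileges
doc: Memory address obfuscation settings.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/kernel/kptr_restrict'
labels: [System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/sysctl/kernel.txt']
---
name: LinuxSecureFsLinks
doc: Security controls to restrict operations on links in world writable directories.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/fs/protected_hardlinks'
        - '/proc/sys/fs/protected_symlinks'
labels: [System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/sysctl/fs.txt']
---
name: LinuxSecureSuidCoreDumps
doc: Security controls for suid core dumps.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/fs/suid_dumpable'
labels: [System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/sysctl/fs.txt']
---
name: LinuxSyncookieState
doc: Whether the system uses syncookies.
sources:
  - type: FILE
    attributes:
      paths:
        - '/proc/sys/net/ipv4/tcp_syncookies'
labels: [Network, System]
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt']
---
name: LinuxSysctlCmd
doc: Linux output of sysctl -a.
sources:
  - type: COMMAND
    # Runs the host's own /sbin/sysctl binary. Unlike the FILE sources above,
    # the result depends on that binary being intact, so for hardening checks
    # prefer LinuxProcSysHardeningSettings, which reads /proc/sys directly.
    attributes:
      args: ['-a']
      cmd: /sbin/sysctl
supported_os: [Linux]
urls: ['https://www.kernel.org/doc/Documentation/sysctl']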