Merge pull request #440 from tclahr/update-shell-artifacts

replace single by individual shell artifacts

Author: tclahr

CHANGELOG.md

@@ -16,9 +16,15 @@ All notable changes to this project will be documented in this file.
 
 ### Artifacts
 
+- `files/applications/calc.yaml`: Added collection of calc history files [all].
 - `files/applications/imessage.yaml`: Renamed to `files/applications/messages.yaml` to better reflect its contents.
 - `files/applications/jenkins.yaml`: Added collection of Jenkins config.xml and build.xml files [linux, macos]. (by [halpomeranz](https://github.com/halpomeranz))
+- `files/applications/mail.yaml`: Added collection of .mailrc and .mail_aliases files [all].
 - `files/applications/microsoft_teams.yaml`: Updated collection of Microsoft Teams artifacts [linux, macos].
+- `files/applications/nano.yaml`: Added collection of nano history and config files [all].
+- `files/applications/python.yaml`: Added collection of python history files [all].
+- `files/applications/screen.yaml`: Added collection of .screenrc file [all].
+- `files/applications/sqlite.yaml`: Added collection of sqlite history files [all].
 - `files/browsers/brave.yaml`: Added collection of affiliation database file [linux, macos].
 - `files/browsers/chrome.yaml`: Added collection of affiliation database file [linux, macos].
 - `files/browsers/chromium.yaml`: Added collection of affiliation database file [linux, macos].
@@ -28,6 +34,22 @@ All notable changes to this project will be documented in this file.
 - `files/browsers/vivaldi.yaml`: Added collection of affiliation database file [linux, macos].
 - `files/logs/journal.yaml`: Updated collection of systemd journal artifacts to search files in `/var/log` only [linux]. (by [halpomeranz](https://github.com/halpomeranz))
 - `files/logs/tomcat.yaml`: Updated collection of Apache Tomcat logs to also search in the $CATALINA_BASE and $CATALINA_HOME locations [all].
+- `files/shell/config.yaml`, `files/shell/history.yaml`, and `files/shell/sessions.yaml` were replaced by the following artifacts:
+  - `files/shell/ash.yaml`: Added collection of ash history and config files [all].
+  - `files/shell/bash.yaml`: Added collection of bash history and config files [all].
+  - `files/shell/common.yaml`: Added collection of common shell config files [all].
+  - `files/shell/dash.yaml`: Added collection of dash history and config files [all].
+  - `files/shell/elvish.yaml`: Added collection of elvish history and config files [all].
+  - `files/shell/fish.yaml`: Added collection of fish history and config files [all].
+  - `files/shell/ion.yaml`: Added collection of ion history and config files [all].
+  - `files/shell/ksh.yaml`: Added collection of ksh history and config files [all].
+  - `files/shell/mksh.yaml`: Added collection of mksh history and config files [all].
+  - `files/shell/nscli.yaml`: Added collection of nscli history and config files [netscaler].
+  - `files/shell/osh.yaml`: Added collection of osh history and config files [all].
+  - `files/shell/powershell.yaml`: Added collection of powershell history and config files [all].
+  - `files/shell/tcsh.yaml`: Added collection of tcsh history and config files [all].
+  - `files/shell/xonsh.yaml`: Added collection of xonsh history and config files [all].
+  - `files/shell/zsh.yaml`: Added collection of zsh history and config files [all].
 - `files/ssh/public_keys.yaml`: Added collection of SSH public keys [all]. (by [halpomeranz](https://github.com/halpomeranz))
 - `files/system/biome.yaml`: Updated collection of Biome artifacts [macos].
 - `files/system/boot.yaml`: Added collection of boot config, initramfs/initrd, sysvers, System.map, and GRUB config files, possible persistence mechanisms [linux]. (by [halpomeranz](https://github.com/halpomeranz))

artifacts/files/applications/calc.yaml

@@ -0,0 +1,7 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect calc history files.
+    supported_os: [all]
+    collector: file
+    path: /%user_home%/.calc_history

artifacts/files/applications/mail.yaml

@@ -0,0 +1,7 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect mail config files.
+    supported_os: [all]
+    collector: file
+    path: /%user_home%/.mailrc /%user_home%/.mail_aliases

artifacts/files/applications/nano.yaml

@@ -1,9 +1,12 @@
-version: 1.0
+version: 1.1
 artifacts:
   -
     description: Collect nano history files.
     supported_os: [all]
     collector: file
-    path: %user_home%
-    name_pattern: [".nano_history"]
-    max_depth: 4
+    path: %user_home%/.nano_history
+  -
+    description: Collect nano config files.
+    supported_os: [all]
+    collector: file
+    path: %user_home%/.nanorc

artifacts/files/applications/python.yaml

@@ -0,0 +1,7 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect python history files.
+    supported_os: [all]
+    collector: file
+    path: /%user_home%/.python_history

artifacts/files/applications/screen.yaml

@@ -0,0 +1,7 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect screen config files.
+    supported_os: [all]
+    collector: file
+    path: /%user_home%/.screenrc

artifacts/files/applications/sqlite.yaml

@@ -0,0 +1,7 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect sqlite history files.
+    supported_os: [all]
+    collector: file
+    path: /%user_home%/.sqlite_history

artifacts/files/shell/ash.yaml

@@ -0,0 +1,12 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect history files (including logrotate and backup files).
+    supported_os: [all]
+    collector: file
+    path: /%user_home%/.ash_history /var/log/shell.log
+  -
+    description: Collect system config files.
+    supported_os: [all]
+    collector: file
+    path: /etc/profile.local /etc/rc.local.d/local.sh

artifacts/files/shell/bash.yaml

@@ -0,0 +1,40 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect history files (including logrotate and backup files).
+    supported_os: [all]
+    collector: file
+    path: /%user_home%/.bash_history /%user_home%/.bash_history~ /%user_home%/.bash_history.*
+  -
+    description: Collect user config files.
+    supported_os: [all]
+    collector: file
+    path: /%user_home%/.bashrc /%user_home%/.profile /%user_home%/.bash_login /%user_home%/.bash_profile
+  -
+    description: Collect user session files.
+    supported_os: [all]
+    collector: file
+    path: /%user_home%/.bash_sessions
+  -
+    description: Collect system config files.
+    supported_os: [all]
+    collector: file
+    path: /etc/bash.bashrc
+  -
+    description: Collect additional user files.
+    supported_os: [all]
+    collector: file
+    path: /%user_home%/.bash_aliases /%user_home%/.bash_logout /%user_home%/.inputrc
+  -
+    description: Parse config files to determine $HISTFILE.
+    supported_os: [all]
+    collector: command
+    command: grep -E "HISTFILE=.*" /%user_home%/.bashrc /%user_home%/.bash_profile /%user_home%/.profile /etc/bash.bashrc | sed -e 's|.*HISTFILE=||' -e 's|^~/|/%user_home%/|'
+    output_directory: /%temp_directory%/files/shell
+    output_file: bash_histfile.txt
+  -
+    description: Collect $HISTFILE.
+    supported_os: [all]
+    collector: file
+    path: /%temp_directory%/files/shell/bash_histfile.txt
+    is_file_list: true

artifacts/files/shell/common.yaml

@@ -0,0 +1,20 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect system files.
+    supported_os: [all]
+    collector: file
+    path: /etc/.login /etc/profile /etc/shells /etc/profile.d/*
+  -
+    description: Parse config files to determine $HISTFILE.
+    supported_os: [all]
+    collector: command
+    command: grep -E "^HISTFILE=.*" /etc/profile | sed -e 's|.*HISTFILE=||' -e 's|^~/|/%user_home%/|'
+    output_directory: /%temp_directory%/files/shell
+    output_file: common_histfile.txt
+  -
+    description: Collect $HISTFILE.
+    supported_os: [all]
+    collector: file
+    path: /%temp_directory%/files/shell/common_histfile.txt
+    is_file_list: true