anelshaer / Remote-Linux-Triage-Collection-using-OSquery

Remotely collect linux live forensics artifacts.

Remote Linux Triage Collection Using OSquery

Description

An Ansible playbook that uses osquery to collect Linux live-forensics artifacts from remote machines.

Getting Started

Sample Output

  1. Single file per machine - zipped TXT/CSV/JSON output
  2. Complete execution logs
  3. Listing of all results returned from a sample machine

Demo Environment

To see this in action:

  1. Clone this repository and change into its dev/ directory:

```bash
git clone https://github.com/anelshaer/Remote-Linux-Triage-Collection-using-OSquery.git
cd Remote-Linux-Triage-Collection-using-OSquery/dev/
```

  2. [Install Docker](https://docs.docker.com/get-docker/)
  3. Build the Docker images for the IR/control node and the two target machines:

```bash
sudo docker build -t ansible-control -f Dockerfile.ansible .
sudo docker build -t ansible-osquery-c7 -f Dockerfile.centos .
sudo docker build -t ansible-osquery-u1604 -f Dockerfile.ubuntu .
```

  4. Run docker-compose:

```bash
docker-compose up --abort-on-container-exit
```

  5. Find the collection artifacts under a new directory named playbooks/triage_results

Dependencies

  • Ansible - installed on the IR (control) machine
  • osquery - one of the following is required:
    1. The osquery package is installed on the remote machines, or
    2. An osqueryi binary exists locally on the IR machine (at files/bin/osqueryi), in which case it is:
    • pushed to the remote at the start of the execution, and
    • removed from the remote after the execution.

Installing

Executing program

  • Clone the repository

  • Change Directory to playbooks

  • The current Inventory/hosts is meant to be used with the demo environment; add or change hosts as needed.

  • If osquery is not installed on the targets, the osqueryi binary to push has to be located at files/bin/osqueryi

  • Run the playbook with one of these commands, depending on the output format you need:

```bash
echo 'Run Remote Collection with TXT output'
ansible-playbook -i Inventory/hosts remote_linux_triage_collection.yaml
echo 'Run Remote Collection with JSON output'
ansible-playbook -i Inventory/hosts remote_linux_triage_collection.yaml --extra-vars '{"json_logs": true}'
echo 'Run Remote Collection with CSV output'
ansible-playbook -i Inventory/hosts remote_linux_triage_collection.yaml --extra-vars '{"csv_logs": true}'
```

Note: depending on how the IR machine authenticates to the targets, you may need these options:

  • ask for the SSH connection password: -k, --ask-pass
  • ask for the privilege escalation (sudo) password: -K, --ask-become-pass
  • for example:

```bash
ansible-playbook -i Inventory/hosts -kK remote_linux_triage_collection.yaml
```

  • Find the collection artifacts under a new directory named playbooks/triage_results
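The playbook itself is not reproduced on this page. As an added example (written for this page, not the repository's remote_linux_triage_collection.yaml), the following play shows how the two osquery modes listed under Dependencies and the TXT/JSON/CSV switches above fit together: check for an installed osqueryi, otherwise push the local files/bin/osqueryi, run a fixed set of triage queries into one file per host, fetch it, and clean up in an `always` section so the pushed binary and the output file are removed even if a query fails. The inventory group name `targets`, the temporary paths under /tmp, the query list and the use of osqueryi's `--line` mode for TXT output are assumptions made for this example.

```yaml
# Added example (not the project's own playbook): a collection play in the
# shape the README describes. Assumptions: an inventory group named "targets",
# osqueryi bundled at files/bin/osqueryi next to the playbook, and the
# json_logs / csv_logs extra-vars used by the commands above.
- name: Remote Linux triage collection with osqueryi
  hosts: targets
  become: true          # process tables, sockets and other users' crontabs need root
  gather_facts: false
  vars:
    json_logs: false
    csv_logs: false
    remote_bin: /tmp/.triage_osqueryi              # only used when osquery is not installed
    remote_out: "/tmp/.triage_{{ inventory_hostname }}.out"
    local_results: "{{ playbook_dir }}/triage_results"
    # osqueryi output mode: --json / --csv from the extra-vars, otherwise --line text
    out_flag: "{{ '--json' if json_logs else ('--csv' if csv_logs else '--line') }}"
    queries:
      - "select pid, name, path, cmdline, uid, parent from processes;"
      - "select pid, local_address, local_port, remote_address, remote_port from process_open_sockets where remote_port != 0;"
      - "select user, host, tty, time from logged_in_users;"
      - "select path, command, minute, hour from crontab;"
      - "select name, size, status from kernel_modules;"
  tasks:
    - name: Check whether the target already has osqueryi installed
      ansible.builtin.stat:
        path: /usr/bin/osqueryi
      register: installed

    - name: Push the bundled osqueryi when the target has none (copy checks the transferred checksum)
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/files/bin/osqueryi"
        dest: "{{ remote_bin }}"
        mode: "0755"
      when: not installed.stat.exists

    - name: Pick the binary to run
      ansible.builtin.set_fact:
        osqueryi_path: "{{ '/usr/bin/osqueryi' if installed.stat.exists else remote_bin }}"

    - name: Collect, fetch, and always clean up the target
      block:
        - name: Run each query and append its result to one output file per host
          ansible.builtin.shell: >
            printf '### %s\n' "{{ item }}" >> "{{ remote_out }}" &&
            "{{ osqueryi_path }}" {{ out_flag }} "{{ item }}" >> "{{ remote_out }}"
          loop: "{{ queries }}"
          changed_when: true

        - name: Fetch the result into triage_results/<hostname>/ on the IR machine
          ansible.builtin.fetch:
            src: "{{ remote_out }}"
            dest: "{{ local_results }}/"
            flat: false
      always:
        - name: Remove the temporary output and the pushed binary (never the packaged one)
          ansible.builtin.file:
            path: "{{ item }}"
            state: absent
          loop:
            - "{{ remote_out }}"
            - "{{ remote_bin }}"
```

Run it with the same ansible-playbook commands as above. Two caveats a practitioner would want: the copy module compares the checksum of the transferred file with the local one, but that only proves the binary you shipped arrived intact, so keep files/bin/osqueryi from a trusted osquery release and record its hash in the case notes; and every task here writes to the target (the pushed binary, the output file, and the osqueryi process itself), so keep the execution log and record those paths as examiner-introduced artifacts.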

Help / contribution

Please file an issue on GitHub or contact me directly.

Authors

@Ahmed Elshaer

Version History

  • 0.1
    • Initial Release

License

This project is licensed under the MIT License - see the LICENSE.md file for details


Languages

Language:Shell 100.0%