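---
# Sensitive-files search configuration. The builder that consumes this file is not on this
# page; the `defaults` mapping below is the only schema evidence here, so every per-entry key
# is expected to use exactly one of those names.
#
# Changes from the original (all noted inline where they apply):
#   - the `DBus` section listed the key "system.d" twice with identical bodies; one copy is kept
#   - `bad:regex` under `Autologin` is corrected to `bad_regex`
#   - the Mongo `remove_regex` pattern is single-quoted (`\W`/`\#` are not valid escapes in a
#     double-quoted YAML scalar and make strict parsers fail)
#   - the Elasticsearch `exec` entry is re-quoted so the embedded single quotes no longer
#     terminate the YAML scalar
#   - the final section title `Dabatase` is spelled `Database`

# Top-level directories the search may descend into. "# common" marks the entries that also
# appear in common_file_folders / common_directory_folders below.
root_folders:
  - applications  # common
  - etc  # common
  - home  # common
  - lib
  - lib32
  - lib64
  - mnt  # common
  - opt  # common
  - private  # common
  - run
  - snap  # common
  - sys
  - system
  - systemd
  - tmp  # common
  - usr  # common
  - var  # common

# Space-separated folder lists. Entries whose `search_in` says `common` presumably expand to
# one of these (the expansion happens in the builder, not here). Note that `snap` is present
# in the file list but not in the directory list.
common_file_folders: "applications etc home mnt opt private snap tmp usr var"
common_directory_folders: "applications etc home mnt opt private tmp usr var"

# Per-entry option defaults. Each entry under `search` may override any of them.
# NOTE(review): entries below use both `regex_remove` (the spelling here) and `remove_regex`,
# and both `just_list_file` (the spelling here) and `just_list`; whichever spelling the builder
# does not recognise is silently ignored. Confirm the builder's field names and normalise.
defaults:
  auto_check: False  # The builder will generate a check for the file
  bad_regex: ""  # The regex used to color red and grep lines (if only_bad_lines and no line_grep)
  check_extra_path: ""  # Check if the found files are in a specific path
  good_regex: ""  # The regex to color green
  just_list_file: False  # Just mention the path to the file, do not cat it
  line_grep: ""  # The regex to grep lines in a file (if only_bad_lines), by default bad_regex is used here if empty
  only_bad_lines: False  # Only print lines containing something red
  regex_remove: ""  # Extra regex to remove some lines
  remove_empty_lines: False  # Remove empty lines
  remove_path: ""  # Not interested in files containing this path

# Files & folders to search.
# Each section: optional `auto_check`, optional `exec` (shell snippets; the helpers
# warn_exec / print_3title / echo_not_found are presumably supplied by the generated script),
# then one mapping per file or directory pattern. `type: f` is a file pattern, `type: d` a
# directory pattern whose `files` mapping lists what to look at inside it.
# `bad_regex: ".*"` marks every line, i.e. the whole file is printed.
search:
  Systemd:
    auto_check: False
    "*.service":
      type: f
      search_in:
        - all

  Timer:
    auto_check: False
    "*.timer":
      type: f
      search_in:
        - all

  Socket:
    auto_check: False
    "*.socket":
      type: f
      search_in:
        - all

  DBus:
    auto_check: False
    # The original repeated this key verbatim; a duplicate mapping key is invalid YAML 1.2 and
    # last-wins on most parsers, so a single copy is kept.
    "system.d":
      type: d
      search_in:
        - etc

  MySQL:
    auto_check: False
    "mysql":
      type: d
      check_extra_path: "^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql"
      remove_path: "mysql/mysql"
      search_in:
        - common

  PostgreSQL:
    auto_check: True
    exec:
      - "echo Version: $(warn_exec psql -V 2>/dev/null)"
    "pgadmin*.db":
      type: f
      bad_regex: ".*"
      search_in:
        - common
    "pg_hba.conf":
      bad_regex: "auth|password|md5|user=|pass=|trust"
      type: f
      remove_empty_lines: True
      remove_regex: '\W+\#|^#'
      search_in:
        - common
    "postgresql.conf":
      type: f
      search_in:
        - common
    "pgsql.conf":
      type: f
      search_in:
        - common

  Apache:
    auto_check: True
    exec:
      - "echo Version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"
      - "print_3title 'PHP exec extensions'"
      - 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'
    "sites-enabled":
      type: d
      files:
        "*":
          bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
          only_bad_lines: True
          remove_empty_lines: True
          remove_regex: "^#"
      search_in:
        - common
    "000-default":
      auto_check: True
      bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
      type: f
      search_in:
        - common

  PHPCookies:
    auto_check: True
    exec:
      - "ls /var/lib/php/sessions 2>/dev/null || echo_not_found /var/lib/php/sessions"
    "sess_*":
      check_extra_path: '/tmp/.*sess_.*|/var/tmp/.*sess_.*'
      type: f
      search_in:
        - tmp
        - var
        - mnt

  PHP_files:
    auto_check: False
    "*config*.php":
      type: f
      search_in:
        - common
    "database.php":
      type: f
      search_in:
        - common
    "db.php":
      type: f
      search_in:
        - common
    "storage.php":
      type: f
      search_in:
        - common
    "settings.php":
      type: f
      search_in:
        - common

  Wordpress:
    auto_check: True
    "wp-config.php":
      bad_regex: "PASSWORD|USER|NAME|HOST"
      only_bad_lines: True
      type: f
      search_in:
        - common

  Drupal:
    auto_check: True
    "settings.php":
      bad_regex: "drupal_hash_salt|'database'|'username'|'password'|'host'|'port'|'driver'|'prefix'"
      check_extra_path: "/default/settings.php"
      only_bad_lines: True
      type: f
      search_in:
        - common

  Moodle:
    auto_check: True
    "config.php":
      auto_check: True
      # `dbhost` appeared twice in the original alternation; the duplicate is dropped.
      bad_regex: "dbtype|dbhost|dbuser|dbpass|dbport"
      check_extra_path: "moodle/config.php"
      only_bad_lines: True
      type: f
      search_in:
        - common

  Tomcat:
    auto_check: True
    "tomcat-users.xml":
      auto_check: True
      # NOTE(review): bad_regex is a copy of the Moodle DB-key pattern, while check_extra_path
      # holds what looks like a line pattern rather than a path. The two values appear swapped;
      # left as found — confirm the intent against the builder before changing.
      bad_regex: "dbtype|dbhost|dbuser|dbhost|dbpass|dbport"
      check_extra_path: "username=|password="
      only_bad_lines: True
      type: f
      search_in:
        - common

  Mongo:
    auto_check: True
    exec:
      - "echo Version: $(warn_exec mongo --version 2>/dev/null; warn_exec mongod --version 2>/dev/null)"
    "mongod*.conf":
      type: f
      remove_empty_lines: True
      # Single-quoted like the other sections: `\W` and `\#` are not valid escapes in a
      # double-quoted YAML scalar.
      remove_regex: '\W+\#|^#'
      search_in:
        - common

  Supervisord:
    auto_check: True
    "supervisord.conf":
      bad_regex: "port.*=|username.*=|password.*="
      only_bad_lines: True
      type: f
      search_in:
        - common

  Cesi:
    auto_check: True
    "cesi.conf":
      bad_regex: "username.*=|password.*=|host.*=|port.*=|database.*="
      only_bad_lines: True
      type: f
      search_in:
        - common

  Rsync:
    auto_check: True
    "rsyncd.conf":
      bad_regex: "secrets.*|auth.*users.*="
      type: f
      remove_empty_lines: True
      remove_regex: '\W+\#|^#'
      search_in:
        - common
    "rsyncd.secrets":
      bad_regex: ".*"
      type: f
      search_in:
        - common

  Hostapd:
    auto_check: True
    "hostapd.conf":
      bad_regex: "passphrase.*"
      type: f
      search_in:
        - common

  Anaconda-ks:
    auto_check: True
    "anaconda-ks.cfg":
      bad_regex: "rootpw.*"
      only_bad_lines: True
      type: f
      search_in:
        - common

  VNC:
    ".vnc":
      auto_check: True
      files:
        "passwd":
          just_list: True
      type: d
      search_in:
        - common

  Ldap:
    auto_check: False
    "ldap":
      files:
        "*.bdb":
          bad_regex: "administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator"
          line_grep: '-i -a -E -o "description.*"'
      type: d
      search_in:
        - common

  Open VPN:
    auto_check: True
    "*.ovpn":
      bad_regex: "auth-user-pass.*"
      only_bad_lines: True
      type: f
      search_in:
        - common

  SSH:
    auto_check: False
    "id_dsa*":
      type: f
      search_in:
        - common
    "id_rsa*":
      type: f
      search_in:
        - common
    "known_hosts":
      type: f
      search_in:
        - common
    "authorized_hosts":
      type: f
      search_in:
        - common
    "authorized_keys":
      type: f
      search_in:
        - common
    "*.pem":
      type: f
      search_in:
        - common
    "*.cer":
      type: f
      search_in:
        - common
    "*.crt":
      type: f
      search_in:
        - common
    "*.csr":
      type: f
      search_in:
        - common
    "*.der":
      type: f
      search_in:
        - common
    "*.pfx":
      type: f
      search_in:
        - common
    "*.p12":
      type: f
      search_in:
        - common
    "agent*":
      type: f
      search_in:
        - tmp
    # NOTE(review): `usr home` is a single list item, unlike every other search_in entry, which
    # names one folder per item. Left as found — confirm whether the builder splits on spaces.
    "*ssh*config*":
      type: f
      search_in:
        - usr home
    "*config*ssh*":
      type: f
      search_in:
        - usr home

  Cloud credentials:
    auto_check: True
    "credentials":
      auto_check: True
      bad_regex: ".*"
      type: f
      search_in:
        - common
    "credentials.db":
      auto_check: True
      bad_regex: ".*"
      type: f
      search_in:
        - common
    "legacy_credentials.db":
      auto_check: True
      bad_regex: ".*"
      type: f
      search_in:
        - common
    "access_tokens.db":
      auto_check: True
      bad_regex: ".*"
      type: f
      search_in:
        - common
    "access_tokens.json":
      auto_check: True
      bad_regex: ".*"
      type: f
      search_in:
        - common
    "accessTokens.json":
      auto_check: True
      bad_regex: ".*"
      type: f
      search_in:
        - common
    "azureProfile.json":
      auto_check: True
      bad_regex: ".*"
      type: f
      search_in:
        - common

  Kerberos:
    auto_check: False
    "krb5.conf":
      type: f
      search_in:
        - common
    "krb5.keytab":
      type: f
      search_in:
        - common
    ".k5login":
      type: f
      search_in:
        - common
    "kadm5.acl":
      type: f
      search_in:
        - common

  Kibana:
    auto_check: True
    "kibana.y*ml":
      bad_regex: "username|password|host|port|elasticsearch|ssl"
      type: f
      remove_empty_lines: True
      remove_regex: '\W+\#|^#|^[[:space:]]*$'
      search_in:
        - common

  Knockd:
    auto_check: True
    "*knockd*":
      auto_check: False
      check_extra_path: "/etc/init.d/"
      type: f
      search_in:
        - etc

  Logstash:
    auto_check: False
    "logstash":
      type: d
      search_in:
        - common

  Elasticsearch:
    auto_check: True
    exec:
      # The original scalar was single-quoted with `\'` inside, which ends the YAML string early.
      # Re-quoted so the shell receives plain single quotes around the URL.
      # NOTE(review): the address is hard-coded and the request is plain HTTP; every other
      # section probes the local host only. Confirm this is the intended target.
      - "echo \"Version: $(curl -X GET '10.10.10.115:9200' 2>/dev/null | grep number | cut -d ':' -f 2)\""
    "elasticsearch.y*ml":
      auto_check: False
      line_grep: "path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"
      remove_regex: '\W+\#|^#'
      type: f
      search_in:
        - common

  Vault-ssh:
    auto_check: False
    "vault-ssh-helper.hcl":
      type: f
      search_in:
        - common
    ".vault-token":
      type: f
      search_in:
        - common

  CouchDB:
    auto_check: True
    "couchdb":
      files:
        "local.ini":
          bad_regex: "admin.*|password.*|cert_file.*|key_file.*|hashed.*|pbkdf2.*"
          remove_empty_lines: True
          remove_regex: "^;"
      type: d
      search_in:
        - common

  Redis:
    auto_check: True
    "redis.conf":
      bad_regex: "masterauth.*|requirepass.*"
      type: f
      remove_empty_lines: True
      remove_regex: '\W+\#|^#'
      search_in:
        - common

  Mosquitto:
    auto_check: True
    "mosquitto.conf":
      bad_regex: "password_file.*|psk_file.*|allow_anonymous.*true|auth"
      type: f
      remove_empty_lines: True
      remove_regex: '\W+\#|^#'
      search_in:
        - common

  Neo4j:
    auto_check: True
    "neo4j":
      files:
        "auth":
          bad_regex: ".*"
          remove_empty_lines: True
      type: d
      search_in:
        - common

  Cloud-Init:
    auto_check: True
    "cloud.cfg":
      # `PRIVATE KEY` appeared twice in the original alternation; the duplicate is dropped.
      bad_regex: "consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|encrypted_data_bag_secret|_proxy"
      only_bad_lines: True
      type: f
      remove_empty_lines: True
      remove_regex: '\W+\#|^#'
      search_in:
        - common

  Erlang:
    auto_check: True
    ".erlang.cookie":
      bad_regex: ".*"
      type: f
      search_in:
        - common

  GMV Auth:
    auto_check: True
    "gvm-tools.conf":
      bad_regex: "username.*|password.*"
      type: f
      search_in:
        - common

  IPSec:
    auto_check: True
    "ipsec.secrets":
      bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*"
      type: f
      search_in:
        - common
    "ipsec.conf":
      auto_check: True
      bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*"
      type: f
      search_in:
        - common

  IRSSI:
    auto_check: True
    ".irssi":
      files:
        "config":
          bad_regex: "password.*"
      type: d
      search_in:
        - common

  Keyring:
    auto_check: True
    "keyrings":
      type: d
      search_in:
        - common
    "*.keyring":
      just_list_file: True
      type: f
      search_in:
        - common
    "*.keystore":
      just_list_file: True
      type: f
      search_in:
        - common
    "*.jks":
      just_list_file: True
      type: f
      search_in:
        - common

  Filezilla:
    auto_check: True
    # NOTE(review): "filelliza" looks like a misspelling of the FileZilla directory name, in
    # which case this pattern never matches. Left as found — confirm before changing.
    "filelliza":
      files:
        "sitemanager.xml":
          bad_regex: "Host.*|Port.*|Protocol.*|User.*|Pass.*"
          remove_empty_lines: True
          remove_regex: "^;"
      type: d
      search_in:
        - common

  Backup Manager:
    "storage.php":
      auto_check: True
      bad_regex: "password|pass|user|database|host"
      only_bad_lines: True
      type: f
      search_in:
        - common
    "database.php":
      auto_check: True
      bad_regex: "password|pass|user|database|host"
      only_bad_lines: True
      type: f
      search_in:
        - common

  Splunk:
    auto_check: False
    "passwd":
      type: f
      search_in:
        - common

  GitLab:
    auto_check: False
    "secrets.yml":
      type: f
      remove_path: "/lib"
      search_in:
        - common
    "gitlab.yml":
      type: f
      remove_path: "/lib"
      search_in:
        - common
    # NOTE(review): "gitlab.rm" is probably meant to be the omnibus `gitlab.rb`; left as found.
    "gitlab.rm":
      type: f
      remove_path: "/lib"
      search_in:
        - common

  PGP-GPG:
    auto_check: True
    exec:
      - '((command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null'
      - '((command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null'
      - '(command -v netpgp || echo_not_found "netpgp") 2>/dev/null'
    "*.pgp":
      type: f
      search_in:
        - common
    "*.gpg":
      type: f
      search_in:
        - common
    "*.gnupg":
      type: f
      search_in:
        - common

  Cache Vi:
    auto_check: True
    "*.swp":
      just_list: True
      type: f
      search_in:
        - common
    "*.viminfo":
      just_list: True
      type: f
      search_in:
        - common

  Docker:
    auto_check: False
    "docker.socket":
      type: f
      search_in:
        - common
    "docker.sock":
      type: f
      search_in:
        - common
    "Dockerfile":
      type: f
      search_in:
        - common
    "docker-compose.yml":
      type: f
      search_in:
        - common

  Firefox:
    auto_check: True
    ".mozilla":
      files:
        "places.sqlite":
          just_list: True
        "bookmarkbackups":
          just_list: True
        "formhistory.sqlite":
          just_list: True
        "handlers.json":
          just_list: True
        "persdict.dat":
          just_list: True
        "addons.json":
          just_list: True
        "cookies.sqlite":
          just_list: True
        "cache2":
          just_list: True
        "startupCache":
          just_list: True
        "favicons.sqlite":
          just_list: True
        "prefs.js":
          just_list: True
        "downloads.sqlite":
          just_list: True
        "thumbnails":
          just_list: True
        "logins.json":
          just_list: True
        "key4.db":
          just_list: True
        "key3.db":
          just_list: True
      type: d
      search_in:
        - home

  Chrome:
    auto_check: True
    "google-chrome":
      files:
        "Cookies":
          just_list: True
        "Cache":
          just_list: True
        "Bookmarks":
          just_list: True
        "Web Data":
          just_list: True
        "Favicons":
          just_list: True
        "Login Data":
          just_list: True
        "Current Session":
          just_list: True
        "Current Tabs":
          just_list: True
        "Last Session":
          just_list: True
        "Last Tabs":
          just_list: True
        "Extensions":
          just_list: True
        "Thumbnails":
          just_list: True
      # Added for consistency: every other entry with a `files` mapping declares `type: d`,
      # and `defaults` provides no `type`.
      type: d
      search_in:
        - home

  Autologin:
    auto_check: True
    "autologin":
      bad_regex: "passwd"  # was `bad:regex`, a key no default defines
      type: f
      search_in:
        - common
    "autologin.conf":
      bad_regex: "passwd"  # was `bad:regex`, a key no default defines
      type: f
      search_in:
        - common

  FastCGI:
    auto_check: True
    "fastcgi_params":
      bad_regex: "DB_NAME|DB_USER|DB_PASS"
      only_bad_lines: True
      type: f
      search_in:
        - common

  SNMP:
    auto_check: True
    "snmpd.conf":
      bad_regex: "rocommunity|rwcommunity"
      only_bad_lines: True
      type: f
      search_in:
        - common

  Pypirc:
    auto_check: True
    ".pypirc":
      bad_regex: "username|password"
      type: f
      search_in:
        - common

  CloudFlare:
    auto_check: True
    ".cloudflared":
      type: d
      search_in:
        - common

  History:
    auto_check: False
    ".*_history":
      type: f
      search_in:
        - common

  Http.conf:
    auto_check: True
    "httpd.conf":
      bad_regex: "htaccess.*|htpasswd.*"
      only_bad_lines: True
      regex_remove: '\W+\#|^#'
      remove_empty_lines: True
      type: f
      search_in:
        - common

  Htpasswd:
    auto_check: True
    ".htpasswd":
      bad_regex: ".*"
      regex_remove: "^#"
      remove_empty_lines: True
      type: f
      search_in:
        - common

  Ldaprc:
    auto_check: True
    ".ldaprc":
      bad_regex: ".*"
      regex_remove: "^#"
      remove_empty_lines: True
      type: f
      search_in:
        - common

  Env:
    auto_check: True
    ".env":
      bad_regex: "[pP][aA][sS][sS].*"
      regex_remove: "^#"
      remove_empty_lines: True
      type: f
      search_in:
        - common

  Msmtprc:
    auto_check: True
    ".msmtprc":
      bad_regex: "user.*|password.*"
      regex_remove: "^#"
      remove_empty_lines: True
      type: f
      search_in:
        - common

  Github:
    auto_check: True
    # NOTE(review): `.git` and `.github` are normally directories, so `type: f` is unlikely to
    # match them (compare `.svn` below, which uses `type: d`). Left as found.
    ".git":
      just_list: True
      type: f
      search_in:
        - common
    ".github":
      auto_check: True
      just_list: True
      type: f
      search_in:
        - common
    ".gitconfig":
      auto_check: True
      just_list: True
      type: f
      search_in:
        - common
    ".git-credentials":
      auto_check: True
      just_list: True
      type: f
      search_in:
        - common

  Svn:
    auto_check: True
    ".svn":
      just_list: True
      type: d
      search_in:
        - common

  Other Interesting Files:
    auto_check: True
    ".bashrc":
      just_list: True
      type: f
      search_in:
        - common
    ".google_authenticator":
      just_list: True
      type: f
      search_in:
        - common
    "hosts.equiv":
      just_list: True
      type: f
      search_in:
        - common
    ".lesshst":
      just_list: True
      type: f
      search_in:
        - common
    ".plan":
      just_list: True
      type: f
      search_in:
        - common
    ".profile":
      just_list: True
      type: f
      search_in:
        - common
    ".recently-used.xbel":
      just_list: True
      type: f
      search_in:
        - common
    ".rhosts":
      just_list: True
      type: f
      search_in:
        - common
    ".sudo_as_admin_successful":
      just_list: True
      type: f
      search_in:
        - common

  # Final section (section title was spelled "Dabatase" in the original).
  Database:
    auto_check: False
    "*.db":
      remove_path: "/man/|/usr/|/var/cache/"
      type: f
      search_in:
        - common
    "*.sqlite":
      remove_path: "/man/|/usr/|/var/cache/"
      type: f
      search_in:
        - common
    "*.sqlite3":
      remove_path: "/man/|/usr/|/var/cache/"
      type: f
      search_in:
        - common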