root_folders: - /applications #common - /bin #common - /.cache #common - /cdrom #common - /etc #common - $HOMESEARCH #common, use this instead of "/home" - /lib - /lib32 - /lib64 - /media #common - /mnt #common - /opt #common - /private #common - /run - /sbin #common - /snap #common - /srv #common - /sys - /system - /systemd - /tmp #common - /usr #common - /var #common common_file_folders: - /applications - /bin - /.cache - /cdrom - /etc - $HOMESEARCH - /media - /mnt - /opt - /private - /sbin - /snap - /srv - /tmp - /usr - /var common_directory_folders: - /applications - /bin - /.cache - /cdrom - /etc - $HOMESEARCH - /media - /mnt - /opt - /private - /sbin - /snap - /srv - /tmp - /usr - /var peas_extrasections_markup: "peass{EXTRA_SECTIONS}" peas_finds_markup: "peass{FINDS_HERE}" find_line_markup: "peass{FIND_PARAMS_HERE}" find_template: > `eval_bckgrd "find peass{FIND_PARAMS_HERE} 2>/dev/null | sort; printf \\\$YELLOW'. '\\\$NC 1>&2;"` peas_storages_markup: "peass{STORAGES_HERE}" storage_line_markup: "peass{STORAGE_PARAMS_HERE}" storage_line_extra_markup: "peass{STORAGE_PARAMS_EXTRA_HERE}" storage_template: > $(echo -e "peass{STORAGE_PARAMS_HERE}" peass{STORAGE_PARAMS_EXTRA_HERE} | sort | uniq | head -n 70) int_hidden_files_markup: "peass{INT_HIDDEN_FILES}" defaults: auto_check: False #The builder will generate a ceck for the file bad_regex: "" #The regex used to color red and grep lines (if only_bad_lines and no line_grep) check_extra_path: "" #Check if the found files are in a specific path good_regex: "" #The regex to color green just_list_file: False #Just mention the path to the file, do not cat it line_grep: "" #The regex to grep lines in a file (if only_bad_lines), by default bad_regex is used here if empty only_bad_lines: False #Only print lines containing something red remove_empty_lines: False #Remove empty lines, use only for text files (-I param in grep) remove_path: "" #Not interested in files containing this path remove_regex: "" #Extra regex to remove some lines search_in: #By default search in defined common - common type: f #File by default exec: [] #Files & folders to search search: Systemd: config: auto_check: False files: ? "*.service" : type: f search_in: - all Timer: config: auto_check: False files: ? "*.timer" : type: f search_in: - all Socket: config: auto_check: False files: ? "*.socket" : type: f search_in: - all DBus: config: auto_check: False files: ? "system.d" : type: d search_in: - /etc ? "system.d" : type: d search_in: - /etc MySQL: config: auto_check: False files: mysql: type: d check_extra_path: "^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql" remove_path: "mysql/mysql" search_in: - common PostgreSQL: config: auto_check: True exec: - 'echo "Version: $(warn_exec psql -V 2>/dev/null)"' files: ? "pgadmin*.db" : type: f just_list_file: True search_in: - common ? "pg_hba.conf" : bad_regex: "auth|password|md5|user=|pass=|trust" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common ? "postgresql.conf" : bad_regex: "auth|password|md5|user=|pass=|trust" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common ? "pgsql.conf" : bad_regex: "auth|password|md5|user=|pass=|trust" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common Apache: config: auto_check: True exec: - 'echo "Version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"' - "print_3title 'PHP exec extensions'" - 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null' files: ? "sites-enabled" : type: d files: ? "*" : bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" only_bad_lines: True remove_empty_lines: True remove_regex: "^#" search_in: - common ? "000-default" : bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias" type: f search_in: - common PHPCookies: config: auto_check: True exec: - "ls /var/lib/php/sessions 2>/dev/null || echo_not_found /var/lib/php/sessions" files: ? "sess_*" : check_extra_path: '/tmp/.*sess_.*|/var/tmp/.*sess_.*' type: f search_in: - /tmp - /var - /mnt PHP_files: config: auto_check: False files: ? "*config*.php" : type: f search_in: - common ? "database.php" : type: f search_in: - common ? "db.php" : type: f search_in: - common ? "storage.php" : type: f search_in: - common ? "settings.php" : type: f search_in: - common Wordpress: config: auto_check: True files: ? "wp-config.php" : bad_regex: "PASSWORD|USER|NAME|HOST" only_bad_lines: True type: f search_in: - common Drupal: config: auto_check: True files: ? "settings.php" : bad_regex: "drupal_hash_salt|'database'|'username'|'password'|'host'|'port'|'driver'|'prefix'" check_extra_path: "/default/settings.php" only_bad_lines: True type: f search_in: - common Moodle: config: auto_check: True files: ? "config.php" : bad_regex: "dbtype|dbhost|dbuser|dbhost|dbpass|dbport" check_extra_path: "moodle/config.php" only_bad_lines: True type: f search_in: - common Tomcat: config: auto_check: True files: ? "tomcat-users.xml" : bad_regex: "dbtype|dbhost|dbuser|dbhost|dbpass|dbport" line_grep: '"username=|password="' only_bad_lines: True type: f search_in: - common Mongo: config: auto_check: True exec: - 'echo "Version: $(warn_exec mongo --version 2>/dev/null; warn_exec mongod --version 2>/dev/null)"' files: ? "mongod*.conf" : type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common Supervisord: config: auto_check: True files: ? "supervisord.conf" : bad_regex: "port.*=|username.*=|password.*=" only_bad_lines: True type: f search_in: - common Cesi: config: auto_check: True files: ? "cesi.conf" : bad_regex: "username.*=|password.*=|host.*=|port.*=|database.*=" only_bad_lines: True type: f search_in: - common Rsync: config: auto_check: True files: ? "rsyncd.conf" : bad_regex: "secrets.*|auth.*users.*=" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common ? "rsyncd.secrets" : bad_regex: ".*" type: f search_in: - common Hostapd: config: auto_check: True files: ? "hostapd.conf" : bad_regex: "passphrase.*" type: f search_in: - common Anaconda-ks: config: auto_check: True files: ? "anaconda-ks.cfg" : bad_regex: "rootpw.*" only_bad_lines: True type: f search_in: - common VNC: config: auto_check: True files: ? ".vnc" : files: ? "passwd" : just_list_file: True type: d search_in: - common ? "*vnc*.c*nf*" : bad_regex: ".*" type: f search_in: - common ? "*vnc*.ini" : just_list_file: True type: f search_in: - common ? "*vnc*.txt" : bad_regex: ".*" type: f search_in: - common ? "*vnc*.xml" : bad_regex: ".*" type: f search_in: - common Ldap: config: auto_check: True exec: - echo "The password hash is from the {SSHA} to 'structural'" files: ? "ldap" : files: ? "*.bdb" : bad_regex: "administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator" line_grep: '-i -a -o "description.*" | sort | uniq' type: d search_in: - common Open VPN: config: auto_check: True files: ? "*.ovpn" : bad_regex: "auth-user-pass.*" only_bad_lines: True type: f search_in: - common SSH_FILES: config: auto_check: True files: ? "id_dsa*" : type: f search_in: - common ? "id_rsa*" : type: f search_in: - common ? "known_hosts" : type: f search_in: - common ? "authorized_hosts" : type: f search_in: - common ? "authorized_keys" : good_regex: 'from=[\w\._\-]+' type: f search_in: - common CERTSB4: config: auto_check: False files: ? "*.pem" : type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*' search_in: - common ? "*.cer" : type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*' search_in: - common ? "*.crt" : type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*' search_in: - common CERTSBIN: config: auto_check: False files: ? "*.csr" : type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*' search_in: - common ? "*.der" : type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*' search_in: - common CERTSCLIENT: config: auto_check: False files: ? "*.pfx" : type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*' search_in: - common ? "*.p12" : type: f remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*' search_in: - common SSH_AGENTS: config: auto_check: False files: ? "agent*" : type: f search_in: - /tmp SSH_CONFIG: config: auto_check: False files: ? "*ssh*config*" : type: f remove_path: '\..{1,4}$' #No interested in filenames with extensions search_in: - /usr - $HOMESEARCH ? "*config*ssh*" : type: f remove_path: '\..{1,4}$' #No interested in filenames with extensions search_in: - /usr - $HOMESEARCH Cloud credentials: config: auto_check: True files: ? "credentials" : bad_regex: ".*" type: f search_in: - common ? "credentials.db" : bad_regex: ".*" type: f search_in: - common ? "legacy_credentials.db" : bad_regex: ".*" type: f search_in: - common ? "access_tokens.db" : bad_regex: ".*" type: f search_in: - common ? "access_tokens.json" : bad_regex: ".*" type: f search_in: - common ? "accessTokens.json" : bad_regex: ".*" type: f search_in: - common ? "azureProfile.json" : bad_regex: ".*" type: f search_in: - common ? "TokenCache.dat" : bad_regex: ".*" type: f search_in: - common ? "AzureRMContext.json" : bad_regex: ".*" type: f search_in: - common ? ".bluemix" : files: ? "config.json" : bad_regex: ".*" type: d search_in: - common Kerberos: config: auto_check: False files: ? "krb5.conf" : type: f search_in: - common ? "krb5.keytab" : type: f search_in: - common ? ".k5login" : type: f search_in: - common ? "kadm5.acl" : type: f search_in: - common Kibana: config: auto_check: True files: ? "kibana.y*ml" : bad_regex: "username|password|host|port|elasticsearch|ssl" type: f remove_empty_lines: True remove_regex: '\W+\#|^#|^[[:space:]]*$' search_in: - common Knockd: config: auto_check: True files: ? "*knockd*" : check_extra_path: "/etc/init.d/" type: f search_in: - /etc Logstash: config: auto_check: False files: ? "logstash" : type: d search_in: - common Elasticsearch: config: auto_check: True exec: - echo "The version is $(curl -X GET '127.0.0.1:9200' 2>/dev/null | grep number | cut -d ':' -f 2)" files: ? "elasticsearch.y*ml" : line_grep: '"path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"' remove_regex: '\W+\#|^#' type: f search_in: - common Vault_ssh_helper: config: auto_check: False files: ? "vault-ssh-helper.hcl" : type: f search_in: - common Vault_ssh_token: config: auto_check: False files: ? ".vault-token" : type: f search_in: - common CouchDB: config: auto_check: True files: ? "couchdb" : files: ? "local.ini" : bad_regex: "admin.*|password.*|cert_file.*|key_file.*|hashed.*|pbkdf2.*" remove_empty_lines: True remove_regex: "^;" type: d search_in: - common Redis: config: auto_check: True files: ? "redis.conf" : bad_regex: "masterauth.*|requirepass.*" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common Mosquitto: config: auto_check: True files: ? "mosquitto.conf" : bad_regex: "password_file.*|psk_file.*|allow_anonymous.*true|auth" type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common Neo4j: config: auto_check: True files: ? "neo4j" : files: ? "auth" : bad_regex: ".*" remove_empty_lines: True type: d search_in: - common Cloud-Init: config: auto_check: True files: ? "cloud.cfg" : bad_regex: "consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|PRIVATE KEY|encrypted_data_bag_secret|_proxy" only_bad_lines: True type: f remove_empty_lines: True remove_regex: '\W+\#|^#' search_in: - common Erlang: config: auto_check: True files: ? ".erlang.cookie" : bad_regex: ".*" type: f search_in: - common GMV Auth: config: auto_check: True files: ? "gvm-tools.conf" : bad_regex: "username.*|password.*" type: f search_in: - common IPSec: config: auto_check: True files: ? "ipsec.secrets" : bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*" type: f search_in: - common ? "ipsec.conf" : bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*" type: f search_in: - common IRSSI: config: auto_check: True files: ? ".irssi" : files: ? "config" : bad_regex: "password.*" type: d search_in: - common Keyring: config: auto_check: True files: ? "keyrings" : type: d search_in: - common ? "*.keyring" : just_list_file: True type: f search_in: - common ? "*.keystore" : just_list_file: True type: f search_in: - common ? "*.jks" : just_list_file: True type: f search_in: - common Filezilla: config: auto_check: True files: ? "filelliza" : files: ? "sitemanager.xml" : bad_regex: "Host.*|Port.*|Protocol.*|User.*|Pass.*" remove_empty_lines: True remove_regex: "^;" type: d search_in: - common ? "filezilla.xml" : just_list_file: True type: f search_in: - common Backup Manager: config: auto_check: True files: ? "storage.php" : bad_regex: "password|pass|user|database|host" line_grep: >- "'pass'|'password'|'user'|'database'|'host'" type: f search_in: - common ? "database.php" : bad_regex: "password|pass|user|database|host" line_grep: >- "'pass'|'password'|'user'|'database'|'host'" only_bad_lines: True type: f search_in: - common Splunk: config: auto_check: False files: ? "passwd" : type: f search_in: - common GitLab: config: auto_check: False files: ? "secrets.yml" : type: f remove_path: "/lib" search_in: - common ? "gitlab.yml" : type: f remove_path: "/lib" search_in: - common ? "gitlab.rm" : type: f remove_path: "/lib" search_in: - common PGP-GPG: config: auto_check: True exec: - '((command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null' - '((command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null' - '(command -v netpgp || echo_not_found "netpgp") 2>/dev/null' files: ? "*.pgp" : type: f search_in: - common ? "*.gpg" : type: f search_in: - common ? "*.gnupg" : type: f search_in: - common Cache Vi: config: auto_check: True files: ? "*.swp" : just_list_file: True type: f search_in: - common ? "*.viminfo" : just_list_file: True type: f search_in: - common Docker: config: auto_check: False files: ? "docker.socket" : type: f search_in: - common ? "docker.sock" : type: f search_in: - common ? "Dockerfile" : type: f search_in: - common ? "docker-compose.yml" : type: f search_in: - common Firefox: config: auto_check: True files: ? ".mozilla" : files: ? "places.sqlite" : just_list_file: True ? "bookmarkbackups" : just_list_file: True ? "formhistory.sqlite" : just_list_file: True ? "handlers.json" : just_list_file: True ? "persdict.dat" : just_list_file: True ? "addons.json" : just_list_file: True ? "cookies.sqlite" : just_list_file: True ? "cache2" : just_list_file: True ? "startupCache" : just_list_file: True ? "favicons.sqlite" : just_list_file: True ? "prefs.js" : just_list_file: True ? "downloads.sqlite" : just_list_file: True ? "thumbnails" : just_list_file: True ? "logins.json" : just_list_file: True ? "key4.db" : just_list_file: True ? "key3.db" : just_list_file: True type: d search_in: - $HOMESEARCH Chrome: config: auto_check: True files: ? "google-chrome" : files: ? "Cookies" : just_list_file: True ? "Cache" : just_list_file: True ? "Bookmarks" : just_list_file: True ? "Web Data" : just_list_file: True ? "Favicons" : just_list_file: True ? "Login Data" : just_list_file: True ? "Current Session" : just_list_file: True ? "Current Tabs" : just_list_file: True ? "Last Session" : just_list_file: True ? "Last Tabs" : just_list_file: True ? "Extensions" : just_list_file: True ? "Thumbnails" : just_list_file: True search_in: - $HOMESEARCH Autologin: config: auto_check: True files: ? "autologin" : bad_regex: "passwd" type: f search_in: - common ? "autologin.conf" : bad_regex: "passwd" type: f search_in: - common FastCGI: config: auto_check: True files: ? "fastcgi_params" : bad_regex: "DB_NAME|DB_USER|DB_PASS" only_bad_lines: True type: f search_in: - common SNMP: config: auto_check: True files: ? "snmpd.conf" : bad_regex: "rocommunity|rwcommunity" only_bad_lines: True type: f search_in: - common Pypirc: config: auto_check: True files: ? ".pypirc" : bad_regex: "username|password" type: f search_in: - common CloudFlare: config: auto_check: True files: ? ".cloudflared" : type: d search_in: - common History: config: auto_check: False files: ? ".*_history" : bad_regex: "$pwd_inside_history" line_grep: '-a "$pwd_inside_history"' type: f search_in: - common Http_conf: config: auto_check: True files: ? "httpd.conf" : bad_regex: "htaccess.*|htpasswd.*" only_bad_lines: True remove_regex: '\W+\#|^#' remove_empty_lines: True type: f search_in: - common Htpasswd: config: auto_check: True files: ? ".htpasswd" : bad_regex: ".*" remove_regex: "^#" remove_empty_lines: True type: f search_in: - common Ldaprc: config: auto_check: True files: ? ".ldaprc" : bad_regex: ".*" remove_regex: "^#" remove_empty_lines: True type: f search_in: - common Env: config: auto_check: True files: ? ".env" : bad_regex: "[pP][aA][sS][sS].*" remove_regex: "^#" remove_empty_lines: True type: f search_in: - common Msmtprc: config: auto_check: True files: ? ".msmtprc" : bad_regex: "user.*|password.*" remove_regex: "^#" remove_empty_lines: True type: f search_in: - common Github: config: auto_check: True files: ? ".github" : just_list_file: True type: f search_in: - common ? ".gitconfig" : just_list_file: True type: f search_in: - common ? ".git-credentials" : just_list_file: True type: f search_in: - common ? ".git" : just_list_file: True type: f search_in: - common Svn: config: auto_check: True files: ? ".svn" : just_list_file: True type: d search_in: - common Keepass: config: auto_check: True files: ? "*.kdbx" : just_list_file: True type: f search_in: - common ? "KeePass.config*" : just_list_file: True type: f search_in: - common ? "KeePass.ini" : just_list_file: True type: f search_in: - common ? "KeePass.enforced*" : just_list_file: True type: f search_in: - common FTP: config: auto_check: True files: ? "*.ftpconfig" : just_list_file: True type: f search_in: - common ? "ffftp.ini" : just_list_file: True type: f search_in: - common ? "ftp.ini" : just_list_file: True type: f search_in: - common ? "ftp.config" : just_list_file: True type: f search_in: - common ? "ws_ftp.ini" : just_list_file: True type: f search_in: - common Bind: config: auto_check: True files: ? "bind" : files: ? "*" : just_list_file: True ? "*.key" : bad_regex: ".*" remove_empty_lines: True remove_regex: "^#" type: d search_in: - common Interesting logs: config: auto_check: True files: ? "access.log" : just_list_file: True type: f search_in: - common ? "error.log" : just_list_file: True type: f search_in: - common Other Interesting Files: config: auto_check: True files: ? ".bashrc" : just_list_file: True type: f search_in: - common ? ".google_authenticator" : just_list_file: True type: f search_in: - common ? "hosts.equiv" : just_list_file: True type: f search_in: - common ? ".lesshst" : just_list_file: True type: f search_in: - common ? ".plan" : just_list_file: True type: f search_in: - common ? ".profile" : just_list_file: True type: f search_in: - common ? ".recently-used.xbel" : just_list_file: True type: f search_in: - common ? ".rhosts" : just_list_file: True type: f search_in: - common ? ".sudo_as_admin_successful" : just_list_file: True type: f search_in: - common Windows Files: config: auto_check: True files: ? "unattend.inf" : just_list_file: True type: f search_in: - common ? "*.rdg" : just_list_file: True type: f search_in: - common ? "AppEvent.Evt" : just_list_file: True type: f search_in: - common ? "ConsoleHost_history.txt" : just_list_file: True type: f search_in: - common ? "FreeSSHDservice.ini" : just_list_file: True type: f search_in: - common ? "NetSetup.log" : just_list_file: True type: f search_in: - common ? "Ntds.dit" : just_list_file: True type: f search_in: - common ? "RDCMan.settings" : just_list_file: True type: f search_in: - common ? "SAM" : just_list_file: True type: f search_in: - common ? "SYSTEM" : just_list_file: True type: f search_in: - common ? "SecEvent.Evt" : just_list_file: True type: f search_in: - common ? "appcmd.exe" : just_list_file: True type: f search_in: - common ? "bash.exe" : just_list_file: True type: f search_in: - common ? "datasources.xml" : just_list_file: True type: f search_in: - common ? "default.sav" : just_list_file: True type: f search_in: - common ? "drives.xml" : just_list_file: True type: f search_in: - common ? "groups.xml" : just_list_file: True type: f search_in: - common ? "https-xampp.conf" : just_list_file: True type: f search_in: - common ? "https.conf" : just_list_file: True type: f search_in: - common ? "iis6.log" : just_list_file: True type: f search_in: - common ? "index.dat" : just_list_file: True type: f search_in: - common ? "my.cnf" : just_list_file: True type: f search_in: - common ? "my.ini" : just_list_file: True type: f search_in: - common ? "ntuser.dat" : just_list_file: True type: f search_in: - common ? "pagefile.sys" : just_list_file: True type: f search_in: - common ? "php.ini" : just_list_file: True type: f search_in: - common ? "printers.xml" : just_list_file: True type: f search_in: - common ? "recentservers.xml" : just_list_file: True type: f search_in: - common ? "scclient.exe" : just_list_file: True type: f search_in: - common ? "scheduledtasks.xml" : just_list_file: True type: f search_in: - common ? "security" : just_list_file: True type: f search_in: - common ? "security.sav" : just_list_file: True type: f search_in: - common ? "server.xml" : just_list_file: True type: f search_in: - common ? "services.xml" : just_list_file: True type: f search_in: - common ? "setupinfo" : just_list_file: True type: f search_in: - common ? "setupinfo.bak" : just_list_file: True type: f search_in: - common ? "sitemanager.xml" : just_list_file: True type: f search_in: - common ? "sites.ini" : just_list_file: True type: f search_in: - common ? "software" : just_list_file: True type: f search_in: - common ? "software.sav" : just_list_file: True type: f search_in: - common ? "sysprep.inf" : just_list_file: True type: f search_in: - common ? "sysprep.xml" : just_list_file: True type: f search_in: - common ? "system.sav" : just_list_file: True type: f search_in: - common ? "unattend.txt" : just_list_file: True type: f search_in: - common ? "unattend.xml" : just_list_file: True type: f search_in: - common ? "unattended.xml" : just_list_file: True type: f search_in: - common ? "wcx_ftp.ini" : just_list_file: True type: f search_in: - common ? "web*.config" : just_list_file: True type: f search_in: - common ? "winscp.ini" : just_list_file: True type: f search_in: - common ? "wsl.exe" : just_list_file: True type: f search_in: - common # Final section Database: config: auto_check: False files: ? "*.db" : remove_path: "/man/|/usr/|/var/cache/" type: f search_in: - common ? "*.sqlite" : remove_path: "/man/|/usr/|/var/cache/" type: f search_in: - common ? "*.sqlite3" : remove_path: "/man/|/usr/|/var/cache/" type: f search_in: - common Backups: config: auto_check: False files: ? "backup" : type: f search_in: - common ? "backups" : type: f search_in: - common Password_Files: config: auto_check: False files: ? "*password*" : just_list_file: True type: f search_in: - common ? "*credential*" : just_list_file: True type: f search_in: - common ? "creds*" : just_list_file: True type: f search_in: - common ? "*.key" : just_list_file: True type: f search_in: - common