############################
## LINPEAS SPECIFICATIONS ##
############################
# Folders walked when an entry uses "search_in: all". The ones marked "#common"
# are the same set repeated in the two lists below, which presumably back
# "search_in: common" (the default, see "defaults:").
root_folders:
  - /applications #common
  - /bin #common
  - /.cache #common
  - /cdrom #common
  - /etc #common
  - $HOMESEARCH #common, use this instead of "/home"
  - /lib
  - /lib32
  - /lib64
  - /media #common
  - /mnt #common
  - /opt #common
  - /private #common
  - /run
  - /sbin #common
  - /snap #common
  - /srv #common
  - /sys
  - /system
  - /systemd
  - /tmp #common
  - /usr #common
  - /var #common
# Folders searched for "type: f" entries with "search_in: common" — inferred
# from the name; confirm against the builder.
common_file_folders:
  - /applications
  - /bin
  - /.cache
  - /cdrom
  - /etc
  - $HOMESEARCH
  - /media
  - /mnt
  - /opt
  - /private
  - /sbin
  - /snap
  - /srv
  - /tmp
  - /usr
  - /var
# Folders searched for "type: d" entries with "search_in: common" — same
# caveat as above.
common_directory_folders:
  - /applications
  - /bin
  - /.cache
  - /cdrom
  - /etc
  - $HOMESEARCH
  - /media
  - /mnt
  - /opt
  - /private
  - /sbin
  - /snap
  - /srv
  - /tmp
  - /usr
  - /var
# Placeholders the builder substitutes inside the linpeas template. They are
# only strings here; the template itself is not part of this file.
peas_checks: "peass{CHECKS}"
peas_regexes_markup: "peass{REGEXES}"
peas_extrasections_markup: "peass{EXTRA_SECTIONS}"
peas_finds_markup: "peass{FINDS_HERE}"
find_line_markup: "peass{FIND_PARAMS_HERE}"
# Shell snippet emitted per find; peass{FIND_PARAMS_HERE} receives the find
# arguments derived from an entry's "name", "type" and "search_in". The
# backslashes are escaped for the generator, not for the shell that runs it.
find_template: >
  `eval_bckgrd "find peass{FIND_PARAMS_HERE} 2>/dev/null | sort; printf \\\$YELLOW'. '\\\$NC 1>&2;"`
peas_storages_markup: "peass{STORAGES_HERE}"
storage_line_markup: "peass{STORAGE_PARAMS_HERE}"
storage_line_extra_markup: "peass{STORAGE_PARAMS_EXTRA_HERE}"
# Snippet that fills a storage variable with the found paths; "head -n 70"
# caps the number of hits a single storage keeps, so very common names
# (e.g. "*config*.php") can be truncated silently.
storage_template: >
  $(echo -e "peass{STORAGE_PARAMS_HERE}" peass{STORAGE_PARAMS_EXTRA_HERE} | sort | uniq | head -n 70)
int_hidden_files_markup: "peass{INT_HIDDEN_FILES}"
suidVB1_markup: "peass{SUIDVB1_HERE}"
suidVB2_markup: "peass{SUIDVB2_HERE}"
sudoVB1_markup: "peass{SUDOVB1_HERE}"
sudoVB2_markup: "peass{SUDOVB2_HERE}"
cap_setuid_markup: "peass{CAP_SETUID_HERE}"
cap_setgid_markup: "peass{CAP_SETGID_HERE}"
les_markup: "peass{LES}"
les2_markup: "peass{LES2}"
# Markers for the "fat" linpeas build that embeds third-party binaries.
fat_linpeas_amicontained_markup: "peass{AMICONTAINED}"
fat_linpeas_gitleaks_linux_markup: "peass{GITLEAKS_LINUX}"
fat_linpeas_gitleaks_macos_markup: "peass{GITLEAKS_MACOS}"
##############################
## AUTO GENERATED VARIABLES ##
## FOR WINPEAS & LINPEAS ##
##############################
variables_markup: "peass{VARIABLES}"
# Named regexes that search entries can reference as "$name" (the History
# entry below uses "$pwd_inside_history" in both bad_regex and line_grep).
variables:
  # Tokens whose presence in a shell-history line suggests a credential or a
  # privileged command was typed. Note that "@" and "root" on their own will
  # match a lot of harmless lines (emails, URLs, paths).
  - name: pwd_inside_history
    value: "enable_autologin|7z|unzip|useradd|linenum|linpeas|mkpasswd|htpasswd|openssl|PASSW|passw|shadow|root|sudo|^su|pkexec|^ftp|mongo|psql|mysql|rdesktop|xfreerdp|^ssh|steghide|@|KEY=|TOKEN=|BEARER=|Authorization:"
####################
## DEFAULT VALUES ##
####################
# Every key an entry under "search:" may set, with its default value. Unless
# noted otherwise a key applies to both linpeas and winpeas.
defaults:
  auto_check: False #The builder will generate a check for the file (only linpeas)
  bad_regex: "" #The regex used to color red. If only_bad_lines and no line_grep, then only lines containing this regex will be printed
  very_bad_regex: "" #The regex used to color yellow/red
  check_extra_path: "" #Pattern the path of a found file must also match, e.g. "moodle/config.php" (only linpeas)
  good_regex: "" #The regex to color green
  just_list_file: False #Just mention the path to the file, do not cat it
  line_grep: "" #The regex to grep lines in a file. IMPORTANT: This is the argument for the "grep" command so you need to specify the single and double quotes (see examples). Use double quotes to indicate the interesting things to grep as winpeas greps the things inside the double quotes.
  only_bad_lines: False #Only print lines containing something red (containing bad_regex)
  remove_empty_lines: False #Remove empty lines, use only for text files (-I param in grep)
  remove_path: "" #Not interested in files containing this path (only linpeas)
  remove_regex: "" #Remove lines containing this regex
  search_in: #By default search in the defined common folders (only linpeas)
    - common
  type: f #File by default
  exec: [] #Cmd to execute with the check (only linpeas)
##############
## EXAMPLES ##
##############
#-) In the following example PostgreSQL searches are performed:
## - auto_check is True (by default set it always to True)
## - exec is an array of sh commands to execute, in this case a command is executed to get the postgresql version
## - The file "pgadmin*.db" is searched
### - just_list_file is True, so the content of the list is not going to be read, just the path of the file will be indicated
### - type is f (file, not dir)
### - search_in is "common", so look for this file in common directories
## - The file "pg_hba.conf" is searched
### - bad_regex indicates the content of the file that if found is going to be written in red in the output
### - type is f (file, not dir)
### - remove_empty_lines is True, this indicates that empty lines of the file aren't going to be written in the output
### - remove_regex is a regex to avoid printing lines where the regex is found
### - search_in is "common", so look for this file in common directories
#- name: PostgreSQL
# value:
# config:
# auto_check: True
# exec:
# - 'echo "Version: $(warn_exec psql -V 2>/dev/null)"'
#
# files:
# - name: "pgadmin*.db"
# value:
# type: f
# just_list_file: True
# search_in:
# - common
#
# - name: "pg_hba.conf"
# value:
# bad_regex: "auth|password|md5|user=|pass=|trust"
# type: f
# remove_empty_lines: True
# remove_regex: '\W+\#|^#'
# search_in:
# - common
#-) In the following example Elasticsearch searches are performed:
## - auto_check is True (by default set it always to True)
## - exec is an array of sh commands to execute, in this case a HTTP request is performed to obtain the version
## - The file "elasticsearch.y*ml" is searched
### - line_grep is the grep argument to filter interesting lines
### - remove_regex is a regex to avoid printing lines where the regex is found
### - type is f (file, not dir)
### - search_in is "common", so look for this file in common directories
#- name: Elasticsearch
# value:
# config:
# auto_check: True
# exec:
# - echo "The version is $(curl -X GET '127.0.0.1:9200' 2>/dev/null | grep number | cut -d ':' -f 2)"
#
# files:
# - name: "elasticsearch.y*ml"
# value:
# line_grep: '"path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"'
# remove_regex: '\W+\#|^#'
# type: f
# search_in:
# - common
#-) In the following example Apache searches are performed:
## - auto_check is True (by default set it always to True)
## - exec is an array of sh commands to execute during the check
## - The directory "sites-enabled" is searched
### - type is d (dir)
### - search_in is "common", so look for this file in common directories
#### Inside this directory the file "*" is searched (in this case "*" will get all the files, but more specific regex can be used)
##### - bad_regex indicates the content of the file that if found is going to be written in red in the output
##### - only_bad_lines indicates that only lines containing the regex given in bad_regex are going to be printed
##### - remove_empty_lines is True, this indicates that empty lines of the file aren't going to be written in the output
##### - remove_regex is a regex to avoid printing lines where the regex is found
#- name: Apache
# value:
# config:
# auto_check: True
# exec:
# - 'echo "Version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"'
# - "print_3title 'PHP exec extensions'"
# - 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'
#
# files:
# - name: "sites-enabled"
# value:
# type: d
# files:
# - name: "*"
# value:
# bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
# only_bad_lines: True
# remove_empty_lines: True
# remove_regex: '^#'
# search_in:
# - common
###############################
## Files & folders to search ##
###############################
search:
- name: Systemd
value:
disable:
- winpeas
config:
auto_check: False
files:
- name: "*.service"
value:
type: f
search_in:
- all
- name: Timer
value:
disable:
- winpeas
config:
auto_check: False
files:
- name: "*.timer"
value:
type: f
search_in:
- all
- name: Socket
value:
disable:
- winpeas
config:
auto_check: False
files:
- name: "*.socket"
value:
type: f
search_in:
- all
- name: DBus
value:
disable:
- winpeas
config:
auto_check: False
files:
- name: "system.d"
value:
type: d
search_in:
- /etc
- name: MySQL
value:
config:
auto_check: False
files:
- name: mysql
value:
type: d
check_extra_path: "^/etc/.*mysql|/usr/var/lib/.*mysql|/var/lib/.*mysql"
remove_path: "mysql/mysql"
search_in:
- common
- name: "passwd.ibd"
value:
type: f
search_in:
- common
- name: "password*.ibd"
value:
type: f
search_in:
- common
- name: "pwd.ibd"
value:
type: f
search_in:
- common
- name: MariaDB
value:
config:
auto_check: True
files:
- name: "mariadb.cnf"
value:
bad_regex: "user.*|password.*"
type: f
remove_regex: '^#'
remove_empty_lines: True
search_in:
- common
- name: "debian.cnf"
value:
bad_regex: "user.*|password.*"
type: f
only_bad_lines: True
search_in:
- common
- name: PostgreSQL
value:
config:
auto_check: True
exec:
- 'echo "Version: $(warn_exec psql -V 2>/dev/null)"'
files:
- name: "pgadmin*.db"
value:
type: f
just_list_file: True
search_in:
- common
- name: "pg_hba.conf"
value:
bad_regex: "auth|password|md5|user=|pass=|trust"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: "postgresql.conf"
value:
bad_regex: "auth|password|md5|user=|pass=|trust"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: "pgsql.conf"
value:
bad_regex: "auth|password|md5|user=|pass=|trust"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
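- name: Apache-Nginx
  value:
    config:
      auto_check: True
      exec:
        - 'echo "Apache version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"'
        - 'echo "Nginx version: $(warn_exec nginx -v 2>/dev/null)"'
        # The title must precede the grep it labels; it used to be printed last.
        - "print_3title 'PHP exec extensions'"
        # The grep used to be wrapped in single quotes inside the if body, so the
        # shell looked for a command literally named "grep -R -B1 ..." and the
        # check printed nothing. Same readability guard, command now unquoted.
        - if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null; fi
        - if [ -d "/usr/share/nginx/modules" ] && [ -r "/usr/share/nginx/modules" ]; then print_3title 'Nginx modules'; ls /usr/share/nginx/modules | sed -${E} "s,$NGINX_KNOWN_MODULES,${SED_GREEN},g"; fi
    files:
      - name: "sites-enabled"
        value:
          type: d
          files:
            - name: "*"
              value:
                bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias|command on"
                remove_empty_lines: True
                # NOTE(review): '#' drops every line containing a hash, not only
                # comment lines; the examples above use '^#' — confirm which is meant.
                remove_regex: '#'
          search_in:
            - common
      - name: "000-default.conf"
        value:
          bad_regex: "AuthType|AuthName|AuthUserFile|ServerName|ServerAlias"
          remove_regex: '#'
          type: f
          search_in:
            - common
      - name: "php.ini"
        value:
          # Only the allow_* directives are shown; a value of "On" is coloured red.
          bad_regex: "On"
          remove_regex: "^;"
          line_grep: '"allow_"'
          type: f
          search_in:
            - common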
- name: PHP Sessions
value:
config:
auto_check: True
exec:
- "ls /var/lib/php/sessions 2>/dev/null || echo_not_found /var/lib/php/sessions"
files:
- name: "sess_*"
value:
check_extra_path: '/tmp/.*sess_.*|/var/tmp/.*sess_.*'
type: f
search_in:
- /tmp
- /var
- /mnt
- /private
- name: PHP_files
value:
config:
auto_check: False
files:
- name: "*config*.php"
value:
type: f
search_in:
- common
- name: "database.php"
value:
type: f
search_in:
- common
- name: "db.php"
value:
type: f
search_in:
- common
- name: "storage.php"
value:
type: f
search_in:
- common
- name: "settings.php"
value:
type: f
search_in:
- common
- name: Wordpress
value:
config:
auto_check: True
files:
- name: "wp-config.php"
value:
bad_regex: "PASSWORD|USER|NAME|HOST"
only_bad_lines: True
type: f
search_in:
- common
- name: Drupal
value:
config:
auto_check: True
files:
- name: "settings.php"
value:
bad_regex: "drupal_hash_salt|'database'|'username'|'password'|'host'|'port'|'driver'|'prefix'"
check_extra_path: "/default/settings.php"
only_bad_lines: True
type: f
search_in:
- common
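- name: Moodle
  value:
    config:
      auto_check: True
    files:
      - name: "config.php"
        value:
          # "dbhost" was listed twice; the second occurrence was presumably meant
          # to be dbname (Moodle's database-name setting) — verify on a real config.php.
          bad_regex: "dbtype|dbhost|dbname|dbuser|dbpass|dbport"
          # Restrict to Moodle's own config.php; "config.php" alone is far too common.
          check_extra_path: "moodle/config.php"
          only_bad_lines: True
          type: f
          search_in:
            - common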
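- name: Tomcat
  value:
    config:
      auto_check: True
    files:
      - name: "tomcat-users.xml"
        value:
          # The previous bad_regex ("dbtype|dbhost|...") was copied from the
          # Moodle entry and can never occur in tomcat-users.xml, so the grepped
          # lines were never coloured. Highlight what line_grep actually selects.
          bad_regex: "username=|password="
          line_grep: '"username=|password="'
          only_bad_lines: True
          type: f
          search_in:
            - common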
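- name: Mongo
  value:
    config:
      auto_check: True
      exec:
        - 'echo "Version: $(warn_exec mongo --version 2>/dev/null; warn_exec mongod --version 2>/dev/null)"'
        # "==" is not a POSIX test operator (dash rejects it with "unexpected
        # operator"); "=" behaves identically in every sh, including bash.
        # NOTE(review): the verdict relies on the mongo shell exiting non-zero
        # when "show dbs" is refused — confirm, otherwise this is a false positive.
        - if [ "$(command -v mongo)" ]; then echo "show dbs" | mongo 127.0.0.1 > /dev/null 2>&1; [ "$?" = "0" ] && echo "Possible mongo anonymous authentication" | sed -${E} "s,.*|kube,${SED_RED},"; fi
    files:
      - name: "mongod*.conf"
        value:
          type: f
          remove_empty_lines: True
          remove_regex: '\W+\#|^#'
          search_in:
            - common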
- name: Rocketchat
value:
config:
auto_check: True
files:
- name: "rocketchat.service"
value:
bad_regex: "mongodb://.*"
line_grep: '-i "Environment"'
type: f
search_in:
- common
- /lib
- /systemd
- name: Supervisord
value:
config:
auto_check: True
files:
- name: "supervisord.conf"
value:
bad_regex: "port.*=|username.*=|password.*="
only_bad_lines: True
type: f
search_in:
- common
- name: Cesi
value:
config:
auto_check: True
files:
- name: "cesi.conf"
value:
bad_regex: "username.*=|password.*=|host.*=|port.*=|database.*="
only_bad_lines: True
type: f
search_in:
- common
- name: Rsync
value:
config:
auto_check: True
files:
- name: "rsyncd.conf"
value:
bad_regex: "secrets.*|auth.*users.*="
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: "rsyncd.secrets"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: Hostapd
value:
config:
auto_check: True
files:
- name: "hostapd.conf"
value:
bad_regex: "passphrase.*"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: Wifi Connections
value:
config:
auto_check: True
files:
- name: "system-connections"
value:
files:
- name: "*"
value:
bad_regex: "psk.*"
only_bad_lines: True
type: f
type: d
search_in:
- /etc
- name: PAM Auth
value:
config:
auto_check: True
files:
- name: "pam.d"
value:
files:
- name: "sshd"
value:
bad_regex: ".*"
line_grep: '-i "auth"'
remove_regex: "^#|^@"
type: f
type: d
search_in:
- /etc
- name: NFS Exports
  value:
    config:
      auto_check: True
    files:
      # /etc/exports is printed with comment lines stripped. The squash options
      # go yellow/red because they stop uid squashing for clients (the classic
      # NFS privilege-escalation condition); "insecure" is the lesser finding.
      - name: exports
        value:
          very_bad_regex: "no_root_squash|no_all_squash"
          bad_regex: "insecure"
          remove_regex: '\W+\#|^#'
          type: f
          search_in:
            - /etc
- name: GlusterFS
value:
config:
auto_check: True
files:
- name: "glusterfs.pem"
value:
type: f
just_list_file: True
search_in:
- common
- name: "glusterfs.ca"
value:
type: f
just_list_file: True
search_in:
- common
- name: "glusterfs.key"
value:
type: f
just_list_file: True
search_in:
- common
- name: Anaconda ks
value:
config:
auto_check: True
files:
- name: "anaconda-ks.cfg"
value:
bad_regex: "rootpw.*"
only_bad_lines: True
type: f
search_in:
- common
- name: Racoon
value:
config:
auto_check: True
files:
- name: "racoon.conf"
value:
remove_empty_lines: True
bad_regex: "pre_shared_key.*"
remove_regex: '^#'
type: f
search_in:
- common
- name: "psk.txt"
value:
remove_empty_lines: True
bad_regex: ".*"
type: f
search_in:
- common
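- name: Kubernetes
  value:
    config:
      auto_check: True
      exec:
        # The second grep was a BRE, where "|" is a literal character, so the
        # PSTORAGE_KUBERNETES / USEFUL_SOFTWARE lines were never filtered out;
        # -E makes it an alternation like the grep before it.
        - (env || set) | grep -Ei "kubernetes|kube" | grep -Ev "PSTORAGE_KUBERNETES|USEFUL_SOFTWARE" | sed -${E} "s,kubernetes|kube,${SED_RED},"
    files:
      # NOTE(review): kubeconfig and kubelet-kubeconfig are normally files, yet
      # both are searched with "type: d" while carrying a bad_regex — confirm
      # how the builder treats a directory entry with a regex before changing.
      - name: "kubeconfig"
        value:
          bad_regex: "server:|cluster:|namespace:|user:|exec:"
          type: d
          search_in:
            - common
      - name: "kubelet-kubeconfig"
        value:
          bad_regex: "server:|cluster:|namespace:|user:|exec:"
          type: d
          search_in:
            - common
      # A "psk.txt" entry used to sit here; it was a copy of the Racoon check
      # and is unrelated to Kubernetes, so it was dropped (Racoon still has it).
      - name: ".kube*"
        value:
          files:
            - name: "config"
              value:
                bad_regex: "server:|cluster:|namespace:|user:|exec:"
          type: d
          search_in:
            - common
      - name: "kubelet"
        value:
          files:
            - name: "kubelet.conf"
              value:
                bad_regex: "server:|cluster:|namespace:|user:|exec:"
            - name: "config.yaml"
              value:
                bad_regex: "server:|cluster:|namespace:|user:|exec:"
            - name: "kubeadm-flags.env"
              value:
                remove_empty_lines: True
          type: d
          search_in:
            - /var
      - name: "kube-proxy"
        value:
          type: d
          search_in:
            - /var
      - name: "kubernetes"
        value:
          type: d
          search_in:
            - /etc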
- name: VNC
value:
config:
auto_check: True
files:
- name: ".vnc"
value:
files:
- name: "passwd"
value:
just_list_file: True
type: d
search_in:
- common
- name: "*vnc*.c*nf*"
value:
bad_regex: ".*"
remove_regex: '^#'
type: f
search_in:
- common
- name: "*vnc*.ini"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*vnc*.txt"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "*vnc*.xml"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: Ldap
value:
config:
auto_check: True
exec:
- echo "The password hash is from the {SSHA} to 'structural'"
files:
- name: "ldap"
value:
files:
- name: "*.bdb"
value:
bad_regex: "administrator|password|ADMINISTRATOR|PASSWORD|Password|Administrator"
line_grep: '-i -a -o "description.*" | sort | uniq'
type: f
type: d
search_in:
- common
- name: Log4Shell
value:
config:
auto_check: False
files:
- name: "log4j-core*.jar"
value:
type: f
search_in:
- common
- /lib
- /lib32
- /lib64
- name: OpenVPN
value:
config:
auto_check: True
files:
- name: "*.ovpn"
value:
bad_regex: "auth-user-pass.+"
only_bad_lines: True
type: f
search_in:
- common
- name: SSH
  value:
    config:
      auto_check: True
    files:
      # Private keys are matched by name only (no regex), so every hit is
      # worth reading by hand; the patterns also catch the .pub halves.
      - name: "id_dsa*"
        value:
          type: f
          search_in:
            - common
      - name: "id_rsa*"
        value:
          type: f
          search_in:
            - common
      - name: "known_hosts"
        value:
          type: f
          search_in:
            - common
      - name: "authorized_hosts"
        value:
          type: f
          search_in:
            - common
      - name: "authorized_keys"
        value:
          # A "from=" option limits where a key may be used from, which is why
          # it is shown green (good_regex) instead of red.
          good_regex: 'from=[\w\._\-]+'
          type: f
          search_in:
            - common
- name: CERTSB4
value:
config:
auto_check: False
files:
- name: "*.pem"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
search_in:
- common
- name: "*.cer"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
search_in:
- common
- name: "*.crt"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib.*'
search_in:
- common
- name: CERTSBIN
value:
config:
auto_check: False
files:
- name: "*.csr"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
search_in:
- common
- name: "*.der"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
search_in:
- common
- name: CERTSCLIENT
value:
config:
auto_check: False
files:
- name: "*.pfx"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
search_in:
- common
- name: "*.p12"
value:
type: f
remove_path: '^/usr/share/|^/etc/ssl/|^/usr/local/lib/|^/usr/lib/.*'
search_in:
- common
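- name: SSH AGENTS
  value:
    config:
      auto_check: False
    files:
      - name: "agent*"
        value:
          # ssh-agent listens on a Unix socket (/tmp/ssh-XXXX/agent.<pid>);
          # "find -type f" never matches sockets, so the old "type: f" found
          # nothing. NOTE(review): assumes the builder passes this value straight
          # into find's -type — confirm.
          type: s
          search_in:
            - /tmp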
- name: SSH_CONFIG
value:
config:
auto_check: False
files:
- name: "ssh*config"
value:
type: f
search_in:
- /usr
- $HOMESEARCH
- name: Cloud Credentials
value:
config:
auto_check: True
files:
#- name: "credentials"
# value:
# bad_regex: ".*"
# type: f
# search_in:
# - common
- name: "credentials.db"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "legacy_credentials.db"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "access_tokens.db"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "access_tokens.json"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "accessTokens.json"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "azureProfile.json"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "TokenCache.dat"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: "AzureRMContext.json"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: ".bluemix"
value:
files:
- name: "config.json"
value:
bad_regex: ".*"
type: d
search_in:
- common
- name: Kerberos
value:
config:
auto_check: False
files:
- name: "krb5.conf"
value:
type: f
search_in:
- common
- name: "krb5.keytab"
value:
type: f
search_in:
- common
- name: ".k5login"
value:
type: f
search_in:
- common
- name: "kadm5.acl"
value:
type: f
search_in:
- common
- name: "secrets.ldb"
value:
type: f
search_in:
- common
- name: ".secrets.mkey"
value:
type: f
search_in:
- common
- name: "sssd.conf"
value:
type: f
search_in:
- common
- name: Kibana
value:
config:
auto_check: True
files:
- name: "kibana.y*ml"
value:
bad_regex: "username|password|host|port|elasticsearch|ssl"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#|^[[:space:]]*$'
search_in:
- common
- name: Knockd
value:
config:
auto_check: True
files:
- name: "*knockd*"
value:
check_extra_path: "/etc/init.d/"
type: f
search_in:
- /etc
- name: Logstash
value:
config:
auto_check: False
files:
- name: "logstash"
value:
type: d
search_in:
- common
- name: Elasticsearch
value:
config:
auto_check: True
exec:
- echo "The version is $(curl -X GET '127.0.0.1:9200' 2>/dev/null | grep number | cut -d ':' -f 2)"
files:
- name: "elasticsearch.y*ml"
value:
line_grep: '"path.data|path.logs|cluster.name|node.name|network.host|discovery.zen.ping.unicast.hosts"'
remove_regex: '\W+\#|^#'
type: f
search_in:
- common
- name: Vault_ssh_helper
value:
config:
auto_check: False
files:
- name: "vault-ssh-helper.hcl"
value:
type: f
search_in:
- common
- name: Vault_ssh_token
value:
config:
auto_check: False
files:
- name: ".vault-token"
value:
type: f
search_in:
- common
- name: CouchDB
value:
config:
auto_check: True
files:
- name: "couchdb"
value:
files:
- name: "local.ini"
value:
bad_regex: "admin.*|password.*|cert_file.*|key_file.*|hashed.*|pbkdf2.*"
remove_empty_lines: True
remove_regex: "^;"
type: d
search_in:
- common
- name: Redis
value:
config:
auto_check: True
files:
- name: "redis.conf"
value:
bad_regex: "masterauth.*|requirepass.*"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: Mosquitto
value:
config:
auto_check: True
files:
- name: "mosquitto.conf"
value:
bad_regex: "password_file.*|psk_file.*|allow_anonymous.*true|auth"
type: f
remove_empty_lines: True
remove_regex: '\W+\#|^#'
search_in:
- common
- name: Neo4j
value:
config:
auto_check: True
files:
- name: "neo4j"
value:
files:
- name: "auth"
value:
bad_regex: ".*"
remove_empty_lines: True
type: d
search_in:
- common
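- name: Cloud Init
  value:
    config:
      auto_check: True
    files:
      - name: "cloud.cfg"
        value:
          # "PRIVATE KEY" was listed twice; duplicate alternative removed.
          bad_regex: "consumer_key|token_key|token_secret|metadata_url|password:|passwd:|PRIVATE KEY|encrypted_data_bag_secret|_proxy"
          only_bad_lines: True
          type: f
          remove_empty_lines: True
          remove_regex: '\W+\#|^#'
          search_in:
            - common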
- name: Erlang
value:
config:
auto_check: True
files:
- name: ".erlang.cookie"
value:
bad_regex: ".*"
type: f
search_in:
- common
- name: GMV Auth
value:
config:
auto_check: True
files:
- name: "gvm-tools.conf"
value:
bad_regex: "username.*|password.*"
type: f
search_in:
- common
- name: IPSec
value:
config:
auto_check: True
files:
- name: "ipsec.secrets"
value:
bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*"
type: f
search_in:
- common
- name: "ipsec.conf"
value:
bad_regex: ".*PSK.*|.*RSA.*|.*EAP =.*|.*XAUTH.*"
type: f
search_in:
- common
- name: IRSSI
value:
config:
auto_check: True
files:
- name: ".irssi"
value:
files:
- name: "config"
value:
bad_regex: "password.*"
type: d
search_in:
- common
- name: Keyring
value:
config:
auto_check: True
files:
- name: "keyrings"
value:
type: d
search_in:
- common
- name: "*.keyring"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*.keystore"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*.jks"
value:
just_list_file: True
type: f
search_in:
- common
- name: Filezilla
value:
config:
auto_check: True
files:
- name: "filezilla"
value:
files:
- name: "sitemanager.xml"
value:
bad_regex: "Host.*|Port.*|Protocol.*|User.*|Pass.*"
remove_empty_lines: True
remove_regex: "^;"
type: d
search_in:
- common
- name: "filezilla.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: "recentservers.xml"
value:
just_list_file: True
type: f
search_in:
- common
- name: Backup Manager
value:
config:
auto_check: True
files:
- name: "storage.php"
value:
bad_regex: "password|pass|user|database|host"
line_grep: >-
"'pass'|'password'|'user'|'database'|'host'"
type: f
search_in:
- common
- name: "database.php"
value:
bad_regex: "password|pass|user|database|host"
line_grep: >-
"'pass'|'password'|'user'|'database'|'host'"
only_bad_lines: True
type: f
search_in:
- common
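- name: Splunk
  value:
    config:
      auto_check: False
    files:
      - name: "passwd"
        value:
          # Without a path filter every "passwd" under the common folders —
          # /etc/passwd first of all — was stored as a Splunk hit. Keep only the
          # Splunk / Splunk forwarder etc/passwd (the pattern covers both).
          # NOTE(review): assumes check_extra_path is also applied to the
          # storage when auto_check is False — confirm in the builder.
          check_extra_path: "splunk.*/etc/passwd"
          type: f
          search_in:
            - common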
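- name: GitLab
  value:
    config:
      auto_check: False
    files:
      # remove_path drops the copies shipped under lib/ so only deployed
      # configuration is stored.
      - name: "secrets.yml"
        value:
          type: f
          remove_path: "/lib"
          search_in:
            - common
      - name: "gitlab.yml"
        value:
          type: f
          remove_path: "/lib"
          search_in:
            - common
      # Was "gitlab.rm", which is not a GitLab file name; the Omnibus
      # configuration is gitlab.rb (normally /etc/gitlab/gitlab.rb).
      - name: "gitlab.rb"
        value:
          type: f
          remove_path: "/lib"
          search_in:
            - common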
- name: PGP-GPG
value:
config:
auto_check: True
exec:
- '( (command -v gpg && gpg --list-keys) || echo_not_found "gpg") 2>/dev/null'
- '( (command -v netpgpkeys && netpgpkeys --list-keys) || echo_not_found "netpgpkeys") 2>/dev/null'
- '(command -v netpgp || echo_not_found "netpgp") 2>/dev/null'
files:
- name: "*.pgp"
value:
type: f
search_in:
- common
- name: "*.gpg"
value:
type: f
search_in:
- common
- name: "*.gnupg"
value:
type: f
remove_path: "README.gnupg"
search_in:
- common
- name: Cache Vi
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "*.swp"
value:
just_list_file: True
type: f
search_in:
- common
- name: "*.viminfo"
value:
just_list_file: True
type: f
search_in:
- common
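- name: Docker
  value:
    config:
      auto_check: False
    files:
      # The systemd unit is a regular file.
      - name: "docker.socket"
        value:
          type: f
          search_in:
            - common
      # The *.sock entries are Unix sockets: "find -type f" never matches them,
      # so with the old "type: f" none of them was ever found. They are now
      # searched as sockets (-type s). /run is added explicitly because that
      # is where they live and /var/run is usually a symlink that find does
      # not follow. NOTE(review): assumes the builder passes "type" straight
      # into find's -type — confirm.
      - name: "docker.sock"
        value:
          type: s
          search_in:
            - common
            - /run
      - name: "Dockerfile"
        value:
          type: f
          search_in:
            - common
      - name: "docker-compose.yml"
        value:
          type: f
          search_in:
            - common
      - name: "dockershim.sock"
        value:
          type: s
          search_in:
            - common
            - /run
      - name: "containerd.sock"
        value:
          type: s
          search_in:
            - common
            - /run
      - name: "crio.sock"
        value:
          type: s
          search_in:
            - common
            - /run
      - name: "frakti.sock"
        value:
          type: s
          search_in:
            - common
            - /run
      - name: "rktlet.sock"
        value:
          type: s
          search_in:
            - common
            - /run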
- name: Firefox
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: ".mozilla"
value:
files:
- name: "places.sqlite"
value:
just_list_file: True
- name: "bookmarkbackups"
value:
just_list_file: True
- name: "formhistory.sqlite"
value:
just_list_file: True
- name: "handlers.json"
value:
just_list_file: True
- name: "persdict.dat"
value:
just_list_file: True
- name: "addons.json"
value:
just_list_file: True
- name: "cookies.sqlite"
value:
just_list_file: True
- name: "cache2"
value:
just_list_file: True
- name: "startupCache"
value:
just_list_file: True
- name: "favicons.sqlite"
value:
just_list_file: True
- name: "prefs.js"
value:
just_list_file: True
- name: "downloads.sqlite"
value:
just_list_file: True
- name: "thumbnails"
value:
just_list_file: True
- name: "logins.json"
value:
just_list_file: True
- name: "key4.db"
value:
just_list_file: True
- name: "key3.db"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: "Firefox"
value:
files:
- name: "places.sqlite"
value:
just_list_file: True
- name: "bookmarkbackups"
value:
just_list_file: True
- name: "formhistory.sqlite"
value:
just_list_file: True
- name: "handlers.json"
value:
just_list_file: True
- name: "persdict.dat"
value:
just_list_file: True
- name: "addons.json"
value:
just_list_file: True
- name: "cookies.sqlite"
value:
just_list_file: True
- name: "cache2"
value:
just_list_file: True
- name: "startupCache"
value:
just_list_file: True
- name: "favicons.sqlite"
value:
just_list_file: True
- name: "prefs.js"
value:
just_list_file: True
- name: "downloads.sqlite"
value:
just_list_file: True
- name: "thumbnails"
value:
just_list_file: True
- name: "logins.json"
value:
just_list_file: True
- name: "key4.db"
value:
just_list_file: True
- name: "key3.db"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: Chrome
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "google-chrome"
value:
files:
- name: "History"
value:
just_list_file: True
- name: "Cookies"
value:
just_list_file: True
- name: "Cache"
value:
just_list_file: True
- name: "Bookmarks"
value:
just_list_file: True
- name: "Web Data"
value:
just_list_file: True
- name: "Favicons"
value:
just_list_file: True
- name: "Login Data"
value:
just_list_file: True
- name: "Current Session"
value:
just_list_file: True
- name: "Current Tabs"
value:
just_list_file: True
- name: "Last Session"
value:
just_list_file: True
- name: "Last Tabs"
value:
just_list_file: True
- name: "Extensions"
value:
just_list_file: True
- name: "Thumbnails"
value:
just_list_file: True
- name: "Preferences"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: "Chrome"
value:
files:
- name: "History"
value:
just_list_file: True
- name: "Cookies"
value:
just_list_file: True
- name: "Cache"
value:
just_list_file: True
- name: "Bookmarks"
value:
just_list_file: True
- name: "Web Data"
value:
just_list_file: True
- name: "Favicons"
value:
just_list_file: True
- name: "Login Data"
value:
just_list_file: True
- name: "Current Session"
value:
just_list_file: True
- name: "Current Tabs"
value:
just_list_file: True
- name: "Last Session"
value:
just_list_file: True
- name: "Last Tabs"
value:
just_list_file: True
- name: "Extensions"
value:
just_list_file: True
- name: "Thumbnails"
value:
just_list_file: True
- name: "Preferences"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
- name: Opera
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "com.operasoftware.Opera"
value:
files:
- name: "History"
value:
just_list_file: True
- name: "Cookies"
value:
just_list_file: True
- name: "Cache"
value:
just_list_file: True
- name: "Bookmarks"
value:
just_list_file: True
- name: "Web Data"
value:
just_list_file: True
- name: "Favicons"
value:
just_list_file: True
- name: "Login Data"
value:
just_list_file: True
- name: "Current Session"
value:
just_list_file: True
- name: "Current Tabs"
value:
just_list_file: True
- name: "Last Session"
value:
just_list_file: True
- name: "Last Tabs"
value:
just_list_file: True
- name: "Extensions"
value:
just_list_file: True
- name: "Thumbnails"
value:
just_list_file: True
- name: "Preferences"
value:
just_list_file: True
type: d
search_in:
- $HOMESEARCH
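- name: Safari
  value:
    disable:
      - winpeas
    config:
      auto_check: True
    files:
      # Only paths are listed (just_list_file); nothing is dumped.
      - name: "Safari"
        value:
          files:
            - name: "History.db"
              value:
                just_list_file: True
            - name: "Downloads.plist"
              value:
                just_list_file: True
            # Was "Book-marks.plist"; Safari's bookmark store is Bookmarks.plist
            # and the hyphenated name looks like a typo — verify on a macOS host.
            - name: "Bookmarks.plist"
              value:
                just_list_file: True
            - name: "TopSites.plist"
              value:
                just_list_file: True
            - name: "UserNotificationPermissions.plist"
              value:
                just_list_file: True
            - name: "LastSession.plist"
              value:
                just_list_file: True
          type: d
          search_in:
            - $HOMESEARCH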
- name: Autologin
value:
disable:
- winpeas
config:
auto_check: True
files:
- name: "autologin"
value:
bad_regex: "passwd"
type: f
search_in:
- common
- name: "autologin.conf"
value:
bad_regex: "passwd"
type: f
search_in:
- common
- name: FastCGI
value:
config:
auto_check: True
files:
- name: "fastcgi_params"
value:
bad_regex: "DB_NAME|DB_USER|DB_PASS"
only_bad_lines: True
type: f
search_in:
- common
- name: SNMP
value:
config:
auto_check: True
files:
- name: "snmpd.conf"
value:
bad_regex: "rocommunity|rwcommunity|extend.*"
only_bad_lines: True
type: f
search_in:
- common
- name: Pypirc
value:
config:
auto_check: True
files:
- name: ".pypirc"
value:
bad_regex: "username|password"
type: f
search_in:
- common
- name: Postfix
value:
config:
auto_check: True
files:
- name: "postfix"
value:
files:
- name: "master.cf"
value:
bad_regex: "user=|argv="
remove_empty_lines: True
line_grep: '"user="'
type: d
search_in:
- common
- name: CloudFlare
value:
config:
auto_check: True
files:
- name: ".cloudflared"
value:
type: d
just_list_file: True
search_in:
- common
- name: History
  value:
    config:
      auto_check: False
    files:
      - name: '*_history*'
        value:
          # Both regexes reference the pwd_inside_history variable defined under
          # "variables:" at the top of the file. "-a" makes grep treat the
          # history as text even when it contains binary bytes.
          bad_regex: "$pwd_inside_history"
          line_grep: '-a "$pwd_inside_history"'
          type: f
          search_in:
            - common
- name: Http_conf
value:
config:
auto_check: True
files:
- name: "httpd.conf"
value:
bad_regex: "htaccess.*|htpasswd.*"
only_bad_lines: True
remove_regex: '\W+\#|^#'
remove_empty_lines: True
type: f
search_in:
- common
- name: Htpasswd
value:
config:
auto_check: True
files:
- name: ".htpasswd"
value:
bad_regex: ".*"
remove_regex: '^#'
remove_empty_lines: True
type: f
search_in:
- common
# Ldaprc: every non-comment, non-empty line of a user's .ldaprc.
- name: Ldaprc
  value:
    config:
      auto_check: true
    files:
      - name: '.ldaprc'
        value:
          type: f
          search_in: [common]
          remove_empty_lines: true
          remove_regex: '^#'
          bad_regex: '.*'
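# Env: dotenv files. The pattern is case-insensitive character class by
# character class; the last class of "token" was `[N]`, so a lowercase
# `token` never matched while `pass`/`db` did — it is now `[nN]`.
- name: Env
  value:
    config:
      auto_check: true
    files:
      - name: '.env'
        value:
          type: f
          search_in: [common]
          remove_empty_lines: true
          remove_regex: '^#'
          bad_regex: '[pP][aA][sS][sS].*|[tT][oO][kK][eE][nN]|[dD][bB]'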
# Msmtprc: SMTP account user/password lines in .msmtprc.
- name: Msmtprc
  value:
    config:
      auto_check: true
    files:
      - name: '.msmtprc'
        value:
          type: f
          search_in: [common]
          remove_empty_lines: true
          remove_regex: '^#'
          bad_regex: 'user.*|password.*'
# InfluxDB: auth disabled, tokens and the HTTPS private key in influxdb.conf.
- name: InfluxDB
  value:
    config:
      auto_check: true
    files:
      - name: 'influxdb.conf'
        value:
          type: f
          search_in: [common]
          remove_empty_lines: true
          remove_regex: '^#'
          bad_regex: 'auth-enabled.*=.*false|token|https-private-key'
# Zabbix: server DB settings, agent TLS-PSK settings, and *.psk files inside
# a zabbix directory.
- name: Zabbix
  value:
    config:
      auto_check: true
    files:
      - name: 'zabbix_server.conf'
        value:
          type: f
          search_in: [common]
          remove_empty_lines: true
          remove_regex: '^#'
          bad_regex: 'DBName|DBUser|DBPassword'
      - name: 'zabbix_agentd.conf'
        value:
          type: f
          search_in: [common]
          remove_empty_lines: true
          remove_regex: '^#'
          bad_regex: 'TLSPSKFile|psk'
      - name: 'zabbix'
        value:
          type: d
          search_in: [common]
          files:
            - name: '*.psk'
              value:
                remove_empty_lines: true
                bad_regex: '.*'
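# Github: git configuration, credential stores and repositories, listed by
# path. `.github` and `.git` are directories and are searched with type d
# (as `.svn` is); with type f a find would only hit a regular file of that
# name, so the entries matched nothing in the common case. A `.git` *file*
# (worktree / submodule gitdir pointer) is not matched by the type d entry.
- name: Github
  value:
    config:
      auto_check: true
    files:
      - name: '.github'
        value:
          type: d
          search_in: [common]
          just_list_file: true
      - name: '.gitconfig'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: '.git-credentials'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: '.git'
        value:
          type: d
          search_in: [common]
          just_list_file: true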
# Svn: Subversion working-copy metadata directories, listed by path.
- name: Svn
  value:
    config:
      auto_check: true
    files:
      - name: '.svn'
        value:
          type: d
          search_in: [common]
          just_list_file: true
# Keepass: password databases (*.kdbx) and KeePass configuration files,
# listed by path.
- name: Keepass
  value:
    config:
      auto_check: true
    files:
      - name: '*.kdbx'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'KeePass.config*'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'KeePass.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'KeePass.enforced*'
        value:
          type: f
          search_in: [common]
          just_list_file: true
# Pre-Shared Keys: any *.psk file, listed by path (content is read in the
# Zabbix section for files under a zabbix directory).
- name: Pre-Shared Keys
  value:
    config:
      auto_check: true
    files:
      - name: '*.psk'
        value:
          type: f
          search_in: [common]
          just_list_file: true
# Pass Store Directories: `pass` (password-store) directories, listed by path.
- name: Pass Store Directories
  value:
    config:
      auto_check: true
    files:
      - name: '.password-store'
        value:
          type: d
          search_in: [common]
          just_list_file: true
# FTP: saved-site / credential files of common FTP clients, listed by path.
- name: FTP
  value:
    config:
      auto_check: true
    files:
      - name: '*.ftpconfig'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'ffftp.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'ftp.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'ftp.config'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'sites.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'wcx_ftp.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'winscp.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'ws_ftp.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
# Bind: a bind directory — every file in it is listed, and *.key files are
# printed in full (comments and blank lines dropped). Searched only under
# /etc, /var and /usr, not the home folders, to avoid false positives.
- name: Bind
  value:
    config:
      auto_check: true
    files:
      - name: 'bind'
        value:
          type: d
          search_in:
            - /etc
            - /var
            - /usr
          files:
            - name: '*'
              value:
                just_list_file: true
            - name: '*.key'
              value:
                remove_empty_lines: true
                remove_regex: '^#'
                bad_regex: '.*'
# SeedDMS: settings.xml inside a seeddms* directory, password attributes.
- name: SeedDMS
  value:
    config:
      auto_check: true
    files:
      - name: 'seeddms*'
        value:
          type: d
          search_in: [common]
          files:
            - name: 'settings.xml'
              value:
                line_grep: '"="'
                bad_regex: '[pP][aA][sS][sS]'
# Ddclient: dynamic-DNS client password lines in ddclient.conf.
- name: Ddclient
  value:
    config:
      auto_check: true
    files:
      - name: 'ddclient.conf'
        value:
          type: f
          search_in: [common]
          bad_regex: '.*password.*'
# kcpassword: macOS auto-login password file, listed by path. Not run
# automatically.
- name: kcpassword
  value:
    config:
      auto_check: false
    files:
      - name: 'kcpassword'
        value:
          type: f
          search_in: [common]
          just_list_file: true
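# Sentry: config.yml inside a sentry directory, and sentry.conf.py anywhere.
# The config.yml pattern was the glob `*key*`, which is not a valid regex (a
# leading `*` has no atom to repeat) and so matched nothing useful; `.*key.*`
# is the regex form used by the other sections (e.g. ddclient `.*password.*`).
- name: Sentry
  value:
    config:
      auto_check: true
    files:
      - name: 'sentry'
        value:
          type: d
          search_in: [common]
          files:
            - name: 'config.yml'
              value:
                remove_empty_lines: true
                remove_regex: '^#'
                bad_regex: '.*key.*'
      - name: 'sentry.conf.py'
        value:
          type: f
          search_in: [common]
          remove_empty_lines: true
          remove_regex: '^#'
          bad_regex: '[pP][aA][sS][sS].*|[uU][sS][eE][rR].*'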
# Strapi: the JSON files of an environments directory, all checked with the
# same username/password/secret pattern.
- name: Strapi
  value:
    config:
      auto_check: true
    files:
      - name: 'environments'
        value:
          type: d
          search_in: [common]
          files:
            - name: 'custom.json'
              value:
                remove_empty_lines: true
                bad_regex: 'username.*|[pP][aA][sS][sS].*|secret.*'
            - name: 'database.json'
              value:
                remove_empty_lines: true
                bad_regex: 'username.*|[pP][aA][sS][sS].*|secret.*'
            - name: 'request.json'
              value:
                remove_empty_lines: true
                bad_regex: 'username.*|[pP][aA][sS][sS].*|secret.*'
            - name: 'response.json'
              value:
                remove_empty_lines: true
                bad_regex: 'username.*|[pP][aA][sS][sS].*|secret.*'
            - name: 'security.json'
              value:
                remove_empty_lines: true
                bad_regex: 'username.*|[pP][aA][sS][sS].*|secret.*'
            - name: 'server.json'
              value:
                remove_empty_lines: true
                bad_regex: 'username.*|[pP][aA][sS][sS].*|secret.*'
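# Cacti: database settings in the config/installer PHP files of a cacti
# directory. The line_grep list had `detabase_hostname`; Cacti's variable is
# `$database_hostname`, so the hostname line was never selected — fixed in
# all four entries.
- name: Cacti
  value:
    config:
      auto_check: true
    files:
      - name: 'cacti'
        value:
          type: d
          search_in: [common]
          files:
            - name: 'config.php'
              value:
                line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
                bad_regex: 'database_pw.*|database_user.*|database_pass.*'
            - name: 'config.php.dist'
              value:
                line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
                bad_regex: 'database_pw.*|database_user.*|database_pass.*'
            - name: 'installer.php'
              value:
                line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
                bad_regex: 'database_pw.*|database_user.*|database_pass.*'
            - name: 'check_all_pages'
              value:
                line_grep: '"database_pw|database_user|database_pass|database_type|database_default|database_hostname|database_port|database_ssl"'
                bad_regex: 'database_pw.*|database_user.*|database_pass.*'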
# Roundcube: the db_dsnw (database DSN with credentials) setting in
# config.inc.php inside a roundcube directory.
- name: Roundcube
  value:
    config:
      auto_check: true
    files:
      - name: 'roundcube'
        value:
          type: d
          search_in: [common]
          files:
            - name: 'config.inc.php'
              value:
                line_grep: '"config\["'
                bad_regex: 'db_dsnw'
# Passbolt: database connection settings in passbolt.php.
- name: Passbolt
  value:
    config:
      auto_check: true
    files:
      - name: 'passbolt.php'
        value:
          type: f
          search_in: [common]
          remove_empty_lines: true
          remove_regex: '^#'
          line_grep: '"host|port|username|password|database"'
          bad_regex: '[pP][aA][sS][sS].*|[uU][sS][eE][rR].*'
# Jetty: every non-comment, non-empty line of jetty-realm.properties
# (user: password, roles).
- name: Jetty
  value:
    config:
      auto_check: true
    files:
      - name: 'jetty-realm.properties'
        value:
          type: f
          search_in: [common]
          remove_empty_lines: true
          remove_regex: '^#'
          bad_regex: '.*'
# Wget: user/password settings in .wgetrc.
- name: Wget
  value:
    config:
      auto_check: true
    files:
      - name: '.wgetrc'
        value:
          type: f
          search_in: [common]
          remove_empty_lines: true
          remove_regex: '^#'
          bad_regex: '[pP][aA][sS][sS].*|[uU][sS][eE][rR].*'
# Interesting logs: web-server style access/error logs, listed by path.
- name: Interesting logs
  value:
    config:
      auto_check: true
    files:
      - name: 'access.log'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'error.log'
        value:
          type: f
          search_in: [common]
          just_list_file: true
# Other Interesting: shell rc files, TOTP secrets, trusted-host files and
# recent-activity traces, listed by path.
- name: Other Interesting
  value:
    config:
      auto_check: true
    files:
      - name: '.bashrc'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: '.google_authenticator'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'hosts.equiv'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: '.lesshst'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: '.plan'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: '.profile'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: '.recently-used.xbel'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: '.rhosts'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: '.sudo_as_admin_successful'
        value:
          type: f
          search_in: [common]
          just_list_file: true
# Windows: artefacts that are only listed by path — unattended-install answer
# files, saved registry hives and .sav copies, event logs, Group Policy
# preference XML, RDP/FTP client settings, web/DB configs and shell binaries.
- name: Windows
  value:
    config:
      auto_check: true
    files:
      - name: 'unattend.inf'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: '*.rdg'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'AppEvent.Evt'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'ConsoleHost_history.txt'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'FreeSSHDservice.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'NetSetup.log'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'Ntds.dit'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'protecteduserkey.bin'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'RDCMan.settings'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'SAM'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'SYSTEM'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'SecEvent.Evt'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'appcmd.exe'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'bash.exe'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'datasources.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'default.sav'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'drives.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'groups.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'https-xampp.conf'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'https.conf'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'iis6.log'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'index.dat'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'my.cnf'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'my.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'ntuser.dat'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'pagefile.sys'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'printers.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'recentservers.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'scclient.exe'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'scheduledtasks.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'security.sav'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'server.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'setupinfo'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'setupinfo.bak'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'sitemanager.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'sites.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'software'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'software.sav'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'sysprep.inf'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'sysprep.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'system.sav'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'unattend.txt'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'unattend.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'unattended.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'wcx_ftp.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'ws_ftp.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'web*.config'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'winscp.ini'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'wsl.exe'
        value:
          type: f
          search_in: [common]
          just_list_file: true
# Other Windows: lowercase hive names and services.xml, listed by path. The
# section is switched off for linpeas (these names are too generic on Linux).
- name: Other Windows
  value:
    config:
      auto_check: true
      disable:
        - linpeas
    files:
      - name: 'security'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'services.xml'
        value:
          type: f
          search_in: [common]
          just_list_file: true
      - name: 'system'
        value:
          type: f
          search_in: [common]
          just_list_file: true
# Final section
# Database: SQLite-style database files, with paths under man pages, /usr and
# the /var cache filtered out of the results. Not run automatically.
- name: Database
  value:
    config:
      auto_check: false
    files:
      - name: '*.db'
        value:
          type: f
          search_in: [common]
          remove_path: '/man/|/usr/|/var/cache/'
      - name: '*.sqlite'
        value:
          type: f
          search_in: [common]
          remove_path: '/man/|/usr/|/var/cache/'
      - name: '*.sqlite3'
        value:
          type: f
          search_in: [common]
          remove_path: '/man/|/usr/|/var/cache/'
# Backups: regular files named backup / backups. Not run automatically.
- name: Backups
  value:
    config:
      auto_check: false
    files:
      - name: 'backup'
        value:
          type: f
          search_in: [common]
      - name: 'backups'
        value:
          type: f
          search_in: [common]
- name: Password Files
value:
config:
auto_check: False
files:
# Any file with "password" in its name, listed by path.
- name: '*password*'
  value:
    type: f
    search_in: [common]
    just_list_file: true
# Any file with "credential" in its name, listed by path.
- name: '*credential*'
  value:
    type: f
    search_in: [common]
    just_list_file: true
# Any file whose name starts with "creds", listed by path.
- name: 'creds*'
  value:
    type: f
    search_in: [common]
    just_list_file: true
# Any *.key file, listed by path.
- name: '*.key'
  value:
    type: f
    search_in: [common]
    just_list_file: true