Add Linux.Forensics.BodyFile artifact

[chrisdfir]

This artifact collects detailed file metadata from all Linux directories, including file size, modification time, access time, and symbolic link targets, limited to 10 directory levels deep.

[scudette]

How is this different from the standard file finder?

[chrisdfir]

How is this different from the standard file finder?

The output is different. Rather than using file finder we use artifacts like this with offline triage collectors that we can reuse on hosts. MInimal config and this collects all of the paths at the recursion depth set. By default, 10, which is more than any other bodyfile at this collection speed with output that can be parsed into a SIEM. This artifact is necessary unless you want to configure file finder for every use case.

[scudette]

You have to be really careful with these kinds of artifacts on Linux. That's why the Linux file finder does some safety checks like not following symlinks, staying out of /proc etc.

Take a look at that artifact for the type of things needed on Linux

[countz3r0]

We're working to replicate the bodyfile artifact from UAC that uses the stat command. I'll work on an update to add the exclusions.

[scudette]

A better approach is probably to just call the standard artifact with pre-set parameters and rearrange the columns as needed. Then you don't have to worry about the implementation details