robertdebock.forensics

Ansible Role Forensics

This guide will help you install and set up forensics on your system.


Example Playbook

This example comes from molecule/default/converge.yml. It is tested with every update.

---
- name: Converge
  hosts: all
  become: true
  gather_facts: true

  roles:
    - role: robertdebock.forensics

Before running the playbook, you need to prepare the machine. This preparation is done in CI by using molecule/default/prepare.yml:

---
- name: Prepare
  hosts: all
  become: true
  gather_facts: false

  roles:
    - role: robertdebock.bootstrap

You can also refer to a full explanation and example on how to use these roles.

Role Variables

The default values for the role variables are found in defaults/main.yml:

---
# defaults for forensics

# Directory where collected data is stored.
forensics_local_storage_path: /tmp/forensics

# List of commands to run.
forensics_command_list:
  - "journalctl -xe"
  - "ps -ef"
  - "lsof"
  - "systemctl status"
  - "netstat -an"
  - "netstat -tulpen"

# List of directories to gather all files from.
forensics_directory_list:
  - "/var/log"
  - "/tmp"
  - "/var/tmp"
  - "/var/spool/cron"
  - "/var/spool/anacron"
  - "/etc/cron.d"
  - "/etc/cron.daily"
  - "/etc/cron.hourly"
  - "/etc/cron.monthly"
  - "/etc/cron.weekly"
  - "/var/spool/at"

# List of specific files to collect.
forensics_file_list:
  - "/etc/passwd"
  - "/etc/group"
  - "/etc/shadow"

# Specific directories and patterns to collect.
forensics_specific_file_list:
  - path: "/root"
    pattern: ".authorized_keys"
  - path: "/root"
    pattern: ".bash_history"
  - path: "/root"
    pattern: ".history"
  - path: "/home"
    pattern: ".authorized_keys"
  - path: "/home"
    pattern: ".bash_history"
  - path: "/home"
    pattern: ".history"
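As an added example that is not part of the role and does not reproduce its tasks, the Python collector below mirrors the four variable kinds above (commands, directories, files, and path plus pattern entries) and adds what the defaults do not cover: a SHA256SUMS manifest so the evidence set can be verified later. The function names, storage layout and the constructed sample tree in demo() are assumptions.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def collect(storage: Path, root: Path, commands, directories, files, specific) -> dict:
    """Collect from `root` ("/" on a real host) into `storage`, mirroring the role's four lists."""
    (storage / "commands").mkdir(parents=True, exist_ok=True)
    for cmd in commands:  # forensics_command_list; a failing command must not abort the run
        res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        (storage / "commands" / cmd.replace(" ", "_").replace("/", "_")).write_text(res.stdout + res.stderr)
    def copy(src: Path) -> None:
        if src.is_file() and not src.is_symlink():  # record originals, not link targets
            dst = storage / "files" / src.relative_to(root)
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy2 preserves mtime, which a timeline needs
    for d in directories:  # forensics_directory_list: everything below the directory
        for p in (root / d.lstrip("/")).rglob("*"):
            copy(p)
    for f in files:  # forensics_file_list
        copy(root / f.lstrip("/"))
    for entry in specific:  # forensics_specific_file_list: path + glob pattern
        for p in (root / entry["path"].lstrip("/")).rglob(entry["pattern"]):
            copy(p)
    manifest = {str(p.relative_to(storage)): _sha256(p)
                for p in sorted(storage.rglob("*")) if p.is_file()}
    (storage / "SHA256SUMS").write_text("".join(f"{h}  {n}\n" for n, h in manifest.items()))
    return manifest

def verify(storage: Path) -> bool:
    """Re-hash the evidence set against SHA256SUMS (same layout as sha256sum -c)."""
    lines = (storage / "SHA256SUMS").read_text().splitlines()
    expected = {n: h for h, n in (ln.split("  ", 1) for ln in lines)}
    return bool(expected) and all(_sha256(storage / n) == h for n, h in expected.items())

def demo() -> tuple:
    """Run collect() over a constructed sample tree (not real host data); return (manifest, verified)."""
    tmp = Path(tempfile.mkdtemp())
    root, out = tmp / "root", tmp / "out"
    for rel, text in {"var/log/messages": "kernel: up\n", "etc/passwd": "root:x:0:0::/root:/bin/sh\n",
                      "home/alice/.bash_history": "ls -la\n"}.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    manifest = collect(out, root, ["echo hello"], ["/var/log"], ["/etc/passwd"],
                       [{"path": "/home", "pattern": ".bash_history"}])
    return manifest, verify(out)
```

On a real host, run collect() as root with root=Path("/") and the role's default lists, then keep SHA256SUMS with the evidence so later changes to the copies are detectable.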

Requirements

State of Used Roles

The following roles are used to set up a system. You can choose a different method if you prefer.

Requirement: robertdebock.bootstrap (build status badges for GitHub and GitLab)

Context

This role is part of many compatible roles. Check the documentation of these roles for more information.

Here's a visual representation of related roles (dependency diagram).

Compatibility

This role has been tested with the following container images:

Container Tags
Alpine all
Amazon Candidate
EL 9
Debian all
Fedora all
Ubuntu all

The minimum required version of Ansible is 2.12. Testing has been done on:

  • The previous version.
  • The current version.
  • The development version.

If you find any issues, please report them on GitHub.

License

Apache-2.0.

Author Information

robertdebock

Please consider sponsoring me.

About the project

Install and configure forensics on your system.

Install
ansible-galaxy install robertdebock.forensics
License
apache-2.0
Download
200
Owner
I know my way around (Linux) infrastructure, have a passion for automation, Docker, Ansible, Molecule and ci/cd.