Updated References (Velocidex#904)

.wordlist.txt

@@ -1538,3 +1538,6 @@ reliancecyber
 vvv
 wsarecv
 OpenSSL
+
+journald
+lang

content/artifact_references/pages/admin.client.remove.md

@@ -24,15 +24,17 @@ parameters:
   - name: Age
     description: Remove clients older than this many days
     default: "7"
+    type: int
 
   - name: ReallyDoIt
     type: bool
 
 sources:
   - query: |
+      LET Threshold <= timestamp(epoch=now() - Age * 3600 * 24 )
       LET old_clients = SELECT os_info.fqdn AS Fqdn, client_id,
-             timestamp(epoch=last_seen_at/1000000) AS LastSeen FROM clients()
-      WHERE LastSeen < now() - ( atoi(string=Age) * 3600 * 24 )
+             timestamp(epoch=last_seen_at) AS LastSeen FROM clients()
+      WHERE LastSeen < Threshold
 
       SELECT * FROM foreach(row=old_clients,
       query={

content/artifact_references/pages/admin.events.postprocessuploads.md

@@ -37,6 +37,7 @@ required_permissions:
 
 parameters:
   - name: uploadPostProcessCommand
+    type: json_array
     description: |
       The command to run - must be a json array of strings! The list
       of files will be appended to the end of the command.
@@ -51,8 +52,7 @@ parameters:
 sources:
   - query: |
         LET files = SELECT Flow,
-            array(a1=parse_json_array(data=uploadPostProcessCommand),
-                  a2=file_store(path=Flow.uploaded_files)) as Argv
+            uploadPostProcessCommand + file_store(path=Flow.uploaded_files) AS Argv
         FROM watch_monitoring(artifact='System.Flow.Completion')
         WHERE uploadPostProcessArtifact in Flow.artifacts_with_results
 

content/artifact_references/pages/generic.client.cleanuptemp.md

@@ -26,10 +26,11 @@ parameters:
 
 sources:
   - query: |
+      LET Threshold <= timestamp(epoch=now() - AgeSeconds )
       SELECT OSPath, Size, Mtime,
          if(condition=ReadllyDoIt, then=rm(filename=OSPath)) AS Removed
       FROM glob(globs=expand(path=TempGlob))
-      WHERE NOT IsDir AND Mtime < now() - AgeSeconds
+      WHERE NOT IsDir AND Mtime < Threshold
 
 </code></pre>
 

content/artifact_references/pages/generic.client.info.md

@@ -53,6 +53,11 @@ sources:
                Interfaces.MAC AS MACAddresses
         FROM info()
 
+  - name: DetailedInfo
+    query: |
+      LET Info = SELECT * FROM info()
+      SELECT _key AS Param, _value AS Value FROM items(item=Info[0])
+
   - name: LinuxInfo
     description: Linux specific information about the host
     precondition: SELECT OS From info() where OS = 'linux'

content/artifact_references/pages/generic.client.locallogs.md

@@ -37,6 +37,16 @@ parameters:
   description: |
     By default we do not forward any of the logs to the server but
     this allows logs to be forwarded as well as written locally.
+- name: Component
+  default: generic
+  description: The log component to forward (default "generic")
+  type: choices
+  choices:
+    - generic
+    - client
+    - frontend
+    - gui
+    - api
 
 sources:
 - query: |
@@ -47,7 +57,7 @@ sources:
        filename=expand(path=LocalFilename),
        query={
          SELECT timestamp(epoch=now()) AS Timestamp, *
-         FROM logging(component="client")
+         FROM logging(component=Component)
        })
      WHERE AlsoForward
 

content/artifact_references/pages/generic.network.interfaceaddresses.md

@@ -20,10 +20,12 @@ aliases:
 sources:
   - query: |
         LET interface_address =
-           SELECT Index, MTU, Name, HardwareAddr, Flags, Addrs
+           SELECT Index, MTU, Name,
+                  HardwareAddr.String AS HardwareAddr,
+                  Flags, Addrs
            from interfaces()
 
-        SELECT Index, MTU, Name, HardwareAddr.String As HardwareAddr,
+        SELECT Index, MTU, Name, HardwareAddr,
            Flags, Addrs.IP as IP, Addrs.Mask.String as Mask
         FROM flatten(query=interface_address)
 

content/artifact_references/pages/linux.debian.packages.md

@@ -4,39 +4,169 @@ hidden: true
 tags: [Client Artifact]
 ---
 
-Parse dpkg status file.
+List all packages installed on the system, both deb packages and "snaps".
+The installed deb package information is fetched from the DPKG status file,
+while the snap package list is fetched from the snap daemon through a UNIX
+socket HTTP call (since detailed snap package information is not easily
+in files).
+
+The following columns are parsed from the DPKG status file:
+
+ - Package
+ - InstalledSize
+ - Version
+ - Source
+ - _Description
+ - Architecture
+
+The following columns are parsed from the snap package response (/v2/snaps):
+
+- Name
+- _Summary
+- _Description
+- InstalledSize
+- Publisher
+- InstalledAt
+- Version
+- Channel
+
+Both package sources provide more information than this and, and the artifact
+can easily be modified to include more details.
+
 
 <pre><code class="language-yaml">
 name: Linux.Debian.Packages
-description: Parse dpkg status file.
+description: |
+ List all packages installed on the system, both deb packages and "snaps".
+ The installed deb package information is fetched from the DPKG status file,
+ while the snap package list is fetched from the snap daemon through a UNIX
+ socket HTTP call (since detailed snap package information is not easily
+ in files).
+
+ The following columns are parsed from the DPKG status file:
+
+  - Package
+  - InstalledSize
+  - Version
+  - Source
+  - _Description
+  - Architecture
+
+ The following columns are parsed from the snap package response (/v2/snaps):
+
+ - Name
+ - _Summary
+ - _Description
+ - InstalledSize
+ - Publisher
+ - InstalledAt
+ - Version
+ - Channel
+
+ Both package sources provide more information than this and, and the artifact
+ can easily be modified to include more details.
+
 parameters:
   - name: linuxDpkgStatus
+    description: The DPKG status file to read deb package information from
     default: /var/lib/dpkg/status
+  - name: snapdSocket
+    description: |
+     The location of the snap deamon UNIX socket, used for fetching the snap
+     list through a HTTP API call. If snap is not used, the failed query
+     response will simply be ignored.
+    default: /run/snapd.socket
+
+precondition: |
+ SELECT OS
+ FROM info()
+ WHERE OS = 'linux'
+
 sources:
-  - precondition: |
-      SELECT OS From info() where OS = 'linux'
+  - name: DebPackages
+    notebook:
+      - type: none
+
     query: |
-        /* First pass - split file into records start with
-           Package and end with \n\n.
-
-           Then parse each record using multiple RegExs.
-        */
-        LET packages = SELECT parse_string_with_regex(
-            string=Record,
-            regex=['Package:\\s(?P&lt;Package&gt;.+)',
-                   'Installed-Size:\\s(?P&lt;InstalledSize&gt;.+)',
-                   'Version:\\s(?P&lt;Version&gt;.+)',
-                   'Source:\\s(?P&lt;Source&gt;.+)',
-                   'Architecture:\\s(?P&lt;Architecture&gt;.+)']) as Record
-            FROM parse_records_with_regex(
-                   file=linuxDpkgStatus,
-                   regex='(?sm)^(?P&lt;Record&gt;Package:.+?)\\n\\n')
-
-        SELECT Record.Package as Package,
-               atoi(string=Record.InstalledSize) as InstalledSize,
-               Record.Version as Version,
-               Record.Source as Source,
-               Record.Architecture as Architecture from packages
+     LET ColumnTypes &lt;= dict(`_Description`='nobreak')
+
+     /* First pass - split file into records start with
+        Package and end with \n\n.
+        Then parse each record using multiple RegExs.
+     */
+     LET packages = SELECT parse_string_with_regex(
+         string=Record,
+         regex=['Package:\\s(?P&lt;Package&gt;.+)',
+                'Installed-Size:\\s(?P&lt;InstalledSize&gt;.+)',
+                'Version:\\s(?P&lt;Version&gt;.+)',
+                'Source:\\s(?P&lt;Source&gt;.+)',
+                '''Description:\s+(?P&lt;Description&gt;.+(\n\s+.+)*)''',
+                'Architecture:\\s(?P&lt;Architecture&gt;.+)']) AS Record
+     FROM parse_records_with_regex(file=linuxDpkgStatus,
+                                     regex='(?sm)^(?P&lt;Record&gt;Package:.+?)\\n\\n')
+
+     SELECT Record.Package AS Package,
+            humanize(bytes=atoi(string=Record.InstalledSize)) AS InstalledSize,
+            Record.Version AS Version,
+            Record.Source AS Source,
+            regex_replace(source=Record.Description,
+                          re='''^\s+\.$''') AS _Description,
+            Record.Architecture AS Architecture
+     FROM packages
+
+  - name: Snaps
+    query: |
+     LET ColumnTypes &lt;= dict(`_Summary`='nobreak', `_Description`='nobreak')
+
+     LET SnapSocketCheck = SELECT
+         parse_json(data=Content).result AS Result
+       FROM http_client(url=snapdSocket + ':unix/v2/snaps')
+       WHERE Response = 200
+         OR NOT log(message="Error fetching snap: %v", args=Content)
+
+     SELECT * FROM foreach(
+         row=SnapSocketCheck,
+         query={
+           SELECT name AS Name,
+                  summary AS _Summary,
+                  description AS _Description,
+                  humanize(bytes=`installed-size`) AS InstalledSize,
+                  publisher.`display-name` AS Publisher,
+                  timestamp(string=`install-date`) AS InstalledAt,
+                  version AS Version,
+                  channel AS Channel,
+                  id AS PackageId
+           FROM foreach(row=Result)
+         })
+
+    notebook:
+      - type: vql
+        template: |
+          /*
+          ## Combined results
+          */
+          LET ColumnTypes &lt;= dict(`_Description`='nobreak')
+
+          SELECT *
+          FROM chain(
+            debs={
+              SELECT Package AS Name,
+                     'deb' AS Type,
+                     InstalledSize,
+                     Version,
+                     _Description,
+                     Architecture
+              FROM source(artifact="Linux.Debian.Packages/DebPackages")
+            },
+            snaps={
+              SELECT Name,
+                     'snap' AS Type,
+                     InstalledSize,
+                     Version,
+                     _Description,
+                     NULL AS Architecture
+              FROM source(artifact="Linux.Debian.Packages/Snaps")
+            })
 
 </code></pre>