From af1e74d36c491a5cb37ee8c1172664bb2385a36f Mon Sep 17 00:00:00 2001
From: shortstack
Date: Wed, 18 Oct 2023 17:01:04 -0500
Subject: [PATCH 1/2] linux trash dir artifact to find recycled files
---
 artifacts/definitions/Linux/Sys/Trash.yaml | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 artifacts/definitions/Linux/Sys/Trash.yaml
diff --git a/artifacts/definitions/Linux/Sys/Trash.yaml b/artifacts/definitions/Linux/Sys/Trash.yaml
new file mode 100644
index 00000000000..5bff1c93d81
--- /dev/null
+++ b/artifacts/definitions/Linux/Sys/Trash.yaml
@@ -0,0 +1,24 @@
+name: Linux.Sys.Trash
+description: Find files in trash bin for all users
+author: Whitney Champion (@shortxstack)
+parameters:
+ - name: trashFiles
+ default: '.local/share/Trash/**/*'
+ description: Glob of trash bin files relative to a user's home directory.
+
+sources:
+ - precondition: |
+ SELECT OS From info() where OS = 'linux'
+
+ query: |
+ LET trash = SELECT * from foreach(
+ row={
+ SELECT Uid, User, Homedir from Artifact.Linux.Sys.Users()
+ },
+ query={
+ SELECT FullPath, Mtime, Ctime, User, Uid
+ FROM glob(root=Homedir, globs=trashFiles)
+ })
+
+ SELECT * from foreach(
+ row=trash)
From fd50e23658a62117d10282ec76add82419c31f61 Mon Sep 17 00:00:00 2001
From: shortstack
Date: Thu, 19 Oct 2023 15:37:35 -0500
Subject: [PATCH 2/2] s/FullPath/OSPath, added Size field
---
 artifacts/definitions/Linux/Sys/Trash.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/artifacts/definitions/Linux/Sys/Trash.yaml b/artifacts/definitions/Linux/Sys/Trash.yaml
index 5bff1c93d81..9df26a0a2e6 100644
--- a/artifacts/definitions/Linux/Sys/Trash.yaml
+++ b/artifacts/definitions/Linux/Sys/Trash.yaml
@@ -16,7 +16,7 @@ sources:
 SELECT Uid, User, Homedir from Artifact.Linux.Sys.Users()
 },
 query={
- SELECT FullPath, Mtime, Ctime, User, Uid
+ SELECT OSPath, Size, Mtime, Ctime, User, Uid
 FROM glob(root=Homedir, globs=trashFiles)
 })
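Review bot: The `**` glob passed to `glob(root=Homedir, globs=trashFiles)` recurses through directories that each user fully controls, and as far as I recall glob() follows symlinks unless told not to, so a link inside a trashed directory can drag unrelated trees into the results and slow the hunt. If the plugin's `nosymlink` argument is available in the target release, `FROM glob(root=Homedir, globs=trashFiles, nosymlink=TRUE)` keeps the walk inside the trash. The description also promises trash "for all users", while the default only covers the home trash under `.local/share/Trash`; per-volume `.Trash-<uid>` directories on other mounts are not searched, and the description should say so, e.g. `description: Find files in each user's home trash bin (~/.local/share/Trash); per-volume trash directories are not covered.`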
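Review bot: The new column list on `SELECT OSPath, Size, Mtime, Ctime, User, Uid` still gives an analyst no deletion time or original location, and the timestamps it does return are easy to misread as such. Moving a file into the trash normally keeps its mtime, and under the freedesktop trash layout the original path and deletion date live in the matching `info/<name>.trashinfo` entry, which this glob lists as an ordinary row but never reads. A comment above the SELECT, `-- Mtime/Ctime are file timestamps; deletion date and original path are in Trash/info/<name>.trashinfo`, would prevent that misreading until the query parses those files. The enclosing `query` block starts and ends outside this hunk.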