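# All Linux Compound Module
# Combines all Linux artifact modules
[module]
name = "All Linux Artifacts"
description = "Comprehensive Linux artifact collection (logs, bash history, user activity)"
category = "linux"
platform = ["linux"]
priority = "high"
# Include individual Linux modules
includes = [
    "logs.toml",
    "bash-history.toml",
    "user-activity.toml",
]

# Additional cross-Linux patterns.
# Every pattern below anchors only on the final path component (basename), so
# it matches the file anywhere in the tree (e.g. a backup copy of passwd under
# /root), not only under /etc. A lone hit on a generic name such as "group" or
# "hosts" is therefore weak evidence on its own; correlate with the other hits.
[[patterns]]
name = "Passwd File"
pattern = "(?:^|[/])passwd$"
case-insensitive = true
type = "regex"

[[patterns]]
name = "Shadow File"
pattern = "(?:^|[/])shadow$"
case-insensitive = true
type = "regex"

[[patterns]]
name = "Group File"
pattern = "(?:^|[/])group$"
case-insensitive = true
type = "regex"

[[patterns]]
name = "Sudoers File"
# Matches /etc/sudoers, the sudoers.d directory entry itself, and the drop-in
# files inside sudoers.d (sudoers.d/<name>). The drop-ins are where most
# non-default privilege grants live, so they must be collected alongside the
# main file; an anchored "sudoers(\.d)?$" alone cannot see them.
pattern = "(?:^|[/])sudoers(?:\\.d(?:[/][^/]+)?)?$"
case-insensitive = true
type = "regex"

[[patterns]]
name = "Hosts File"
pattern = "(?:^|[/])hosts$"
case-insensitive = true
type = "regex"

[[patterns]]
name = "Fstab"
pattern = "(?:^|[/])fstab$"
case-insensitive = true
type = "regex"

# Signatures for Linux artifacts.
# NOTE(review): this signature selects on pattern_name substrings ("Linux",
# "Bash", "Log", "SSH"). None of the pattern names defined in this module
# contain those substrings, so the patterns above never count towards it;
# presumably the intent is to count names from the included modules — confirm,
# and add the local names (e.g. an IN (...) list) if they should contribute.
# '%Log%' also matches any name containing "log" (and, if the database
# compares LIKE case-insensitively, "Login"/"Logon"), which can inflate the
# count. Grouping is per sha256, i.e. per distinct file content; confirm that
# is the intended unit rather than per host/image. Referencing the alias
# linux_artifacts in HAVING is accepted by SQLite and MySQL but not by every
# SQL engine.
[[signatures]]
name = "Multiple Linux Artifacts"
query = "SELECT sha256, COUNT(DISTINCT pattern_name) as linux_artifacts FROM pattern_matches WHERE pattern_name LIKE '%Linux%' OR pattern_name LIKE '%Bash%' OR pattern_name LIKE '%Log%' OR pattern_name LIKE '%SSH%' GROUP BY sha256 HAVING linux_artifacts > 3"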