adding more files to watch, and argument to enable searching for suid…

… and sgid files instead of doing it by default, the search can take a very long time
theflakes · Apr 8, 2023 · 9a4cdd4 · 9a4cdd4
1 parent 642af1f
commit 9a4cdd4
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -7,27 +7,29 @@ If you just want to run it, download the "lin_fh" binary.
 Linux Forensic Harvester
     Author: Brian Kellogg
     License: MIT
-    Disclaimer:
-        This tool comes with no warranty or support.
+    Disclaimer: 
+        This tool comes with no warranty or support. 
         If anyone chooses to use it, you accept all responsibility and liability.
 
 If not run as root, not all telemetry can be harvested.
 
 Usage:
   lin_fh [--ip <ip> --port <port>]
   lin_fh [--ip <ip> --port <port>] [--limit]
+  lin_fh --suidsgid [--limit]
   lin_fh --limit
   lin_fh --help
 
 Options:
-  -h, --help            Show this screen
+  -h, --help            Print help
   -i, --ip <ip>         IP address to send output to [default: NONE]
   -p, --port <port>     Destination port to send output to [default: 80]
   -l, --limit           Limit CPU use
+  -s, --suidsgid        Search for suid and sgid files
 
 Note:
   If not run as root some telemetry cannot be harvested.
-
+  
   To capture network output, start a netcat listener on your port of choice.
   Use the -k option with netcat to prevent netcat from closing after a TCP connection is closed.
 

diff --git a/src/data_def.rs b/src/data_def.rs
@@ -22,14 +22,16 @@ If not run as root, not all telemetry can be harvested.
 Usage:
   lin_fh [--ip <ip> --port <port>]
   lin_fh [--ip <ip> --port <port>] [--limit]
+  lin_fh --suidsgid [--limit]
   lin_fh --limit
   lin_fh --help
 
 Options:
-  -h, --help            Show this screen
+  -h, --help            Print help
   -i, --ip <ip>         IP address to send output to [default: NONE]
   -p, --port <port>     Destination port to send output to [default: 80]
   -l, --limit           Limit CPU use
+  -s, --suidsgid        Search for suid and sgid files
 
 Note:
   If not run as root some telemetry cannot be harvested.
@@ -41,15 +43,16 @@ Note:
 ";
 
 #[derive(Debug, Deserialize)]
-struct Args {
+pub struct Args {
     flag_ip: String,
     flag_port: u16,
-    flag_limit: bool
+    flag_limit: bool,
+    pub flag_suidsgid: bool
 }
 
 
 lazy_static! { 
-    static ref ARGS: Args = Docopt::new(USAGE)
+    pub static ref ARGS: Args = Docopt::new(USAGE)
                     .and_then(|d| d.deserialize())
                     .unwrap_or_else(|e| e.exit());
 }

diff --git a/src/main.rs b/src/main.rs
@@ -572,6 +572,8 @@ fn main() -> std::io::Result<()> {
                 Err(_e) => continue};
         }
     }
-    find_suid_sgid(&mut already_seen)?; // WARNING: searches entire directory structure
+    if ARGS.flag_suidsgid {
+        find_suid_sgid(&mut already_seen)?; // WARNING: searches entire directory structure
+    }
     Ok(())
 }