Parse Linux group IDs, names and memberships (Velocidex#3038)

I've had the need to look up group names from GIDs, as well as finding
group memberships. This simple artifact does that. It is very much like
Linux.Sys.Users, except that GID is an int. I felt that this made more
sense, since gid in stat() is an int.

artifacts/definitions/Linux/Sys/Groups.yaml

@@ -0,0 +1,18 @@
+name: Linux.Sys.Groups
+author: Andreas Misje – @misje
+description: Get system group IDs, names and memberships from /etc/group
+parameters:
+  - name: GroupFile
+    default: /etc/group
+    description: The location of the group file
+
+sources:
+  - precondition: |
+      SELECT OS From info() where OS = 'linux'
+    query: |
+      SELECT Group, int(int=GID) AS GID, filter(regex='.',
+        list=split(sep_string=',', string=Members)) AS Members
+      FROM split_records(
+            filenames=GroupFile,
+            regex=':', record_regex='\r?\n',
+            columns=['Group', 'Password', 'GID', 'Members'])

artifacts/definitions/Linux/Sys/Users.yaml

@@ -11,5 +11,5 @@ sources:
       SELECT User, Description, Uid, Gid, Homedir, Shell
       FROM split_records(
             filenames=PasswordFile,
-            regex=":", record_regex="\n",
+            regex=":", record_regex="\r?\n",
             columns=["User", "X", "Uid", "Gid", "Description", "Homedir", "Shell"])

artifacts/testdata/files/linux/group

@@ -0,0 +1,44 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+testuser1:x:1000:
+testuser2:x:1001:
+group1:x:1002:testuser1
+group2:x:1003:testuser2
+group3:x:1004:testuser1,testuser2

artifacts/testdata/files/linux/passwd

@@ -0,0 +1,21 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+testuser1:x:1000:1000:Test User 1,Room number 1,12345678,23456789,Misc:/home/testuser1:/bin/bash
+testuser2:x:1001:1001:Test User 2,,34567890,45678901,Other:/home/testuser2:/bin/bash

artifacts/testdata/server/testcases/linux_passwd.in.yaml

@@ -0,0 +1,10 @@
+Queries:
+ - SELECT *
+   FROM Artifact.Linux.Sys.Users(
+      PasswordFile=srcDir + '/artifacts/testdata/files/linux/passwd'
+   )
+
+ - SELECT *
+   FROM Artifact.Linux.Sys.Groups(
+      GroupFile=srcDir + '/artifacts/testdata/files/linux/group'
+   )