Collect /proc/net on default volatile collection (#218)

fox-it · Feb 6, 2025 · 53d5944 · 53d5944
1 parent 2c0092b
commit 53d5944
Showing 1 changed file with 22 additions and 9 deletions.
diff --git a/acquire/acquire.py b/acquire/acquire.py
@@ -302,6 +302,18 @@ def _run(cls, target: Target, cli_args: argparse.Namespace, collector: Collector
         collector.collect(spec, follow=False, volatile=True)
 
 
+@register_module("--proc-net")
+@local_module
+class ProcNet(Module):
+    DESC = "Procfs network files (live systems only)"
+    EXEC_ORDER = ExecutionOrder.BOTTOM
+
+    @classmethod
+    def _run(cls, target: Target, cli_args: argparse.Namespace, collector: Collector) -> None:
+        spec = [("dir", "/proc/net")]
+        collector.collect(spec, follow=False, volatile=True)
+
+
 @register_module("-n", "--ntfs")
 class NTFS(Module):
     DESC = "NTFS filesystem metadata"
@@ -2090,27 +2102,28 @@ class VolatileProfile:
         WinArpCache,
         WinRDPSessions,
         WinDnsClientCache,
+        ProcNet,
     )
-    EXTENSIVE = (
+    FULL = (
         Proc,
         Sys,
     )
 
 
 VOLATILE = {
-    "default": {
+    "full": {
         "windows": VolatileProfile.DEFAULT,
-        "linux": [],
-        "bsd": [],
-        "esxi": [],
+        "linux": VolatileProfile.FULL,
+        "bsd": VolatileProfile.FULL,
+        "esxi": VolatileProfile.FULL,
         "osx": [],
         "proxmox": [],
     },
-    "extensive": {
+    "default": {
         "windows": VolatileProfile.DEFAULT,
-        "linux": VolatileProfile.EXTENSIVE,
-        "bsd": VolatileProfile.EXTENSIVE,
-        "esxi": VolatileProfile.EXTENSIVE,
+        "linux": [],
+        "bsd": [],
+        "esxi": [],
         "osx": [],
         "proxmox": [],
     },