BSD related artifacts

[Herbert-Karl]

Hi,

during research for a thesis, I identified multiple artifacts on OpenBSD yet to be covered by UAC.
These cover

• the console message buffer, containing stdout and stderr messages written during system startup (as supposed to kernel messages)
• system accounting files, covering processes that terminated on the system, allowing one to see past program executions (this is sadly deactivated by default, but quite usefull when active)
• backups of important system configuration files, created by the security script
• kernel relink log (contains information about the relinking of the kernel on boot or an error message about the failure to do so)
• device database (showing configured devices on system startup)
• locate database (snapshot of file system paths that can be queried with "locate" - can be used to compare file system structure at the time of database update against current file system structure)
• "lastcomm" live response - this program parses the system accounting files (if available) and decodes the content

Ive created collection files for them and successfully tested them. As by the man pages, some of these artifacts should also be available on NetBSD and FreeBSD. This has been reflected in the collection files, but I havent tested it on those platforms.
If needed, I can provide an example of data collected with them.

Kind Regards

[tclahr]

I will test and let you know. Also, I am about to push a new development code into the develop branch and I want to merge this into the new code.