#!/usr/bin/perl5

#
#  Usage: $0 [-mpqvD] [-e error_file] [-d data_directory] [directory_name(s)]
#
#  If no dirnames are given, assume root dir ("/")
#
#  Rob the grave/site 'o' the [gc]rime.  Options:
#
#	-d dir		the data directory; overrides $DATA/hostname
#
#	-e file		the stderr file
#
#	-m		capture only MACtime data
#
#	-p		Capture pcat data; some systems have
#			trouble with this, so beware.
#
#	-q		Quick capture - try to avoid the filesystem;
#			no MD5's, stat(), expensive stuff... doesn't
#			make sense with the -m option.
#
#	-v		verbose
#
#	-D		debug.  You don't want to use this.  Really...
#
# Many more options can be changed by editing the "coroner.cf" config file
#
#

#
#  this will create a link in the data dir to the appropriate - current - 
# data dir
#
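#
#  Top-level driver.  Everything below is a straight-line sequence of
# collection steps; each library sub is gated on the command-line flags
# ($mac_only, $quick, $do_pcat) set further down.  Globals such as $DATA,
# $LIB, $error_log, $PASSWD, $GROUP, $DEVICE_DIR, $proc_fs, $OS and
# $RELEASE come from coroner.cf and the required libraries - there is no
# strictures here on purpose, since those files populate package globals.
#
$running_under_grave_robber = 1;

require "conf/coroner.cf";

require "$LIB/crunch.pl";
require "$LIB/pass.cache.pl";
require "$LIB/misc.pl";
require "$LIB/tree.pl";
require "$LIB/getopts.pl";
require "$LIB/ps_spy.pl";
require "$LIB/hostname.pl";
require "$LIB/hostinfo.pl";
require "$LIB/maj_min_walk.pl";
require "$LIB/netinfo.pl";
require "$LIB/save_the_files.pl";
require "$LIB/trust.pl";
require "$LIB/dig-sig.pl";
require "$LIB/ostype.pl";
require "$LIB/proc.pl";

# require "last.pl";

$usage = "Usage: $0 [-mpqvD] [-e error_file] [-d data_directory] [directory_name(s)]\n";

&Getopts("d:e:mpqvD") || die $usage;

# unbuffer STDOUT so progress output isn't lost if the run is cut short
$| = 1;

#
# -q deliberately avoids the filesystem work that -m exists to do, so the
# two flags contradict each other.  (The message used to blame -d.)
#
die "The -m & -q options don't make sense when used together\n"
	if ($opt_m && $opt_q);

$debug     = 1 if $opt_D;
$mac_only  = 1 if $opt_m;
$verbose   = 1 if $opt_v;
$do_pcat   = 1 if $opt_p;
$quick     = 1 if $opt_q;
$error_log = $opt_e if $opt_e;

#
# -d overrides the $DATA set by coroner.cf.  This used to test $opt_D (the
# debug flag) instead of $opt_d, which set $DATA to undef whenever -D was
# given and ignored -d entirely.  Only try to create the directory when it
# isn't already there, and complain loudly if that fails - everything
# after this point writes under $DATA.
#
if ($opt_d) {
	$DATA = $opt_d;
	unless (-d $DATA) {
		mkdir($DATA, 0700)
			or die "Can't create data directory $DATA: $!\n";
		}
	}

#
# Three-argument open so the file name is never parsed for a mode or pipe
# character; $! says *why* the open failed.
#
open(STDERR, '>', $error_log)
	or die "Can't open STDERR ($error_log): $!\n";
open(STDIN, '<', '/dev/null')
	or die "Can't open STDIN (/dev/null): $!\n";

#
#  Put in the right maj/min stub code... also a sanity check - did
# they type make/reconfig?  This will squawk, so always run it.
#
&create_maj_min_stubs();

#
# what sort of system are we...?  Very simple check...
#
&determine_os();

#
# this is where one might capture all the memory... not done yet
#
# &capture_mem() - not written yet, don't try to uncomment it ;-)

#
# we'll be putting all the conf files here; get the vault ready
#
&prepare_config_vault();

#
# do the tools you use first, so you can examine some stuff while grave-rob
# is looking around.
#
&do_first_looks() unless $quick;

#
# suck in all process info
#
&suck_lsof() unless $mac_only;
&suck_ps()   unless $mac_only;

#
#  Highly advised, but may freeze up some shells and/or X stuff.  YMMV.
#
# YOU MUST CALL either suck_lsof() or suck_ps() before calling this -
# YOU MUST CALL either suck_lsof() or suck_ps() before calling this -
# YOU MUST CALL either suck_lsof() or suck_ps() before calling this -
#
#		- or it will do nothing!
#
&suck_proc_pcat() unless $mac_only || !$do_pcat;

#
#  Grab the maj/min numbers for the /dev dir.  Normally this would be
# turned off for -q, but if we want to icat stuff we need this... also
# this should really be done later on (OOV), but icat needs them.
#
&process_dev_dir($DEVICE_DIR) unless $mac_only;

#
#   This also requires suck_lsof() or suck_ps().  Saves the executable 
# of currently running programs that have been deleted from the disk.
#
&save_open_files() unless $mac_only;

#
#   This wants something that has process id's to be run before it.
# Saves the executable of currently running programs from /proc
#
# NOTE(review): the SunOS test used to read "$RELEASE >= /5.7/", which
# compares $RELEASE with the *result of matching $_ against /5.7/* (0 or 1),
# so it was effectively always true.  The numeric compare below assumes
# $RELEASE is a "5.x" string as ostype.pl reports it - confirm there; a
# release like "5.10" would compare as 5.1 and be treated as older than 5.7.
#
if ($proc_fs && ($OS =~ /FREEBSD2/ || $OS =~ /FREEBSD3/ || $OS =~ /LINUX2/ ||
   ($OS =~ /SUNOS5/ && $RELEASE >= 5.7))) {
	&cp_all_from_proc() unless $mac_only;
	}
#
#   This requires suck_lsof() be run.  Saves the executable of currently 
# running programs.
#
else {
	&suck_proc_icat() unless $mac_only;
	}

#
# Load the password/group stuff.  These live in package main (the old
# "&'name" spelling meant exactly that; "::" is the portable form).
#
&main::load_passwd_info(0, $PASSWD) unless $mac_only;
&main::load_group_info(0, $GROUP)   unless $mac_only;

#
# grab network and host info
#
&suck_netinfo()  unless $mac_only;
&suck_hostinfo() unless $mac_only;

#
#  Do all sorts of data grabbing... last, finger, etc.
#

#
#  A pair of alpha programs...
#
# &get_last() unless $mac_only;
#
# &check_ttys() unless $mac_only;
#
 
#
#  Is the network interface opened by a program?   Doesn't work, more later.
#
# &check_nit();

#
# do any processes have tty's that aren't supposed to?
#
# Get the [cam]times & strings on dirs listed

#
# if no directories were given, walk the whole filesystem from root
#
@ARGV = ("/") unless @ARGV;

#
# -q skips the (slow) directory walk entirely
#
unless ($quick) {
	for my $dir (@ARGV) {
		&process_dir($dir, 1);
		}
	}

#
# this is where one might dd all the disks...
#
# &grab_disks() - not written yet, don't try to uncomment it ;-)

#
#  If don't grab the disk, grab individual, important files...
#

&process_files_to_save() unless $mac_only || $quick;

#
#  Various information, related to trust in some way - rhosts, cron, at, etc.
#
mkdir("$DATA/user_vault", 0700) unless $mac_only || $quick;
&grab_user_trust_files() unless $mac_only || $quick;
&grab_user_time_trust()  unless $mac_only || $quick;
&grab_window_trust()     unless $mac_only;

#
# Close the vault.  Also MD5's all the files in the data dir.
#
&close_config_vault();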

