Parsing Jenkins Configuration Files for Forensics and Fun

A new parsing tool for Jenkins® configuration files from Stroz Friedberg Digital Forensics and Incident Response enables efficient forensic examination during investigations.

If you've kept up with Jenkins security advisories over the past few years, you'll know that threat actors often find and exploit vulnerabilities in Jenkins servers. Jenkins is widely used for continuous integration and continuous delivery ("CI/CD") pipelines. According to the Continuous Delivery Foundation's Jenkins project, Jenkins saw a 79% increase in total workloads per month between June 2021 and June 2023, reaching over 48 million jobs per month. A quick search for Jenkins servers on Shodan® reveals over 53 thousand systems.

In a forensic investigation involving a Jenkins server, it's imperative that analysts have tools at their disposal to threat hunt and evaluate any suspicious activity on the system. On a Jenkins server, suspicious activity can include jobs created or triggered by suspicious users, or vulnerable plugins installed on the server. Misconfigured Jenkins servers can allow even unauthenticated users to run arbitrary code on the system.

To aid investigators in cases involving Jenkins servers, Stroz Friedberg Digital Forensics and Incident Response has released a Python script that processes job and plugin configuration files and compiles some of the most important attributes into a CSV file. The script extracts the following fields from the build and job configuration files:

| Field | Description |
| --- | --- |
| config_modified_time | Modified time of the config.xml file associated with the build |
| build_modified_time | Modified time of the build.xml file associated with the build |
| build_start_time | Start time of the build |
| keep_log | Boolean that indicates whether the server retained the log associated with the build |
| username | User associated with the build |
| build_number | Build number |
| result | Result status of the build |
| job_name | Name of the job associated with the build |
| config_description | Description of the job associated with the build |

and the following fields from the plugin configuration files:

| Field | Description |
| --- | --- |
| name | Friendly name of the plugin |
| version | Version of the plugin |
| url | URL associated with the plugin |

The script takes the path to $JENKINS_HOME as input. It assumes that all timestamps are preserved from the original system, since it will use the file's modified timestamps to populate config_modified_time and build_modified_time.
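As an added example (not the Stroz Friedberg script itself), the following Python pulls the build fields listed above out of a Jenkins build.xml and the plugin fields out of a plugin MANIFEST.MF. The element names, manifest keys and sample files are assumptions modelled on typical Jenkins layouts, and the manifest parser handles the wrapped continuation lines that trip up naive line-by-line parsing.

```python
# Added example, not the Stroz Friedberg script: extract the article's build and
# plugin fields from a Jenkins build.xml and a plugin MANIFEST.MF. Element and
# key names are assumptions based on typical Jenkins files, not from the article.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of $JENKINS_HOME/jobs/<job>/builds/<n>/build.xml (cause
# nesting abbreviated); startTime is epoch milliseconds.
BUILD_XML = """<build>
  <actions>
    <hudson.model.Cause_-UserIdCause><userId>jdoe</userId></hudson.model.Cause_-UserIdCause>
  </actions>
  <number>42</number>
  <startTime>1700000000000</startTime>
  <result>SUCCESS</result>
  <keepLog>false</keepLog>
</build>"""

# Constructed sample of $JENKINS_HOME/plugins/<name>/META-INF/MANIFEST.MF; long
# values wrap onto continuation lines that start with a single space.
MANIFEST_MF = """Manifest-Version: 1.0
Long-Name: Example Plugin
Plugin-Version: 1.2.3
Url: https://plugins.jenkins.io/example-plugin-with-a-very-long-name-
 that-wraps
"""

def parse_build_xml(text):
    root = ET.fromstring(text)        # <build>, or <flow-build> for pipeline jobs
    user = root.find(".//userId")     # absent for timer- or SCM-triggered builds
    start_ms = root.findtext("startTime")
    started = (datetime.fromtimestamp(int(start_ms) / 1000, tz=timezone.utc)
               .isoformat() if start_ms else None)
    return {
        "build_start_time": started,
        "keep_log": root.findtext("keepLog", "false").strip().lower() == "true",
        "username": user.text if user is not None else None,
        "build_number": int(root.findtext("number", "0")),
        "result": root.findtext("result"),   # None while a build is still running
    }

def parse_manifest(text):
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:  # continuation of the previous value
            fields[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return {"name": fields.get("Long-Name"), "version": fields.get("Plugin-Version"), "url": fields.get("Url")}
```

A full run over $JENKINS_HOME would walk jobs/*/builds/*/build.xml and plugins/*/META-INF/MANIFEST.MF and add the file modification times, which is what the released script does.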

The script is available on GitHub. We welcome issues and feature requests.

Jenkins® is a registered trademark of LF Charities Inc.

Shodan® is a registered trademark of Shodan.
