diff --git a/.github/workflows/clearlinux-amd64.yaml b/.github/workflows/clearlinux-amd64.yaml
index 9ba168ef..6649d5b0 100644
--- a/.github/workflows/clearlinux-amd64.yaml
+++ b/.github/workflows/clearlinux-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
 vagrant_box_name: "AntonioMeireles/ClearLinux"
 vagrant_ssh_username: "clear"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
\ No newline at end of file
diff --git a/.github/workflows/esxi-6-5-amd64.yaml b/.github/workflows/esxi-6-5-amd64.yaml
index a643c3db..e5ada691 100644
--- a/.github/workflows/esxi-6-5-amd64.yaml
+++ b/.github/workflows/esxi-6-5-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
 vagrant_box_name: "david-flynn/esxi-6.5.0-base"
 vagrant_ssh_username: "root"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
\ No newline at end of file
diff --git a/.github/workflows/freebsd-11-amd64.yaml b/.github/workflows/freebsd-11-amd64.yaml
index 4246bf1f..e6e0c2d2 100644
--- a/.github/workflows/freebsd-11-amd64.yaml
+++ b/.github/workflows/freebsd-11-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
 vagrant_box_name: "generic/freebsd11"
 vagrant_ssh_username: "vagrant"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
\ No newline at end of file
diff --git a/.github/workflows/freebsd-13-amd64.yaml b/.github/workflows/freebsd-13-amd64.yaml
index 50da5e8a..7d597275 100644
--- a/.github/workflows/freebsd-13-amd64.yaml
+++ b/.github/workflows/freebsd-13-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
 vagrant_box_name: "generic/freebsd13"
 vagrant_ssh_username: "vagrant"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
\ No newline at end of file
diff --git a/.github/workflows/netbsd-8-amd64.yaml b/.github/workflows/netbsd-8-amd64.yaml
index 59e72104..b8a54fe2 100644
--- a/.github/workflows/netbsd-8-amd64.yaml
+++ b/.github/workflows/netbsd-8-amd64.yaml
@@ -17,4 +17,5 @@ jobs:
 vagrant_box_name: "generic/netbsd8"
 vagrant_ssh_username: "vagrant"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
diff --git a/.github/workflows/netbsd-9-amd64.yaml b/.github/workflows/netbsd-9-amd64.yaml
index 02b17e35..131fb4eb 100644
--- a/.github/workflows/netbsd-9-amd64.yaml
+++ b/.github/workflows/netbsd-9-amd64.yaml
@@ -17,4 +17,5 @@ jobs:
 vagrant_box_name: "generic/netbsd9"
 vagrant_ssh_username: "vagrant"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
diff --git a/.github/workflows/openbsd-6-amd64.yaml b/.github/workflows/openbsd-6-amd64.yaml
index fbdd8e71..8d41f3a9 100644
--- a/.github/workflows/openbsd-6-amd64.yaml
+++ b/.github/workflows/openbsd-6-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
 vagrant_box_name: "generic/openbsd6"
 vagrant_ssh_username: "vagrant"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
\ No newline at end of file
diff --git a/.github/workflows/openbsd-7-amd64.yaml b/.github/workflows/openbsd-7-amd64.yaml
index 8f3dd589..ce75e2ba 100644
--- a/.github/workflows/openbsd-7-amd64.yaml
+++ b/.github/workflows/openbsd-7-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
 vagrant_box_name: "generic/openbsd7"
 vagrant_ssh_username: "vagrant"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
\ No newline at end of file
diff --git a/.github/workflows/openwrt-15.yaml b/.github/workflows/openwrt-15.yaml
index f3a8dfe4..ed646758 100644
--- a/.github/workflows/openwrt-15.yaml
+++ b/.github/workflows/openwrt-15.yaml
@@ -17,5 +17,6 @@ jobs:
 vagrant_box_name: "living42/openwrt-15.05-x86"
 vagrant_ssh_username: "root"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
\ No newline at end of file
diff --git a/.github/workflows/redhat-6-5-amd64.yaml b/.github/workflows/redhat-6-5-amd64.yaml
index 39e5e1cf..b474dd48 100644
--- a/.github/workflows/redhat-6-5-amd64.yaml
+++ b/.github/workflows/redhat-6-5-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
 vagrant_box_name: "anandbitra/redhat-6.5"
 vagrant_ssh_username: "vagrant"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
\ No newline at end of file
diff --git a/.github/workflows/solaris-11-i386.yaml b/.github/workflows/solaris-11-i386.yaml
index 43387d65..05327abe 100644
--- a/.github/workflows/solaris-11-i386.yaml
+++ b/.github/workflows/solaris-11-i386.yaml
@@ -17,4 +17,5 @@ jobs:
 vagrant_box_name: "plaurin/solaris-11_3"
 vagrant_ssh_username: "vagrant"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
diff --git a/.github/workflows/ubuntu-14-04-amd64.yaml b/.github/workflows/ubuntu-14-04-amd64.yaml
index 5381aa74..2ed62175 100644
--- a/.github/workflows/ubuntu-14-04-amd64.yaml
+++ b/.github/workflows/ubuntu-14-04-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
 vagrant_box_name: "ubuntu/trusty64"
 vagrant_ssh_username: "vagrant"
 vagrant_ssh_password: ""
+ vagrant_ssh_shell: "/bin/sh"
 vagrant_ssh_options: ""
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1a91b962..4eeec919 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,15 +2,71 @@ All notable changes to this project will be documented in this file. +## 2.3.0 (2022-08-09) + +## New Features + +- You can now use as many --artifacts (-a) and --profile (-p) as you want to build an even more customized collection. Artifacts will be collected in the order they were provided in the command line. Please check the [project's documentation page](https://tclahr.github.io/uac-docs/#using-uac) for more information. +- UAC now collects copies of '/proc/[pid]/fd/*' from deleted processes even if they are not shown up as being (deleted). +- AVML was updated to v0.7.0. + +### New Artifacts + +- New artifact that collects the contents of /dev/shm (files/system/dev_shm.yaml) ([#68](https://github.com/tclahr/uac/issues/68)). +- New artifact that collects the contents of /run/shm (files/system/run_shm.yaml) ([#68](https://github.com/tclahr/uac/issues/68)). +- New artifact that collects the contents of /var/tmp (files/system/var_tmp.yaml) ([#68](https://github.com/tclahr/uac/issues/68)). +- New artifact that lists hidden files created outside of user home directories (live_response/system/hidden_files.yaml) ([#69](https://github.com/tclahr/uac/issues/69)). +- New artifact that lists hidden directories created outside of user home directories (live_response/system/hidden_directories.yaml) ([#69](https://github.com/tclahr/uac/issues/69)). +- New artifact that lists world writable files (live_response/system/world_writable_files.yaml). +- New artifact that lists world writable directories (live_response/system/world_writable_directories.yaml). +- New artifact that lists loaded kernel modules from /sys/module directory (live_response/system/sys_module.yaml). +- New artifact that collects last logins and logouts (live_response/system/last.yaml). +- New artifact that collects unsuccessful logins (live_response/system/lastb.yaml). +- New artifact that lists all socket files (live_response/system/socket_files.yaml). 
+- New artifact that collects sessions files from /run/systemd/sessions (files/system/systemd.yaml). +- New artifact that collects scope files from /run/systemd/transient (files/system/systemd.yaml). +- New artifact that collects Vivaldi browser artifacts (files/browsers/vivaldi.yaml). +- New artifact that collects Linux terse runtime status information about one or more logged in users, followed by the most recent log data from the journal (live_response/system/loginctl.yaml). +- New artifact that collects fish shell history files (files/shell/history.yaml). +- New artifact that collects Tracker database files (files/system/tracker.yaml). +- New artifact that collects macOS .DS_Store files (files/system/ds_store.yaml). +- New artifact that collects macOS network and application usage database files (files/system/network_application_usage.yaml). +- New artifact that collects macOS Powerlog files (files/system/powerlog.yaml). +- New artifact that collects macOS recovery account information files (files/system/recovery_account_info.yaml). +- New artifact that collects macOS system keychain file (files/system/keychain.yaml). +- New artifact that collects macOS system version file (files/system/system_version.yaml). +- New artifact that collects macOS unified logging and activity tracing files (files/system/var_db_diagnostics.yaml). +- New artifact that collects macOS time machine information (live_response/system/tmutil.yaml). +- New artitact that collects macOS Photos application database files (files/applications/photos.yaml). +- New artifact that collects AIX failed login attemtps from /etc/security/failedlogin (live_response/system/who.yaml). + +### Updated Artifacts + +- /dev was removed from the exclusion list during deleted process collection ([#65](https://github.com/tclahr/uac/issues/65)). 
+- files/system/time_machine.yaml, files/system/wifi.yaml, files/applications/macos_dock.yaml are no longer available because the same artifacts are been collected by files/system/library_preferences.yaml. + +### Deprecated Command Line Option + +- '-o' command line switch is no longer available because it was replaced by '-s'. + +### Deprecated Profiles + +- 'full-with-memory-dump' profile is no longer available because '-a memory_dump/avml.yaml -p full' can be used instead. +- 'memory-dump-only' profile is no longer available because '-a memory_dump/avml.yaml' can be used instead. + +### Fixed + +- UAC now copies all collected artifacts to a destination directory if 'tar' tool is not available ([#63](https://github.com/tclahr/uac/issues/63)). + ## 2.2.0 (2022-05-02) ### New Features - VMware ESXi is now fully supported as an operating system. Note that ESXi is not built upon the Linux kernel, and uses its own VMware proprietary kernel (the VMkernel) and software. So it misses most of the applications and components that are commonly found in all Linux distributions ([#33](https://github.com/tclahr/uac/issues/33)). - UAC now collects copies of '/proc/[pid]/exe' and their related '/proc/[pid]/fd/*' if they are shown up as being (deleted). They are copied using 'dd conv=swab' tool in order to avoid UAC output file being flagged and quarantined by any antivirus tool ([#36](https://github.com/tclahr/uac/issues/36)). -- Added '--s3-presigned-url' switch which allows for pushing the output file to S3 presigned URLs (if curl available) ([#38](https://github.com/tclahr/uac/issues/38)). -- Added '--s3-presigned-url-log-file' switch which allows for pushing the output log file to S3 presigned URLs (if curl available) ([#38](https://github.com/tclahr/uac/issues/38)). -- Added '--delete-local-on-successful-transfer' switch which will delete both local output and log files after they are successfully transferred either via sftp or to a presigned S3 URL. 
+- Added '--s3-presigned-url' switch which allows for pushing the output file to S3 pre-signed URLs (if curl available) ([#38](https://github.com/tclahr/uac/issues/38)). +- Added '--s3-presigned-url-log-file' switch which allows for pushing the output log file to S3 pre-signed URLs (if curl available) ([#38](https://github.com/tclahr/uac/issues/38)). +- Added '--delete-local-on-successful-transfer' switch which will delete both local output and log files after they are successfully transferred either via sftp or to a pre-signed S3 URL. - AVML was updated to v0.6.1 ([#45](https://github.com/tclahr/uac/issues/45)). ### New Artifacts diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1cea33c9..d00fdaca 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -2,7 +2,7 @@ We welcome contributions to the UAC project in many forms, and there's always plenty to do! -First things first, please review the project's [Code of Conduct](CODE_OF_CONDUCT.md) before participating. It is important that we keep things civil. +First things first, please review the project's [Code of Conduct](CODE_OF_CONDUCT.md) before participating. We must keep things civil. Here are a couple of things we are looking for help with: 
@@ -32,9 +32,9 @@ Share your experience with the community about how UAC is helping you by writing Before you submit an issue, please search the issue tracker, maybe an issue for your problem already exists and the discussion might inform you of workarounds readily available. -We want to fix all the issues as soon as possible, but before fixing a bug we need to reproduce and confirm it. In order to reproduce bugs we will systematically ask you to provide sufficient information for someone else to reproduce the issue. +We want to fix all the issues as soon as possible, but before fixing a bug we need to reproduce and confirm it. To reproduce bugs we will systematically ask you to provide sufficient information for someone else to reproduce the issue. -Unfortunately, we are not able to investigate / fix bugs without a minimal reproduction, so if we don't hear back from you we are going to close an issue that doesn't have enough info to be reproduced. +Unfortunately, we are not able to investigate/fix bugs without a minimal reproduction, so if we don't hear back from you we are going to close an issue that doesn't have enough info to be reproduced. ### Submitting a Pull Request (PR) 
@@ -44,7 +44,7 @@ The repo holds two main branches: **master**: Where the source code of HEAD always reflects a production-ready state. -**develop**: Where the source code of HEAD always reflects a state with the latest delivered development changes for the next release. When the source code in the develop branch reaches a stable point and is ready to be released, all of the changes will be merged back into master and then tagged with a release number. +**develop**: Where the source code of HEAD always reflects a state with the latest delivered development changes for the next release. When the source code in the develop branch reaches a stable point and is ready to be released, all of the changes will be merged back into the master and then tagged with a release number. All Pull Requests must be submitted to the **develop** branch. @@ -84,7 +84,7 @@ git checkout -b my-feature-branch develop 1. Create your code following our [Coding Rules](#coding-rules). -1. Test your code against as many system as you can using the [uac-unit-test](https://github.com/tclahr/uac-unit-test). For instance, your code can fully work on a Linux but not on a FreeBSD system. +1. Test your code against as many systems as you can using the [uac-unit-test](https://github.com/tclahr/uac-unit-test). For instance, your code can fully work on a Linux but not on a FreeBSD system. 1. Commit your changes using a descriptive commit message that follows our [commit message guidelines](#commit-message-guidelines). *Don’t commit code as an unrecognized author. Having commits with unrecognized authors makes it more difficult to track who wrote which part of the code. Ensure your Git client is configured with the correct email address and linked to your GitHub user.* 
@@ -98,7 +98,7 @@ git checkout -b my-feature-branch develop git push origin my-feature-branch ``` -1. In GitHub, open a Pull Request and select the **develop** branch as base. Never send a Pull Request to master. +1. In GitHub, open a Pull Request and select the **develop** branch as the base. Never send a Pull Request to master. - If we suggest changes then: - Make the required updates using the same branch. @@ -173,14 +173,14 @@ Must be one of the following: - **fix**: A bug fix. - **perf**: A code change that improves performance. - **refactor**: A code change that neither fixes a bug nor adds a feature. -- **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc). +- **style**: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc). ### Subject -The subject contains succinct description of the change: +The subject must contain a succinct description of the change: - use the imperative, present tense: "change" not "changed" nor "changes" -- don't capitalize first letter +- don't capitalize the first letter - no dot (.) at the end ### Body diff --git a/README.md b/README.md index a8aedc01..2eb1a502 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ Project documentation page: [https://tclahr.github.io/uac-docs](https://tclahr.g ## 💾 Supported Operating Systems -UAC runs on any Unix-like system (regardless the processor architecture). All UAC needs is shell :) +UAC runs on any Unix-like system (regardless of the processor architecture). All UAC needs is shell :) [![AIX](https://img.shields.io/static/v1?label=&message=AIX&color=brightgreen&style=for-the-badge)](https://github.com/tclahr/uac/actions) [![Android](https://img.shields.io/static/v1?label=&message=Android&color=green&style=for-the-badge)](https://github.com/tclahr/uac/actions) 
@@ -62,7 +62,7 @@ UAC runs on any Unix-like system (regardless the processor architecture). All UA UAC does not need to be installed on the target system. You only need to download the latest version from the [releases page](https://github.com/tclahr/uac/releases), uncompress and run it. As simple as that! -A profile name and/or a list of artifacts, and the destination directory need to be provided in order to run a collection. The remaining parameters are optional. +A profile name and/or a list of artifacts, and the destination directory need to be provided to run a collection. The remaining parameters are optional. Common usage scenarios may include the following: @@ -84,13 +84,19 @@ Common usage scenarios may include the following: ./uac -p full -a \!bodyfile/bodyfile.yaml /tmp ``` -**Note that when a profile and a list of artifacts are provided, the artifacts from the profile will always be collected first, even if the parameter ```-a``` was provided before ```-p``` in the command line. In the example below, the ```memory_dump/avml.yaml``` artifact will only be collected after all artifacts from ```full``` profile were collected.** +**Collect the memory dump, then all artifacts based on the ```full``` profile.** ```shell ./uac -a memory_dump/avml.yaml -p full /tmp ``` -**Collect all artifacts based on the ```full``` profile, but limiting the data collection based on the date range provided.** +**Collect the memory dump, then all artifacts based on the ```ir_triage``` profile excluding the ```bodyfile/bodyfile.yaml``` artifact.** + +```shell +./uac -a memory_dump/avml.yaml -p ir_triage -a \!bodyfile/bodyfile.yaml /tmp +``` + +**Collect all artifacts based on the ```full``` profile, but limit the data collection based on the date range provided.** ```shell ./uac -p full /tmp --date-range-start 2021-05-01 --date-range-end 2021-08-31 
@@ -110,7 +116,7 @@ Please check the [project documentation page](https://tclahr.github.io/uac-docs) Have you created your own artifact files? Please share them with us! -You can contribute with new artifacts, profiles, bug fixes or even proposing new features. Please read our [Contributing Guide](CONTRIBUTING.md) before submitting a Pull Request to the project. +You can contribute with new artifacts, profiles, bug fixes or even propose new features. Please read our [Contributing Guide](CONTRIBUTING.md) before submitting a Pull Request to the project. *** diff --git a/artifacts/files/applications/addressbook.yaml b/artifacts/files/applications/addressbook.yaml index 2f4dc025..81a30202 100644 --- a/artifacts/files/applications/addressbook.yaml +++ b/artifacts/files/applications/addressbook.yaml @@ -10,12 +10,12 @@ artifacts: description: Collect AddressBook Metadata files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/AddressBook/Metadata/* + path: /%user_home%/Library/"Application Support"/AddressBook/Metadata exclude_nologin_users: true - description: Collect AddressBook Image files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/AddressBook/Images/* + path: /%user_home%/Library/"Application Support"/AddressBook/Images exclude_nologin_users: true \ No newline at end of file diff --git a/artifacts/files/applications/aspera_connect.yaml b/artifacts/files/applications/aspera_connect.yaml index 2df8ef5e..110ce1fd 100644 --- a/artifacts/files/applications/aspera_connect.yaml +++ b/artifacts/files/applications/aspera_connect.yaml 
@@ -4,13 +4,13 @@ artifacts: description: Collect Aspera Client file lists. supported_os: [linux, macos] collector: file - path: /%user_home%/.aspera/connect/filelists/* + path: /%user_home%/.aspera/connect/filelists exclude_nologin_users: true - description: Collect Aspera Client logs. supported_os: [linux, macos] collector: file - path: /%user_home%/.aspera/connect/var/log/* + path: /%user_home%/.aspera/connect/var/log exclude_nologin_users: true - description: Collect Aspera Client sqlite database. diff --git a/artifacts/files/applications/discord.yaml b/artifacts/files/applications/discord.yaml index 818f5e25..500af0fe 100644 --- a/artifacts/files/applications/discord.yaml +++ b/artifacts/files/applications/discord.yaml @@ -25,13 +25,13 @@ artifacts: description: Collect Discord cache files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/discord/Cache/* + path: /%user_home%/Library/"Application Support"/discord/Cache exclude_nologin_users: true - description: Collect Discord leveldb files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/discord/"Local Storage"/leveldb/* + path: /%user_home%/Library/"Application Support"/discord/"Local Storage"/leveldb exclude_nologin_users: true # Discord is a cloud-based application. All chats are in the cloud. diff --git a/artifacts/files/applications/dropbox.yaml b/artifacts/files/applications/dropbox.yaml index 0320b032..e2ec53e9 100644 --- a/artifacts/files/applications/dropbox.yaml +++ b/artifacts/files/applications/dropbox.yaml @@ -4,7 +4,7 @@ artifacts: description: Collect Dropbox Cloud Storage metadata. supported_os: [linux, macos] collector: file - path: /%user_home%/.dropbox/* + path: /%user_home%/.dropbox file_type: f ignore_date_range: true exclude_nologin_users: true diff --git a/artifacts/files/applications/filezilla.yaml b/artifacts/files/applications/filezilla.yaml index 2b218810..a961cd0a 100644 
--- a/artifacts/files/applications/filezilla.yaml +++ b/artifacts/files/applications/filezilla.yaml @@ -1,20 +1,18 @@ -version: 1.0 +version: 2.0 artifacts: - description: Collect FileZilla XML and sqlite files. supported_os: [linux, macos] collector: file - path: /%user_home%/.config/filezilla/* + path: /%user_home%/.config/filezilla name_pattern: ["*.xml*", "*.sqlite3*"] - file_type: f ignore_date_range: true exclude_nologin_users: true - description: Collect FileZilla XML and sqlite files (Flatpak version). supported_os: [linux] collector: file - path: /%user_home%/.var/app/org.filezillaproject.Filezilla/* + path: /%user_home%/.var/app/org.filezillaproject.Filezilla name_pattern: ["*.xml*", "*.sqlite3*"] - file_type: f ignore_date_range: true exclude_nologin_users: true diff --git a/artifacts/files/applications/icloud.yaml b/artifacts/files/applications/icloud.yaml index 079c0dc6..3000993d 100644 --- a/artifacts/files/applications/icloud.yaml +++ b/artifacts/files/applications/icloud.yaml @@ -4,7 +4,7 @@ artifacts: description: Collect iCloud accounts information files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/iCloud/Accounts/* + path: /%user_home%/Library/"Application Support"/iCloud/Accounts exclude_nologin_users: true - description: Collect iCloud local databases that contain information about files that have been imported from the local computer or synced remotely from the iCloud. diff --git a/artifacts/files/applications/imessage.yaml b/artifacts/files/applications/imessage.yaml index f143e1a5..4e7f9ae1 100644 --- a/artifacts/files/applications/imessage.yaml +++ b/artifacts/files/applications/imessage.yaml @@ -10,6 +10,6 @@ artifacts: description: Collect iMessage attachments. supported_os: [macos] collector: file - path: /%user_home%/Library/Messages/Attachments/* + path: /%user_home%/Library/Messages/Attachments exclude_nologin_users: true \ No newline at end of file 
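Review bot: The `version: 1.0` → `version: 2.0` bump in filezilla.yaml is the only version change in this diff, even though the same `path: …/*` → `path: …` rewrite is applied to addressbook, aspera_connect, discord, dropbox and the other artifact files without one; the version lines of those files sit above their hunks, so I am inferring this from the `@@ -4,7` headers rather than seeing them. If the field records which artifact schema a file was written against, either every rewritten file should carry the bump or this one should not, and the convention deserves a one-line comment next to the field so the next contributor knows which to do. Dropping both `file_type: f` lines also means a directory whose name happens to match `*.xml*` or `*.sqlite3*` will now be picked up by the collector; if that is intended as part of the new directory-path semantics, a comment such as `# file_type omitted on purpose: the collector now recurses into the directory` would make that explicit. This hunk covers the whole file, so nothing is cut off at its edges.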
diff --git a/artifacts/files/applications/itunes_backup.yaml b/artifacts/files/applications/itunes_backup.yaml index 74f4ea60..49754a98 100644 --- a/artifacts/files/applications/itunes_backup.yaml +++ b/artifacts/files/applications/itunes_backup.yaml @@ -4,6 +4,6 @@ artifacts: description: iTunes backup directory. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/MobileSync/Backup/* + path: /%user_home%/Library/"Application Support"/MobileSync/Backup exclude_nologin_users: true \ No newline at end of file diff --git a/artifacts/files/applications/macos_dock.yaml b/artifacts/files/applications/macos_dock.yaml deleted file mode 100644 index 30a20e28..00000000 --- a/artifacts/files/applications/macos_dock.yaml +++ /dev/null @@ -1,10 +0,0 @@ -version: 1.0 -artifacts: - - - description: Collect user's dock file. - supported_os: [macos] - collector: file - path: /%user_home%/Library/Preferences/com.apple.dock.plist - ignore_date_range: true - exclude_nologin_users: true - \ No newline at end of file diff --git a/artifacts/files/applications/microsoft_teams.yaml b/artifacts/files/applications/microsoft_teams.yaml index 83d6dd57..8acd87d7 100644 --- a/artifacts/files/applications/microsoft_teams.yaml +++ b/artifacts/files/applications/microsoft_teams.yaml @@ -4,7 +4,7 @@ artifacts: description: Collect Microsoft Teams cache files. supported_os: [linux] collector: file - path: /%user_home%/.config/Microsoft/"Microsoft Teams"/Cache/* + path: /%user_home%/.config/Microsoft/"Microsoft Teams"/Cache exclude_nologin_users: true - description: Collect Microsoft Teams chat log files. @@ -17,7 +17,7 @@ artifacts: description: Collect Microsoft Teams leveldb files. supported_os: [linux] collector: file - path: /%user_home%/.config/Microsoft/"Microsoft Teams"/"Local Storage"/leveldb/* + path: /%user_home%/.config/Microsoft/"Microsoft Teams"/"Local Storage"/leveldb exclude_nologin_users: true - description: Collect Microsoft Teams config file. 
@@ -29,7 +29,7 @@ artifacts:
 description: Collect Microsoft Teams logs directory.
 supported_os: [linux]
 collector: file
- path: /%user_home%/.config/Microsoft/"Microsoft Teams"/logs/*
+ path: /%user_home%/.config/Microsoft/"Microsoft Teams"/logs
 exclude_nologin_users: true
 -
 description: Collect Microsoft Teams log file.
@@ -127,7 +127,7 @@ artifacts:
 description: Collect Microsoft Teams cache files.
 supported_os: [macos]
 collector: file
- path: /%user_home%/Library/"Application Support"/Microsoft/Teams/Cache/*
+ path: /%user_home%/Library/"Application Support"/Microsoft/Teams/Cache
 exclude_nologin_users: true
 -
 description: Collect Microsoft Teams chat log files.
@@ -140,7 +140,7 @@ artifacts:
 description: Collect Microsoft Teams leveldb files.
 supported_os: [macos]
 collector: file
- path: /%user_home%/Library/"Application Support"/Microsoft/Teams/"Local Storage"/leveldb/*
+ path: /%user_home%/Library/"Application Support"/Microsoft/Teams/"Local Storage"/leveldb
 exclude_nologin_users: true
 -
 description: Collect Microsoft Teams config file.
@@ -152,7 +152,7 @@ artifacts:
 description: Collect Microsoft Teams logs directory.
 supported_os: [macos]
 collector: file
- path: /%user_home%/Library/"Application Support"/Microsoft/Teams/logs/*
+ path: /%user_home%/Library/"Application Support"/Microsoft/Teams/logs
 exclude_nologin_users: true
 -
 description: Collect Microsoft Teams log file.
diff --git a/artifacts/files/applications/photos.yaml b/artifacts/files/applications/photos.yaml
new file mode 100644
index 00000000..cba23509
--- /dev/null
+++ b/artifacts/files/applications/photos.yaml
@@ -0,0 +1,9 @@
+version: 1.0
+artifacts:
+ -
+ description: Collect Photos artifacts.
+ supported_os: [macos]
+ collector: file
+ path: /%user_home%/Pictures/Photos Library.photoslibrary
+ name_pattern: ["Photos.sqlite*"]
+ exclude_nologin_users: true
diff --git a/artifacts/files/applications/signal.yaml b/artifacts/files/applications/signal.yaml
index 54058042..d3baa4bd 100644
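Review bot: `path: /%user_home%/Pictures/Photos Library.photoslibrary` in the new photos.yaml leaves a space in a path component unquoted, while every other artifact touched by this diff wraps such components in double quotes (`Library/"Application Support"/…`, `"Local Storage"/leveldb`, `"Microsoft Teams"/logs`). If the collector expands `path` through the shell the way that quoting convention suggests, the value splits into two words and the artifact silently collects nothing; write it as `path: /%user_home%/Pictures/"Photos Library.photoslibrary"`. The `"Photos.sqlite*"` pattern will also pick up the `-wal`/`-shm` side files, which is what you want for a live SQLite database, so a short comment saying that is deliberate would save the next reader from "tightening" it. Consider `ignore_date_range: true` as well, as the sibling application artifacts do, since a date filter on the database file's mtime would drop it whenever no photos were added inside the requested range; I cannot see the collector, so this is a suggestion rather than a defect.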
--- a/artifacts/files/applications/signal.yaml +++ b/artifacts/files/applications/signal.yaml @@ -4,19 +4,19 @@ artifacts: description: Collect Signal cache files. supported_os: [linux] collector: file - path: /%user_home%/.config/Signal/Cache/* + path: /%user_home%/.config/Signal/Cache exclude_nologin_users: true - description: Collect Signal attachments cache files. supported_os: [linux] collector: file - path: /%user_home%/.config/Signal/attachments.noindex/* + path: /%user_home%/.config/Signal/attachments.noindex exclude_nologin_users: true - description: Collect Signal log files. supported_os: [linux] collector: file - path: /%user_home%/.config/Signal/logs/* + path: /%user_home%/.config/Signal/logs exclude_nologin_users: true - description: Collect Signal config.json file. @@ -107,19 +107,19 @@ artifacts: description: Collect Signal cache files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/Signal/Cache/* + path: /%user_home%/Library/"Application Support"/Signal/Cache exclude_nologin_users: true - description: Collect Signal attachments cache files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/Signal/attachments.noindex/* + path: /%user_home%/Library/"Application Support"/Signal/attachments.noindex exclude_nologin_users: true - description: Collect Signal log files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/Signal/logs/* + path: /%user_home%/Library/"Application Support"/Signal/logs exclude_nologin_users: true - description: Collect Signal config.json file. diff --git a/artifacts/files/applications/slack.yaml b/artifacts/files/applications/slack.yaml index 283358f3..4d93d25f 100644 --- a/artifacts/files/applications/slack.yaml +++ b/artifacts/files/applications/slack.yaml 
@@ -4,7 +4,7 @@ artifacts: description: Collect Slack cache files. supported_os: [linux] collector: file - path: /%user_home%/.config/Slack/Cache/* + path: /%user_home%/.config/Slack/Cache exclude_nologin_users: true - description: Collect Slack chat log files. @@ -17,19 +17,19 @@ artifacts: description: Collect Slack leveldb files. supported_os: [linux] collector: file - path: /%user_home%/.config/Slack/"Local Storage"/leveldb/* + path: /%user_home%/.config/Slack/"Local Storage"/leveldb exclude_nologin_users: true - description: Collect Slack log files. supported_os: [linux] collector: file - path: /%user_home%/.config/Slack/logs/* + path: /%user_home%/.config/Slack/logs exclude_nologin_users: true - description: Collect Slack storage files. supported_os: [linux] collector: file - path: /%user_home%/.config/Slack/storage/* + path: /%user_home%/.config/Slack/storage exclude_nologin_users: true - description: Collect Slack cache files (Flatpak version). @@ -107,7 +107,7 @@ artifacts: description: Collect Slack cache files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/Slack/Cache/* + path: /%user_home%/Library/"Application Support"/Slack/Cache exclude_nologin_users: true - description: Collect Slack chat log files. 
@@ -120,19 +120,19 @@ artifacts: description: Collect Slack leveldb files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/Slack/"Local Storage"/leveldb/* + path: /%user_home%/Library/"Application Support"/Slack/"Local Storage"/leveldb exclude_nologin_users: true - description: Collect Slack log files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/Slack/logs/* + path: /%user_home%/Library/"Application Support"/Slack/logs exclude_nologin_users: true - description: Collect Slack storage files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/Slack/storage/* + path: /%user_home%/Library/"Application Support"/Slack/storage exclude_nologin_users: true # References: diff --git a/artifacts/files/applications/whatsapp.yaml b/artifacts/files/applications/whatsapp.yaml index 85736e06..a68b9306 100644 --- a/artifacts/files/applications/whatsapp.yaml +++ b/artifacts/files/applications/whatsapp.yaml @@ -4,13 +4,13 @@ artifacts: description: Collect WhatsApp cache files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/WhatsApp/Cache/* + path: /%user_home%/Library/"Application Support"/WhatsApp/Cache exclude_nologin_users: true - description: Collect WhatsApp leveldb files. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/WhatsApp/"Local Storage"/leveldb/* + path: /%user_home%/Library/"Application Support"/WhatsApp/"Local Storage"/leveldb exclude_nologin_users: true # WhatsApp is a cloud-based application. All chats are in the cloud. In part, chats can be found on mobile devices. diff --git a/artifacts/files/browsers/vivaldi.yaml b/artifacts/files/browsers/vivaldi.yaml new file mode 100644 index 00000000..2afd49b3 --- /dev/null +++ b/artifacts/files/browsers/vivaldi.yaml 
@@ -0,0 +1,18 @@ +version: 1.0 +artifacts: + - + description: Collect Vivaldi browser files. + supported_os: [linux] + collector: file + path: /%user_home%/.config/vivaldi + name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Extensions", "Favicons*", "File System", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Sessions", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"] + ignore_date_range: true + exclude_nologin_users: true + - + description: Collect Vivaldi browser files. + supported_os: [macos] + collector: file + path: /%user_home%/Library/"Application Support"/Vivaldi + name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Extensions", "Favicons*", "File System", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Sessions", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"] + ignore_date_range: true + exclude_nologin_users: true diff --git a/artifacts/files/logs/additional_logs.yaml b/artifacts/files/logs/additional_logs.yaml index 07a52a05..06faaca5 100644 --- a/artifacts/files/logs/additional_logs.yaml +++ b/artifacts/files/logs/additional_logs.yaml @@ -4,7 +4,7 @@ artifacts: description: Collect all log files and directories. supported_os: [all] collector: file - path: /* + path: / name_pattern: ["*.[Ll][Oo][Gg]", "*.[Ll][Oo][Gg].*", "[Ll][Oo][Gg]", "[Ll][Oo][Gg][Ss]"] max_file_size: 1073741824 # 1GB \ No newline at end of file diff --git a/artifacts/files/logs/macos.yaml b/artifacts/files/logs/macos.yaml index 2b8fa401..9a7bc0d0 100644 --- a/artifacts/files/logs/macos.yaml +++ b/artifacts/files/logs/macos.yaml 
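Review bot: Both Vivaldi artifacts match `Cookies*`, `Login Data*` and `Sessions`, which hold session tokens and the browser's encrypted saved credentials, yet nothing in the file marks the output as sensitive; a comment above each `name_pattern`, e.g. `# Cookies*/Login Data*/Sessions carry session tokens and saved credentials - treat the output as sensitive`, tells the analyst what is being taken. `Extensions` is the only entry with no size bound, unlike the log artifacts in this commit that set `max_file_size`, so an installed-extension tree can dominate the collection. Chromium-based profiles presumably live under a `Default` (or `Profile N`) subdirectory of the configured `path`; if the file collector does not descend from `/%user_home%/.config/vivaldi` the patterns match nothing, which is worth confirming against one real profile. The two entries also share the same description; naming the platform in each would make the output listing readable.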
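Review bot: The `/`-rooted collection in additional_logs.yaml carries no `exclude_file_system`, while the `find` artifacts in hash_executables.yaml, socket_files.yaml and suid.yaml in this same commit exclude `proc`/`procfs`; the same gap exists in tomcat.yaml, ds_store.yaml, hidden_directories.yaml and hidden_files.yaml. Walking `/proc` and `/sys` for log-shaped names is wasted time at best, and an unbounded walk from `/` also crosses network mounts. Adding `exclude_file_system: [proc, procfs]` under each `path: /` keeps these files consistent with the `find` artifacts.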
@@ -10,12 +10,12 @@ artifacts: description: Collect system logs. supported_os: [macos] collector: file - path: /Library/Logs/* + path: /Library/Logs max_file_size: 1073741824 # 1GB - description: Collect user applications logs. supported_os: [macos] collector: file - path: /%user_home%/Library/Logs/* + path: /%user_home%/Library/Logs max_file_size: 1073741824 # 1GB \ No newline at end of file diff --git a/artifacts/files/logs/netscaler.yaml b/artifacts/files/logs/netscaler.yaml index fa89a20b..50e762b5 100644 --- a/artifacts/files/logs/netscaler.yaml +++ b/artifacts/files/logs/netscaler.yaml @@ -4,17 +4,17 @@ artifacts: description: Collect nslog logs. supported_os: [netscaler] collector: file - path: /var/nslog/* + path: /var/nslog max_file_size: 1073741824 # 1GB - description: Collect nsproflog logs. supported_os: [netscaler] collector: file - path: /var/nsproflog/* + path: /var/nsproflog max_file_size: 1073741824 # 1GB - description: Collect nssynclog logs. supported_os: [netscaler] collector: file - path: /var/nssynclog/* + path: /var/nssynclog max_file_size: 1073741824 # 1GB diff --git a/artifacts/files/logs/tomcat.yaml b/artifacts/files/logs/tomcat.yaml index ff375b30..d3062b7c 100644 --- a/artifacts/files/logs/tomcat.yaml +++ b/artifacts/files/logs/tomcat.yaml @@ -4,6 +4,6 @@ artifacts: description: Collect Apache Tomcat logs. supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris] collector: file - path: /* + path: / name_pattern: ["access_log*", "error_log*", "httpd-access.log*", "httpd-error.log*", "catalina.out"] max_file_size: 1073741824 # 1GB diff --git a/artifacts/files/logs/var_adm.yaml b/artifacts/files/logs/var_adm.yaml index 72a90fe7..72084922 100644 --- a/artifacts/files/logs/var_adm.yaml +++ b/artifacts/files/logs/var_adm.yaml 
@@ -4,5 +4,5 @@ artifacts: description: Collect /var/adm logs. supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris] collector: file - path: /var/adm/* + path: /var/adm max_file_size: 1073741824 # 1GB diff --git a/artifacts/files/logs/var_log.yaml b/artifacts/files/logs/var_log.yaml index 61c84984..3713b8ae 100644 --- a/artifacts/files/logs/var_log.yaml +++ b/artifacts/files/logs/var_log.yaml @@ -4,11 +4,11 @@ artifacts: description: Collect /var/log logs. supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris] collector: file - path: /var/log/* + path: /var/log max_file_size: 1073741824 # 1GB - description: Collect /private/var/log logs. supported_os: [macos] collector: file - path: /private/var/log/* + path: /private/var/log max_file_size: 1073741824 # 1GB diff --git a/artifacts/files/logs/var_run_log.yaml b/artifacts/files/logs/var_run_log.yaml index f780d7f8..dd95bc47 100644 --- a/artifacts/files/logs/var_run_log.yaml +++ b/artifacts/files/logs/var_run_log.yaml @@ -4,6 +4,6 @@ artifacts: description: Collect /var/run/log logs. supported_os: [esxi] collector: file - path: /var/run/log/* + path: /var/run/log max_file_size: 1073741824 # 1GB \ No newline at end of file diff --git a/artifacts/files/shell/history.yaml b/artifacts/files/shell/history.yaml index 8fca0e6e..9ea2beb5 100644 --- a/artifacts/files/shell/history.yaml +++ b/artifacts/files/shell/history.yaml @@ -7,4 +7,11 @@ artifacts: path: /%user_home% # lesshst: less command history file name_pattern: [".*_history", ".*history", ".lesshst", ".zhistory"] - max_depth: 2 \ No newline at end of file + max_depth: 2 + - + description: Collect fish shell history files. + supported_os: [all] + collector: file + path: /%user_home% + name_pattern: ["fish_history"] + max_depth: 4 \ No newline at end of file diff --git a/artifacts/files/system/autoruns.yaml b/artifacts/files/system/autoruns.yaml index 6f355ee2..3b2e7f15 100644 --- a/artifacts/files/system/autoruns.yaml 
+++ b/artifacts/files/system/autoruns.yaml @@ -4,35 +4,35 @@ artifacts: description: Collect Startup Items configuration files. supported_os: [macos] collector: file - path: /Library/StartupItems/* + path: /Library/StartupItems ignore_date_range: true - description: Collect Agents configuration files. supported_os: [macos] collector: file - path: /Library/LaunchAgents/* + path: /Library/LaunchAgents ignore_date_range: true - description: Collect Agents configuration files. supported_os: [macos] collector: file - path: /System/Library/LaunchAgents/* + path: /System/Library/LaunchAgents ignore_date_range: true - description: Collect Agents configuration files. supported_os: [macos] collector: file - path: /%user_home%/Library/LaunchAgents/* + path: /%user_home%/Library/LaunchAgents ignore_date_range: true - description: Collect Daemons configuration files. supported_os: [macos] collector: file - path: /Library/LaunchDaemons/* + path: /Library/LaunchDaemons ignore_date_range: true - description: Collect Daemons configuration files. supported_os: [macos] collector: file - path: /System/Library/LaunchDaemons/* + path: /System/Library/LaunchDaemons ignore_date_range: true diff --git a/artifacts/files/system/dev_shm.yaml b/artifacts/files/system/dev_shm.yaml new file mode 100644 index 00000000..0f2a8bc0 --- /dev/null +++ b/artifacts/files/system/dev_shm.yaml @@ -0,0 +1,9 @@ +version: 1.0 +artifacts: + - + description: Collect system temporary files. + supported_os: [all] + collector: file + path: /dev/shm + file_type: f + max_file_size: 5242880 # 5MB diff --git a/artifacts/files/system/ds_store.yaml b/artifacts/files/system/ds_store.yaml new file mode 100644 index 00000000..decb42f2 --- /dev/null +++ b/artifacts/files/system/ds_store.yaml @@ -0,0 +1,10 @@ +version: 1.0 +artifacts: + - + description: Collect .DS_Store files. + supported_os: [macos] + collector: file + path: / + name_pattern: [".DS_Store"] + file_type: f + \ No newline at end of file 
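Review bot: autoruns.yaml and startup_items.yaml have identical blob ids on both sides of the change (`6f355ee2..3b2e7f15`), so this hunk and the startup_items.yaml hunk later in the commit patch two byte-identical files. Every StartupItems/LaunchAgents/LaunchDaemons directory is therefore collected twice under two artifact names. Keeping one file, or reducing the other to a comment pointing at its sibling, removes the duplicate work and the risk that the two drift apart on the next edit.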
diff --git a/artifacts/files/system/etc.yaml b/artifacts/files/system/etc.yaml index 091f0bc9..989fc259 100644 --- a/artifacts/files/system/etc.yaml +++ b/artifacts/files/system/etc.yaml @@ -4,12 +4,12 @@ artifacts: description: Collect system configuration files. supported_os: [all] collector: file - path: /etc/* + path: /etc exclude_name_pattern: ["shadow", "shadow-"] ignore_date_range: true - description: Collect system configuration files. supported_os: [macos] collector: file - path: /private/etc/* + path: /private/etc ignore_date_range: true diff --git a/artifacts/files/system/job_scheduler.yaml b/artifacts/files/system/job_scheduler.yaml index 8f9ddd6f..c9a577d6 100644 --- a/artifacts/files/system/job_scheduler.yaml +++ b/artifacts/files/system/job_scheduler.yaml 
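Review bot: `exclude_name_pattern: ["shadow", "shadow-"]` keeps the Linux password-hash file out of the `/etc` collection, but with `supported_os: [all]` the equivalent files on the other platforms are still taken: `gshadow`/`gshadow-` on Linux and `master.passwd`/`spwd.db` on the BSDs. If the exclusion exists to keep credential hashes out of the evidence set, `exclude_name_pattern: ["shadow", "shadow-", "gshadow", "gshadow-", "master.passwd", "spwd.db"]` closes the gap. The macOS `/private/etc` artifact below has no exclusion at all; a one-line comment stating whether that is deliberate would help the next reader.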
@@ -1,27 +1,42 @@ -version: 1.0 +version: 2.0 artifacts: - description: Collect cron files. supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris] collector: file - path: /var/cron/* + path: /var/cron - description: Collect cron files. supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris] collector: file - path: /var/adm/cron/* + path: /var/adm/cron - description: Collect at files. supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris] collector: file - path: /var/spool/at/* + path: /var/spool/at - description: Collect at files. supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris] collector: file - path: /var/spool/cron/* + path: /var/spool/cron - description: Collect at files. supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris] collector: file - path: /private/var/at/tabs/* + path: /private/var/at/tabs + - + description: Collect cron files. + supported_os: [macos] + collector: file + path: /usr/lib/cron/jobs + - + description: Collect cron files. + supported_os: [macos] + collector: file + path: /usr/lib/cron/spool + - + description: Collect cron files. + supported_os: [macos] + collector: file + path: /usr/lib/cron/tabs diff --git a/artifacts/files/system/keychain.yaml b/artifacts/files/system/keychain.yaml new file mode 100644 index 00000000..94f9a6ee --- /dev/null +++ b/artifacts/files/system/keychain.yaml @@ -0,0 +1,15 @@ +version: 1.0 +artifacts: + - + description: Collect system keychain file. + supported_os: [macos] + collector: file + path: /Library/Keychains/System.keychain + ignore_date_range: true + - + description: Collect user's keychain file. + supported_os: [macos] + collector: file + path: /%user_home%/Library/Keychains + ignore_date_range: true + \ No newline at end of file diff --git a/artifacts/files/system/library_preferences.yaml b/artifacts/files/system/library_preferences.yaml index a849878c..aa3ec34c 100644 
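Review bot: The three new macOS entries under `/usr/lib/cron/{jobs,spool,tabs}` presumably overlap the `/private/var/at/tabs` artifact a few lines above — on macOS `/usr/lib/cron` is, to my knowledge, a symlink into `/private/var/at` — so the same crontabs would be collected twice. Worth checking on a real host and either dropping the side that resolves to the same directory or adding a comment that the duplication is intended for systems where the link is absent. The untouched context also labels `/var/spool/cron` as `Collect at files.`; the descriptions should match the directory content.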
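Review bot: The user keychain artifact at `path: /%user_home%/Library/Keychains` lacks `exclude_nologin_users: true`, which every other `/%user_home%` artifact in this commit sets (library_preferences.yaml, macos_mru.yaml, tracker.yaml), so service accounts' home directories would be walked here and nowhere else. Keychain databases are credential stores; a comment such as `# keychain databases hold user credentials - treat the collected copy as sensitive` documents why the output needs the same protection as the rest of the evidence container. The system entry pins `System.keychain` by name while the user entry takes the whole directory, which is fine but deserves a one-line comment explaining the asymmetry.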
--- a/artifacts/files/system/library_preferences.yaml +++ b/artifacts/files/system/library_preferences.yaml @@ -1,19 +1,18 @@ -version: 1.0 +version: 2.0 artifacts: - description: Collect system preferences and configuration plist files. supported_os: [macos] collector: file - path: /Library/Preferences/SystemConfiguration - name_pattern: ["*.plist"] + path: /Library/Preferences + name_pattern: ["*.plist", ".*.plist"] ignore_date_range: true - exclude_nologin_users: true - description: Collect user's preferences and configuration plist files. supported_os: [macos] collector: file path: /%user_home%/Library/Preferences - name_pattern: ["*.plist"] + name_pattern: ["*.plist", ".*.plist"] ignore_date_range: true exclude_nologin_users: true \ No newline at end of file diff --git a/artifacts/files/system/macos_mru.yaml b/artifacts/files/system/macos_mru.yaml index baf97653..a868f947 100644 --- a/artifacts/files/system/macos_mru.yaml +++ b/artifacts/files/system/macos_mru.yaml @@ -12,14 +12,14 @@ artifacts: description: Collect macOS Most Recently Used. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/com.apple.sharedfilelist/* + path: /%user_home%/Library/"Application Support"/com.apple.sharedfilelist ignore_date_range: true exclude_nologin_users: true - description: Collect macOS Most Recently Used. supported_os: [macos] collector: file - path: /%user_home%/Library/"Application Support"/com.apple.spotlight.Shortcuts/* + path: /%user_home%/Library/"Application Support"/com.apple.spotlight.Shortcuts ignore_date_range: true exclude_nologin_users: true - diff --git a/artifacts/files/system/network_application_usage.yaml b/artifacts/files/system/network_application_usage.yaml new file mode 100644 index 00000000..727f3dea --- /dev/null +++ b/artifacts/files/system/network_application_usage.yaml 
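Review bot: The system artifact's `path` moves from `/Library/Preferences/SystemConfiguration` to `/Library/Preferences`, and the same commit deletes wifi.yaml (`SystemConfiguration/com.apple.airport.preferences.plist`), time_machine.yaml and resumed_applications.yaml (`Preferences/ByHost/com.apple.loginwindow.*`) — presumably on the assumption that the broader path now covers them. That holds only if the file collector descends into `SystemConfiguration/` and `ByHost/`; if `path` is matched one level deep, the airport and loginwindow plists silently drop out of the collection. A comment above the artifact, e.g. `# recursive: also covers SystemConfiguration/ and ByHost/ (replaces wifi.yaml, time_machine.yaml, resumed_applications.yaml)`, would record the intent so it can be verified.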
@@ -0,0 +1,13 @@ +version: 1.0 +artifacts: + - + description: Collect netusage.sqlite database file. Network Usage Application Data contains information about how an application sends or receives data over the network. + supported_os: [macos] + collector: file + path: /private/var/networkd/db/netusage.sqlite + - + description: Collect DataUsage.sqlite database file. Network Usage Application Data contains information about how an application sends or receives data over the network. + supported_os: [macos] + collector: file + path: /private/var/wireless/Library/Databases/DataUsage.sqlite + \ No newline at end of file diff --git a/artifacts/files/system/networkmanager.yaml b/artifacts/files/system/networkmanager.yaml index 1adda1b3..9b08ce2e 100644 --- a/artifacts/files/system/networkmanager.yaml +++ b/artifacts/files/system/networkmanager.yaml @@ -4,5 +4,5 @@ artifacts: description: Collect Network Manager files. supported_os: [linux] collector: file - path: /var/lib/NetworkManager/* + path: /var/lib/NetworkManager ignore_date_range: true diff --git a/artifacts/files/system/nsconfig.yaml b/artifacts/files/system/nsconfig.yaml index 8a037afb..5f1bc15a 100644 --- a/artifacts/files/system/nsconfig.yaml +++ b/artifacts/files/system/nsconfig.yaml @@ -4,5 +4,5 @@ artifacts: description: Collect system configuration files. supported_os: [netscaler] collector: file - path: /flash/nsconfig/* + path: /flash/nsconfig ignore_date_range: true diff --git a/artifacts/files/system/powerlog.yaml b/artifacts/files/system/powerlog.yaml new file mode 100644 index 00000000..f14b9f55 --- /dev/null +++ b/artifacts/files/system/powerlog.yaml @@ -0,0 +1,9 @@ +version: 1.0 +artifacts: + - + description: Collect Powerlog files. + supported_os: [macos] + collector: file + path: /private/var/db/powerlog/Library/BatteryLife/CurrentPowerlog.PLSQL* + ignore_date_range: true + \ No newline at end of file 
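Review bot: Both entries name a single SQLite file (`netusage.sqlite`, `DataUsage.sqlite`) and therefore skip the `-wal`/`-shm` sidecars, which hold the most recent rows that have not yet been checkpointed — exactly the activity an investigator is after. powerlog.yaml in this same commit uses `CurrentPowerlog.PLSQL*` and tracker.yaml uses `meta.db*` for that reason; `path: /private/var/networkd/db/netusage.sqlite*` and `path: /private/var/wireless/Library/Databases/DataUsage.sqlite*` would match the sidecars too. The two descriptions repeat the same sentence; the second can simply point at the first.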
diff --git a/artifacts/files/system/private_tmp.yaml b/artifacts/files/system/private_tmp.yaml new file mode 100644 index 00000000..941f9d9d --- /dev/null +++ b/artifacts/files/system/private_tmp.yaml @@ -0,0 +1,9 @@ +version: 1.0 +artifacts: + - + description: Collect system temporary files. + supported_os: [macos] + collector: file + path: /private/tmp + file_type: f + max_file_size: 5242880 # 5MB diff --git a/artifacts/files/system/recovery_account_info.yaml b/artifacts/files/system/recovery_account_info.yaml new file mode 100644 index 00000000..b9b8ec9b --- /dev/null +++ b/artifacts/files/system/recovery_account_info.yaml @@ -0,0 +1,10 @@ +version: 1.0 +artifacts: + - + description: Collect recovery account information files. + supported_os: [macos] + collector: file + path: /var/db + name_pattern: ["AdminUserRecoveryInfo.plist", "CryptoUserInfo.plist"] + ignore_date_range: true + \ No newline at end of file diff --git a/artifacts/files/system/resumed_applications.yaml b/artifacts/files/system/resumed_applications.yaml deleted file mode 100644 index fd623406..00000000 --- a/artifacts/files/system/resumed_applications.yaml +++ /dev/null @@ -1,8 +0,0 @@ -version: 1.0 -artifacts: - - - description: Collect information about the applications that are set to reopen after macOS computer restarts or resumes from sleep. - supported_os: [macos] - collector: file - path: /%user_home%/Library/Preferences/ByHost/com.apple.loginwindow.* - exclude_nologin_users: true \ No newline at end of file diff --git a/artifacts/files/system/run_shm.yaml b/artifacts/files/system/run_shm.yaml new file mode 100644 index 00000000..e646b2b5 --- /dev/null +++ b/artifacts/files/system/run_shm.yaml @@ -0,0 +1,10 @@ +version: 1.0 +artifacts: + - + description: Collect system temporary files. + supported_os: [all] + collector: file + path: /run/shm + file_type: f + max_file_size: 5242880 # 5MB + 
diff --git a/artifacts/files/system/startup_items.yaml b/artifacts/files/system/startup_items.yaml index 6f355ee2..3b2e7f15 100644 --- a/artifacts/files/system/startup_items.yaml +++ b/artifacts/files/system/startup_items.yaml @@ -4,35 +4,35 @@ artifacts: description: Collect Startup Items configuration files. supported_os: [macos] collector: file - path: /Library/StartupItems/* + path: /Library/StartupItems ignore_date_range: true - description: Collect Agents configuration files. supported_os: [macos] collector: file - path: /Library/LaunchAgents/* + path: /Library/LaunchAgents ignore_date_range: true - description: Collect Agents configuration files. supported_os: [macos] collector: file - path: /System/Library/LaunchAgents/* + path: /System/Library/LaunchAgents ignore_date_range: true - description: Collect Agents configuration files. supported_os: [macos] collector: file - path: /%user_home%/Library/LaunchAgents/* + path: /%user_home%/Library/LaunchAgents ignore_date_range: true - description: Collect Daemons configuration files. supported_os: [macos] collector: file - path: /Library/LaunchDaemons/* + path: /Library/LaunchDaemons ignore_date_range: true - description: Collect Daemons configuration files. supported_os: [macos] collector: file - path: /System/Library/LaunchDaemons/* + path: /System/Library/LaunchDaemons ignore_date_range: true diff --git a/artifacts/files/system/system_version.yaml b/artifacts/files/system/system_version.yaml new file mode 100644 index 00000000..e258a0c5 --- /dev/null +++ b/artifacts/files/system/system_version.yaml @@ -0,0 +1,9 @@ +version: 1.0 +artifacts: + - + description: Collect system name and version. + supported_os: [macos] + collector: file + path: /System/Library/CoreServices/SystemVersion.plist + ignore_date_range: true + \ No newline at end of file diff --git a/artifacts/files/system/systemd.yaml b/artifacts/files/system/systemd.yaml index 6a0270cf..6d7fd0da 100644 --- a/artifacts/files/system/systemd.yaml 
+++ b/artifacts/files/system/systemd.yaml @@ -1,14 +1,26 @@ -version: 1.0 +version: 2.0 artifacts: - description: Collect systemd configuration files. supported_os: [linux] collector: file - path: /lib/systemd/system/* + path: /lib/systemd/system ignore_date_range: true - description: Collect systemd configuration files. supported_os: [linux] collector: file - path: /usr/lib/systemd/system/* + path: /usr/lib/systemd/system ignore_date_range: true + - + description: Collect systemd sessions files. + supported_os: [linux] + collector: file + path: /run/systemd/sessions + file_type: f + - + description: Collect systemd scope files. + supported_os: [linux] + collector: file + path: /run/systemd/transient + name_pattern: ["*.scope"] diff --git a/artifacts/files/system/time_machine.yaml b/artifacts/files/system/time_machine.yaml deleted file mode 100644 index 22645693..00000000 --- a/artifacts/files/system/time_machine.yaml +++ /dev/null @@ -1,9 +0,0 @@ -version: 1.0 -artifacts: - - - description: Collect TimeMachine plist file. - supported_os: [macos] - collector: file - path: /Library/Preferences/com.apple.TimeMachine.plist - ignore_date_range: true - \ No newline at end of file diff --git a/artifacts/files/system/tmp.yaml b/artifacts/files/system/tmp.yaml index d6c3ddbc..ef8eea8e 100644 --- a/artifacts/files/system/tmp.yaml +++ b/artifacts/files/system/tmp.yaml 
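Review bot: The new `/run/systemd/transient` artifact restricts itself to `name_pattern: ["*.scope"]`, but transient `.service` and `.timer` units created with `systemd-run` are written to the same directory and are the more useful trace of ad-hoc execution and short-lived scheduling. Either widen to `name_pattern: ["*.scope", "*.service", "*.timer"]` or drop the pattern and take the directory, as the two `/lib/systemd/system` entries above do. The description `Collect systemd scope files.` should then be updated to match.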
@@ -1,33 +1,9 @@ -version: 1.0 +version: 2.0 artifacts: - description: Collect system temporary files. supported_os: [all] collector: file - path: /tmp/* - file_type: f - max_file_size: 5242880 # 5MB - - - description: Collect hidden system temporary files. - supported_os: [all] - collector: file path: /tmp - name_pattern: [".*"] - file_type: f - max_file_size: 5242880 # 5MB - - - description: Collect system temporary files. - supported_os: [macos] - collector: file - path: /private/tmp/* - file_type: f - max_file_size: 5242880 # 5MB - - - description: Collect hidden system temporary files. - supported_os: [macos] - collector: file - path: /private/tmp - name_pattern: [".*"] file_type: f max_file_size: 5242880 # 5MB - \ No newline at end of file diff --git a/artifacts/files/system/tracker.yaml b/artifacts/files/system/tracker.yaml new file mode 100644 index 00000000..b0da69b4 --- /dev/null +++ b/artifacts/files/system/tracker.yaml @@ -0,0 +1,10 @@ +version: 1.0 +artifacts: + - + description: Collect tracker db files. Tracker provides searching and indexing functionality for the GNOME desktop environment and beyond. + supported_os: [linux] + collector: file + path: /%user_home%/.cache/tracker3/files + name_pattern: ["*Audio.db*", "*Documents.db*", "*FileSystem.db*", "*Pictures.db*", "*Software.db*", "*Video.db*", "meta.db*"] + ignore_date_range: true + exclude_nologin_users: true diff --git a/artifacts/files/system/trash_info.yaml b/artifacts/files/system/trash_info.yaml index 8ab3276f..9d9f9ec0 100644 --- a/artifacts/files/system/trash_info.yaml +++ b/artifacts/files/system/trash_info.yaml @@ -1,8 +1,8 @@ -version: 1.0 +version: 2.0 artifacts: - description: Collect Trash info file. - supported_os: [linux] + supported_os: [freebsd, linux, netbsd, openbsd] collector: file path: /%user_home%/.local/share/Trash/info - exclude_nologin_users: true \ No newline at end of file + exclude_nologin_users: true 
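Review bot: Collapsing tmp.yaml to a single `path: /tmp` entry drops the `Collect hidden system temporary files` artifact with `name_pattern: [".*"]`; whether dot-files in `/tmp` are still collected now depends on the collector's default matching, which the hunk does not show. hidden_files.yaml in this commit still spells out `name_pattern: [".*"]` to reach dot-files, which hints that a plain `path` may not. A comment such as `# dot-files are included by the default match (replaces the former hidden-files entry)` would confirm this was verified rather than lost; the same question applies to private_tmp.yaml, var_tmp.yaml, dev_shm.yaml and run_shm.yaml.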
diff --git a/artifacts/files/system/var_db_diagnostics.yaml b/artifacts/files/system/var_db_diagnostics.yaml new file mode 100644 index 00000000..a4e5c3cb --- /dev/null +++ b/artifacts/files/system/var_db_diagnostics.yaml @@ -0,0 +1,9 @@ +version: 1.0 +artifacts: + - + description: Collect AirDrop activity files. + supported_os: [macos] + collector: file + path: /private/var/db/diagnostics + name_pattern: ["*.tracev3"] + \ No newline at end of file diff --git a/artifacts/files/system/var_spool.yaml b/artifacts/files/system/var_spool.yaml index 311ceb87..7157e2cf 100644 --- a/artifacts/files/system/var_spool.yaml +++ b/artifacts/files/system/var_spool.yaml @@ -4,9 +4,9 @@ artifacts: description: Collect spool files. supported_os: [all] collector: file - path: /var/spool/* + path: /var/spool - description: Collect spool files. supported_os: [macos] collector: file - path: /private/var/spool/* + path: /private/var/spool diff --git a/artifacts/files/system/var_tmp.yaml b/artifacts/files/system/var_tmp.yaml new file mode 100644 index 00000000..44bdf180 --- /dev/null +++ b/artifacts/files/system/var_tmp.yaml @@ -0,0 +1,9 @@ +version: 1.0 +artifacts: + - + description: Collect system temporary files. + supported_os: [all] + collector: file + path: /var/tmp + file_type: f + max_file_size: 5242880 # 5MB diff --git a/artifacts/files/system/wifi.yaml b/artifacts/files/system/wifi.yaml deleted file mode 100644 index 4cb7e322..00000000 --- a/artifacts/files/system/wifi.yaml +++ /dev/null @@ -1,9 +0,0 @@ -version: 1.0 -artifacts: - - - description: Collect wifi plist file. This can be useful in determining where a machine has been, or if a user has joined an illegitimate or unauthorized wireless network. - supported_os: [macos] - collector: file - path: /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist - ignore_date_range: true - \ No newline at end of file 
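Review bot: The description `Collect AirDrop activity files.` undersells `*.tracev3` under `/private/var/db/diagnostics`: these are the Apple Unified Logging trace files for the whole system, AirDrop being one subsystem among many. The files are also not decodable on their own — parsing needs the `*.timesync` files in the `timesync/` subdirectory and the `/private/var/db/uuidtext` tree — so with `name_pattern: ["*.tracev3"]` alone the collected logs cannot be read offline. Widening to `name_pattern: ["*.tracev3", "*.timesync"]`, adding a second entry with `path: /private/var/db/uuidtext` and `ignore_date_range: true`, and describing the artifact as `Collect Unified Logging tracev3 files (system-wide, includes AirDrop)` would make it usable.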
diff --git a/artifacts/hash_executables/hash_executables.yaml b/artifacts/hash_executables/hash_executables.yaml index f0250f45..14078190 100644 --- a/artifacts/hash_executables/hash_executables.yaml +++ b/artifacts/hash_executables/hash_executables.yaml @@ -4,7 +4,7 @@ artifacts: description: Find files that contain at least +x flag set for other. supported_os: [all] collector: find - path: /* + path: / exclude_file_system: [proc, procfs] file_type: f max_depth: 4 @@ -15,7 +15,7 @@ artifacts: description: Find files that contain at least +x flag set for group. supported_os: [all] collector: find - path: /* + path: / exclude_file_system: [proc, procfs] file_type: f max_depth: 4 @@ -26,7 +26,7 @@ artifacts: description: Find files that contain at least +x flag set for owner. supported_os: [all] collector: find - path: /* + path: / exclude_file_system: [proc, procfs] file_type: f max_depth: 4 diff --git a/artifacts/live_response/process/deleted.yaml b/artifacts/live_response/process/deleted.yaml index 52eb994d..8f0ca297 100644 --- a/artifacts/live_response/process/deleted.yaml +++ b/artifacts/live_response/process/deleted.yaml 
@@ -1,34 +1,55 @@ version: 1.0 -artifacts: +artifacts: - - description: Collect the binary of (malicious) processes after they have been deleted. + description: Collect the binary of (malicious) processes if they are shown up as being (deleted). # the collection will be limited to the first 50M of data only. # this is to avoid dd hitting an invalid file descriptor (such as /dev/null) and generating an endless output file supported_os: [linux] collector: command - loop_command: ls -l /proc/[0-9]*/exe | grep -E "\(deleted\)" | grep -v -E "> /dev/|> /proc/" | awk -F"/proc/|/exe" '{print $2}' + loop_command: ls -l /proc/[0-9]*/exe | grep -E "\(deleted\)" | grep -v -E "> /proc/" | awk -F"/proc/|/exe" '{print $2}' command: dd if=/proc/%line%/exe of=%output_file% conv=swab bs=1024 count=50000 output_directory: proc/%line% output_file: recovered_exe.dd.swab - - description: Collect the list of file descriptors of (malicious) processes after they have been deleted. + description: Collect the list of deleted files of (malicious) processes if they are shown up as being (deleted). supported_os: [linux] collector: command loop_command: ls -l /proc/[0-9]*/exe | grep -E "\(deleted\)" | awk -F"/proc/|/exe" '{print $2}' command: ls -l /proc/%line%/fd/[0-9]* | grep -E "\(deleted\)" | grep -v -E "> /dev/|> /proc/" | awk -F"/proc/%line%/fd/| ->" '{print "%line%/fd/"$2}' output_file: .deleted_file_descriptors.txt - - description: Collect files of (malicious) processes after they have been deleted. + description: Collect the list of deleted files located in /dev/shm of (malicious) processes if they are shown up as being (deleted). 
+ supported_os: [linux] + collector: command + loop_command: ls -l /proc/[0-9]*/exe | grep -E "\(deleted\)" | awk -F"/proc/|/exe" '{print $2}' + command: ls -l /proc/%line%/fd/[0-9]* | grep -E "\(deleted\)" | grep -E "> /dev/shm" | awk -F"/proc/%line%/fd/| ->" '{print "%line%/fd/"$2}' + output_file: .deleted_file_descriptors.txt + - + description: Collect open files of (malicious) processes if they are shown up as being (deleted). # the collection will be limited to the first 50M of data only. # this is to avoid dd hitting an invalid file descriptor (such as /dev/null) and generating an endless output file supported_os: [linux] collector: command loop_command: cat "%destination_directory%/.deleted_file_descriptors.txt" - command: dd if=/proc/%line% of=%output_file% conv=swab bs=1024 count=50000 + command: dd if=/proc/%line% of=%output_file% bs=1024 count=50000 output_directory: proc/%line% - output_file: recovered_file.dd.swab + output_file: recovered_file.dd + - + description: Collect the list of open files of (malicious) processes. + supported_os: [linux] + collector: command + loop_command: ls -l /proc/[0-9]*/exe | grep -E "\(deleted\)" | awk -F"/proc/|/exe" '{print $2}' + command: ls -l /proc/%line%/fd/[0-9]* | grep -v -E "\(deleted\)" | awk -F'-> ' '{print $2}' | sed -e "s:^'::" -e "s:'$::" -e ':^"::' -e ':"$::' + output_file: .open_file_descriptors.txt + - + description: Collect open files of (malicious) processes. + supported_os: [linux] + collector: file + path: .open_file_descriptors.txt + is_file_list: true + file_type: f - - description: Collect the binary of (malicious) processes after they have been deleted. + description: Collect the binary of (malicious) processes if they are shown up as being (deleted). # the collection will be limited to the first 50M of data only. # this is to avoid dd hitting an invalid file descriptor (such as /dev/null) and generating an endless output file supported_os: [solaris] 
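Review bot: In the new `Collect the list of open files` command, the last two `sed` expressions `':^"::'` and `':"$::'` are missing the `s` command — as written they define labels rather than substitutions, so double-quoted paths keep their quotes and the following `is_file_list` collector looks up names that do not exist. The intended line is `sed -e "s:^'::" -e "s:'$::" -e 's:^"::' -e 's:"$::'`. Separately, the new `/dev/shm` entry writes to the same `output_file: .deleted_file_descriptors.txt` as the artifact above it; if the collector truncates the file per artifact rather than appending, the first list is lost before the `dd` step reads it via `cat "%destination_directory%/.deleted_file_descriptors.txt"`. The Solaris artifact at the end of the hunk continues beyond the hunk's context.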
diff --git a/artifacts/live_response/system/hidden_directories.yaml b/artifacts/live_response/system/hidden_directories.yaml new file mode 100644 index 00000000..e10106be --- /dev/null +++ b/artifacts/live_response/system/hidden_directories.yaml @@ -0,0 +1,12 @@ +version: 1.0 +artifacts: + - + description: List all hidden directories outside of user home directory. + supported_os: [all] + collector: find + path: / + name_pattern: [".*"] + exclude_path_pattern: ["/root", "/home", "/export/home", "/Users"] + file_type: d + output_file: hidden_directories.txt + \ No newline at end of file diff --git a/artifacts/live_response/system/hidden_files.yaml b/artifacts/live_response/system/hidden_files.yaml new file mode 100644 index 00000000..c1057410 --- /dev/null +++ b/artifacts/live_response/system/hidden_files.yaml @@ -0,0 +1,12 @@ +version: 1.0 +artifacts: + - + description: List all hidden files outside of user home directory. + supported_os: [all] + collector: find + path: / + name_pattern: [".*"] + exclude_path_pattern: ["/root", "/home", "/export/home", "/Users"] + file_type: f + output_file: hidden_files.txt + \ No newline at end of file diff --git a/artifacts/live_response/system/last.yaml b/artifacts/live_response/system/last.yaml new file mode 100644 index 00000000..1531533f --- /dev/null +++ b/artifacts/live_response/system/last.yaml 
@@ -0,0 +1,32 @@ +version: 1.0 +artifacts: + - + description: Show a listing of last logins and logouts. + supported_os: [aix, freebsd, linux, macos, netbsd, solaris] + collector: command + command: last + output_file: last.txt + - + description: Show a listing of last logins and logouts, but prints all available characters of each user name instead of truncating to the first 8 characters. + supported_os: [aix] + collector: command + command: last -X + output_file: last_-X.txt + - + description: Show a listing of last logins and logouts, but displays the host's IP number instead of the name. + supported_os: [linux] + collector: command + command: last -i + output_file: last_-i.txt + - + description: Show a listing of last logins and logouts, but display the hostname in the last column and print full login and logout times and dates. + supported_os: [linux] + collector: command + command: last -a -F + output_file: last_-a_-F.txt + - + description: Show a listing of last logins and logouts, but displays the hostname in the last column. + supported_os: [solaris] + collector: command + command: last -a + output_file: last_-a.txt diff --git a/artifacts/live_response/system/lastb.yaml b/artifacts/live_response/system/lastb.yaml new file mode 100644 index 00000000..f782cb05 --- /dev/null +++ b/artifacts/live_response/system/lastb.yaml 
@@ -0,0 +1,21 @@ +version: 1.0 +artifacts: + - + description: Show a listing of last unsuccessful logins. + supported_os: [linux] + collector: command + command: lastb + output_file: lastb.txt + - + description: Show a listing of last unsuccessful logins, but displays the host's IP number instead of the name. + supported_os: [linux] + collector: command + command: lastb -i + output_file: lastb_-i.txt + - + description: Show a listing of last unsuccessful logins, but display the hostname in the last column and print full times and dates. + supported_os: [linux] + collector: command + command: lastb -a -F + output_file: lastb_-a_-F.txt + \ No newline at end of file diff --git a/artifacts/live_response/system/loginctl.yaml b/artifacts/live_response/system/loginctl.yaml new file mode 100644 index 00000000..bae82f41 --- /dev/null +++ b/artifacts/live_response/system/loginctl.yaml @@ -0,0 +1,8 @@ +version: 1.0 +artifacts: + - + description: Show terse runtime status information about one or more logged in users, followed by the most recent log data from the journal. + supported_os: [linux] + collector: command + command: loginctl user-status + output_file: loginctl_user-status.txt diff --git a/artifacts/live_response/system/suid_sgid.yaml b/artifacts/live_response/system/sgid.yaml similarity index 50% rename from artifacts/live_response/system/suid_sgid.yaml rename to artifacts/live_response/system/sgid.yaml index 35fc9748..a328bb6a 100644 --- a/artifacts/live_response/system/suid_sgid.yaml +++ b/artifacts/live_response/system/sgid.yaml @@ -1,20 +1,10 @@ version: 1.0 artifacts: - - - description: Search for files that have SUID bit set. - supported_os: [all] - collector: find - path: /* - exclude_file_system: [proc, procfs] - file_type: f - max_depth: 5 - permissions: -4000 - output_file: suid.txt - description: Search for files that have SGID bit set. supported_os: [all] collector: find - path: /* + path: / exclude_file_system: [proc, procfs] file_type: f max_depth: 5 
diff --git a/artifacts/live_response/system/socket_files.yaml b/artifacts/live_response/system/socket_files.yaml
new file mode 100644
index 00000000..784a681c
--- /dev/null
+++ b/artifacts/live_response/system/socket_files.yaml
@@ -0,0 +1,11 @@
+version: 1.0
+artifacts:
+ -
+ description: List all socket files.
+ supported_os: [all]
+ collector: find
+ path: /
+ file_type: s
+ exclude_file_system: [proc, procfs]
+ output_file: socket_files.txt
+
\ No newline at end of file
diff --git a/artifacts/live_response/system/suid.yaml b/artifacts/live_response/system/suid.yaml
new file mode 100644
index 00000000..8cfa3831
--- /dev/null
+++ b/artifacts/live_response/system/suid.yaml
@@ -0,0 +1,13 @@
+version: 1.0
+artifacts:
+ -
+ description: Search for files that have SUID bit set.
+ supported_os: [all]
+ collector: find
+ path: /
+ exclude_file_system: [proc, procfs]
+ file_type: f
+ max_depth: 5
+ permissions: -4000
+ output_file: suid.txt
+
\ No newline at end of file
diff --git a/artifacts/live_response/system/sys_modules.yaml b/artifacts/live_response/system/sys_modules.yaml
new file mode 100644
index 00000000..7955a696
--- /dev/null
+++ b/artifacts/live_response/system/sys_modules.yaml
@@ -0,0 +1,15 @@
+version: 1.0
+artifacts:
+ -
+ description: List loaded kernel modules.
+ supported_os: [linux]
+ collector: command
+ command: ls -l -a /sys/module
+ output_file: ls_-l_-a_sys_module.txt
+ -
+ description: List loaded kernel modules.
+ supported_os: [linux]
+ collector: command
+ command: ls -l -a -R /sys/module
+ output_file: ls_-l_-a_-R_sys_module.txt
+
\ No newline at end of file
diff --git a/artifacts/live_response/system/tmutil.yaml b/artifacts/live_response/system/tmutil.yaml
new file mode 100644
index 00000000..4fd900a1
--- /dev/null
+++ b/artifacts/live_response/system/tmutil.yaml
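Review bot: The two entries in sys_modules.yaml carry the identical description `List loaded kernel modules.` although only the second one recurses, so the artifact list gives no way to tell the two output files apart; the second should read something like `description: Recursively list /sys/module, including each module's parameters and sections.`. `/sys/module` also has entries for built-in modules that expose parameters, so "loaded" overstates what a plain `ls` of that directory shows compared with lsmod, and saying so in the description saves the analyst reconciling the two views. suid.yaml keeps `max_depth: 5`, which means a setuid binary deeper than five levels (common under /opt or /usr/local/lib) is not reported; if the depth cap is a runtime trade-off it is worth stating in the description.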
@@ -0,0 +1,27 @@ +version: 1.0 +artifacts: + - + description: Print paths for all of this computer's completed snapshots. + supported_os: [macos] + collector: command + command: tmutil listbackups + output_file: tmutil_listbackups.txt + - + description: Print the path to the current machine directory for this computer. + supported_os: [macos] + collector: command + command: tmutil machinedirectory + output_file: tmutil_machinedirectory.txt + - + description: List local Time Machine snapshots of the specified volume. + supported_os: [macos] + collector: command + command: tmutil listlocalsnapshots %mount_point% + output_file: tmutil_listlocalsnapshots.txt + - + description: List the creation dates of all local Time Machine snapshots. + supported_os: [macos] + collector: command + command: tmutil listlocalsnapshotdates %mount_point% + output_file: tmutil_listlocalsnapshotdates.txt + \ No newline at end of file diff --git a/artifacts/live_response/system/who.yaml b/artifacts/live_response/system/who.yaml index 8cfe64b5..da508c13 100644 --- a/artifacts/live_response/system/who.yaml +++ b/artifacts/live_response/system/who.yaml @@ -1,4 +1,4 @@ -version: 1.0 +version: 2.0 artifacts: - description: Display the current run-level of the process. @@ -6,4 +6,16 @@ artifacts: collector: command command: who -r output_file: who_-r.txt + - + description: Show failed login attempts. + supported_os: [aix] + collector: command + command: who %mount_point%/etc/security/failedlogin + output_file: who_etc_security_failedlogin.txt + - + description: Show who is logged on. + supported_os: [all] + collector: command + command: who + output_file: who.txt \ No newline at end of file diff --git a/artifacts/live_response/system/world_writable_directories.yaml b/artifacts/live_response/system/world_writable_directories.yaml new file mode 100644 index 00000000..4e288ce9 --- /dev/null +++ b/artifacts/live_response/system/world_writable_directories.yaml 
@@ -0,0 +1,12 @@ +version: 1.0 +artifacts: + - + description: List all world writable directories. + supported_os: [all] + collector: find + path: / + file_type: d + permissions: 777 + exclude_file_system: [proc, procfs] + output_file: world_writable_directories.txt + \ No newline at end of file diff --git a/artifacts/live_response/system/world_writable_files.yaml b/artifacts/live_response/system/world_writable_files.yaml new file mode 100644 index 00000000..bf703339 --- /dev/null +++ b/artifacts/live_response/system/world_writable_files.yaml @@ -0,0 +1,12 @@ +version: 1.0 +artifacts: + - + description: List all world writable files. + supported_os: [all] + collector: find + path: / + file_type: f + permissions: 777 + exclude_file_system: [proc, procfs] + output_file: world_writable_files.txt + \ No newline at end of file diff --git a/config/uac.conf b/config/uac.conf index c6105b17..f1a8b7ee 100644 --- a/config/uac.conf +++ b/config/uac.conf @@ -8,7 +8,7 @@ # Example: ["/etc", "/usr/*/local", "*/log"] exclude_path_pattern: [] -# Directory/path patterns that will be excluded from 'find', 'stat', 'hash' and +# File name patterns that will be excluded from 'find', 'stat', 'hash' and # 'file' collectors. # As 'find' tool is used to search for files and directories, the file name # patterns below need to be compatible with '-name' option. Please check @@ -22,7 +22,7 @@ exclude_name_pattern: [] # to the exclusion list automatically. # The file system types which are supported depend on the target computer's # running kernel. -exclude_file_system: [9p, afs, autofs, cifs, davfs, devfs, devpts, devtmpfs, fuse, kernfs, nfs, nfs4, rpc_pipefs, smbfs, sysfs] +exclude_file_system: [9p, afs, autofs, cifs, davfs, fuse, kernfs, nfs, nfs4, rpc_pipefs, smbfs, sysfs] # hash algorithms # Accepted values: md5, sha1 and sha256 
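Review bot: `permissions: 777` in world_writable_directories.yaml and world_writable_files.yaml is an exact-mode match for `find -perm`, so only objects whose mode is exactly 0777 are reported: a world-writable file at 0666 or a sticky directory at 1777 (the usual /tmp) is missed, which defeats the "all world writable" description. suid.yaml in this same commit already uses the any-of-these-bits form (`permissions: -4000`), so `permissions: -002` in both files reports everything with the other-write bit set, assuming the find.pl fallback accepts `-perm -mode` the way it must for the suid artifact. If exact 0777 is really the intent, the description should say so.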
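Review bot: Dropping `devfs`, `devpts` and `devtmpfs` from the default `exclude_file_system` list in config/uac.conf means every collector that walks `/` now enters /dev; `find` artifacts restricted with `file_type: f` are unaffected, but any artifact that copies or hashes by path glob can open character devices such as /dev/zero or /dev/random, which never return EOF, and the collection would hang there. If the change is meant to let socket_files.yaml see sockets under /dev, the comment above the list should say that, and it is worth confirming that the `hash` and `file` collectors limit themselves to regular files before relying on it.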
@@ -33,7 +33,7 @@ hash_algorithm: [md5, sha1] # collection based on the file/directory last accessed, last modified and last # status changed dates. # Example 1: -# to collect only files which data was last modified OR status last +# to collect only files in which data was last modified OR status last # changed within the given date range, please set enable_find_mtime and # enable_find_ctime to true and enable_find_atime to false. # Example 2: diff --git a/lib/check_available_system_tools.sh b/lib/check_available_system_tools.sh index 7da17f35..70a11ebd 100644 --- a/lib/check_available_system_tools.sh +++ b/lib/check_available_system_tools.sh @@ -60,6 +60,7 @@ check_available_system_tools() FIND_PATH_SUPPORT=false FIND_PERM_SUPPORT=false FIND_SIZE_SUPPORT=false + FIND_TYPE_SUPPORT=false GZIP_TOOL_AVAILABLE=false MD5_HASHING_TOOL="" PERL_TOOL_AVAILABLE=false @@ -172,8 +173,7 @@ check_available_system_tools() fi # check which options are supported by the find tool - if eval "find \"${UAC_DIR}\" \\( -name \"uac\" -o -name \"uac\" \\) -type f \ - -print"; then + if eval "find \"${UAC_DIR}\" \\( -name \"uac.conf\" -o -name \"uac.conf\" \\) -print"; then FIND_OPERATORS_SUPPORT=true fi @@ -193,6 +193,10 @@ check_available_system_tools() FIND_PERM_SUPPORT=true fi + if eval "find \"${UAC_DIR}/uac\" -type f -print"; then + FIND_TYPE_SUPPORT=true + fi + if eval "find \"${UAC_DIR}/uac\" -atime +1 -print"; then FIND_ATIME_SUPPORT=true fi diff --git a/lib/file_collector.sh b/lib/file_collector.sh index 6181df02..11e5d423 100644 --- a/lib/file_collector.sh +++ b/lib/file_collector.sh @@ -43,7 +43,8 @@ # $11: max file size (optional) # $12: permissions (optional) # $13: ignore date range (optional) (default: false) -# $14: output file +# $14: root output directory +# $15: output file # Exit Status: # Exit with status 0 on success. # Exit with status greater than 0 if errors occur. 
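Review bot: The operator probe now runs `find "${UAC_DIR}" \( -name "uac.conf" -o -name "uac.conf" \) -print` over the whole UAC tree (artifacts and tools included), whereas the other probes in this function, including the new `FIND_TYPE_SUPPORT` one, target the single file `"${UAC_DIR}/uac"`; pointing it at the directory that holds the file keeps the probe cheap, e.g. `if eval "find \"${UAC_DIR}/config\" \\( -name \"uac.conf\" -o -name \"uac.conf\" \\) -print"; then`. This assumes uac.conf lives under `${UAC_DIR}/config`, which the `config/uac.conf` path touched elsewhere in this diff suggests. The enclosing function check_available_system_tools starts and ends outside these hunks.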
@@ -79,6 +80,8 @@ file_collector() shift fl_ignore_date_range="${1:-false}" shift + fl_root_output_directory="${1:-}" + shift fl_output_file="${1:-}" # return if path is empty @@ -87,6 +90,13 @@ file_collector() return 22 fi + # return if root output directory is empty + if [ -z "${fl_root_output_directory}" ]; then + printf %b "file_collector: missing required argument: \ +'root_output_directory'\n" >&2 + return 22 + fi + # return if output file is empty if [ -z "${fl_output_file}" ]; then printf %b "file_collector: missing required argument: 'output_file'\n" >&2 @@ -96,7 +106,7 @@ file_collector() # prepend TEMP_DATA_DIR to path if it does not start with / # (which means local file) if echo "${fl_path}" | grep -q -v -E "^/"; then - fl_path=`sanitize_path "${TEMP_DATA_DIR}/${fl_path}"` + fl_path=`sanitize_path "${TEMP_DATA_DIR}/${fl_root_output_directory}/${fl_path}"` fi # return if is file list and file list does not exist diff --git a/lib/find_wrapper.sh b/lib/find_wrapper.sh index 8d01c14d..64f195bb 100644 --- a/lib/find_wrapper.sh +++ b/lib/find_wrapper.sh @@ -193,8 +193,14 @@ find_wrapper() fi # build -type parameter + # -type parameter will be added even if 'find' does not support it if [ -n "${fw_file_type}" ]; then fw_find_type_param="-type ${fw_file_type}" + if ${FIND_TYPE_SUPPORT}; then + true + elif ${PERL_TOOL_AVAILABLE}; then + fw_find_tool="perl \"${UAC_DIR}/tools/find.pl/find.pl\"" + fi fi # build -size parameter @@ -216,11 +222,12 @@ find_wrapper() fi # build -perm parameter + # -perm parameter will be added even if 'find' does not support it if [ -n "${fw_permissions}" ]; then + fw_find_perm_param="-perm ${fw_permissions}" if ${FIND_PERM_SUPPORT}; then - fw_find_perm_param="-perm ${fw_permissions}" + true elif ${PERL_TOOL_AVAILABLE}; then - fw_find_perm_param="-perm ${fw_permissions}" fw_find_tool="perl \"${UAC_DIR}/tools/find.pl/find.pl\"" fi fi diff --git a/lib/list_artifacts.sh b/lib/list_artifacts.sh index 111c4ec8..fa4a5b2c 100644 
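Review bot: Inserting `$14: root output directory` ahead of the existing last positional argument means a caller that still passes 14 arguments is accepted silently: its output file name is consumed as `fl_root_output_directory` and the call then fails on the `'output_file'` check with a message pointing at the wrong argument. The two call sites in lib/parse_artifacts_file.sh are updated in this commit, but since the shell cannot enforce arity a line in the header block is cheap insurance, e.g. `# NOTE: $14 (root output directory) is required; callers passing 14 arguments fail on 'output_file'.`. file_collector's body starts and ends outside these hunks.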
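Review bot: When neither `FIND_TYPE_SUPPORT` nor `PERL_TOOL_AVAILABLE` is true the new comment says `-type` is still added, so `find` presumably rejects the predicate, the artifact silently yields nothing, and the only trace is in the stderr log; the `-perm` hunk below has the same gap. A log line in the fall-through makes it visible in the collection log, e.g. `else log_message INFO "'find -type' not supported and no perl available: type filter '${fw_file_type}' passed to find anyway"`, assuming log_message is usable from this library (uac calls it at top level). The `if ${FIND_TYPE_SUPPORT}; then true elif ${PERL_TOOL_AVAILABLE}; then` shape reads more directly as `if ! ${FIND_TYPE_SUPPORT} && ${PERL_TOOL_AVAILABLE}; then` with identical behaviour. find_wrapper's body starts and ends outside the hunks.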
--- a/lib/list_artifacts.sh +++ b/lib/list_artifacts.sh @@ -32,7 +32,7 @@ list_artifacts() printf %b "Artifacts\n" printf %b "--------------------------------------------------------------------------------\n" - find "${UAC_DIR}"/artifacts/* -name "*.yaml" -type f -print \ + find "${UAC_DIR}"/artifacts/* -name "*.yaml" -print \ | sed -e "s:^${UAC_DIR}/artifacts/::g" 2>/dev/null } \ No newline at end of file diff --git a/lib/parse_artifact_list.sh b/lib/parse_artifact_list.sh new file mode 100644 index 00000000..3fa0b79e --- /dev/null +++ b/lib/parse_artifact_list.sh 
@@ -0,0 +1,65 @@
+# Copyright (C) 2020 IBM Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the “License”);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an “AS IS” BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# shellcheck disable=SC2001,SC2006
+
+###############################################################################
+# Parse artifact list.
+# Globals:
+# TEMP_DATA_DIR
+# UAC_DIR
+# Requires:
+# None
+# Arguments:
+# $1: comma separated list of artifacts
+# Outputs:
+# None
+# Exit Status:
+# Exit with status 0 on success.
+# Exit with status greater than 0 if errors occur.
+###############################################################################
+parse_artifact_list()
+{
+ pr_artifact_list="${1:-}"
+
+ OIFS="${IFS}"
+ IFS=","
+ for pr_artifact in ${pr_artifact_list}; do
+ if eval "echo \"${pr_artifact}\" | grep -q -E \"^!\""; then
+ pr_artifact=`echo "${pr_artifact}" | sed -e 's:^!::'`
+ # shellcheck disable=SC2086
+ find "${UAC_DIR}"/artifacts/${pr_artifact} -name "*.yaml" -print \
+ | sed -e "s:${UAC_DIR}/artifacts/::g" \
+ >>"${TEMP_DATA_DIR}/.artifacts.exclude.tmp"
+
+ # remove common lines between include and exclude
+ awk 'NR==FNR {a[$0]=1; next} !a[$0]' \
+ "${TEMP_DATA_DIR}/.artifacts.exclude.tmp" \
+ "${TEMP_DATA_DIR}/.artifacts.include.tmp" \
+ >"${TEMP_DATA_DIR}/.artifacts.diff.tmp"
+ cp "${TEMP_DATA_DIR}/.artifacts.diff.tmp" "${TEMP_DATA_DIR}/.artifacts.include.tmp"
+
+ else
+ # shellcheck disable=SC2086
+ find "${UAC_DIR}"/artifacts/${pr_artifact} -name "*.yaml" -print \
+ | sed -e "s:${UAC_DIR}/artifacts/::g" \
+ >>"${TEMP_DATA_DIR}/.artifacts.include.tmp"
+ fi
+ done
+ IFS="${OIFS}"
+
+ # remove duplicates
+ awk '!a[$0]++' <"${TEMP_DATA_DIR}/.artifacts.include.tmp"
+
+}
\ No newline at end of file
diff --git a/lib/parse_artifacts_file.sh b/lib/parse_artifacts_file.sh
index 6b6f8b8a..d10c4ba0 100644
--- a/lib/parse_artifacts_file.sh
+++ b/lib/parse_artifacts_file.sh
@@ -294,6 +294,7 @@ sequence of mappings\n" >&2
 "${pa_max_file_size}" \
 "${pa_permissions}" \
 "${pa_ignore_date_range}" \
+ "${pa_root_output_directory}" \
 ".files.tmp"
 elif [ "${pa_collector}" = "find" ]; then
 find_collector \
@@ -376,6 +377,7 @@ sequence of mappings\n" >&2
 "${pa_max_file_size}" \
 "${pa_permissions}" \
 "${pa_ignore_date_range}" \
+ "${pa_root_output_directory}" \
 ".files.tmp"
 elif [ "${pa_collector}" = "find" ]; then
 find_collector \
diff --git a/lib/parse_profile_file.sh b/lib/parse_profile_file.sh
deleted file mode 100644
index 8b559511..00000000
--- a/lib/parse_profile_file.sh
+++ /dev/null
@@ -1,87 +0,0 @@ -# Copyright (C) 2020 IBM Corporation -# -# Licensed under the Apache License, Version 2.0 (the “License”); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an “AS IS” BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -############################################################################### -# Parse profile file. -# Globals: -# TEMP_DATA_DIR -# UAC_DIR -# Requires: -# None -# Arguments: -# $1: profile file -# Outputs: -# None -# Exit Status: -# Exit with status 0 on success. -# Exit with status greater than 0 if errors occur. -############################################################################### -parse_profile_file() -{ - pp_profile_file="${1:-}" - - # return if profile file does not exist - if [ ! -f "${pp_profile_file}" ]; then - printf %b "parse_profile_file: no such file or directory: \ -'${pp_profile_file}'\n" >&2 - return 2 - fi - - # remove lines starting with # (comments) - # remove inline comments - # remove blank lines - # grep lines starting with " - !" - # remove " - !" from the beginning of the line - # remove duplicates - # shellcheck disable=SC2162 - sed -e 's/#.*$//g' -e '/^ *$/d' -e '/^$/d' <"${pp_profile_file}" 2>/dev/null \ - | grep -E " +- +!" 
\ - | sed -e 's: *- *!::g' 2>/dev/null \ - | while read pp_line || [ -n "${pp_line}" ]; do - # shellcheck disable=SC2086 - find "${UAC_DIR}"/artifacts/${pp_line} -type f -print \ - | sed -e "s:${UAC_DIR}/artifacts/::g" 2>/dev/null - done \ - | awk '!a[$0]++' 2>/dev/null \ - >"${TEMP_DATA_DIR}/.artifacts.exclude.tmp" - - # remove lines starting with # (comments) - # remove inline comments - # remove blank lines - # grep lines starting with " - " - # remove " - " from the beginning of the line - # remove duplicates - # shellcheck disable=SC2162 - sed -e 's/#.*$//g' -e '/^ *$/d' -e '/^$/d' <"${pp_profile_file}" 2>/dev/null \ - | grep -E " +- +[^!]" \ - | sed -e 's: *- *::g' 2>/dev/null \ - | while read pp_line || [ -n "${pp_line}" ]; do - # shellcheck disable=SC2086 - find "${UAC_DIR}"/artifacts/${pp_line} -type f -print \ - | sed -e "s:^${UAC_DIR}/artifacts/::g" 2>/dev/null - done \ - | awk '!a[$0]++' 2>/dev/null \ - >"${TEMP_DATA_DIR}/.artifacts.include.tmp" - - # remove common lines between include and exclude - if [ -s "${TEMP_DATA_DIR}/.artifacts.exclude.tmp" ]; then - awk 'NR==FNR {a[$0]=1; next} !a[$0]' \ - "${TEMP_DATA_DIR}/.artifacts.exclude.tmp" \ - "${TEMP_DATA_DIR}/.artifacts.include.tmp" \ - >"${TEMP_DATA_DIR}/.artifacts.tmp" - else - mv "${TEMP_DATA_DIR}/.artifacts.include.tmp" "${TEMP_DATA_DIR}/.artifacts.tmp" - fi - -} \ No newline at end of file diff --git a/lib/profile_file_to_artifact_list.sh b/lib/profile_file_to_artifact_list.sh new file mode 100644 index 00000000..e871c3d8 --- /dev/null +++ b/lib/profile_file_to_artifact_list.sh 
@@ -0,0 +1,46 @@
+# Copyright (C) 2020 IBM Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the “License”);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an “AS IS” BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+###############################################################################
+# Create a comma separated list of artifacts based on a profile file.
+# Globals:
+# None
+# Requires:
+# None
+# Arguments:
+# $1: profile file
+# Outputs:
+# Comma separated list of artifacts.
+# Exit Status:
+# Exit with status 0 on success.
+# Exit with status greater than 0 if errors occur.
+###############################################################################
+profile_file_to_artifact_list()
+{
+ pl_profile_file="${1:-}"
+
+ # remove lines starting with # (comments)
+ # remove inline comments
+ # remove blank lines
+ # grep lines starting with " - "
+ # remove " - " from the beginning of the line
+ # shellcheck disable=SC2162
+ sed -e 's/#.*$//g' -e '/^ *$/d' -e '/^$/d' <"${pl_profile_file}" 2>/dev/null \
+ | grep -E " +- +" \
+ | sed -e 's: *- *::g' 2>/dev/null \
+ | while read pl_line || [ -n "${pl_line}" ]; do
+ printf %b "${pl_line},"
+ done
+
+}
\ No newline at end of file
diff --git a/lib/sftp_transfer.sh b/lib/sftp_transfer.sh
index 63cfc818..3829b14a 100644
--- a/lib/sftp_transfer.sh
+++ b/lib/sftp_transfer.sh
@@ -19,7 +19,7 @@
 # Requires:
 # None
 # Arguments:
-# $1: source file
+# $1: source file or directory
 # $2: remote destination
 # $3: remote port (default: 22)
 # $4: identity file
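Review bot: profile_file_to_artifact_list documents `Exit with status greater than 0 if errors occur` but has no failure path: the `sed` reads `${pl_profile_file}` with stderr discarded and the pipeline's status is that of the final `while`, so a missing or unreadable file produces an empty list and status 0, whereas the deleted parse_profile_file returned 2 after an `[ ! -f ... ]` check with a message on stderr. Either restore that guard at the top of the function or correct the header to say the function does not fail; the caller in `uac` runs validate_profile_file first, so the guard is defence in depth rather than the primary check. `printf %b "${pl_line},"` also interprets backslash escapes in artifact names, which `printf '%s,' "${pl_line}"` avoids; and the `g` flag on `sed -e 's: *- *::g'` strips a ` - ` occurring anywhere in the entry, not only the leading list marker the comment describes.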
@@ -37,7 +37,8 @@ sftp_transfer() sr_identity_file="${4:-}" if [ -n "${sr_identity_file}" ]; then - sftp -P "${sr_port}" \ + sftp -r \ + -P "${sr_port}" \ -o StrictHostKeyChecking=no \ -o UserKnownHostsFile=/dev/null \ -i "${sr_identity_file}" \ @@ -45,7 +46,8 @@ sftp_transfer() mput "${sr_source}" EOF else - sftp -P "${sr_port}" \ + sftp -r \ + -P "${sr_port}" \ -o StrictHostKeyChecking=no \ -o UserKnownHostsFile=/dev/null \ "${sr_destination}" >/dev/null << EOF diff --git a/lib/usage.sh b/lib/usage.sh index 0612de2f..a2aa3e1e 100644 --- a/lib/usage.sh +++ b/lib/usage.sh @@ -80,10 +80,10 @@ Collection Arguments: Filter Arguments: --date-range-start YYYY-MM-DD Only collects files that were last modified/accessed/changed - after given date. + after the given date. --date-range-end YYYY-MM-DD Only collects files that were last modified/accessed/changed - before given date. + before the given date. Informational Arguments: --case-number CASE_NUMBER @@ -107,9 +107,9 @@ Remote Transfer Arguments: File from which the identity (private key) for public key authentication is read. --s3-presigned-url URL - Transfer output file to AWS S3 using a presigned URL. + Transfer output file to AWS S3 using a pre-signed URL. --s3-presigned-url-log-file URL - Transfer log file to AWS S3 using a presigned URL. + Transfer log file to AWS S3 using a pre-signed URL. --delete-local-on-successful-transfer Delete local output and log files on successful transfer. diff --git a/lib/validate_profile_file.sh b/lib/validate_profile_file.sh index 3068ef48..ba2726d1 100644 --- a/lib/validate_profile_file.sh +++ b/lib/validate_profile_file.sh @@ -107,7 +107,7 @@ entry.\n" >&2 # shellcheck disable=SC2086 find "${UAC_DIR}"/artifacts/${vp_artifact_file} -name "*.yaml" \ - -type f -print >/dev/null 2>/dev/null + -print >/dev/null 2>/dev/null # shellcheck disable=SC2181 if [ "$?" -gt 0 ]; then printf %b "uac: profile file: no such \ 
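Review bot: Both sftp invocations keep `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` while this commit extends them with `-r` to upload whole directories, so the evidence the tool exists to collect is now transferred in bulk with host-key verification disabled, and its integrity and confidentiality in transit rest entirely on the network path; presumably this was chosen so a freshly prepared collection host works without a known_hosts entry. Consider leaving `UserKnownHostsFile` at its default so an operator who pre-provisions the destination's host key gets verification for free, and in any case the header comment should state that the current options intentionally skip host-key checks so the trade-off is visible to whoever deploys this. sftp_transfer's body starts and ends outside these hunks.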
diff --git a/profiles/full-with-memory-dump.yaml b/profiles/full-with-memory-dump.yaml deleted file mode 100644 index 2b86881a..00000000 --- a/profiles/full-with-memory-dump.yaml +++ /dev/null @@ -1,29 +0,0 @@ -name: full-with-memory-dump -description: Full artifacts collection including memory dump (Linux only). -artifacts: - - live_response/process/ps.yaml - - live_response/process/lsof.yaml - - live_response/process/top.yaml - - live_response/process/procfs_information.yaml - - live_response/process/procstat.yaml - - live_response/process/fstat.yaml - - live_response/process/pstat.yaml - - live_response/process/pstree.yaml - - live_response/process/ptree.yaml - - live_response/process/proctree.yaml - - live_response/process/hash_running_processes.yaml - - live_response/process/strings_running_processes.yaml - - live_response/process/* - - live_response/network/* - - live_response/system/* - - bodyfile/bodyfile.yaml - - live_response/hardware/* - - live_response/packages/* - - live_response/storage/* - - live_response/containers/* - - live_response/vms/* - - memory_dump/avml.yaml - - chkrootkit/chkrootkit.yaml - - hash_executables/hash_executables.yaml - - files/* - \ No newline at end of file diff --git a/profiles/ir_triage.yaml b/profiles/ir_triage.yaml index 76f2edcc..c287f921 100644 --- a/profiles/ir_triage.yaml +++ b/profiles/ir_triage.yaml @@ -24,9 +24,6 @@ artifacts: - live_response/vms/* - chkrootkit/chkrootkit.yaml - hash_executables/hash_executables.yaml - - files/logs/* - - files/packages/* - - files/shell/* - - files/ssh/* - - files/system/* - \ No newline at end of file + - files/* + - !files/applications/* + - !files/browsers/* diff --git a/profiles/memory-dump-only.yaml b/profiles/memory-dump-only.yaml deleted file mode 100644 index 0087aaad..00000000 --- a/profiles/memory-dump-only.yaml +++ /dev/null 
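Review bot: In profiles/ir_triage.yaml the new `!files/applications/*` and `!files/browsers/*` entries follow `files/*`, and with the parse_artifact_list.sh hunk in this commit subtracting exclusions at the point they are met, an exclusion listed before the glob it narrows would have no effect; a comment next to these lines, e.g. `# exclusions must come after the globs they narrow`, records that ordering constraint for the next person editing the profile. The same caveat applies to `uac -a` lists, which go through the same function.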
@@ -1,5 +0,0 @@ -name: memory-dump-only -description: Collects memory dump from Linux systems. -artifacts: - - memory_dump/avml.yaml - \ No newline at end of file diff --git a/tools/avml/bin/linux/x86_64/avml b/tools/avml/bin/linux/x86_64/avml index b2e535a2..fbdf77b5 100755 Binary files a/tools/avml/bin/linux/x86_64/avml and b/tools/avml/bin/linux/x86_64/avml differ diff --git a/uac b/uac index ecdbeba9..761ae49a 100755 --- a/uac +++ b/uac @@ -33,6 +33,13 @@ export _POSIX2_VERSION # $PWD is not set in solaris 10 UAC_DIR=`pwd` +# check if UAC is being executed from untarred directory +if [ ! -d "${UAC_DIR}/lib" ] || [ ! -d "${UAC_DIR}/artifacts" ]; then + printf %b "uac: required files not found. Make sure you are executing uac \ +from untarred directory.\n" >&2 + exit 1 +fi + # set path PATH="/usr/xpg4/bin:/usr/xpg6/bin:/bin:/sbin:/usr/bin:/usr/sbin" PATH="${PATH}:/usr/local/bin:/usr/local/sbin:/usr/ucb:/usr/ccs/bin:/opt/bin" @@ -67,8 +74,9 @@ export PATH . "${UAC_DIR}/lib/load_config_file.sh" . "${UAC_DIR}/lib/log_message.sh" . "${UAC_DIR}/lib/lrstrip.sh" +. "${UAC_DIR}/lib/parse_artifact_list.sh" . "${UAC_DIR}/lib/parse_artifacts_file.sh" -. "${UAC_DIR}/lib/parse_profile_file.sh" +. "${UAC_DIR}/lib/profile_file_to_artifact_list.sh" . "${UAC_DIR}/lib/s3_presigned_url_transfer_test.sh" . "${UAC_DIR}/lib/s3_presigned_url_transfer.sh" . "${UAC_DIR}/lib/sanitize_filename.sh" @@ -83,7 +91,7 @@ export PATH . "${UAC_DIR}/lib/validate_profile_file.sh" # global vars -UAC_VERSION="2.2.0" +UAC_VERSION="2.3.0" MOUNT_POINT="/" OPERATING_SYSTEM="" SYSTEM_ARCH="" 
@@ -147,7 +155,32 @@ while [ "${1:-}" != "" ]; do # profiling arguments "-p"|"--profile") if [ -n "${2}" ]; then + # print available profiles + if [ "${2}" = "list" ]; then + list_profiles + exit 1 + fi ua_profile="${2}" + # get proper profile file based on the profile name + ua_profile_file="" + for ua_file in "${UAC_DIR}"/profiles/*.yaml; do + if grep -q -E "name: +${ua_profile} *$" <"${ua_file}" 2>/dev/null; then + ua_profile_file="${ua_file}" + break + fi + done + # exit if profile not found + if [ -z "${ua_profile_file}" ]; then + printf %b "uac: profile not found '${ua_profile}'\n" + exit 1 + fi + # check if profile file is valid + validate_profile_file "${ua_profile_file}" || exit 1 + + # convert profile file into a comma separated list of artifacts + ua_artifacts_from_profile=`profile_file_to_artifact_list "${ua_profile_file}"` + ua_artifacts="${ua_artifacts},${ua_artifacts_from_profile}" + shift else printf %b "uac: option '${1}' requires an argument.\n\ @@ -157,7 +190,12 @@ Try 'uac --help' for more information.\n" >&2 ;; "-a"|"--artifacts") if [ -n "${2}" ]; then - ua_artifacts="${2}" + # print available artifacts + if [ "${2}" = "list" ]; then + list_artifacts + exit 1 + fi + ua_artifacts="${ua_artifacts},${2}" shift else printf %b "uac: option '${1}' requires an argument.\n\ @@ -182,18 +220,6 @@ Try 'uac --help' for more information.\n" >&2 shift else printf %b "uac: option '${1}' requires an argument.\n\ -Try 'uac --help' for more information.\n" >&2 - exit 1 - fi - ;; - "-o") - if [ -n "${2}" ]; then - OPERATING_SYSTEM="${2}" - printf %b "WARNING: '-o' has been replaced by '-s' option, and will be \ -removed in future releases. Check 'uac --help' for more information.\n" >&2 - shift - else - printf %b "uac: option '${1}' requires an argument.\n\ Try 'uac --help' for more information.\n" >&2 exit 1 fi 
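Review bot: `printf %b "uac: profile not found '${ua_profile}'\n"` in the new profile lookup writes to stdout while every other error message in this hunk and in the `-a` hunk below goes to `>&2`; add `>&2` so scripted callers see it as an error. The lookup also interpolates the user-typed name unescaped into `grep -q -E "name: +${ua_profile} *$"`, so a name containing `.`, `*` or `+` is treated as a regular expression and the loop picks the first file whose `name:` line happens to match. Extracting the name and comparing it as a string avoids that: ``ua_name=`sed -n 's/^name: *\(.*[^ ]\) *$/\1/p' "${ua_file}"` `` followed by `if [ "${ua_name}" = "${ua_profile}" ]; then`, assuming each profile has a single `name:` line as the grep implies.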
@@ -379,72 +405,46 @@ Try 'uac --help' for more information.\n" >&2 shift done -# treat unset variables as an error when substituting -# set -u cannot be set the beginning of the file since it will fail on $@ +# do not allow using undefined variables +# set -u cannot be set at the beginning of the file since it will fail on $@ set -u -# print available profiles -if [ -n "${ua_profile}" ] && [ "${ua_profile}" = "list" ]; then - list_profiles - exit 1 -fi - -# print available artifacts -if [ -n "${ua_artifacts}" ] && [ "${ua_artifacts}" = "list" ]; then - list_artifacts - exit 1 -fi - -# exit if profile and artifacts, or destination dir is empty -if { [ -z "${ua_profile}" ] && [ -z "${ua_artifacts}" ]; } \ - || [ -z "${ua_destination_dir}" ] ; then +# exit if list of artifacts or destination dir is empty +if [ -z "${ua_artifacts}" ] || [ -z "${ua_destination_dir}" ] ; then usage exit 1 fi -# profile name provided -if [ -n "${ua_profile}" ]; then - # get proper profile file based on the profile name - ua_profile_file="" - for ua_file in "${UAC_DIR}"/profiles/*.yaml; do - if grep -q -E "name: +${ua_profile} *$" <"${ua_file}"; then - ua_profile_file="${ua_file}" - break +# replace ,.. by , +# replace /.. by / +# replace consecutive commas by one comma +# remove leading and trailing comma +ua_artifacts=`echo "${ua_artifacts}" \ + | sed -e 's:^,\.\.:,:g' \ + -e 's:/\.\.:/:g' \ + -e 's:,,*:,:g' \ + -e 's:^,::' \ + -e 's:,$::'` +OIFS="${IFS}" +IFS="," +# check if artifacts exist +for ua_artifact_file in ${ua_artifacts}; do + ua_artifact_file=`echo "${ua_artifact_file}" | sed -e 's:^!::g'` + if [ -n "${ua_artifact_file}" ]; then + # shellcheck disable=SC2086 + find "${UAC_DIR}"/artifacts/${ua_artifact_file} -name "*.yaml" \ + -print >/dev/null 2>/dev/null + if [ "$?" 
-gt 0 ]; then + printf %b "uac: artifact file not found \ +'${UAC_DIR}/artifacts/${ua_artifact_file}'\n" >&2 + exit 1 fi - done - - # exit if profile not found - if [ -z "${ua_profile_file}" ]; then - printf %b "uac: profile not found '${ua_profile}'\n" + else + printf %b "uac: artifact not found '${ua_artifact_file}'\n" >&2 exit 1 fi - - # check if profile file is valid - validate_profile_file "${ua_profile_file}" || exit 1 -fi - -# artifacts list provided -if [ -n "${ua_artifacts}" ]; then - OIFS="${IFS}" - IFS="," - for ua_artifact_file in ${ua_artifacts}; do - ua_artifact_file=`echo "${ua_artifact_file}" | sed -e 's:^!::g' -e 's:\.\.::g'` - if [ -n "${ua_artifact_file}" ]; then - # shellcheck disable=SC2086 - find "${UAC_DIR}"/artifacts/${ua_artifact_file} -name "*.yaml" \ - -type f -print >/dev/null 2>/dev/null - if [ "$?" -gt 0 ]; then - printf %b "uac: artifact file not found \ - '${UAC_DIR}/artifacts/${ua_artifact_file}'\n" >&2 - exit 1 - fi - else - printf %b "uac: artifact not found '${ua_artifact_file}'\n" >&2 - exit 1 - fi - done - IFS="${OIFS}" -fi +done +IFS="${OIFS}" # check if destination directory exists if [ ! -d "${ua_destination_dir}" ]; then 
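Review bot: The `..` stripping at the top of the artifact validation is incomplete and contradicts its own comment `# replace ,.. by ,`: `s:^,\.\.:,:g` is anchored to the start of the whole string, so only the first entry is covered, and `s:/\.\.:/:g` only removes `..` that follows a slash, so an entry such as `foo,../bar` in second position reaches `find "${UAC_DIR}"/artifacts/${ua_artifact_file}` unchanged and resolves outside the artifacts directory. The removed code dropped every `..` with `s:\.\.::g`; if that was too aggressive, `-e 's:,\.\.:,:g'` in place of the `^`-anchored expression covers every position, because the list always carries a leading comma at this point (the `-a` and `-p` branches prepend one to `ua_artifacts`, assuming it starts empty). parse_artifact_list is later called with the same string, so it inherits whatever this loop lets through.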
@@ -652,36 +652,27 @@ log_message INFO "Enable find ctime: ${ENABLE_FIND_CTIME}" log_message INFO "Checking available system tools" check_available_system_tools >/dev/null 2>>"${UAC_STDERR_LOG_FILE}" +log_message INFO "'find' opperators support: ${FIND_OPERATORS_SUPPORT}" +log_message INFO "'find -path' support: ${FIND_PATH_SUPPORT}" +log_message INFO "'find -type' support: ${FIND_TYPE_SUPPORT}" +log_message INFO "'find -maxdepth' support: ${FIND_MAXDEPTH_SUPPORT}" +log_message INFO "'find -size' support: ${FIND_SIZE_SUPPORT}" +log_message INFO "'find -perm' support: ${FIND_PERM_SUPPORT}" +log_message INFO "'find -atime' support: ${FIND_ATIME_SUPPORT}" +log_message INFO "'find -mtime' support: ${FIND_MTIME_SUPPORT}" +log_message INFO "'find -ctime' support: ${FIND_CTIME_SUPPORT}" log_message INFO "MD5 hashing tool: ${MD5_HASHING_TOOL}" log_message INFO "SHA1 hashing tool: ${SHA1_HASHING_TOOL}" log_message INFO "SHA256 hashing tool: ${SHA256_HASHING_TOOL}" -log_message INFO "'tar' tool available: ${TAR_TOOL_AVAILABLE}" log_message INFO "'gzip' tool available: ${GZIP_TOOL_AVAILABLE}" +log_message INFO "'perl' tool available: ${PERL_TOOL_AVAILABLE}" +log_message INFO "'tar' tool available: ${TAR_TOOL_AVAILABLE}" log_message INFO "'stat' tool available: ${STAT_TOOL_AVAILABLE}" log_message INFO "'stat' btime support: ${STAT_BTIME_SUPPORT}" log_message INFO "'statx' tool available: ${STATX_TOOL_AVAILABLE}" log_message INFO "PATH: ${PATH}" -# if profile defined, copy it to a temporary profile file -if [ -n "${ua_profile}" ]; then - cp "${ua_profile_file}" "${TEMP_DATA_DIR}/.temp-profile.yaml" \ - >/dev/null 2>/dev/null -fi - -# if artifacts defined, add them to the temporary profile file -if [ -n "${ua_artifacts}" ]; then - OIFS="${IFS}" - IFS="," - for ua_artifact_file in ${ua_artifacts}; do - printf %b " - ${ua_artifact_file}\n" >>"${TEMP_DATA_DIR}/.temp-profile.yaml" - done - IFS="${OIFS}" -fi - -# parse temporary profile file -parse_profile_file 
"${TEMP_DATA_DIR}/.temp-profile.yaml" || exit 1 - # add UAC_DIR abd TEMP_DATA_DIR to GLOBAL_EXCLUDE_PATH_PATTERN if [ -n "${GLOBAL_EXCLUDE_PATH_PATTERN}" ]; then GLOBAL_EXCLUDE_PATH_PATTERN="${GLOBAL_EXCLUDE_PATH_PATTERN},${UAC_DIR},${TEMP_DATA_DIR}" @@ -704,6 +695,11 @@ ua_acq_start_date_epoch=`get_epoch_date 2>>"${UAC_STDERR_LOG_FILE}"` log_message INFO "Artifacts collection started" printf %b "Artifacts collection started...\n" +# parse artifact list +parse_artifact_list "${ua_artifacts}" \ + >"${TEMP_DATA_DIR}/.artifacts.tmp" \ + 2>>"${UAC_STDERR_LOG_FILE}" + ua_progress_current=0 ua_progress_total=`wc -l "${TEMP_DATA_DIR}/.artifacts.tmp" | awk '{print $1}'` 
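Review bot: The new log line `log_message INFO "'find' opperators support: ${FIND_OPERATORS_SUPPORT}"` misspells "operators", and since this string lands in the acquisition log that is packaged with the evidence it is worth fixing to `log_message INFO "'find' operators support: ${FIND_OPERATORS_SUPPORT}"`. The rest of the hunk reorders existing log lines and drops the temporary profile file handling, which the following hunk replaces with a `parse_artifact_list` call.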
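Review bot: The exit status of `parse_artifact_list` is not checked, whereas the `parse_profile_file ... || exit 1` it replaces aborted the run on failure; if the helper (defined outside this hunk) can fail, `.artifacts.tmp` may be empty or partial and collection continues with `ua_progress_total` computed from whatever was written, ending in a "complete" report that is missing artifacts. Appending `|| exit 1` to the redirected call, i.e. `2>>"${UAC_STDERR_LOG_FILE}" || exit 1`, restores the previous behaviour; a `printf` to the operator before exiting would keep the failure from being visible only in the stderr log.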
@@ -743,88 +739,111 @@ Total running time: ${ua_total_running_time} seconds" printf %b "Artifacts collection complete. \ Total running time: ${ua_total_running_time} seconds\n" -if [ -f "${TEMP_DATA_DIR}/.files.tmp" ]; then - if ${ua_temp_data_dir_symlink_support}; then - # create symbolic link to / - ln -s "/" "${TEMP_DATA_DIR}/[root]" 2>>"${UAC_STDERR_LOG_FILE}" - else - # copy files to uac-data.tmp/[root] - printf %b "Copying files to ${TEMP_DATA_DIR}/[root]. Please wait...\n" - copy_data "${TEMP_DATA_DIR}/.files.tmp" "${TEMP_DATA_DIR}/[root]" \ - 2>>"${UAC_STDERR_LOG_FILE}" +# output file/directory name +ua_output_base_name="uac-${ua_hostname}-${OPERATING_SYSTEM}-${ua_current_date_time}" +# output file/directory name +ua_output_name="${ua_output_base_name}" +# acquisition log file name +ua_acquisition_log="${ua_output_base_name}.log" +# output file hash +ua_output_file_hash="-" + +if ${TAR_TOOL_AVAILABLE}; then + + if [ -f "${TEMP_DATA_DIR}/.files.tmp" ]; then + # sort and uniq + sort_uniq_file "${TEMP_DATA_DIR}/.files.tmp" 2>>"${UAC_STDERR_LOG_FILE}" + if ${ua_temp_data_dir_symlink_support}; then + # create symbolic link to / + ln -s "/" "${TEMP_DATA_DIR}/[root]" 2>>"${UAC_STDERR_LOG_FILE}" + else + # copy files to uac-data.tmp/[root] + printf %b "Copying files to ${TEMP_DATA_DIR}/[root]. 
Please wait...\n" + copy_data "${TEMP_DATA_DIR}/.files.tmp" "${TEMP_DATA_DIR}/[root]" \ + 2>>"${UAC_STDERR_LOG_FILE}" + fi + # add [root] string to the beginning of each entry in .files.tmp + # and add them to the list of files to be archived within the output file + sed -e 's:^/:\[root\]/:' "${TEMP_DATA_DIR}/.files.tmp" \ + >>"${TEMP_DATA_DIR}/.output_file.tmp" fi - # add [root] string to the beginning of each entry in .files.tmp - # and add them to the list of files to be archived within the output file - sed -e 's:^/:\[root\]/:' "${TEMP_DATA_DIR}/.files.tmp" \ - >>"${TEMP_DATA_DIR}/.output_file.tmp" -fi - -# add uac.log to the list of files to be archived within the output file -echo "uac.log" >>"${TEMP_DATA_DIR}/.output_file.tmp" -# add uac.log.stderr to the list of files to be archived within the output file -echo "uac.log.stderr" >>"${TEMP_DATA_DIR}/.output_file.tmp" - -# sort and uniq -sort_uniq_file "${TEMP_DATA_DIR}/.output_file.tmp" 2>>"${UAC_STDERR_LOG_FILE}" - -# output file name -ua_output_file="" + # add uac.log to the list of files to be archived within the output file + echo "uac.log" >>"${TEMP_DATA_DIR}/.output_file.tmp" + # add uac.log.stderr to the list of files to be archived within the output file + echo "uac.log.stderr" >>"${TEMP_DATA_DIR}/.output_file.tmp" -if ${TAR_TOOL_AVAILABLE} && ${GZIP_TOOL_AVAILABLE}; then - # archive and compress collected artifacts to output file + # archive (and compress) collected artifacts to output file printf %b "Creating output file. 
Please wait...\n" - ua_output_file="uac-${ua_hostname}-${OPERATING_SYSTEM}-${ua_current_date_time}.tar.gz" - cd "${TEMP_DATA_DIR}" || exit 1 - if archive_compress_data ".output_file.tmp" \ - "${ua_destination_dir}/${ua_output_file}" 2>/dev/null; then - printf %b "Output file created '${ua_destination_dir}/${ua_output_file}'\n" + + if ${GZIP_TOOL_AVAILABLE}; then + ua_output_name="${ua_output_base_name}.tar.gz" + archive_compress_data ".output_file.tmp" \ + "${ua_destination_dir}/${ua_output_name}" 2>/dev/null + else + ua_output_name="${ua_output_base_name}.tar" + archive_data ".output_file.tmp" \ + "${ua_destination_dir}/${ua_output_name}" 2>/dev/null + fi + + if [ -f "${ua_destination_dir}/${ua_output_name}" ]; then + printf %b "Output file created '${ua_destination_dir}/${ua_output_name}'\n" cd "${UAC_DIR}" || exit 1 - rm -rf "${TEMP_DATA_DIR}" >/dev/null 2>/dev/null - if [ -d "${TEMP_DATA_DIR}" ]; then + if ${ua_debug_mode}; then + printf %b "Temporary directory not removed '${TEMP_DATA_DIR}'\n" + else + rm -rf "${TEMP_DATA_DIR}" >/dev/null 2>/dev/null + if [ -d "${TEMP_DATA_DIR}" ]; then printf %b "Cannot remove temporary directory '${TEMP_DATA_DIR}'\n" + fi fi + # hash output file + printf %b "Hashing output file. Please wait...\n" + cd "${ua_destination_dir}" || exit 1 + ua_output_file_hash=`${MD5_HASHING_TOOL} "${ua_output_name}"` + cd "${UAC_DIR}" || exit 1 else printf %b "Cannot create output file\n" printf %b "Please check collected artifacts in '${TEMP_DATA_DIR}'\n" cd "${UAC_DIR}" && exit 1 fi +else + printf %b "'tar' not found. Copying collected artifacts to '${ua_destination_dir}/${ua_output_name}'. 
Please wait...\n" + if [ -f "${TEMP_DATA_DIR}/.files.tmp" ]; then + # sort and uniq + sort_uniq_file "${TEMP_DATA_DIR}/.files.tmp" 2>>"${UAC_STDERR_LOG_FILE}" + copy_data "${TEMP_DATA_DIR}/.files.tmp" "${ua_destination_dir}/${ua_output_name}/[root]" \ + 2>>"${UAC_STDERR_LOG_FILE}" + fi -elif ${TAR_TOOL_AVAILABLE}; then - # archive collected artifacts to output to file - printf %b "Creating output file. Please wait...\n" - ua_output_file="uac-${ua_hostname}-${OPERATING_SYSTEM}-${ua_current_date_time}.tar" + # add uac.log to the list of files to be archived within the output file + echo "uac.log" >>"${TEMP_DATA_DIR}/.output_file.tmp" + # add uac.log.stderr to the list of files to be archived within the output file + echo "uac.log.stderr" >>"${TEMP_DATA_DIR}/.output_file.tmp" cd "${TEMP_DATA_DIR}" || exit 1 - if archive_data ".output_file.tmp" \ - "${ua_destination_dir}/${ua_output_file}" 2>/dev/null; then - printf %b "Output file created '${ua_destination_dir}/${ua_output_file}'\n" + copy_data "${TEMP_DATA_DIR}/.output_file.tmp" "${ua_destination_dir}/${ua_output_name}" \ + 2>>"${UAC_STDERR_LOG_FILE}" + ua_file_count=`find "${ua_destination_dir}/${ua_output_name}" -print | wc -l` + if [ "${ua_file_count}" -gt 2 ]; then + printf %b "Please check collected artifacts in '${ua_destination_dir}/${ua_output_name}'\n" cd "${UAC_DIR}" || exit 1 - rm -rf "${TEMP_DATA_DIR}" >/dev/null 2>/dev/null - if [ -d "${TEMP_DATA_DIR}" ]; then - printf %b "Cannot remove temporary directory '${TEMP_DATA_DIR}'\n" + if ${ua_debug_mode}; then + printf %b "Temporary directory not removed '${TEMP_DATA_DIR}'\n" + else + rm -rf "${TEMP_DATA_DIR}" >/dev/null 2>/dev/null + if [ -d "${TEMP_DATA_DIR}" ]; then + printf %b "Cannot remove temporary directory '${TEMP_DATA_DIR}'\n" + fi fi else - printf %b "Cannot create output file\n" + printf %b "Cannot copy collected artifacts\n" printf %b "Please check collected artifacts in '${TEMP_DATA_DIR}'\n" - cd "${UAC_DIR}" && exit 1 + exit 1 fi fi 
-ua_output_file_hash="" - -# hash output file -if [ -f "${ua_destination_dir}/${ua_output_file}" ]; then - printf %b "Hashing output file. Please wait...\n" - cd "${ua_destination_dir}" || exit 1 - ua_output_file_hash=`${MD5_HASHING_TOOL} "${ua_output_file}"` - cd "${UAC_DIR}" || exit 1 -fi - -# acquisition log file name -ua_acquisition_log="uac-${ua_hostname}-${OPERATING_SYSTEM}-${ua_current_date_time}.log" - # create the acquisition log if create_acquisition_log \ "${ua_case_number}" \ 
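Review bot: Success of the archive step is now decided by `[ -f "${ua_destination_dir}/${ua_output_name}" ]` instead of the exit status of `archive_compress_data`/`archive_data`, so a truncated archive left behind by a failed or interrupted tar (disk full, killed process) is reported as "Output file created" and the following `rm -rf "${TEMP_DATA_DIR}"` deletes the only complete copy of the collected evidence. Capture the archiver's status and require both it and the file; if the status was dropped because tar returns non-zero for files that change during a live read, at least switch the test to `[ -s "${ua_destination_dir}/${ua_output_name}" ]` so an empty archive is not accepted. Separately, the `cd "${TEMP_DATA_DIR}" || exit 1` that preceded the archive call in the old tar/gzip branch has no counterpart in the new tar branch, so the relative `.output_file.tmp` argument depends on the working directory already being the temp dir unless the archive helpers (defined outside this hunk) change directory themselves. The hash written to the acquisition log is still MD5 only even though `SHA256_HASHING_TOOL` is detected and logged above; recording a SHA-256 alongside it would give the evidence package a collision-resistant integrity value.
```shell
  # … unchanged: build .output_file.tmp, "Creating output file" message …
  ua_archive_ok=false
  if ${GZIP_TOOL_AVAILABLE}; then
    ua_output_name="${ua_output_base_name}.tar.gz"
    archive_compress_data ".output_file.tmp" \
      "${ua_destination_dir}/${ua_output_name}" 2>/dev/null && ua_archive_ok=true
  else
    ua_output_name="${ua_output_base_name}.tar"
    archive_data ".output_file.tmp" \
      "${ua_destination_dir}/${ua_output_name}" 2>/dev/null && ua_archive_ok=true
  fi

  # treat the run as successful only when the archiver returned 0 and the
  # output file exists and is non-empty; otherwise keep TEMP_DATA_DIR intact
  if ${ua_archive_ok} && [ -s "${ua_destination_dir}/${ua_output_name}" ]; then
  # … unchanged: success / failure handling …
```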
@@ -844,56 +863,61 @@ else fi # transfer output and log file to remote sftp server -if [ -n "${ua_sftp_destination}" ]; then - printf %b "Transferring output file to remote SFTP server. Please wait...\n" - if sftp_transfer "${ua_destination_dir}/${ua_output_file}" \ - "${ua_sftp_destination}" "${ua_sftp_port}" "${ua_sftp_identity_file}"; then - printf %b "File transferred successfully\n" - # delete output file on success transfer - ${ua_delete_local_on_successful_transfer} \ - && rm -f "${ua_destination_dir}/${ua_output_file}" 2>/dev/null - printf %b "Transferring log file to remote SFTP server. Please wait...\n" - if sftp_transfer "${ua_destination_dir}/${ua_acquisition_log}" \ +if [ -f "${ua_destination_dir}/${ua_output_name}" ] \ + || [ -d "${ua_destination_dir}/${ua_output_name}" ]; then + if [ -n "${ua_sftp_destination}" ]; then + printf %b "Transferring output file to remote SFTP server. Please wait...\n" + if sftp_transfer "${ua_destination_dir}/${ua_output_name}" \ "${ua_sftp_destination}" "${ua_sftp_port}" "${ua_sftp_identity_file}"; then printf %b "File transferred successfully\n" - # delete log file on success transfer + # delete output file on success transfer ${ua_delete_local_on_successful_transfer} \ - && rm -f "${ua_destination_dir}/${ua_acquisition_log}" 2>/dev/null + && rm -f "${ua_destination_dir}/${ua_output_name}" 2>/dev/null + printf %b "Transferring log file to remote SFTP server. 
Please wait...\n" + if sftp_transfer "${ua_destination_dir}/${ua_acquisition_log}" \ + "${ua_sftp_destination}" "${ua_sftp_port}" "${ua_sftp_identity_file}"; then + printf %b "File transferred successfully\n" + # delete log file on success transfer + ${ua_delete_local_on_successful_transfer} \ + && rm -f "${ua_destination_dir}/${ua_acquisition_log}" 2>/dev/null + else + printf %b "Could not transfer log file to remote SFTP server\n" + exit 1 + fi else - printf %b "Could not transfer log file to remote SFTP server\n" + printf %b "Could not transfer output file to remote SFTP server\n" exit 1 fi - else - printf %b "Could not transfer output file to remote SFTP server\n" - exit 1 fi fi # transfer output and log file to s3 presigned url -if [ -n "${ua_s3_presigned_url}" ]; then - printf %b "Transferring output file to S3 presigned URL. Please wait...\n" - if s3_presigned_url_transfer "${ua_destination_dir}/${ua_output_file}" \ - "${ua_s3_presigned_url}"; then - printf %b "File transferred successfully\n" - # delete output file on success transfer - ${ua_delete_local_on_successful_transfer} \ - && rm -f "${ua_destination_dir}/${ua_output_file}" 2>/dev/null - else - printf %b "Could not transfer output file to S3 presigned URL\n" - exit 1 - fi - if [ -n "${ua_s3_presigned_url_log_file}" ]; then - printf %b "Transferring log file to S3 presigned URL. Please wait...\n" - if s3_presigned_url_transfer "${ua_destination_dir}/${ua_acquisition_log}" \ - "${ua_s3_presigned_url_log_file}"; then +if [ -f "${ua_destination_dir}/${ua_output_name}" ]; then + if [ -n "${ua_s3_presigned_url}" ]; then + printf %b "Transferring output file to S3 presigned URL. 
Please wait...\n" + if s3_presigned_url_transfer "${ua_destination_dir}/${ua_output_name}" \ + "${ua_s3_presigned_url}"; then printf %b "File transferred successfully\n" # delete output file on success transfer ${ua_delete_local_on_successful_transfer} \ - && rm -f "${ua_destination_dir}/${ua_acquisition_log}" 2>/dev/null + && rm -f "${ua_destination_dir}/${ua_output_name}" 2>/dev/null else - printf %b "Could not transfer log file to S3 presigned URL\n" + printf %b "Could not transfer output file to S3 presigned URL\n" exit 1 fi + if [ -n "${ua_s3_presigned_url_log_file}" ]; then + printf %b "Transferring log file to S3 presigned URL. Please wait...\n" + if s3_presigned_url_transfer "${ua_destination_dir}/${ua_acquisition_log}" \ + "${ua_s3_presigned_url_log_file}"; then + printf %b "File transferred successfully\n" + # delete output file on success transfer + ${ua_delete_local_on_successful_transfer} \ + && rm -f "${ua_destination_dir}/${ua_acquisition_log}" 2>/dev/null + else + printf %b "Could not transfer log file to S3 presigned URL\n" + exit 1 + fi + fi fi fi
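Review bot: In the SFTP branch the output may now be a directory (the guard accepts `-d "${ua_destination_dir}/${ua_output_name}"`), but the delete-on-success step still runs `rm -f "${ua_destination_dir}/${ua_output_name}" 2>/dev/null`, which cannot remove a directory, so with `ua_delete_local_on_successful_transfer` set the local copy silently stays on the host; use `rm -rf` there, or only offer deletion for the file case. Whether `sftp_transfer` itself handles a directory argument is defined outside this hunk and should be confirmed before widening the guard. The S3 block is guarded by `-f` alone, so with a directory output and `ua_s3_presigned_url` set nothing is transferred and nothing is printed; an `else` branch with `printf %b "Output is a directory, S3 presigned URL transfer skipped\n" >&2` would make the skipped upload visible to the operator.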