Merge pull request #196 from tclahr/release/uac-2.8.0

Release/uac 2.8.0

CHANGELOG.md

@@ -1,22 +1,40 @@
 # Changelog
 
-## 2.7.0 (2023-09-20)
+## 2.8.0 (2024-01-22)
+
+### Features
+
+- --debug option now does not remove the uac-data.tmp directory created in the destination directory. This is the location where temporary and debugging data is stored during execution.
 
 ### Artifacts
 
-- files/applications/findmy.yaml: Added the collection of the list of user's items/devices and items/devices info registered within the Find My application [macos].
-- files/applications/rclone.yaml: Added the collection of rclone application configuration and log files [freebsd, linux, macos, netbsd, openbsd, solaris].
-- files/applications/rustdesk.yaml: Added the collection of RustDesk application access logs and screen recording files [linux, macos].
-- files/applications/splashtop.yaml: Added the collection of Splashtop application artifacts [linux, macos].
-- files/applications/steam.yaml: Added the collection of Steam browser artifacts, avatar pictures, configuration and log files [linux, macos].
-- files/applications/teamviewer.yaml: Added the collection of TeamViewer application artifacts [linux, macos].
-- files/applications/thinlinc.yaml: Added the collection of ThinLinc application configuration files, connections and post-session logs [linux, macos].
-- files/package/installed_applications: Added the collection of Info.plist from installed applications [macos].
-- files/system/netscaler.yaml: Added the collection of '/var/vpn', '/var/netscaler/logon', and '/netscaler/ns_gui' system files and directories [netscaler].
-- files/system/nsconfig.yaml: Deprecated. All artifacts were moved to 'files/system/netscaler.yaml' [netscaler].
-- live_response/storage/mdadm.yaml: Added the collection of information on Linux software RAID [linux].
-- live_response/storage/zpool.yaml: Added the collection of the command history of all pools [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris].
+- files/applications/box_drive.yaml: Renamed to box.yaml.
+- files/applications/box.yaml: Added collection support for Box log files [macos].
+- files/applications/wget.yaml: Added collection support for wget hsts file. This file is used to store the HSTS cache for the wget utility [aix, esxi, freebsd, linux, macos, netbsd, openbsd, solaris] (by [firexfly](https://github.com/firexfly)).
+- files/browsers/brave.yaml: Updated collection support for Flatpak version [linux].
+- files/browsers/chrome.yaml: Updated collection support for Flatpak version [linux].
+- files/browsers/edge.yaml: Updated collection support for Flatpak version [linux].
+- files/browsers/opera.yaml: Updated collection support for Flatpak version [linux].
+- files/browsers/vivaldi.yaml: Updated collection support for Flatpak version [linux].
+- files/packages/pkg_contents.yaml: Added collection support for package table of contents files [openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/system/desktop.yaml: Added collection support for GUI shortcut files (.desktop) of users [freebsd, linux, netbsd, openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/system/etc.yaml: Added "master.passwd" and "spwd.db" to the exclude_name_pattern list as they contain the hashed passwords of local users [freebsd, netbsd, netscaler, openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/system/etc.yaml: Added exclusion for the group shadow files 'gshadow' and 'gshadow-'. Those files contain password hashes for groups [linux] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/system/xsession_errors.yaml: Updated collection support for OpenBSD systems [openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
+- live_response/network/ndp.yaml: Added collection support for kernel's IPv6 network neighbor cache [freebsd, netbsd, openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
+- live_response/network/nft.yaml: Added collection support for complete nftables ruleset [linux] (by [sanderu](https://github.com/sanderu)).
+- live_response/network/ss.yaml: Updated collection support for processes listening on UDP ports/sockets [android, linux].
+- live_response/vms/vmctl.yaml: Added collection support for information about running virtual machines on the OpenBSD using the native virtualization system [openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
+
+### Fixes
+
+- Offline disk image mount point path was part of the file structure in [root] (by [maxspl](https://github.com/maxspl)).
+- Collected data was not being properly archived by tar in AIX systems.
+
+### Profiles
+
+- profiles/offline.yaml: New 'offline' profile that can be used during offline collections (by [randomaccess3](https://github.com/randomaccess3)).
 
 ### Tools
 
-- AVML updated to v0.12.0.
+- statx source code was moved to a dedicated repository at https://github.com/tclahr/statx

LICENSES.md

@@ -0,0 +1,7 @@
+Use of the following Third-Party Software is subject to the license agreements at the URLs listed in the table below.
+
+|Product|Copyright|URL|
+|---|---|---|
+|AVML|Use rights in accordance with the information displayed at: https://github.com/microsoft/avml/blob/main/LICENSE|https://github.com/microsoft/avml|
+|linux_procmemdump.sh|Use rights in accordance with the information displayed at: https://creativecommons.org/licenses/by-sa/4.0||
+|statx|Use rights in accordance with the information displayed at: https://github.com/tclahr/statx/blob/main/LICENSE|https://github.com/tclahr/statx|

README.md

@@ -27,15 +27,15 @@ Project documentation page: [https://tclahr.github.io/uac-docs](https://tclahr.g
 
 ## 🌟 Main Features
 
-- Runs everywhere with no dependencies (no installation required).
+- Run everywhere with no dependencies (no installation required).
 - Customizable and extensible collections and artifacts.
-- Respects the order of volatility during artifacts collection.
-- Collects information from processes running without a binary on disk.
-- Hashes running processes and executable files.
-- Extracts information from files and directories to create a bodyfile (including enhanced file attributes for ext4).
-- Collects user and system configuration files and logs.
-- Collects artifacts from applications.
-- Acquires volatile memory from Linux systems using different methods and tools.
+- Respect the order of volatility during artifact collection.
+- Collect information from processes running without a binary on disk.
+- Hash running processes and executable files.
+- Extract information from files and directories to create a bodyfile (including enhanced file attributes for ext4).
+- Collect user and system configuration files and logs.
+- Collect artifacts from applications.
+- Acquire volatile memory from Linux systems using different methods and tools.
 
 ***
 
@@ -80,7 +80,7 @@ Common usage scenarios may include the following:
 ./uac -a live_response/\*,bodyfile/bodyfile.yaml .
 ```
 
-**Collect all artifacts based on the ```full``` profile, but excludes the ```bodyfile/bodyfile.yaml``` artifact, and create the output file in ```/tmp```.**
+**Collect all artifacts based on the ```full``` profile, but exclude the ```bodyfile/bodyfile.yaml``` artifact, and create the output file in ```/tmp```.**
 
 ```shell
 ./uac -p full -a \!bodyfile/bodyfile.yaml /tmp

artifacts/files/applications/box.yaml

@@ -0,0 +1,26 @@
+version: 2.0
+artifacts:
+  -
+    description: Collect Box configuration and sqlite database files.
+    supported_os: [macos]
+    collector: file
+    path: /Library/"Application Support"/Box/Box/data
+    exclude_nologin_users: true
+  -
+    description: Collect Box configuration and sqlite database files.
+    supported_os: [macos]
+    collector: file
+    path: /%user_home%/Library/"Application Support"/Box/Box/data
+    exclude_nologin_users: true
+  -
+    description: Collect Box log files.
+    supported_os: [macos]
+    collector: file
+    path: /Library/Logs/Box/Box
+  -
+    description: Collect Box log files.
+    supported_os: [macos]
+    collector: file
+    path: /%user_home%/Library/Logs/Box/Box
+    exclude_nologin_users: true
+

artifacts/files/applications/wget.yaml

@@ -0,0 +1,8 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect wget hsts file. This file is used to store the HSTS cache for the wget utility.
+    supported_os: [aix, esxi, freebsd, linux, macos, netbsd, openbsd, solaris]
+    collector: file
+    path: /%user_home%/.wget-hsts
+    exclude_nologin_users: true

artifacts/files/browsers/brave.yaml

@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
 artifacts:
   -
     description: Collect Brave browser files.
@@ -17,6 +17,23 @@ artifacts:
     file_type: d
     ignore_date_range: true
     exclude_nologin_users: true
+  -
+    description: Collect Brave browser files (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.brave.Browser
+    name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"]
+    ignore_date_range: true
+    exclude_nologin_users: true
+  -
+    description: Collect Brave browser directories (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.brave.Browser
+    name_pattern: ["Extensions", "File System", "Sessions"]
+    file_type: d
+    ignore_date_range: true
+    exclude_nologin_users: true
   -
     description: Collect Brave browser files (Snap version).
     supported_os: [linux]

artifacts/files/browsers/chrome.yaml

@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
 artifacts:
   -
     description: Collect Chrome browser files.
@@ -17,6 +17,23 @@ artifacts:
     file_type: d
     ignore_date_range: true
     exclude_nologin_users: true
+  -
+    description: Collect Chrome browser files (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.google.Chrome
+    name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"]
+    ignore_date_range: true
+    exclude_nologin_users: true
+  -
+    description: Collect Chrome browser directories (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.google.Chrome
+    name_pattern: ["Extensions", "File System", "Sessions"]
+    file_type: d
+    ignore_date_range: true
+    exclude_nologin_users: true
   -
     description: Collect Chrome browser files.
     supported_os: [macos]

artifacts/files/browsers/edge.yaml

@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
 artifacts:
   -
     description: Collect Edge browser files.
@@ -17,6 +17,23 @@ artifacts:
     file_type: d
     ignore_date_range: true
     exclude_nologin_users: true
+  -
+    description: Collect Edge browser files (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.microsoft.Edge
+    name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"]
+    ignore_date_range: true
+    exclude_nologin_users: true
+  -
+    description: Collect Edge browser directories (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.microsoft.Edge
+    name_pattern: ["Extensions", "File System", "Sessions"]
+    file_type: d
+    ignore_date_range: true
+    exclude_nologin_users: true
   -
     description: Collect Edge browser files.
     supported_os: [macos]

artifacts/files/browsers/opera.yaml

@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
 artifacts:
   -
     description: Collect Opera browser files.
@@ -17,6 +17,23 @@ artifacts:
     file_type: d
     ignore_date_range: true
     exclude_nologin_users: true
+  -
+    description: Collect Opera browser files (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.opera.Opera
+    name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"]
+    ignore_date_range: true
+    exclude_nologin_users: true
+  -
+    description: Collect Opera browser directories (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.opera.Opera
+    name_pattern: ["Extensions", "File System", "Sessions"]
+    file_type: d
+    ignore_date_range: true
+    exclude_nologin_users: true
   -
     description: Collect Opera browser files (Snap version).
     supported_os: [linux]

artifacts/files/browsers/vivaldi.yaml

@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
 artifacts:
   -
     description: Collect Vivaldi browser files.
@@ -17,6 +17,23 @@ artifacts:
     file_type: d
     ignore_date_range: true
     exclude_nologin_users: true
+  -
+    description: Collect Vivaldi browser files (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.vivaldi.Vivaldi
+    name_pattern: ["Bookmarks*", "Cookies*", "DownloadMetadata", "Extension Cookies*", "Favicons*", "History*", "Login Data*", "Media History*", "Network Action Predictor*", "Network Persistent State", "Preferences", "QuotaManager*", "Reporting and NEL*", "SecurePreferences", "Shortcuts*", "SyncData.sqlite3", "Top Sites*", "Trust Tokens*", "Visited Links", "Web Data*"]
+    ignore_date_range: true
+    exclude_nologin_users: true
+  -
+    description: Collect Vivaldi browser directories (Flatpak version).
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.var/app/com.vivaldi.Vivaldi
+    name_pattern: ["Extensions", "File System", "Sessions"]
+    file_type: d
+    ignore_date_range: true
+    exclude_nologin_users: true
   -
     description: Collect Vivaldi browser files.
     supported_os: [macos]

artifacts/files/logs/apache.yaml

@@ -0,0 +1,27 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect Apache logs.
+    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    collector: file
+    path: /var/log
+    name_pattern: ["access_log*", "access.log*", "error_log*", "error.log*"]
+    max_file_size: 1073741824 # 1GB
+  -
+    description: Collect Apache logs.
+    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    collector: file
+    path: /var/log/apache
+    max_file_size: 1073741824 # 1GB
+  -
+    description: Collect Apache logs.
+    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    collector: file
+    path: /var/log/apache2
+    max_file_size: 1073741824 # 1GB
+  -
+    description: Collect Apache logs.
+    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    collector: file
+    path: /var/log/httpd
+    max_file_size: 1073741824 # 1GB

artifacts/files/logs/nginx.yaml

@@ -0,0 +1,16 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect nginx logs.
+    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    collector: file
+    path: /var/log
+    name_pattern: ["*access_log*", "*access.log*", "*error_log*", "*error.log*"]
+    max_file_size: 1073741824 # 1GB
+  -
+    description: Collect nginx logs.
+    supported_os: [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+    collector: file
+    path: /var/log/nginx
+    max_file_size: 1073741824 # 1GB
+

artifacts/files/packages/pkg_contents.yaml

@@ -0,0 +1,8 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect package table of contents files.
+    supported_os: [openbsd]
+    collector: file
+    path: /var/db/pkg
+    path_pattern: ["*/+CONTENTS"]

artifacts/files/system/desktop.yaml

@@ -0,0 +1,11 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect GUI shortcut files of users.
+    supported_os: [freebsd, linux, netbsd, openbsd]
+    collector: file
+    path: /%user_home%
+    max_depth: 6
+    name_pattern: ["*.desktop"]
+    ignore_date_range: true
+    exclude_nologin_users: true

artifacts/files/system/etc.yaml

@@ -5,7 +5,7 @@ artifacts:
     supported_os: [aix, android, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
     collector: file
     path: /etc
-    exclude_name_pattern: ["shadow", "shadow-"]
+    exclude_name_pattern: ["shadow", "shadow-", "master.passwd", "spwd.db", "gshadow", "gshadow-"]
     ignore_date_range: true
   -
     description: Collect system configuration files.

artifacts/files/system/xsession_errors.yaml

@@ -2,8 +2,8 @@ version: 1.0
 artifacts:
   -
     description: Collect xsession errors file. This is the error log produced by X window system.
-    supported_os: [linux]
+    supported_os: [linux, openbsd]
     collector: file
     path: /%user_home%/.xsession-errors
     exclude_nologin_users: true
-    
+

artifacts/live_response/network/ndp.yaml

@@ -0,0 +1,8 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect the kernel's IPv6 network neighbour cache.
+    supported_os: [freebsd, netbsd, openbsd]
+    collector: command
+    command: ndp -a
+    output_file: ndp_-a.txt