Merge branch 'develop' into azure_vm_agent

tclahr · Feb 5, 2025 · adc948a · adc948a
2 parents a8c7493 + 58386a1
commit adc948a
Show file tree

Hide file tree

Showing 19 changed files with 260 additions and 123 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -46,17 +46,24 @@ All notable changes to this project will be documented in this file.
 - `live_response/system/journalctl.yaml`: Added collection of boot time period listings using `journalctl` [linux]. (by [mnrkbys](https://github.com/mnrkbys))
 - `live_response/system/ulimit.yaml`: Added collection of all resource limits information [all]. (by [mnrkbys](https://github.com/mnrkbys))
 - `memory_dump/coredump.yaml`: Added collection of core dump, ABRT, Apport, and kdump files [esxi, linux, netbsd]. (by [mnrkbys](https://github.com/mnrkbys))
+- `osquery/osquery.yaml`: Added collection of multiple artifacts using OSQuery tool. Please note that the `osqueryi` binary is not included in the UAC package and must be manually placed in the `bin` directory [linux]. (by [SolitudePy](https://github.com/SolitudePy))
 
 ### Changed
+
 - `files/logs/macos_unified_logs.yaml`: Updated to include collection of ASL logs [macos]. (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal))
+- `files/system/job_scheduler.yaml`: Updated to include anacron job scheduler [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]. (by [0xThiebaut](https://github.com/0xThiebaut))
 - `live_response/packages/dpkg.yaml`: Updated to validate all installed packages by comparing the installed files against the package metadata stored in the dpkg database [linux]. (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal))
 - `live_response/packages/snap.yaml`: Updated collection to display installed packages including all revisions [linux]. (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal))
+- `live_response/process/ps.yaml`: Updated to collect the system date before reporting a snapshot of the current processes including elapsed time since the process was started [all].
 
 ### Fixed
+
 - Resolved an issue where the `hash` and `stat` collectors failed to function correctly when the `%user_home%` variable was included in the path property. ([#289](https://github.com/tclahr/uac/issues/289))
 
 ### Profiles
+
 - Added `offline_ir_triage.yaml`: New 'offline_ir_triage' profile for offline triage collections. (by [clausing](https://github.com/clausing))
 
 ### New Artifact Properties
+
 - Introduced `redirect_stderr_to_stdout`: When enabled, this property redirects error messages (stderr) to standard output (stdout). Useful for debugging and ensuring complete logs.
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -1,3 +1,5 @@
+# Code of Conduct
+
 An open-source and open community project is one in which participants choose to work together, and in that process experience differences in language, location, nationality, and experience. In such a diverse environment, misunderstandings and disagreements happen, which in most cases can be resolved informally. In rare cases, however, behavior can intimidate, harass, or otherwise disrupt one or more people in the community, which this project will not tolerate.
 
 A **Code of Conduct** is useful to define accepted and acceptable behaviors and to promote high standards of professional practice. It also provides a benchmark for self evaluation and acts as a vehicle for better identity of the organization.
@@ -7,7 +9,9 @@ This code (**CoC**) applies to any participant in this project's community – d
 ## Statement of Intent
 
 This project is committed to maintain a **positive** [work environment](#work-environment). This commitment calls for a workplace where [participants](#participant) at all levels behave according to the rules of the following code. A foundational concept of this code is that we all share responsibility for our work environment.
+
 ## Code
+
 1. Treat each other with [respect](#respect), professionalism, fairness, and sensitivity to our many differences and strengths, including in situations of high pressure and urgency.
 1. Never [harass](#harassment) or [bully](#workplace-bullying) anyone verbally, physically or [sexually](#sexual-harassment).
 1. Never [discriminate](#discrimination) on the basis of personal characteristics or group membership.
@@ -21,37 +25,50 @@ This project is committed to maintain a **positive** [work environment](#work-en
 1. Step down considerately: Members of every project come and go, and the Hyperledger Project is no different. When you leave or disengage from the project, in whole or in part, we ask that you do so in a way that minimizes disruption to the project. This means you should tell people you are leaving and take the proper steps to ensure that others can pick up where you left off.
 
 ## Glossary
-#### Demeaning behavior
+
+### Demeaning behavior
+
 is acting in a way that reduces another person's dignity, sense of self-worth or respect within the community.
 
-#### Discrimination
+### Discrimination
+
 is the prejudicial treatment of an individual based on criteria such as: physical appearance, race, ethnic origin, genetic differences, national or social origin, name, religion, gender, sexual orientation, family or health situation, pregnancy, disability, age, education, wealth, domicile, political view, morals, employment, or union activity.
 
-#### Insulting behavior
+### Insulting behavior
+
 is treating another person with scorn or disrespect.
 
-#### Acknowledgement
+### Acknowledgement
+
 is a record of the origin(s) and author(s) of a contribution.
 
-#### Harassment
+### Harassment
+
 is any conduct, verbal or physical, that has the intent or effect of interfering with an individual, or that creates an intimidating, hostile, or offensive environment.
 
-#### Leadership position
+### Leadership position
+
 includes group Chairs, project maintainers, staff members, and Board members.
 
-#### Participant
+### Participant
+
 includes the following persons:
+
 * Developers
 * Anyone from the Public partaking in this project's work environment (e.g. contribute code, comment on our code or specs, email us, attend our conferences, functions, etc)
 
-#### Respect
+### Respect
+
 is the genuine consideration you have for someone (if only because of their status as participant in Hyperledger Project, like yourself), and that you show by treating them in a polite and kind way.
 
-#### Sexual harassment
+### Sexual harassment
+
 includes visual displays of degrading sexual images, sexually suggestive conduct, offensive remarks of a sexual nature, requests for sexual favors, unwelcome physical contact, and sexual assault.
 
-#### Unwelcome behavior
+### Unwelcome behavior
+
 Hard to define? Some questions to ask yourself are:
+
 * how would I feel if I were in the position of the recipient?
 * would my spouse, parent, child, sibling or friend like to be treated this way?
 * would I like an account of my behavior published in the organization's newsletter?
@@ -61,21 +78,25 @@ Hard to define? Some questions to ask yourself are:
 
 _Summary_: if you are unsure whether something might be welcome or unwelcome, don't do it.
 
-#### Unwelcome sexual advance
+### Unwelcome sexual advance
+
 includes requests for sexual favors, and other verbal or physical conduct of a sexual nature, where:
+
 * submission to such conduct is made either explicitly or implicitly a term or condition of an individual's employment,
 * submission to or rejection of such conduct by an individual is used as a basis for employment decisions affecting the individual,
 * such conduct has the purpose or effect of unreasonably interfering with an individual's work performance or creating an intimidating hostile or offensive working environment.
 
-#### Workplace Bullying
+### Workplace Bullying
+
 is a tendency of individuals or groups to use persistent aggressive or unreasonable behavior (e.g. verbal or written abuse, offensive conduct or any interference which undermines or impedes work) against a co-worker or any professional relations.
 
-#### Work Environment
+### Work Environment
+
 is the set of all available means of collaboration, including, but not limited to messages to mailing lists, private correspondence, Web pages, chat channels, phone and video teleconferences, and any kind of face-to-face meetings or discussions.
 
 ## Incident Procedure
 
-To report incidents or to appeal reports of incidents, send email to iplsdk@linux.vnet.ibm.com create email. Please include any available relevant information, including links to any publicly accessible material relating to the matter. Every effort will be taken to ensure a safe and collegial environment in which to collaborate on matters relating to the Project. In order to protect the community, the Project reserves the right to take appropriate action, potentially including the removal of an individual from any and all participation in the project. The Project will work towards an equitable resolution in the event of a misunderstanding.
+To report incidents or to appeal reports of incidents, send email to <iplsdk@linux.vnet.ibm.com> create email. Please include any available relevant information, including links to any publicly accessible material relating to the matter. Every effort will be taken to ensure a safe and collegial environment in which to collaborate on matters relating to the Project. In order to protect the community, the Project reserves the right to take appropriate action, potentially including the removal of an individual from any and all participation in the project. The Project will work towards an equitable resolution in the event of a misunderstanding.
 
 ## Credits
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -146,9 +146,9 @@ To ensure consistency throughout the source code, keep these rules in mind as yo
 
 We have very precise rules over how our git commit messages can be formatted. This leads to more readable messages that are easy to follow when looking through the project history.
 
-Each commit message consists of a **header**, a **blank line** and a **body**. The header has a special format that includes a **type** and a **subject**. 
+Each commit message consists of a **header**, a **blank line** and a **body**. The header has a special format that includes a **type** and a **subject**.
 
-```
+```text
 <type>: <subject>
 <BLANK LINE>
 <body>
@@ -158,7 +158,7 @@ Any line of the commit message cannot be longer than 100 characters! This allows
 
 Samples:
 
-```
+```text
 docs: update changelog to v2.0.0
 fix: fixed issue #15
 ```

diff --git a/LICENSES.md b/LICENSES.md
@@ -1,8 +1,10 @@
+# Licenses
+
 Use of the following Third-Party Software is subject to the license agreements at the URLs listed in the table below.
 
 |Product|Copyright|URL|
 |---|---|---|
-|AVML|Use rights in accordance with the information displayed at: https://github.com/microsoft/avml/blob/main/LICENSE|https://github.com/microsoft/avml|
-|linux_procmemdump.sh|Use rights in accordance with the information displayed at: https://creativecommons.org/licenses/by-sa/4.0|
-|statx|Use rights in accordance with the information displayed at: https://github.com/tclahr/statx/blob/main/LICENSE|https://github.com/tclahr/statx|
-|zip|Use rights in accordance with the information displayed at: https://infozip.sourceforge.net/license.html|https://infozip.sourceforge.net|
+|AVML|Use rights in accordance with the information displayed at: <https://github.com/microsoft/avml/blob/main/LICENSE>|<https://github.com/microsoft/avml>|
+|linux_procmemdump.sh|Use rights in accordance with the information displayed at: <https://creativecommons.org/licenses/by-sa/4.0>||
+|statx|Use rights in accordance with the information displayed at: <https://github.com/tclahr/statx/blob/main/LICENSE>|<https://github.com/tclahr/statx>|
+|zip|Use rights in accordance with the information displayed at: <https://infozip.sourceforge.net/license.html>|<https://infozip.sourceforge.net>|
diff --git a/README.md b/README.md
@@ -1,3 +1,5 @@
+<!-- markdownlint-disable MD033 -->
+<!-- markdownlint-disable MD041 -->
 <p align="center">
   <picture>
     <source media="(prefers-color-scheme: dark)" srcset="logo/uac-light.svg">
@@ -8,13 +10,13 @@
 
   <p align="center">
     <a href="https://github.com/tclahr/uac/actions/workflows/shellcheck.yaml" alt="Issues">
-      <img src="https://github.com/tclahr/uac/actions/workflows/shellcheck.yaml/badge.svg" /></a>
+      <img src="https://github.com/tclahr/uac/actions/workflows/shellcheck.yaml/badge.svg" alt="shellcheck_badge"/></a>
     <a href="https://bestpractices.coreinfrastructure.org/projects/5640" alt="CII Best Practices">
-      <img src="https://bestpractices.coreinfrastructure.org/projects/5640/badge" /></a>
+      <img src="https://bestpractices.coreinfrastructure.org/projects/5640/badge" alt="bestpractices_badge"/></a>
     <a href="https://github.com/tclahr/uac/releases" alt="GitHub release (latest by date including pre-releases)">
-      <img src="https://img.shields.io/github/v/release/tclahr/uac?include_prereleases&style=flat-square" /></a>
+      <img src="https://img.shields.io/github/v/release/tclahr/uac?include_prereleases&style=flat-square" alt="release_badge"/></a>
     <a href="https://github.com/tclahr/uac/LICENSE" alt="License">
-      <img src="https://img.shields.io/github/license/tclahr/uac?style=flat-square" /></a>
+      <img src="https://img.shields.io/github/license/tclahr/uac?style=flat-square" alt="license_badge"/></a>
   </p>
 
   <p align="center">
@@ -34,16 +36,18 @@
     •
     <a href="#-license">License</a>
   </p>
-
 </p>
+<!-- markdownlint-enable MD033 -->
+<!-- markdownlint-enable MD041 -->
 
 ## 🔎 About UAC
 
 **UAC (Unix-like Artifacts Collector)** is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris.
 
 Whether you're handling an intrusion, conducting forensic investigations, or performing compliance checks, UAC simplifies and accelerates data collection while minimizing reliance on external support during critical incidents.
 
-### Key Highlights:
+### Key Highlights
+
 - 📂 Fully customizable via YAML profiles for tailored data collection.
 - ⚡ Lightweight, portable, and requires no installation or dependencies.
 - 🔒 Adheres to the order of volatility to ensure reliable data acquisition.
@@ -87,27 +91,32 @@ UAC runs on any Unix-like system, regardless of the processor architecture. All
 UAC does not need to be installed on the target system. Simply download the latest version from the [releases page](https://github.com/tclahr/uac/releases), uncompress it, and launch. It's that simple!
 
 ### 🛠 Getting Started
+
 1. Download the latest release from the [Releases page](https://github.com/tclahr/uac/releases).
 2. Uncompress the archive.
 3. Execute the tool directly from the terminal.
 
 ### Examples
 
+<!-- markdownlint-disable MD033 -->
 <details>
 <summary>Click to view usage examples</summary>
 
 **Collect all artifacts based on the ir_triage profile:**
-```bash
+
+```shell
 ./uac -p ir_triage /tmp
 ```
 
 **Collect memory dump and all artifacts based on the full profile:**
-```bash
+
+```shell
 ./uac -a ./artifacts/memory_dump/avml.yaml -p full /tmp
 ```
 
 **Collect all artifacts excluding a specific one:**
-```bash
+
+```shell
 ./uac -p full -a \!artifacts/bodyfile/bodyfile.yaml .
 ```
 
@@ -124,6 +133,7 @@ UAC does not need to be installed on the target system. Simply download the late
 ```
 
 </details>
+<!-- markdownlint-enable MD033 -->
 
 ## 💙 Contributing
 

diff --git a/artifacts/files/system/job_scheduler.yaml b/artifacts/files/system/job_scheduler.yaml
@@ -1,32 +1,37 @@
-version: 3.0
+version: 3.1
 artifacts:
   -
     description: Collect cron files.
-    supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+    supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
     collector: file
     path: /var/cron
   -
     description: Collect cron files.
-    supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+    supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
     collector: file
     path: /var/adm/cron
+  -
+    description: Collect anacron files.
+    supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+    collector: file
+    path: /var/spool/anacron
   -
     description: Collect at files.
-    supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+    supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
     collector: file
     path: /var/spool/at
   -
-    description: Collect at files.
-    supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+    description: Collect cron files.
+    supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
     collector: file
     path: /var/spool/cron
   -
-    description: Collect at files.
-    supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+    description: Collect tabs files.
+    supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
     collector: file
     path: /var/at/tabs
   -
-    description: Collect at and cron files.
+    description: Collect at files.
     supported_os: [macos]
     collector: file
     path: /private/var/at
diff --git a/artifacts/live_response/process/ps.yaml b/artifacts/live_response/process/ps.yaml
@@ -1,4 +1,4 @@
-version: 3.0
+version: 4.0
 output_directory: /live_response/process
 artifacts:
   -
@@ -37,18 +37,39 @@ artifacts:
     collector: command
     command: ps -efl
     output_file: ps_-efl.txt
+  -
+    description: Collect system date before reporting a snapshot of the current processes including elapsed time since the process was started.
+    supported_os: [aix, solaris]
+    collector: command
+    condition: ps -eo pid,user,etime,args
+    command: date
+    output_file: date_before_ps_-eo_pid_user_etime_args.txt
   -
     description: Report a snapshot of the current processes including elapsed time since the process was started.
     supported_os: [aix, solaris]
     collector: command
     command: ps -eo pid,user,etime,args
     output_file: ps_-eo_pid_user_etime_args.txt
+  -
+    description: Collect system date before reporting a snapshot of the current processes including elapsed time since the process was started.
+    supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
+    collector: command
+    condition: ps -axo pid,user,etime,args
+    command: date
+    output_file: date_before_ps_-axo_pid_user_etime_args.txt
   -
     description: Report a snapshot of the current processes including elapsed time since the process was started.
     supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
     collector: command
     command: ps -axo pid,user,etime,args
     output_file: ps_-axo_pid_user_etime_args.txt
+  -
+    description: Collet system date before reporting a snapshot of the current processes including time the command started.
+    supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
+    collector: command
+    condition: ps -axo pid,user,lstart,args
+    command: date
+    output_file: date_before_ps_-axo_pid_user_lstart_args.txt
   -
     description: Report a snapshot of the current processes including time the command started.
     supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
@@ -61,6 +82,13 @@ artifacts:
     collector: command
     command: ps -axo pid,user,cgroup
     output_file: ps_-axo_pid_user_cgroup.txt
+  -
+    description: Collect system date before reporting a snapshot of the current processes including used time, verbose, session ID and process group, state and type.
+    supported_os: [esxi]
+    collector: command
+    condition: ps -P -T -c -g -s -t -J
+    command: date
+    output_file: date_before_ps_-P_-T_-c_-g_-s_-t_-J.txt
   -
     description: Report a snapshot of the current processes including used time, verbose, session ID and process group, state and type.
     supported_os: [esxi]