Merge pull request #232 from tclahr/release/2.9.0

Release/2.9.0

CHANGELOG.md

@@ -1,40 +1,35 @@
 # Changelog
 
-## 2.8.0 (2024-01-22)
+## 2.9.0 (2024-05-28)
 
 ### Features
 
-- --debug option now does not remove the uac-data.tmp directory created in the destination directory. This is the location where temporary and debugging data is stored during execution.
+- uac.log and uac.log.stderr files were moved to the front of the output archive file (by [rbcrwd](https://github.com/rbcrwd)).
 
 ### Artifacts
 
-- files/applications/box_drive.yaml: Renamed to box.yaml.
-- files/applications/box.yaml: Added collection support for Box log files [macos].
-- files/applications/wget.yaml: Added collection support for wget hsts file. This file is used to store the HSTS cache for the wget utility [aix, esxi, freebsd, linux, macos, netbsd, openbsd, solaris] (by [firexfly](https://github.com/firexfly)).
-- files/browsers/brave.yaml: Updated collection support for Flatpak version [linux].
-- files/browsers/chrome.yaml: Updated collection support for Flatpak version [linux].
-- files/browsers/edge.yaml: Updated collection support for Flatpak version [linux].
-- files/browsers/opera.yaml: Updated collection support for Flatpak version [linux].
-- files/browsers/vivaldi.yaml: Updated collection support for Flatpak version [linux].
-- files/packages/pkg_contents.yaml: Added collection support for package table of contents files [openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
-- files/system/desktop.yaml: Added collection support for GUI shortcut files (.desktop) of users [freebsd, linux, netbsd, openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
-- files/system/etc.yaml: Added "master.passwd" and "spwd.db" to the exclude_name_pattern list as they contain the hashed passwords of local users [freebsd, netbsd, netscaler, openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
-- files/system/etc.yaml: Added exclusion for the group shadow files 'gshadow' and 'gshadow-'. Those files contain password hashes for groups [linux] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
-- files/system/xsession_errors.yaml: Updated collection support for OpenBSD systems [openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
-- live_response/network/ndp.yaml: Added collection support for kernel's IPv6 network neighbor cache [freebsd, netbsd, openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
-- live_response/network/nft.yaml: Added collection support for complete nftables ruleset [linux] (by [sanderu](https://github.com/sanderu)).
-- live_response/network/ss.yaml: Updated collection support for processes listening on UDP ports/sockets [android, linux].
-- live_response/vms/vmctl.yaml: Added collection support for information about running virtual machines on the OpenBSD using the native virtualization system [openbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
-
-### Fixes
-
-- Offline disk image mount point path was part of the file structure in [root] (by [maxspl](https://github.com/maxspl)).
-- Collected data was not being properly archived by tar in AIX systems.
-
-### Profiles
-
-- profiles/offline.yaml: New 'offline' profile that can be used during offline collections (by [randomaccess3](https://github.com/randomaccess3)).
-
-### Tools
-
-- statx source code was moved to a dedicated repository at https://github.com/tclahr/statx
+- files/logs/macos.yaml: Updated collection support for auditd logs [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- files/logs/solaris.yaml: Added collection support for lastlog, wtmpx, utmpx, svc and webui logs that are stored outside /var/log directory [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
+- files/logs/var_log.yaml: Updated collection to support new system [esxi] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- files/packages/pkg_contents.yaml: Updated collection support for NetBSD 10 [netbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/packages/pkg_contents.yaml: Updated collection support for package table of contents files [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
+- files/system/svc.yaml: Added collection support for svc manifest and method (service start) files [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
+- files/system/systemd.yaml: Updated collection to support artifacts related to transient and per-user systemd timers [linux] (by [halpomeranz](https://github.com/halpomeranz)).
+- files/system/var_ld.yaml: Added collection support for ld config files [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
+- live_response/containers/docker.yaml: Added collection support for resource usage statistics of each container [linux].
+- live_response/containers/podman.yaml: Added collection support for resource usage statistics of each container [linux].
+- live_response/packages/brew.yaml: Added collection support for packages installed through brew package manager [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/packages/equo.yaml: Added collection support for packages installed through Entropy package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/packages/nix.yaml: Added collection support for packages installed through Nix package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/packages/pip.yaml: Added collection support for Python packages installed through pip [linux] (by [sanderu](https://github.com/sanderu)).
+- live_response/packages/pisi.yaml: Added collection support for packages installed through pisi package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/packages/pkg.yaml: Updated collection support for information about installed packages [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
+- live_response/packages/xbps.yaml: Added collection support for packages installed through XBPS package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/packages/yay.yaml: Added collection support for packages installed through Yay [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/process/procfs_information.yaml: Added collection support for entries corresponding to memory-mapped files [linux].
+- live_response/process/procfs_information.yaml: Added collection support for listing the contents of /proc/modules [linux].
+- live_response/process/procfs_information.yaml: Added collection support for listing Unix sockets [linux].
+- live_response/system/ebpf.yaml: Added collection support for listing pinned eBPF progs [linux].
+- live_response/system/kernel_modules.yaml: Added collection support for listing available parameters per kernel module [linux].
+- live_response/system/kernel_modules.yaml: Added collection support for listing loaded kernel modules to compare with /proc/modules [linux].
+- live_response/system/modinfo.yaml: Added collection support for information about loaded kernel modules [linux, solaris] (by [sanderu](https://github.com/sanderu)).

artifacts/files/logs/macos.yaml

@@ -24,4 +24,11 @@ artifacts:
     collector: file
     path: /%user_home%/Library/Logs
     max_file_size: 1073741824 # 1GB
+  -
+    description: Collect auditd logs.
+    # Reference: https://medium.com/@boutnaru/the-macos-process-journey-auditd-audit-log-management-daemon-1addd6698016
+    supported_os: [macos]
+    collector: file
+    path: /var/audit
+    max_file_size: 1073741824 # 1GB
 

artifacts/files/logs/solaris.yaml

@@ -0,0 +1,29 @@
+version: 2.0
+artifacts:
+  -
+    description: Collect lastlog log file.
+    supported_os: [solaris]
+    collector: file
+    path: /var/share/adm/lastlog
+  -
+    description: Collect wtmpx log file.
+    supported_os: [solaris]
+    collector: file
+    path: /var/share/adm/wtmpx
+  -
+    description: Collect utmpx log file.
+    supported_os: [solaris]
+    collector: file
+    path: /system/volatile/utmpx
+  -
+    description: Collect svc log files.
+    supported_os: [solaris]
+    collector: file
+    path: /var/svc/log
+    max_file_size: 1073741824 # 1GB
+  -
+    description: Collect webui log files.
+    supported_os: [solaris]
+    collector: file
+    path: /var/webui/logs
+    max_file_size: 1073741824 # 1GB

artifacts/files/logs/var_log.yaml

@@ -2,7 +2,7 @@ version: 3.0
 artifacts:
   -
     description: Collect /var/log logs.
-    supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+    supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
     collector: file
     path: /var/log
     max_file_size: 1073741824 # 1GB

artifacts/files/packages/pkg_contents.yaml

@@ -1,8 +1,19 @@
-version: 1.0
+version: 2.0
 artifacts:
   -
     description: Collect package table of contents files.
-    supported_os: [openbsd]
+    supported_os: [netbsd, openbsd]
     collector: file
     path: /var/db/pkg
     path_pattern: ["*/+CONTENTS"]
+  -
+    description: Collect package table of contents files (NetBSD 10 and later).
+    supported_os: [netbsd]
+    collector: file
+    path: /usr/pkg/pkgdb
+    path_pattern: ["*/+CONTENTS"]
+  -
+    description: Collect package table of contents files.
+    supported_os: [solaris]
+    collector: file
+    path: /var/pkg/publisher/*/pkg

artifacts/files/system/svc.yaml

@@ -0,0 +1,21 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect svc manifest files.
+    supported_os: [solaris]
+    collector: file
+    path: /lib/svc/manifest
+    ignore_date_range: true
+  -
+    description: Collect svc manifest files.
+    supported_os: [solaris]
+    collector: file
+    path: /var/svc/manifest
+    ignore_date_range: true
+  -
+    description: Collect svc method (service start) files.
+    supported_os: [solaris]
+    collector: file
+    path: /lib/svc/method
+    ignore_date_range: true
+

artifacts/files/system/systemd.yaml

@@ -1,4 +1,4 @@
-version: 2.0
+version: 2.1
 artifacts:
   -
     description: Collect systemd configuration files.
@@ -19,8 +19,19 @@ artifacts:
     path: /run/systemd/sessions
     file_type: f
   -
-    description: Collect systemd scope files.
+    description: Collect systemd scope and transient timer files.
     supported_os: [linux]
     collector: file
     path: /run/systemd/transient
-    name_pattern: ["*.scope"]
+    name_pattern: ["*.scope", "*.service", "*.timer"]
+  -
+    description: Collect systemd per-user transient timers.
+    supported_os: [linux]
+    collector: file
+    path: /run/user/*/systemd/transient
+    name_pattern: ["*.service", "*.timer"]
+  -
+    description: Collect systemd per-user configuration.
+    supported_os: [linux]
+    collector: file
+    path: /%user_home%/.config/systemd

artifacts/files/system/var_ld.yaml

@@ -0,0 +1,8 @@
+version: 1.0
+artifacts:
+  -
+    description: Collect ld config files.
+    supported_os: [solaris]
+    collector: file
+    path: /var/ld
+    ignore_date_range: true

artifacts/live_response/containers/docker.yaml

@@ -1,4 +1,4 @@
-version: 1.0
+version: 2.0
 artifacts:
   -
     description: List all containers.
@@ -90,4 +90,11 @@ artifacts:
     collector: command
     foreach: docker container ps --all | sed 1d | awk '{print $1}'
     command: docker diff %line%
-    output_file: docker_diff_%line%.txt
+    output_file: docker_diff_%line%.txt
+  -
+    description: Display a live stream of resource usage statistics.
+    supported_os: [linux]
+    collector: command
+    foreach: docker container ps --all | sed 1d | awk '{print $1}'
+    command: docker stats %line%
+    output_file: docker_stats_%line%.txt

artifacts/live_response/containers/podman.yaml

@@ -1,4 +1,4 @@
-version: 1.0
+version: 2.0
 artifacts:
   -
     description: List all containers.
@@ -90,4 +90,11 @@ artifacts:
     collector: command
     foreach: podman container ps --all | sed 1d | awk '{print $1}'
     command: podman diff %line%
-    output_file: podman_diff_%line%.txt
+    output_file: podman_diff_%line%.txt
+  -
+    description: Display a live stream of resource usage statistics.
+    supported_os: [linux]
+    collector: command
+    foreach: podman container ps --all | sed 1d | awk '{print $1}'
+    command: podman stats %line%
+    output_file: podman_stats_%line%.txt

artifacts/live_response/packages/brew.yaml

@@ -0,0 +1,39 @@
+version: 1.0
+artifacts:
+  -
+    description: Display installed packages.
+    supported_os: [macos]
+    collector: command
+    command: brew list
+    output_file: brew_list.txt
+  -
+    description: Display CLI only installed packages.
+    supported_os: [macos]
+    collector: command
+    command: brew list --formula
+    output_file: brew_list_--formula.txt
+  -
+    description: Display GUI only installed packages.
+    supported_os: [macos]
+    collector: command
+    command: brew list --cask
+    output_file: brew_list_--cask.txt
+  -
+    description: Display installed packages including their version numbers.
+    supported_os: [macos]
+    collector: command
+    command: brew list --versions --multiple
+    output_file: brew_list_--versions_--multiple.txt
+  -
+    description: Display all top-level packages.
+    supported_os: [macos]
+    collector: command
+    command: brew leaves
+    output_file: brew_leaves.txt
+  -
+    description: Display installed packages and their dependencies, in a tree view.
+    supported_os: [macos]
+    collector: command
+    command: brew deps --tree --installed
+    output_file: brew_deps_--tree_--installed.txt
+

artifacts/live_response/packages/equo.yaml

@@ -0,0 +1,9 @@
+version: 1.0
+artifacts:
+  -
+    description: Display installed packages.
+    supported_os: [linux]
+    collector: command
+    command: equo query list
+    output_file: equo_query_list.txt
+

artifacts/live_response/packages/nix.yaml

@@ -0,0 +1,9 @@
+version: 1.0
+artifacts:
+  -
+    description: Display installed packages.
+    supported_os: [linux]
+    collector: command
+    command: nix-env -q --installed
+    output_file: nix-env_-q_--installed.txt
+

artifacts/live_response/packages/pip.yaml

@@ -0,0 +1,15 @@
+version: 1.0
+artifacts:
+  -
+    description: Display Python packages installed through pip.
+    supported_os: [all]
+    collector: command
+    command: pip list
+    output_file: pip_list.txt
+  -
+    description: Display Python packages installed through pip.
+    supported_os: [all]
+    collector: command
+    command: pip list -v
+    output_file: pip_list_-v.txt
+

artifacts/live_response/packages/pisi.yaml

@@ -0,0 +1,8 @@
+version: 1.0
+artifacts:
+  -
+    description: Display installed packages.
+    supported_os: [linux]
+    collector: command
+    command: pisi list
+    output_file: pisi_list.txt

artifacts/live_response/packages/pkg.yaml

@@ -1,10 +1,9 @@
-version: 1.0
+version: 2.0
 artifacts:
   -
     description: Displays information about installed packages.
-    supported_os: [freebsd]
+    supported_os: [freebsd, solaris]
     collector: command
     command: pkg info
     output_file: pkg_info.txt
-
 

artifacts/live_response/packages/xbps.yaml

@@ -0,0 +1,9 @@
+version: 1.0
+artifacts:
+  -
+    description: Display installed packages.
+    supported_os: [linux]
+    collector: command
+    command: xbps-query -l
+    output_file: xbps-query_-l.txt
+

artifacts/live_response/packages/yay.yaml

@@ -0,0 +1,9 @@
+version: 1.0
+artifacts:
+  -
+    description: Display installed packages.
+    supported_os: [linux]
+    collector: command
+    command: yay -Qq
+    output_file: yay_-Qq.txt
+