Merge pull request #93 from tclahr/develop
v2.3.0
tclahr authored Aug 9, 2022
2 parents 81e8cb8 + bda2662 commit 56e4c36
Showing 97 changed files with 945 additions and 517 deletions.
1 change: 1 addition & 0 deletions .github/workflows/clearlinux-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
vagrant_box_name: "AntonioMeireles/ClearLinux"
vagrant_ssh_username: "clear"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""

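Review bot: the same `vagrant_ssh_shell: "/bin/sh"` line is added by hand to twelve workflow files in this commit (this hunk and the eleven that follow), so the next per-box setting will again need twelve identical edits; a single workflow with a `strategy.matrix` over box name, user, password and shell, or a reusable workflow that takes those as inputs, would remove the duplication. Note also that the ESXi and OpenWrt entries below log in as `root` with an empty `vagrant_ssh_password`; that is fine for throwaway CI boxes, but a one-line comment saying so would keep the pattern from being copied elsewhere.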
1 change: 1 addition & 0 deletions .github/workflows/esxi-6-5-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
vagrant_box_name: "david-flynn/esxi-6.5.0-base"
vagrant_ssh_username: "root"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""

1 change: 1 addition & 0 deletions .github/workflows/freebsd-11-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
vagrant_box_name: "generic/freebsd11"
vagrant_ssh_username: "vagrant"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""

1 change: 1 addition & 0 deletions .github/workflows/freebsd-13-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
vagrant_box_name: "generic/freebsd13"
vagrant_ssh_username: "vagrant"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""

1 change: 1 addition & 0 deletions .github/workflows/netbsd-8-amd64.yaml
@@ -17,4 +17,5 @@ jobs:
vagrant_box_name: "generic/netbsd8"
vagrant_ssh_username: "vagrant"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""
1 change: 1 addition & 0 deletions .github/workflows/netbsd-9-amd64.yaml
@@ -17,4 +17,5 @@ jobs:
vagrant_box_name: "generic/netbsd9"
vagrant_ssh_username: "vagrant"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""
1 change: 1 addition & 0 deletions .github/workflows/openbsd-6-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
vagrant_box_name: "generic/openbsd6"
vagrant_ssh_username: "vagrant"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""

1 change: 1 addition & 0 deletions .github/workflows/openbsd-7-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
vagrant_box_name: "generic/openbsd7"
vagrant_ssh_username: "vagrant"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""

1 change: 1 addition & 0 deletions .github/workflows/openwrt-15.yaml
@@ -17,5 +17,6 @@ jobs:
vagrant_box_name: "living42/openwrt-15.05-x86"
vagrant_ssh_username: "root"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""

1 change: 1 addition & 0 deletions .github/workflows/redhat-6-5-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
vagrant_box_name: "anandbitra/redhat-6.5"
vagrant_ssh_username: "vagrant"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""

1 change: 1 addition & 0 deletions .github/workflows/solaris-11-i386.yaml
@@ -17,4 +17,5 @@ jobs:
vagrant_box_name: "plaurin/solaris-11_3"
vagrant_ssh_username: "vagrant"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""
1 change: 1 addition & 0 deletions .github/workflows/ubuntu-14-04-amd64.yaml
@@ -17,5 +17,6 @@ jobs:
vagrant_box_name: "ubuntu/trusty64"
vagrant_ssh_username: "vagrant"
vagrant_ssh_password: ""
vagrant_ssh_shell: "/bin/sh"
vagrant_ssh_options: ""

62 changes: 59 additions & 3 deletions CHANGELOG.md
@@ -2,15 +2,71 @@

All notable changes to this project will be documented in this file.

## 2.3.0 (2022-08-09)

## New Features

- You can now use as many --artifacts (-a) and --profile (-p) as you want to build an even more customized collection. Artifacts will be collected in the order they were provided in the command line. Please check the [project's documentation page](https://tclahr.github.io/uac-docs/#using-uac) for more information.
- UAC now collects copies of '/proc/[pid]/fd/*' from deleted processes even if they are not shown up as being (deleted).
- AVML was updated to v0.7.0.

### New Artifacts

- New artifact that collects the contents of /dev/shm (files/system/dev_shm.yaml) ([#68](https://github.com/tclahr/uac/issues/68)).
- New artifact that collects the contents of /run/shm (files/system/run_shm.yaml) ([#68](https://github.com/tclahr/uac/issues/68)).
- New artifact that collects the contents of /var/tmp (files/system/var_tmp.yaml) ([#68](https://github.com/tclahr/uac/issues/68)).
- New artifact that lists hidden files created outside of user home directories (live_response/system/hidden_files.yaml) ([#69](https://github.com/tclahr/uac/issues/69)).
- New artifact that lists hidden directories created outside of user home directories (live_response/system/hidden_directories.yaml) ([#69](https://github.com/tclahr/uac/issues/69)).
- New artifact that lists world writable files (live_response/system/world_writable_files.yaml).
- New artifact that lists world writable directories (live_response/system/world_writable_directories.yaml).
- New artifact that lists loaded kernel modules from /sys/module directory (live_response/system/sys_module.yaml).
- New artifact that collects last logins and logouts (live_response/system/last.yaml).
- New artifact that collects unsuccessful logins (live_response/system/lastb.yaml).
- New artifact that lists all socket files (live_response/system/socket_files.yaml).
- New artifact that collects sessions files from /run/systemd/sessions (files/system/systemd.yaml).
- New artifact that collects scope files from /run/systemd/transient (files/system/systemd.yaml).
- New artifact that collects Vivaldi browser artifacts (files/browsers/vivaldi.yaml).
- New artifact that collects Linux terse runtime status information about one or more logged in users, followed by the most recent log data from the journal (live_response/system/loginctl.yaml).
- New artifact that collects fish shell history files (files/shell/history.yaml).
- New artifact that collects Tracker database files (files/system/tracker.yaml).
- New artifact that collects macOS .DS_Store files (files/system/ds_store.yaml).
- New artifact that collects macOS network and application usage database files (files/system/network_application_usage.yaml).
- New artifact that collects macOS Powerlog files (files/system/powerlog.yaml).
- New artifact that collects macOS recovery account information files (files/system/recovery_account_info.yaml).
- New artifact that collects macOS system keychain file (files/system/keychain.yaml).
- New artifact that collects macOS system version file (files/system/system_version.yaml).
- New artifact that collects macOS unified logging and activity tracing files (files/system/var_db_diagnostics.yaml).
- New artifact that collects macOS time machine information (live_response/system/tmutil.yaml).
- New artitact that collects macOS Photos application database files (files/applications/photos.yaml).
- New artifact that collects AIX failed login attemtps from /etc/security/failedlogin (live_response/system/who.yaml).

### Updated Artifacts

- /dev was removed from the exclusion list during deleted process collection ([#65](https://github.com/tclahr/uac/issues/65)).
- files/system/time_machine.yaml, files/system/wifi.yaml, files/applications/macos_dock.yaml are no longer available because the same artifacts are been collected by files/system/library_preferences.yaml.

### Deprecated Command Line Option

- '-o' command line switch is no longer available because it was replaced by '-s'.

### Deprecated Profiles

- 'full-with-memory-dump' profile is no longer available because '-a memory_dump/avml.yaml -p full' can be used instead.
- 'memory-dump-only' profile is no longer available because '-a memory_dump/avml.yaml' can be used instead.

### Fixed

- UAC now copies all collected artifacts to a destination directory if 'tar' tool is not available ([#63](https://github.com/tclahr/uac/issues/63)).

## 2.2.0 (2022-05-02)

### New Features

- VMware ESXi is now fully supported as an operating system. Note that ESXi is not built upon the Linux kernel, and uses its own VMware proprietary kernel (the VMkernel) and software. So it misses most of the applications and components that are commonly found in all Linux distributions ([#33](https://github.com/tclahr/uac/issues/33)).
- UAC now collects copies of '/proc/[pid]/exe' and their related '/proc/[pid]/fd/*' if they are shown up as being (deleted). They are copied using 'dd conv=swab' tool in order to avoid UAC output file being flagged and quarantined by any antivirus tool ([#36](https://github.com/tclahr/uac/issues/36)).
- Added '--s3-presigned-url' switch which allows for pushing the output file to S3 presigned URLs (if curl available) ([#38](https://github.com/tclahr/uac/issues/38)).
- Added '--s3-presigned-url-log-file' switch which allows for pushing the output log file to S3 presigned URLs (if curl available) ([#38](https://github.com/tclahr/uac/issues/38)).
- Added '--delete-local-on-successful-transfer' switch which will delete both local output and log files after they are successfully transferred either via sftp or to a presigned S3 URL.
- Added '--s3-presigned-url' switch which allows for pushing the output file to S3 pre-signed URLs (if curl available) ([#38](https://github.com/tclahr/uac/issues/38)).
- Added '--s3-presigned-url-log-file' switch which allows for pushing the output log file to S3 pre-signed URLs (if curl available) ([#38](https://github.com/tclahr/uac/issues/38)).
- Added '--delete-local-on-successful-transfer' switch which will delete both local output and log files after they are successfully transferred either via sftp or to a pre-signed S3 URL.
- AVML was updated to v0.6.1 ([#45](https://github.com/tclahr/uac/issues/45)).

### New Artifacts
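Review bot: the heading `## New Features` at the top of the 2.3.0 section is one level too high; the 2.2.0 section below uses `### New Features`, so as written 'New Features' renders as a sibling of the release heading instead of a child. Other points in this hunk: 'New artitact' (Photos entry) and 'failed login attemtps' (AIX entry) are typos; 'the same artifacts are been collected by' should read 'are now collected by'; and the two 'Deprecated' headings describe things that were removed outright ('is no longer available'), so 'Removed Command Line Option' and 'Removed Profiles' would match the entries. Since artifacts are now collected in command-line order, it is also worth saying explicitly that the old profile-first ordering no longer applies, as that is the behavioural change users are most likely to trip over.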
18 changes: 9 additions & 9 deletions CONTRIBUTING.md
@@ -2,7 +2,7 @@

We welcome contributions to the UAC project in many forms, and there's always plenty to do!

First things first, please review the project's [Code of Conduct](CODE_OF_CONDUCT.md) before participating. It is important that we keep things civil.
First things first, please review the project's [Code of Conduct](CODE_OF_CONDUCT.md) before participating. We must keep things civil.

Here are a couple of things we are looking for help with:

@@ -32,9 +32,9 @@ Share your experience with the community about how UAC is helping you by writing

Before you submit an issue, please search the issue tracker, maybe an issue for your problem already exists and the discussion might inform you of workarounds readily available.

We want to fix all the issues as soon as possible, but before fixing a bug we need to reproduce and confirm it. In order to reproduce bugs we will systematically ask you to provide sufficient information for someone else to reproduce the issue.
We want to fix all the issues as soon as possible, but before fixing a bug we need to reproduce and confirm it. To reproduce bugs we will systematically ask you to provide sufficient information for someone else to reproduce the issue.

Unfortunately, we are not able to investigate / fix bugs without a minimal reproduction, so if we don't hear back from you we are going to close an issue that doesn't have enough info to be reproduced.
Unfortunately, we are not able to investigate/fix bugs without a minimal reproduction, so if we don't hear back from you we are going to close an issue that doesn't have enough info to be reproduced.

### Submitting a Pull Request (PR)

@@ -44,7 +44,7 @@ The repo holds two main branches:

**master**: Where the source code of HEAD always reflects a production-ready state.

**develop**: Where the source code of HEAD always reflects a state with the latest delivered development changes for the next release. When the source code in the develop branch reaches a stable point and is ready to be released, all of the changes will be merged back into master and then tagged with a release number.
**develop**: Where the source code of HEAD always reflects a state with the latest delivered development changes for the next release. When the source code in the develop branch reaches a stable point and is ready to be released, all of the changes will be merged back into the master and then tagged with a release number.

All Pull Requests must be submitted to the **develop** branch.

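Review bot: changing 'merged back into master' to 'merged back into the master' makes the sentence worse, not better: `master` is a branch name here, and the surrounding text treats it as one ('Never send a Pull Request to master', 'All Pull Requests must be submitted to the **develop** branch'), so the article should be dropped again.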
@@ -84,7 +84,7 @@ git checkout -b my-feature-branch develop

1. Create your code following our [Coding Rules](#coding-rules).

1. Test your code against as many system as you can using the [uac-unit-test](https://github.com/tclahr/uac-unit-test). For instance, your code can fully work on a Linux but not on a FreeBSD system.
1. Test your code against as many systems as you can using the [uac-unit-test](https://github.com/tclahr/uac-unit-test). For instance, your code can fully work on a Linux but not on a FreeBSD system.

1. Commit your changes using a descriptive commit message that follows our [commit message guidelines](#commit-message-guidelines). *Don’t commit code as an unrecognized author. Having commits with unrecognized authors makes it more difficult to track who wrote which part of the code. Ensure your Git client is configured with the correct email address and linked to your GitHub user.*

@@ -98,7 +98,7 @@ git checkout -b my-feature-branch develop
git push origin my-feature-branch
```

1. In GitHub, open a Pull Request and select the **develop** branch as base. Never send a Pull Request to master.
1. In GitHub, open a Pull Request and select the **develop** branch as the base. Never send a Pull Request to master.

- If we suggest changes then:
- Make the required updates using the same branch.
@@ -173,14 +173,14 @@ Must be one of the following:
- **fix**: A bug fix.
- **perf**: A code change that improves performance.
- **refactor**: A code change that neither fixes a bug nor adds a feature.
- **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc).
- **style**: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc).
### Subject
The subject contains succinct description of the change:
The subject must contain a succinct description of the change:
- use the imperative, present tense: "change" not "changed" nor "changes"
- don't capitalize first letter
- don't capitalize the first letter
- no dot (.) at the end

### Body
16 changes: 11 additions & 5 deletions README.md
@@ -41,7 +41,7 @@ Project documentation page: [https://tclahr.github.io/uac-docs](https://tclahr.g

## 💾 Supported Operating Systems

UAC runs on any Unix-like system (regardless the processor architecture). All UAC needs is shell :)
UAC runs on any Unix-like system (regardless of the processor architecture). All UAC needs is shell :)

[![AIX](https://img.shields.io/static/v1?label=&message=AIX&color=brightgreen&style=for-the-badge)](https://github.com/tclahr/uac/actions)
[![Android](https://img.shields.io/static/v1?label=&message=Android&color=green&style=for-the-badge)](https://github.com/tclahr/uac/actions)
@@ -62,7 +62,7 @@ UAC runs on any Unix-like system (regardless the processor architecture). All UA

UAC does not need to be installed on the target system. You only need to download the latest version from the [releases page](https://github.com/tclahr/uac/releases), uncompress and run it. As simple as that!

A profile name and/or a list of artifacts, and the destination directory need to be provided in order to run a collection. The remaining parameters are optional.
A profile name and/or a list of artifacts, and the destination directory need to be provided to run a collection. The remaining parameters are optional.

Common usage scenarios may include the following:

@@ -84,13 +84,19 @@ Common usage scenarios may include the following:
./uac -p full -a \!bodyfile/bodyfile.yaml /tmp
```

**Note that when a profile and a list of artifacts are provided, the artifacts from the profile will always be collected first, even if the parameter ```-a``` was provided before ```-p``` in the command line. In the example below, the ```memory_dump/avml.yaml``` artifact will only be collected after all artifacts from ```full``` profile were collected.**
**Collect the memory dump, then all artifacts based on the ```full``` profile.**

```shell
./uac -a memory_dump/avml.yaml -p full /tmp
```

**Collect all artifacts based on the ```full``` profile, but limiting the data collection based on the date range provided.**
**Collect the memory dump, then all artifacts based on the ```ir_triage``` profile excluding the ```bodyfile/bodyfile.yaml``` artifact.**

```shell
./uac -a memory_dump/avml.yaml -p ir_triage -a \!bodyfile/bodyfile.yaml /tmp
```

**Collect all artifacts based on the ```full``` profile, but limit the data collection based on the date range provided.**

```shell
./uac -p full /tmp --date-range-start 2021-05-01 --date-range-end 2021-08-31
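Review bot: the removed bold paragraph was the only place the README stated how `-a` and `-p` interact, and the new examples only make sense if the reader already knows the rule changed to command-line order (memory dump first, then the `ir_triage` profile, then the `bodyfile` exclusion). Add one sentence before the first `-a ... -p ...` example saying that artifacts and profiles are collected in the order they appear on the command line. The `\!bodyfile/bodyfile.yaml` form also deserves a short note that the backslash is only there to stop interactive shells from expanding `!`; when the same command is run from a script the escape is harmless but puzzling.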
@@ -110,7 +116,7 @@ Please check the [project documentation page](https://tclahr.github.io/uac-docs)

Have you created your own artifact files? Please share them with us!

You can contribute with new artifacts, profiles, bug fixes or even proposing new features. Please read our [Contributing Guide](CONTRIBUTING.md) before submitting a Pull Request to the project.
You can contribute with new artifacts, profiles, bug fixes or even propose new features. Please read our [Contributing Guide](CONTRIBUTING.md) before submitting a Pull Request to the project.

***

4 changes: 2 additions & 2 deletions artifacts/files/applications/addressbook.yaml
@@ -10,12 +10,12 @@ artifacts:
description: Collect AddressBook Metadata files.
supported_os: [macos]
collector: file
path: /%user_home%/Library/"Application Support"/AddressBook/Metadata/*
path: /%user_home%/Library/"Application Support"/AddressBook/Metadata
exclude_nologin_users: true
-
description: Collect AddressBook Image files.
supported_os: [macos]
collector: file
path: /%user_home%/Library/"Application Support"/AddressBook/Images/*
path: /%user_home%/Library/"Application Support"/AddressBook/Images
exclude_nologin_users: true

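Review bot: dropping the trailing `/*` from both `path` values turns a shell-expanded glob into a bare directory, which is only equivalent if the `file` collector walks the directory itself. The filezilla.yaml hunk in this same commit pairs a bare directory path with `name_pattern` and `file_type: f`, which suggests that it does, but nothing in the commit says so; a sentence in the commit message or the artifact format docs stating that `path` may be a directory and is recursed would make the intent of this edit (and the identical ones in aspera_connect.yaml, discord.yaml, dropbox.yaml, filezilla.yaml and icloud.yaml below) clear to anyone writing new artifact files.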
4 changes: 2 additions & 2 deletions artifacts/files/applications/aspera_connect.yaml
@@ -4,13 +4,13 @@ artifacts:
description: Collect Aspera Client file lists.
supported_os: [linux, macos]
collector: file
path: /%user_home%/.aspera/connect/filelists/*
path: /%user_home%/.aspera/connect/filelists
exclude_nologin_users: true
-
description: Collect Aspera Client logs.
supported_os: [linux, macos]
collector: file
path: /%user_home%/.aspera/connect/var/log/*
path: /%user_home%/.aspera/connect/var/log
exclude_nologin_users: true
-
description: Collect Aspera Client sqlite database.
4 changes: 2 additions & 2 deletions artifacts/files/applications/discord.yaml
@@ -25,13 +25,13 @@ artifacts:
description: Collect Discord cache files.
supported_os: [macos]
collector: file
path: /%user_home%/Library/"Application Support"/discord/Cache/*
path: /%user_home%/Library/"Application Support"/discord/Cache
exclude_nologin_users: true
-
description: Collect Discord leveldb files.
supported_os: [macos]
collector: file
path: /%user_home%/Library/"Application Support"/discord/"Local Storage"/leveldb/*
path: /%user_home%/Library/"Application Support"/discord/"Local Storage"/leveldb
exclude_nologin_users: true

# Discord is a cloud-based application. All chats are in the cloud.
2 changes: 1 addition & 1 deletion artifacts/files/applications/dropbox.yaml
@@ -4,7 +4,7 @@ artifacts:
description: Collect Dropbox Cloud Storage metadata.
supported_os: [linux, macos]
collector: file
path: /%user_home%/.dropbox/*
path: /%user_home%/.dropbox
file_type: f
ignore_date_range: true
exclude_nologin_users: true
8 changes: 3 additions & 5 deletions artifacts/files/applications/filezilla.yaml
@@ -1,20 +1,18 @@
version: 1.0
version: 2.0
artifacts:
-
description: Collect FileZilla XML and sqlite files.
supported_os: [linux, macos]
collector: file
path: /%user_home%/.config/filezilla/*
path: /%user_home%/.config/filezilla
name_pattern: ["*.xml*", "*.sqlite3*"]
file_type: f
ignore_date_range: true
exclude_nologin_users: true
-
description: Collect FileZilla XML and sqlite files (Flatpak version).
supported_os: [linux]
collector: file
path: /%user_home%/.var/app/org.filezillaproject.Filezilla/*
path: /%user_home%/.var/app/org.filezillaproject.Filezilla
name_pattern: ["*.xml*", "*.sqlite3*"]
file_type: f
ignore_date_range: true
exclude_nologin_users: true
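Review bot: `version` is bumped from 1.0 to 2.0 here for the same `/*` removal that addressbook.yaml, aspera_connect.yaml, discord.yaml, dropbox.yaml and icloud.yaml receive with no version change in their visible hunks. Either the version field is meant to track path changes, in which case the other files need the same bump, or it is not, in which case this bump is noise; whichever it is should be applied consistently across the commit.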
2 changes: 1 addition & 1 deletion artifacts/files/applications/icloud.yaml
@@ -4,7 +4,7 @@ artifacts:
description: Collect iCloud accounts information files.
supported_os: [macos]
collector: file
path: /%user_home%/Library/"Application Support"/iCloud/Accounts/*
path: /%user_home%/Library/"Application Support"/iCloud/Accounts
exclude_nologin_users: true
-
description: Collect iCloud local databases that contain information about files that have been imported from the local computer or synced remotely from the iCloud.