Folder missing from collection / differences in artifact counts

[anthony-pierce]

Noticed that the previous version 1.7 would gather the contents of the system's "tmp" directory, but 2.0.0 does not. Could this be added back in?

On another note noticed that by default "/live_response/process/proctree.yaml" is not being ran as part of the "-p full" or "-p full-with-memory" options. Would you be able to add that into both of those?
sudo ./uac -p full .= 181 artifacts
sudo ./uac -p full-with-memory .= 182 artifacts
sudo ./uac -a memory_dump/*,live_response/*,bodyfile/*,files/*,chkrootkit/*,hash_executables/* .= 183 artifacts

[tclahr]

Hi anthony-pierce,

I will add an artifact to grab the contents of the system's "/tmp" directory in the next release. In the meantime, you can create your own custom artifact based on the example below. I would create a tmp.yaml file and place it into artifacts/files/system directory.

version: 1.0
artifacts:
  -
    description: Collect system temporary files.
    supported_os: [all]
    collector: file
    path: /tmp/*
    file_type: f
    max_file_size: 5242880 # 5MB
  -
    description: Collect hidden system temporary files.
    supported_os: [all]
    collector: file
    path: /tmp
    name_pattern: [".*"]
    file_type: f
    max_file_size: 5242880 # 5MB
  -
    description: Collect system temporary files.
    supported_os: [macos]
    collector: file
    path: /private/tmp/*
    file_type: f
    max_file_size: 5242880 # 5MB
  -
    description: Collect hidden system temporary files.
    supported_os: [macos]
    collector: file
    path: /private/tmp
    name_pattern: [".*"]
    file_type: f
    max_file_size: 5242880 # 5MB

[tclahr]

'live_response/process/proctree.yaml' artifact file was added on both 'full' and 'full-with-memory-dump' profiles. Please check branch v2.1.0-dev.

[tclahr]

New artifact to collect temporary files located in the '/tmp' directory (files/system/tmp.yaml). Please check branch v2.1.0-dev.