Closed mnrkbys closed 3 months ago
Hi. Yes, you need to use a combination of the find and command collectors. First, use the find collector to find your files of interest. You can store them in a temporary location (%temp_directory%) if you do not want them to be part of the output file.
Then you need to use the command collector to go through each line (using foreach) and run your dpkg command.
Never use find with the command collector, as some systems do not accept -exec, or even operators ( ).
The find collector will build the find command on the fly for you.
Note that the first example only works with the code in the develop branch (which is the future UAC v3), as some properties are new and do not work with UAC v2. If you want to run this in UAC 2.9.1, please take a look at the second example.
Works only in UAC v3.

```yaml
version: 0.1
condition: command_exists "dpkg"
artifacts:
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /sbin/*
    file_type: [f, l]
    output_directory: /%temp_directory%/live_response/packages
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /usr/sbin/*
    file_type: [f, l]
    output_directory: /%temp_directory%/live_response/packages
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /bin/*
    file_type: [f, l]
    output_directory: /%temp_directory%/live_response/packages
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /usr/bin/*
    file_type: [f, l]
    output_directory: /%temp_directory%/live_response/packages
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /opt/*
    file_type: [f, l]
    output_directory: /%temp_directory%/live_response/packages
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /usr/local/*
    file_type: [f, l]
    output_directory: /%temp_directory%/live_response/packages
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: command
    foreach: cat /%temp_directory%/live_response/packages/binary_files.txt
    command: dpkg -S "%line%"
    output_directory: /live_response/packages
    output_file: dpkg_-S.txt
```
Works only in UAC 2.9.1

```yaml
version: 0.1
artifacts:
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /sbin/*
    file_type: f
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /usr/sbin/*
    file_type: f
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /bin/*
    file_type: f
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /usr/bin/*
    file_type: f
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /opt/*
    file_type: f
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: find
    path: /usr/local/*
    file_type: f
    output_file: binary_files.txt
  -
    description: Search for a filename from installed packages.
    supported_os: [linux]
    collector: command
    foreach: cat "%destination_directory%/binary_files.txt"
    command: dpkg -S "%line%"
    output_file: dpkg_-S.txt
```
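The artifacts above produce a dpkg_-S.txt with one `dpkg -S` result per collected path. What an analyst usually wants from that file is the list of binaries in system directories that no installed package claims, since those are the candidates for manual review. The script below is an added example, not part of the UAC project or of the artifacts posted in this thread; it post-processes a constructed sample of `dpkg -S` output. It assumes the collector command was written as `dpkg -S "%line%" 2>&1`, because the "no path found" message is printed to stderr and would otherwise not land in the output file; the function names (`unowned_paths`, `owned_paths`, `unowned_count`) are this example's own.

```sh
#!/bin/sh
# Added example: post-process dpkg -S results collected per file by the
# UAC command collector. Not UAC project code.
#
# dpkg -S prints "package: /path" for a file owned by an installed package,
# and "dpkg-query: no path found matching pattern /path" (on stderr, with
# exit status 1) when nothing owns it. Run the collector command with 2>&1
# so both kinds of line end up in dpkg_-S.txt.

# Constructed sample of a dpkg_-S.txt (not real collector output).
SAMPLE_DPKG_OUTPUT='coreutils: /bin/ls
dpkg-query: no path found matching pattern /usr/local/bin/helper
bash: /bin/bash
dpkg-query: no path found matching pattern /opt/vendor/agent
openssh-client: /usr/bin/ssh'

# Read dpkg -S output on stdin; print one unowned path per line.
unowned_paths() {
    sed -n 's/^dpkg-query: no path found matching pattern //p'
}

# Read dpkg -S output on stdin; print "package path" for each owned file.
# The path must start with "/" so the dpkg-query error line is not matched.
owned_paths() {
    sed -n 's/^\([^:][^:]*\): \(\/.*\)$/\1 \2/p'
}

# Convenience: number of unowned paths in the file named by $1.
unowned_count() {
    unowned_paths < "$1" | grep -c '^'
}

# Stand-alone usage: triage the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_DPKG_OUTPUT" > "$tmp"
    echo "Paths not owned by any installed package:"
    unowned_paths < "$tmp"
    echo "Total unowned: $(unowned_count "$tmp")"
    rm -f "$tmp"
fi
```

Run with `sh triage.sh --demo` to see the two unowned paths from the sample. Note that `dpkg -S` matches the path literally against what the dpkg database recorded at install time and does not resolve symlinks, so a file reached through a symlinked directory can show up as unowned even though its package is installed; treat the unowned list as a starting point for review rather than a verdict.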
Thank you, @tclahr ! I will test the artifacts that you explained. Then, I will also submit a pull request, if I can.
Hi, I am trying to create new artifacts like below:
It is intended to verify that files under the specified directory are included in the installed package. The uac.log records that the command was executed, but the output destination file is zero bytes.
Is there a better alternative?