tclahr / uac

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
https://tclahr.github.io/uac-docs
Apache License 2.0

The command of some artifacts in ps.yaml doesn't match their output_file #259

Closed mnrkbys closed 1 month ago

mnrkbys commented 1 month ago

For example, the following artifact's command is "ps -axo pid,user,etime,args", but its output_file is "ps_-eo_pid_user_etime_args.txt". Is this an intentional setting?

  -
    description: Report a snapshot of the current processes including elapsed time since the process was started.
    supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
    collector: command
    command: ps -axo pid,user,etime,args
    output_file: ps_-eo_pid_user_etime_args.txt

The same applies below.

  -
    description: Report a snapshot of the current processes including time the command started.
    supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
    collector: command
    command: ps -axo pid,user,lstart,args
    output_file: ps_-eo_pid_user_lstart_args.txt
  -
    description: Report a snapshot of the current processes including the control groups to which the process belongs.
    supported_os: [linux]
    collector: command
    command: ps -axo pid,user,cgroup
    output_file: ps_-eo_pid_user_cgroup.txt
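
An added lint check (not part of UAC) that catches this class of inconsistency by deriving the expected output_file from each artifact's command. It assumes the naming convention visible in the entries above (spaces and commas replaced by underscores, plus a .txt suffix) and parses only the flat key: value shape shown in this issue, so it needs no PyYAML:

```python
# Constructed sample in the shape of UAC's ps.yaml: the first entry follows
# the naming convention, the second reproduces the mismatch reported above.
SAMPLE_YAML = """\
artifacts:
  -
    description: Report a snapshot of the current processes.
    supported_os: [linux]
    collector: command
    command: ps -eo pid,user,etime,args
    output_file: ps_-eo_pid_user_etime_args.txt
  -
    description: Report a snapshot of the current processes including elapsed time.
    supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
    collector: command
    command: ps -axo pid,user,etime,args
    output_file: ps_-eo_pid_user_etime_args.txt
"""

def parse_artifacts(text):
    """Minimal stdlib-only parser for the flat 'key: value' items of an artifact list."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "-":  # a bare dash opens the next list item
            current = {}
            entries.append(current)
        elif current is not None and ": " in stripped:
            key, value = stripped.split(": ", 1)
            current[key] = value
    return entries

def expected_output_file(command):
    """Convention assumed from the entries in this issue: spaces and commas become '_', then '.txt'."""
    return command.strip().replace(" ", "_").replace(",", "_") + ".txt"

def find_mismatches(text):
    """Return (command, actual output_file, expected output_file) for every offending entry."""
    bad = []
    for entry in parse_artifacts(text):
        if entry.get("collector") != "command":
            continue  # only command collectors name their file after the command
        expected = expected_output_file(entry["command"])
        if entry.get("output_file") != expected:
            bad.append((entry["command"], entry.get("output_file"), expected))
    return bad
```

Running find_mismatches(SAMPLE_YAML) reports the second entry, with ps_-axo_pid_user_etime_args.txt as the expected name; pointing it at the real ps.yaml text would flag all three entries quoted above.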

tclahr commented 1 month ago

No, it is not intentional. I will fix it. Thanks!

tclahr commented 1 month ago

Actually, can you update your PR #260 to apply the changes to the output_file above as well, please?

mnrkbys commented 1 month ago

Sure! I will update it.

mnrkbys commented 1 month ago

PR #260 was merged.