UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
For example, the following artifact's command is "ps -axo pid,user,etime,args", but its output_file is "ps_-eo_pid_user_etime_args.txt".
Is this an intentional setting?
```yaml
  -
    description: Report a snapshot of the current processes including elapsed time since the process was started.
    supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
    collector: command
    command: ps -axo pid,user,etime,args
    output_file: ps_-eo_pid_user_etime_args.txt
```
The same applies below.
```yaml
  -
    description: Report a snapshot of the current processes including time the command started.
    supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
    collector: command
    command: ps -axo pid,user,lstart,args
    output_file: ps_-eo_pid_user_lstart_args.txt
  -
    description: Report a snapshot of the current processes including the control groups to which the process belongs.
    supported_os: [linux]
    collector: command
    command: ps -axo pid,user,cgroup
    output_file: ps_-eo_pid_user_cgroup.txt
```
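A small consistency check for this kind of naming drift, as an added example that is not UAC's own code. It assumes the convention visible in the quoted entries (the command string with spaces and commas turned into underscores, plus a `.txt` suffix); the page does not document that rule, so treat the derived name as a heuristic that flags entries for review. The sample artifact list is constructed here to mirror the issue, and the minimal parser handles only the flat `key: value` list shape shown above rather than full YAML.

```python
"""Flag UAC-style artifact entries whose output_file does not match their command."""
import re

# Constructed sample mirroring the entries quoted in the issue, plus one consistent entry.
SAMPLE_ARTIFACT_YAML = """\
artifacts:
  -
    description: Report a snapshot of the current processes including elapsed time since the process was started.
    supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
    collector: command
    command: ps -axo pid,user,etime,args
    output_file: ps_-eo_pid_user_etime_args.txt
  -
    description: Report a snapshot of the current processes including the control groups to which the process belongs.
    supported_os: [linux]
    collector: command
    command: ps -axo pid,user,cgroup
    output_file: ps_-eo_pid_user_cgroup.txt
  -
    description: Constructed entry whose output_file follows the observed convention.
    supported_os: [linux]
    collector: command
    command: ps -eo pid,user,args
    output_file: ps_-eo_pid_user_args.txt
"""


def parse_artifacts(text):
    """Parse the flat '-' / 'key: value' list subset used above (no PyYAML needed)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "artifacts:":
            continue
        if line == "-":
            current = {}
            entries.append(current)
            continue
        key, _, value = line.partition(":")
        if current is not None:
            current[key.strip()] = value.strip()
    return entries


def expected_output_file(command):
    """Derive the output_file name implied by the observed convention.

    Assumption (inferred from the quoted entries, not documented on the page):
    spaces and commas in the command become underscores and '.txt' is appended.
    """
    return re.sub(r"[ ,]", "_", command.strip()) + ".txt"


def find_mismatches(entries):
    """Return (command, actual_output_file, expected_output_file) for each drifted entry."""
    mismatches = []
    for entry in entries:
        if entry.get("collector") != "command":
            continue
        expected = expected_output_file(entry.get("command", ""))
        actual = entry.get("output_file", "")
        if actual != expected:
            mismatches.append((entry["command"], actual, expected))
    return mismatches


if __name__ == "__main__":
    for command, actual, expected in find_mismatches(parse_artifacts(SAMPLE_ARTIFACT_YAML)):
        print(f"command={command!r}\n  output_file={actual!r}\n  expected   ={expected!r}")
```

Running the check over a real artifacts directory only requires feeding each file's contents to `parse_artifacts`; a mismatch is not necessarily a bug, since the project may intend stable output names across flag changes, but a list of drifted entries is what a reviewer needs to decide that case by case.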