tclahr / uac

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
https://tclahr.github.io/uac-docs
Apache License 2.0

artif: new eBPF artifacts #265

Closed mnrkbys closed 3 weeks ago

mnrkbys commented 1 month ago

Added new artifacts to list, show, and dump pinned eBPF programs.

mnrkbys commented 4 weeks ago

Indeed, that sounds better. I am going to split this yaml file.

tclahr commented 3 weeks ago

What is the reason for using cut -c1-8? Also, as uac removes any aliases to commands, I think you can use ls /sys/fs/bpf, as I believe some busybox-based systems do not support -A.

mnrkbys commented 3 weeks ago

As shown below, bpftool only recognizes the first 8 characters of the tagged eBPF program name. Therefore, the cut command is used. Of course, other commands can be substituted if they seem more suitable. Also, as you mentioned, the -A option is unnecessary, so I will remove it.

john@localhost:~/Documents/src/ebpf> sudo bpftool prog load xdp_prog_kern.bpf.o /sys/fs/bpf/xdp_prog_kern
[sudo] password for root: 
john@localhost:~/Documents/src/ebpf> sudo ls -al /sys/fs/bpf/
total 0
drwx-----T 2 root root 0 Aug 23 21:46 .
drwxr-xr-x 7 root root 0 Aug  2 16:43 ..
-rw------- 1 root root 0 Aug  2 16:57 hello
-rw------- 1 root root 0 Aug 23 21:46 xdp_prog_kern
john@localhost:~/Documents/src/ebpf> sudo bpftool prog show name xdp_prog_kern
john@localhost:~/Documents/src/ebpf> sudo bpftool prog show name xdp_prog
335: xdp  name xdp_prog  tag 3b185187f1855c4c  gpl
        loaded_at 2024-08-23T21:46:13+0900  uid 0
        xlated 16B  jited 27B  memlock 4096B
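An added example, not part of UAC or this pull request, of collecting the same pinned-eBPF artifacts from a shell: it walks the bpffs mount recursively and asks bpftool about each pin by its path (bpftool prog show pinned, bpftool map show pinned, bpftool prog dump xlated pinned), so the object name never has to be derived from the file name. The BPFFS and BPFTOOL variables and the collect_pinned_bpf function are assumptions of this example, chosen so it can also be exercised offline against a stub.

```shell
#!/bin/sh
# Walk the bpffs pin hierarchy and describe each pinned object with bpftool,
# addressing every pin by path so the in-kernel name is never guessed.
# BPFFS and BPFTOOL are overridable (assumption of this example) so the
# function can be run against a test directory and a stub bpftool.
BPFFS="${BPFFS:-/sys/fs/bpf}"
BPFTOOL="${BPFTOOL:-bpftool}"

# Usage: collect_pinned_bpf [OUTDIR]
# Prints one "pin-path<TAB>kind<TAB>first line of bpftool show" per pinned
# object. When OUTDIR is given, the xlated bytecode of each pinned program
# is also written to OUTDIR/<pin path relative to BPFFS, '/' -> '_'>.xlated.
collect_pinned_bpf() {
    outdir="$1"
    [ -d "$BPFFS" ] || return 1
    # Pins are regular files and may sit in subdirectories, so walk recursively.
    find "$BPFFS" -type f 2>/dev/null | while IFS= read -r pin; do
        if desc=$("$BPFTOOL" prog show pinned "$pin" 2>/dev/null) && [ -n "$desc" ]; then
            kind=prog
        elif desc=$("$BPFTOOL" map show pinned "$pin" 2>/dev/null) && [ -n "$desc" ]; then
            kind=map
        else
            # Neither a program nor a map (e.g. a pinned link), or bpftool failed.
            kind=unknown
            desc='-'
        fi
        printf '%s\t%s\t%s\n' "$pin" "$kind" "$(printf '%s\n' "$desc" | head -n 1)"
        if [ "$kind" = prog ] && [ -n "$outdir" ]; then
            mkdir -p "$outdir"
            rel=${pin#"$BPFFS"/}
            name=$(printf '%s' "$rel" | tr '/' '_')
            "$BPFTOOL" prog dump xlated pinned "$pin" > "$outdir/$name.xlated" 2>/dev/null || :
        fi
    done
}
```

On a live host this must run as root (or with CAP_BPF) and with a bpftool that matches the running kernel; the "unknown" rows are worth a second look, since they are pins bpftool could not classify.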