Detect running processes that inserted BPF filters in the Linux server
Fix typo
Fix yaml typo in spotlight.yaml
Update ss.yaml to show bpf filters
Add output and log filenames to the Azure Storage SAS URL. Fixes tclahr#389
The output and log file names are now automatically appended to the URL provided in `--azure-storage-sas-url` ([tclahr#389](tclahr#389)). Consequently, the `--azure-storage-sas-url-log-file` option is no longer needed and has been removed.
fix: update statx binaries
feat: add statf tool for FreeBSD based systems
Fix azure sas storage url
fix: parse special permissions in statx binary
Add an action to close stale pull requests older than 180 days.
artif: add binfmt_misc artifact
Resolved a bug that prevented proper artifact collection when the mountpoint of a mounted disk image included spaces or special characters.
Fix mount point with spaces
feat: user-defined variables
Add one more parameter as command was added to _find_based_collector function.
feat: find collectors may include a command to use with xargs
Add artifacts
artif: add additional possible persistence locations
Move artifact to a different artifact directory. Add changelog. Collect the SSH private key path only, and not the full key content.
Add System.map* to avml.yaml.
artif: collect /boot
fix: look for systemd journal only in /var/log
artif: collect SSH public keys, test secret keys for null passphrases
Not only is the new name more descriptive, it's a lot less hassle in both the "uac" code and also for later analysis. Signed-off-by: Hal Pomeranz <hrpomeranz@gmail.com>
Unit tests will need to be updated to account for the new directory name.
Renaming "[root]" to "collected_files" makes things easier in the `uac` code and also for analysts using the collected files.

I'm not wedded to "collected_files" if you want to change the name to something else. There are only a very few spots in the `uac` script that needed to change.

This is apropos of Issue #435.