uac-3.1.0

Changelog

All notable changes to this project will be documented in this file.

3.1.0 (2025-03-20)

Highlights

• Added collection of hidden /etc/ld.so.preload using debugfs and xfs_db tools, enhancing visibility into stealthy Linux rootkits.
• Added artifact to list immutable files on Linux systems.
• Numerous artifacts added to collect information about recently accessed files on popular BSD and Linux systems.
• Introduced a new offline_ir_triage profile for offline triage collections.

Added

• chkrootkit/hidden_etc_ld_so_preload.yaml: Added collection of hidden /etc/ld.so.preload using debugfs and xfs_db tools [linux]. (by mnrkbys)
• files/applications/ark.yaml: Added collection of metadata about recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd].
• files/applications/atftp.yaml: Added collection of atftp history files [all]. (by Pierre-Gronau-ndaal)
• files/applications/dolphin.yaml: Added collection of session data for the Dolphin file manager in the KDE desktop environment. This includes open directories and their paths [freebsd, linux, netbsd, openbsd].
• files/applications/dragon_player.yaml: Added collection of paths to recently opened video files using Dragon Player [freebsd, linux, netbsd, openbsd].
• files/applications/geany.yaml: Added collection of metadata about recently opened files in the Geany text editor [freebsd, linux, netbsd, openbsd].
• files/applications/gedit.yaml: Added collection of metadata about recently opened files in the Gedit text editor [freebsd, linux, netbsd, openbsd].
• files/applications/gnome_text_editor.yaml: Added collection of metadata about recently opened files in the Gnome Text Editor [freebsd, linux, netbsd, openbsd].
• files/applications/katesession.yaml: Added collection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
• files/applications/kde_mru.yaml: Added collection of metadata about recently opened files in KDE [freebsd, linux, netbsd, openbsd].
• files/applications/nano.yaml: Added collection of nano history files [all]. (by Pierre-Gronau-ndaal)
• files/applications/okular.yaml: Added collection of metadata related to documents opened using Okular, a KDE document viewer [freebsd, linux, netbsd, openbsd].
• files/applications/php.yaml: Added collection of PHP history files [all]. (by Pierre-Gronau-ndaal)
• files/browsers/konqueror.yaml: Added collection of Konqueror browser history, bookmark, cookies, cache, sessions, extensions and configuration files [linux]. (by Pierre-Gronau-ndaal)
• files/system/aws_ssm_agent.yaml: Added collection of AWS Systems Manager Agent (SSM Agent) configuration files and logs [linux].
• files/system/azure_vm_agent.yaml: Added collection of Azure Linux VM Agent logs and executed scripts [linux].
• files/system/gvfs_metadata.yaml: Added collection of user-specific metadata from the gvfs-metadata directory [freebsd, linux, netbsd, openbsd].
• files/system/kactivitymanagerd.yaml: Added collection of activity tracking data from KActivityManager [freebsd, linux, netbsd, openbsd].
• files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux].
• files/system/xdg_autostart.yaml: Added collection of system-wide and user-specific XDG autostart files [linux].
• live_response/network/nmcli.yaml: Added displaying information from network connections managed by NetworkManager [linux].
• live_response/packages/0install.yaml: Added collection of installed packages managed by Zero Install [linux]. (by Pierre-Gronau-ndaal)
• live_response/packages/apk.yaml: Added collection of installed packages managed by apk package manager [linux]. (by Pierre-Gronau-ndaal)
• live_response/packages/cargo.yaml: Added collection of installed packages managed by cargo [all]. (by Pierre-Gronau-ndaal)
• live_response/packages/cargo.yaml: Added collection of installed packages managed by guix [linux]. (by Pierre-Gronau-ndaal)
• live_response/packages/conary.yaml: Added collection of installed packages managed by Conary [all]. (by Pierre-Gronau-ndaal)
• live_response/packages/kiss.yaml: Added collection of the installed packages managed by the KISS package manager [linux]. (by Pierre-Gronau-ndaal)
• live_response/packages/npm.yaml: Added collection of the installed packages managed by the npm package manager [linux]. (by Pierre-Gronau-ndaal)
• live_response/packages/package_owns_file.yaml: Added functionality to determine which installed package owns a specific file or command. This artifact is resource-intensive and time-consuming, so it is disabled by default in all profiles [linux]. (mnrkbys)
• live_response/packages/paludis.yaml: Added collection of the installed packages managed by the Paludis package manager [linux]. (by Pierre-Gronau-ndaal)
• live_response/packages/pkgin.yaml: Added functionality to list information for fully installed packages only [netbsd]. (by Pierre-Gronau-ndaal)
• live_response/packages/portage.yaml: Added collection of installed package lists using the Portage package management system [linux]. (by Pierre-Gronau-ndaal)
• live_response/packages/slackpkg.yaml: Added collection of installed and upgradable packages managed by the Slackpkg package manager [linux]. (by Pierre-Gronau-ndaal)
• live_response/packages/soar.yaml: Added collection of installed packages managed by Soar package manager [all]. (by Pierre-Gronau-ndaal)
• live_response/packages/tazpkg.yaml: Added collection of the installed packages managed by the Tazpkg package manager [linux]. (by Pierre-Gronau-ndaal)
• live_response/storage/findmnt.yaml: Added JSON output support for listing all mounted file systems [linux]. (by mnrkbys)
• live_response/storage/lsblk.yaml: Added JSON output support for listing block devices [linux]. (by mnrkbys)
• live_response/system/coredump.yaml: Added collection of information about core dump files [linux]. (by mnrkbys)
• live_response/system/getcap.yaml: Added functionality to collect a list of files with associated process capabilities [linux]. (by mnrkbys)
• live_response/system/group_name_unknown_files.yaml: List files with an unknown group ID name [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris].
• live_response/system/immutable_files.yaml: Added functionality to list immutable files on the system [linux].
• live_response/system/journalctl.yaml: Added collection of boot time period listings using journalctl [linux]. (by mnrkbys)
• live_response/system/sudo_lectured.yaml: Added collection of the timestamps of users who saw the sudo lecture message [all]. (by mnrkbys)
• live_response/system/ulimit.yaml: Added collection of all resource limits information [all]. (by mnrkbys)
• live_response/system/user_name_unknown_files.yaml: List files with an unknown user ID name [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris].
• memory_dump/coredump.yaml: Added collection of core dump, ABRT, Apport, and kdump files [esxi, linux, netbsd]. (by mnrkbys)
• osquery/osquery.yaml: Added collection of multiple artifacts using OSQuery tool. Please note that the osqueryi binary is not included in the UAC package and must be manually placed in the bin directory [linux]. (by SolitudePy)

Changed

• files/logs/macos_unified_logs.yaml: Updated to include collection of ASL logs [macos]. (by Pierre-Gronau-ndaal)
• files/system/job_scheduler.yaml: Updated to include anacron job scheduler [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]. (by 0xThiebaut)
• live_response/packages/dpkg.yaml: Updated to validate all installed packages by comparing the installed files against the package metadata stored in the dpkg database [linux]. (by Pierre-Gronau-ndaal)
• live_response/packages/snap.yaml: Updated collection to display installed packages including all revisions [linux]. (by Pierre-Gronau-ndaal)
• live_response/packages/swupd.yaml: Updated to list all available bundles for the current version of Clear Linux [linux]. (by Pierre-Gronau-ndaal)
• live_response/process/ps.yaml: Updated to collect the system date before reporting a snapshot of the current processes including elapsed time since the process was started [all].
• live_response/system/falconctl.yaml: Updated as falconctl -g is no longer a valid option [linux, macos].
• memory_dump/avml.yaml: Updated output file name from avml.raw to avml.lime [linux].

Fixed

• Resolved an issue where the hash and stat collectors failed to function correctly when the `%user_hom...

uac-3.0.0

Changelog

3.0.0 (2024-10-22)

Features

• New '--enable-modifiers' command line option. Enabling this option will case UAC to run artifacts that change the current system state (#272).
• UAC now completely skips an artifact file (YAML) that has no artifacts to be collected for the target operating system. You can use '--artifacts list [OPERATING_SYSTEM]' to display artifacts for a specific operating system only.
• New output file formats:
  • none: Collected data will not be archived or compressed. Instead, it will be copied directly to an output directory (#188).
  • zip: Collected data will be archived and compressed into a zip file. Additionally, you can create a password-protected zip file using the '--output-password' option (#149).
• You can now set a custom output file name using the '-o/--output-base-name' command line option. Variables are available to format the filename (#179).
• Now you have the option to supply a file path to a custom profile located outside the profiles directory.
• Now you have the option to supply a file path to a custom artifact located outside the artifacts directory (#154).
• Now you can have the option to supply a file path to a custom config file located outside the config directory using the '-c/--config' command line option.
• New remote transfer options for Amazon, Google and IBM cloud storage locations.
• UAC will now use 'wget' to transfer files to remote cloud storage locations when 'curl' is not available.
• You can now increase the verbosity level using the '-v/--verbose' command line option. Enabling a higher verbosity level will result in the display of all executed commands.
• UAC will now use the built-in function 'astrings' to extract strings from binary files when 'strings' is not available on the system.
• The message 'The strings command requires the command line developer tools.' will no longer appear on macOS systems without developer tools installed (#171).
• Error messages generated by executed commands (stderr) are now recorded in the uac.log file (#150).
• New '-H/--hash-collected' command line option. Enabling this option will cause UAC to hash all collected files and save the results in a hash file. To accomplish this, all collected data must first be copied to the destination directory. Therefore, ensure you have twice the free space available on the system: once for the collected data and once for the output file. Additionally, note that this process will increase the running time (#189).
• You can now validate profiles using the '--validate-profile' command line option.

Artifacts

• bodyfile/bodyfile.yaml: Updated to remove max_depth limit.
• files/applications/git.yaml: Added collection of files that can be used to run persistence [linux, macos] (mnrkbys).
• files/applications/lesshst.yaml: Added less history file (.lesshst) collection [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris] (mnrkbys).
• files/applications/whatsapp.yaml: Added collection of WhatsApp Desktop files [macos].
• files/logs/additional_logs.yaml: Artifact was renamed to advanced_log_search.yaml.
• files/logs/relink.yaml: Added collection of the kernel relink log file [openbsd] (Herbert-Karl).
• files/logs/run_log.yaml: Added collection of /run/log directory.
• files/packages/apt.yaml: Add artifacts to collect package manager plugins/scripts [linux] (mnrkbys).
• files/packages/dnf.yaml: Add artifacts to collect package manager plugins/scripts [linux] (mnrkbys).
• files/packages/pkg_contents.yaml: Updated to collect FreeBSD installed packages database [freebsd] (Herbert-Karl).
• files/packages/yum.yaml: Add artifacts to collect package manager plugins/scripts [linux] (mnrkbys).
• files/system/acct.yaml: Added collection of system accounting files [freebsd, netbsd, openbsd] (Herbert-Karl).
• files/system/acct.yaml: Updated to collect system accounting files [solaris] (sec-hbaer).
• files/system/dev_db.yaml: Added collection of the database file used for device lookups [netbsd, openbsd] (Herbert-Karl).
• files/system/dev_shm.yaml: Updated to increase max_file_size to 10MB.
• files/system/locate_db.yaml: Added collection of the database file used by locate command, representing a snapshot of the virtual file system accessible with minimal permissions [freebsd, netbsd, openbsd] (Herbert-Karl).
• files/system/netscaler.yaml: Updated to increase max_file_size to 10MB.
• files/system/run_shm.yaml: Updated to increase max_file_size to 10MB.
• files/system/security_backups.yaml: Added collection of file backups and hashes created by the integrated security script [freebsd, netbsd, openbsd] (Herbert-Karl).
• files/system/systemd.yaml: Updated to add new locations for configuration files.
• files/system/tmp.yaml: Updated to increase max_file_size to 10MB.
• files/system/udev.yaml: Added collection of udev rule files (mnrkbys).
• files/system/var_tmp.yaml: Updated to increase max_file_size to 10MB.
• hash_executables/hash_executables.yaml: Updated to remove max_depth and max_file_size properties.
• live_response/containers/jls.yaml: Added collection of jails used on FreeBSD systems [freebsd] (Herbert-Karl).
• live_response/hardware/dmesg.yaml: Updated collection of console message bufffer [esxi, freebsd, netscaler, openbsd, solaris] (Herbert-Karl).
• live_response/modifiers/revel_hidden_processes.yaml: Added command to umount filesystems mounted onto a directory that tipically corresponds to a process ID (PID) [linux] (halpomeranz).
• live_response/network/procfs_information.yaml: Added collection of TCP and UDP network details from /proc/net [linux].
• live_response/process/deleted.yaml: Collection of deleted processes will no longer use dd conv=swab. The binary file will be collected in its raw format now [linux].
• live_response/process/deleted.yaml: Updated to fix the collection of open files of (malicious) processes [linux] (mnrkbys).
• live_response/process/hash_running_processes.yaml: Updated to add support to hash running processes on FreeBSD systems that are using procfs (/proc) [freebsd].
• live_response/process/procfs_information.yaml: Added artifact collection using cat when strings is not available.
• live_response/process/procfs_information.yaml: Updated to collect /proc/*/mount [linux] (halpomeranz).
• live_response/process/procfs_information.yaml: Updated to collect /proc/*/stat [linux] (mnrkbys).
• live_response/process/strings_running_processes.yaml: Added collection of strings from running processes for ESXi systems [esxi].
• live_response/process/strings_running_processes.yaml: Added condition to check whether developer tools are installed before running strings on macOS [macos].
• live_response/process/strings_running_processes.yaml: Added support for collecting strings even when the strings command is unavailable. In such cases, the built-in astrings command will be used instead [all].
• live_response/storage/btrfs.yaml: Added collection of btrfs mountpoints, subvolumes and snapshots information [linux] (mnrkbys).
• live_response/system/acctadm.yaml: Added collection of configuration for extended accounting [solaris] (sec-hbaer).
• live_response/system/acctcom.yaml: Added collection of the last commands executed in a reverse order based on the default and historic accounting files [solaris] (sec-hbaer).
• live_response/system/bpftool.yaml: Added eBPF programs information collection using bpftool [linux] (mnrkbys).
• live_response/system/hidden_directories.yaml: Updated to remove max_depth limit.
• live_response/system/hidden_files.yaml: Updated to remove max_depth limit.
• live_response/system/kernel_tainted_state.yaml: Added collection of dmesg messages showing modules tainting the kernel [linux].
• live_response/system/lastcomm.yaml: Added collection of the last commands executed in a reverse order based on the default and historic accounting file [freebsd, netbsd, openbsd] (Herbert-Karl).
• live_response/system/lastcomm.yaml: Updated to collect the last commands executed in a reverse order based on the extended accounting file [solaris] (sec-hbaer).
• live_response/system/sgid.yaml: Updated to remove max_depth limit.
• live_response/system/socket_files.yaml: Updated to remove max_depth limit.
• live_response/system/suid.yaml: Updated to remove max_depth limit.
• live_response/system/sys_modules.yaml: Removed as it is was duplicate artifact with kernel_modules.yaml.
• live_response/system/world_writable_directories.yaml: Updated to remove max_depth limit.
• live_response/system/world_writable_files.yaml: Updated to remove max_depth limit.
• live_response/system/zoneadm.yaml: Artifact was moved to live_response/containers directory (Herbert-Karl).

Profiles

• files/applic...

uac-2.9.1

Changelog

2.9.1 (2024-06-12)

Fixes

• live_response/containers/docker.yaml: Fixed docker stats command that was running in a loop and therefore the program was not terminating [linux] (by 0xtter).
• live_response/containers/podman.yaml: Fixed docker stats command that was running in a loop and therefore the program was not terminating [linux].

Artifacts

• files/shell/history.yaml: Added collection support for *.historynew files [all].
• files/shell/sessions.yaml: Added collection support for *.session files [all] randomaccess3)

uac-2.9.0

Changelog

2.9.0 (2024-05-28)

Features

• uac.log and uac.log.stderr files were moved to the front of the output archive file (by rbcrwd).

Artifacts

• files/logs/macos.yaml: Updated collection support for auditd logs [macos] (by Pierre-Gronau-ndaal).
• files/logs/solaris.yaml: Added collection support for lastlog, wtmpx, utmpx, svc and webui logs that are stored outside /var/log directory [solaris] (by sec-hbaer).
• files/logs/var_log.yaml: Updated collection to support new system [esxi] (by Pierre-Gronau-ndaal).
• files/packages/pkg_contents.yaml: Updated collection support for NetBSD 10 [netbsd] (by Herbert-Karl).
• files/packages/pkg_contents.yaml: Updated collection support for package table of contents files [solaris] (by sec-hbaer).
• files/system/svc.yaml: Added collection support for svc manifest and method (service start) files [solaris] (by sec-hbaer).
• files/system/systemd.yaml: Updated collection to support artifacts related to transient and per-user systemd timers [linux] (by halpomeranz).
• files/system/var_ld.yaml: Added collection support for ld config files [solaris] (by sec-hbaer).
• live_response/containers/docker.yaml: Added collection support for resource usage statistics of each container [linux].
• live_response/containers/podman.yaml: Added collection support for resource usage statistics of each container [linux].
• live_response/packages/brew.yaml: Added collection support for packages installed through brew package manager [macos] (by Pierre-Gronau-ndaal).
• live_response/packages/equo.yaml: Added collection support for packages installed through Entropy package manager [linux] (by Pierre-Gronau-ndaal).
• live_response/packages/nix.yaml: Added collection support for packages installed through Nix package manager [linux] (by Pierre-Gronau-ndaal).
• live_response/packages/pip.yaml: Added collection support for Python packages installed through pip [linux] (by sanderu).
• live_response/packages/pisi.yaml: Added collection support for packages installed through pisi package manager [linux] (by Pierre-Gronau-ndaal).
• live_response/packages/pkg.yaml: Updated collection support for information about installed packages [solaris] (by sec-hbaer).
• live_response/packages/xbps.yaml: Added collection support for packages installed through XBPS package manager [linux] (by Pierre-Gronau-ndaal).
• live_response/packages/yay.yaml: Added collection support for packages installed through Yay [linux] (by Pierre-Gronau-ndaal).
• live_response/process/procfs_information.yaml: Added collection support for entries corresponding to memory-mapped files [linux].
• live_response/process/procfs_information.yaml: Added collection support for listing the contents of /proc/modules [linux].
• live_response/process/procfs_information.yaml: Added collection support for listing Unix sockets [linux].
• live_response/system/ebpf.yaml: Added collection support for listing pinned eBPF progs [linux].
• live_response/system/kernel_modules.yaml: Added collection support for listing available parameters per kernel module [linux].
• live_response/system/kernel_modules.yaml: Added collection support for listing loaded kernel modules to compare with /proc/modules [linux].
• live_response/system/modinfo.yaml: Added collection support for information about loaded kernel modules [linux, solaris] (by sanderu).

uac-2.8.0

Changelog

2.8.0 (2024-01-22)

Features

• --debug option now does not remove the uac-data.tmp directory created in the destination directory. This is the location where temporary and debugging data is stored during execution.

Artifacts

• files/applications/box_drive.yaml: Renamed to box.yaml.
• files/applications/box.yaml: Added collection support for Box log files [macos].
• files/applications/wget.yaml: Added collection support for wget hsts file. This file is used to store the HSTS cache for the wget utility [aix, esxi, freebsd, linux, macos, netbsd, openbsd, solaris] (by firexfly).
• files/browsers/brave.yaml: Updated collection support for Flatpak version [linux].
• files/browsers/chrome.yaml: Updated collection support for Flatpak version [linux].
• files/browsers/edge.yaml: Updated collection support for Flatpak version [linux].
• files/browsers/opera.yaml: Updated collection support for Flatpak version [linux].
• files/browsers/vivaldi.yaml: Updated collection support for Flatpak version [linux].
• files/packages/pkg_contents.yaml: Added collection support for package table of contents files [openbsd] (by Herbert-Karl).
• files/system/desktop.yaml: Added collection support for GUI shortcut files (.desktop) of users [freebsd, linux, netbsd, openbsd] (by Herbert-Karl).
• files/system/etc.yaml: Added "master.passwd" and "spwd.db" to the exclude_name_pattern list as they contain the hashed passwords of local users [freebsd, netbsd, netscaler, openbsd] (by Herbert-Karl).
• files/system/etc.yaml: Added exclusion for the group shadow files 'gshadow' and 'gshadow-'. Those files contain password hashes for groups [linux] (by Herbert-Karl).
• files/system/xsession_errors.yaml: Updated collection support for OpenBSD systems [openbsd] (by Herbert-Karl).
• live_response/network/ndp.yaml: Added collection support for kernel's IPv6 network neighbor cache [freebsd, netbsd, openbsd] (by Herbert-Karl).
• live_response/network/nft.yaml: Added collection support for complete nftables ruleset [linux] (by sanderu).
• live_response/network/ss.yaml: Updated collection support for processes listening on UDP ports/sockets [android, linux].
• live_response/vms/vmctl.yaml: Added collection support for information about running virtual machines on the OpenBSD using the native virtualization system [openbsd] (by Herbert-Karl).

Fixes

• Offline disk image mount point path was part of the file structure in [root] (by maxspl).
• Collected data was not being properly archived by tar in AIX systems.

Profiles

• profiles/offline.yaml: New 'offline' profile that can be used during offline collections (by randomaccess3).

Tools

• statx source code was moved to a dedicated repository at https://github.com/tclahr/statx

uac-2.7.0

Changelog

2.7.0 (2023-09-20)

Artifacts

• files/applications/findmy.yaml: Added the collection of the list of user's items/devices and items/devices info registered within the Find My application [macos].
• files/applications/rclone.yaml: Added the collection of rclone application configuration and log files [freebsd, linux, macos, netbsd, openbsd, solaris].
• files/applications/rustdesk.yaml: Added the collection of RustDesk application access logs and screen recording files [linux, macos].
• files/applications/splashtop.yaml: Added the collection of Splashtop application artifacts [linux, macos].
• files/applications/steam.yaml: Added the collection of Steam browser artifacts, avatar pictures, configuration and log files [linux, macos].
• files/applications/teamviewer.yaml: Added the collection of TeamViewer application artifacts [linux, macos].
• files/applications/thinlinc.yaml: Added the collection of ThinLinc application configuration files, connections and post-session logs [linux, macos].
• files/package/installed_applications: Added the collection of Info.plist from installed applications [macos].
• files/system/netscaler.yaml: Added the collection of '/var/vpn', '/var/netscaler/logon', and '/netscaler/ns_gui' system files and directories [netscaler].
• files/system/nsconfig.yaml: Deprecated. All artifacts were moved to 'files/system/netscaler.yaml' [netscaler].
• live_response/storage/mdadm.yaml: Added the collection of information on Linux software RAID [linux].
• live_response/storage/zpool.yaml: Added the collection of the command history of all pools [aix, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris].

Tools

• AVML updated to v0.12.0.

uac-2.6.0

Changelog

2.6.0 (2023-05-31)

Artifacts

• live_response/containers/lxc.yaml: Added the collection of information about all active and inactive Linux containers and virtual machines (LXD), including their configuration, network, and storage information [linux].
• live_response/containers/pct.yaml: Added the collection of information about all active and inactive Linux containers (LXC) running on Proxmox VE [linux].
• live_response/containers/pct.yaml: Added the collection of the current configuration of Linux containers (LXC) running on Proxmox VE [linux].
• live_response/containers/pct.yaml: Added the collection of the list of assigned CPU sets for each Linux container (LXC) running on Proxmox VE [linux].
• live_response/process/deleted.yaml: Added the collection of files being hidden in a memfd socket [linux].
• live_response/storage/arcstat.yaml: Added the collection of ZFS ARC and L2ARC statistics [freebsd, linux, netbsd, openbsd, solaris].
• live_response/storage/findmnt.yaml: Added the collection of all mounted filesystems in the tree-like format [linux].
• live_response/storage/iostat.yaml: Updated the collection of device I/O statistics [aix, freebsd, linux, openbsd, solaris].
• live_response/storage/iscsiadm.yaml: Added the collection of information about iSCSI connected devices [linux].
• live_response/storage/ls_dev_disk.yaml: Added the collection of the mapping of logical volumes with physical disks [linux].
• live_response/storage/pvesm.yaml: Added the collection of status for all Proxmox VE datastores [linux].
• live_response/system/ha-manager.yaml: Added the collection of information about Proxmox VE HA manager status [linux].
• live_response/system/hidden_directories.yaml: Updated max_depth value to 6 [all].
• live_response/system/hidden_files.yaml: Updated max_depth value to 6 [all].
• live_response/system/kernel_tainted_state.yaml: Added the collection of the kernel tainted state [linux].
• live_response/system/kernel_tainted_state.yaml: Added the collection of the list of what modules are marked at tainting the kernel [linux].
• live_response/system/pvecm.yaml: Added the collection of information about Proxmox VE local view of the cluster nodes [linux].
• live_response/system/pvecm.yaml: Added the collection of information about Proxmox VE local view of the cluster status [linux].
• live_response/system/pvesubscription.yaml: Added the collection of Proxmox VM subscription information [linux].
• live_response/system/pveum.yaml: Added the collection of Proxmox VE users and groups list [linux].
• live_response/system/pveversion.yaml: Added the collection of version information for Proxmox VE packages [linux].
• live_response/system/sgid.yaml: Updated max_depth value to 6 [all].
• live_response/system/socket_files.yaml: Updated max_depth value to 6 [all].
• live_response/system/suid.yaml: Updated max_depth value to 6 [all].
• live_response/system/world_writable_directories.yaml: Updated max_depth value to 6 [all].
• live_response/system/world_writable_files.yaml: Updated max_depth value to 6 [all].
• live_response/vms/qm.yaml: Added the collection of information about all active and inactive virtual machines running on Proxmox VE [linux].
• live_response/vms/qm.yaml: Added the collection of the current configuration of virtual machines running on Proxmox VE [linux].

Artifacts File

• 'loop_command' property was renamed to 'foreach'. Don't forget to update your custom artifacts files as 'loop_command' property name will be removed in the next release.

Tools

• AVML updated to v0.11.2.

uac-2.5.0

Features

• Added extraction of memory sections and strings from '/proc/[pid]/mem' using the data available in '/proc/[pid]/maps', even if processes are shown up as being (deleted). This functionality is enabled via 'tools/linux_procmemdump.sh' script.
• Artifacts file: Added a new option to define a custom output file name where the standard error messages (stderr stream) will be stored in. Please check the project's documentation page for more information.

Artifacts

• files/applications/anydesk.yaml: Added the collection of AnyDesk configuration, chat transcript, screenshot, session recording and trace files [freebsd, linux, macos].
• files/applications/box_drive.yaml: Added the collection of Box Drive client configuration and sqlite database files [macos].
• files/applications/qnap_qsync.yaml: Added the collection of QNAP Qsync client configuration and log files [linux, macos].
• files/applications/spotlight_shortcuts.yaml: Added the collection of searches that a user performed in the Spotlight application [macos].
• files/applications/synology_drive.yaml: Added the collection of Synology Drive client configuration, database and log files [linux, macos].
• files/system/coreanalytics.yaml: Added the collection of information about the system usage and application execution history [macos].
• files/system/powerlog.yaml: Added the collection of Powerlog archive files [macos].
• live_response/network/ip6tables.yaml: Added the collection of firewall rules information using ip6tables tool [android, linux].
• live_response/network/iptables.yaml: Updated command parameters to support legacy iptables versions [android, linux].
• live_response/network/lsof.yaml: Added the listing of UNIX domain socket files.
• live_response/packages/synopkg.yaml: Added the collection of installed packages on Synology DSM systems [linux].
• live_response/process/deleted.yaml: Added the collection of process memory sections and strings (for processes shown up as being deleted) from '/proc/[pid]/mem' [linux].
• live_response/system/lastlog.yaml: Added the collection of the last login log '/var/log/lastlog' file [linux].
• live_response/system/timedatectl.yaml: Added the collection of current settings of the system clock and RTC, including whether network time synchronization is active or not [linux].
• memory_dump/process_memory_sections_strings.yaml: Added the collection of process memory sections and strings from '/proc/[pid]/mem' [linux].
• memory_dump/process_memory_strings.yaml: Added the collection of process memory strings only from '/proc/[pid]/mem' [linux].

Profiles

• full.yaml: Updated the artifacts collection order. 'bodyfile/bodyfile.yaml' artifact is now collected sooner.
• ir_triage.yaml: Updated the artifacts collection order. 'bodyfile/bodyfile.yaml' artifact is now collected sooner.

Tools

• AVML updated to v0.11.0.

uac-2.4.1

Fixed

• macOS FSEvents were not being collected from additional volumes located at '/System/Volumes' (files/logs/macos.yaml).
• macOS Timesync files location was fixed (files/logs/macos_unified_logs.yaml).

uac-2.4.0

New Features

• Added '--ibm-cos-url' switch which allows for pushing the output file to IBM Cloud Object Storage (if curl is available) (#106).
• Added '--ibm-cos-url-log-file' switch which allows for pushing the output log file to IBM Cloud Object Storage (if curl is available) (#106).
• Added '--ibm-cloud-api-key' switch which is required for transferring files to IBM Cloud Object Storage (#106).
• Added '--azure-storage-sas-url' switch which allows for pushing the output file to Azure Storage using shared access signature (SAS) URLs (if curl is available) (#62).
• Added '--azure-storage-sas-url-log-file' switch which allows for pushing the output log file to Azure Storage using shared access signature (SAS) URLs (if curl is available) (#62).
• AVML was updated to v0.9.0.

New Artifacts

• New artifact that collects macOS Biome data files (if SIP is disabled) (files/system/biome.yaml).
• New artifact that collects macOS saved application state files (files/system/saved_application_state.yaml).
• New artifact that collects macOS Unified Logs UUID and Timesync files (files/logs/macos_unified_logs.yaml).
• New artifact that collects macOS System Integrity Protection (SIP) status (live_response/system/csrutil.yaml).
• New artifact that collects macOS login items installed using the Service Management framework (files/system/startup_items.yaml).
• New artifact that collects macOS installed updates history information (live_response/packages/softwareupdate.yaml).
• New artifact that collects SSH rc files (files/ssh/rc.yaml).
• New artifact that collects Google Earth KML files (files/applications/google_earth.yaml).
• New artifact that collects the status of firewall and ufw managed rules (live_response/network/ufw.yaml).
• New artifact that collects kernel audit status and rules on Linux systems (live_response/system/auditctl.yaml).
• New artifact that collects installed packages on Gentoo Linux systems (live_response/packages/qlist.yaml).
• New artifact that collects the values of parameters in the EEPROM on Solaris systems (live_response/system/eeprom.yaml).
• New artifact that collects information about installed zones on Solaris systems (live_response/system/zoneadm.yaml).

Updated Artifacts

• 'files/system/var_db_diagnostics.yaml' was moved and renamed to 'files/logs/macos_unified_logs.yaml'.