From ebbd3a9df92393d6c6b7774ff433c543ed97769b Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Wed, 3 Jul 2024 20:25:49 -0300
Subject: [PATCH] initial v3 code
---
.github/workflows/shellcheck.yaml | 19 +-
.github/workflows/unit-testing.yaml | 45 +
.../workflows/validate-artifacts-file.yaml | 41 -
.github/workflows/validate-artifacts.yaml | 31 +
.github/workflows/validate-profiles.yaml | 32 +
CHANGELOG.md | 80 +
CONTRIBUTING.md | 8 +-
LICENSE | 1 -
LICENSES.md | 3 +-
README.md | 134 +-
artifacts/bodyfile/bodyfile.yaml | 14 +-
artifacts/chkrootkit/chkrootkit.yaml | 6 +-
artifacts/files/applications/anydesk.yaml | 4 +-
artifacts/files/applications/dropbox.yaml | 2 +-
artifacts/files/applications/steam.yaml | 4 +-
artifacts/files/applications/whatsapp.yaml | 8 +-
artifacts/files/browsers/brave.yaml | 8 +-
artifacts/files/browsers/chrome.yaml | 6 +-
artifacts/files/browsers/chromium.yaml | 4 +-
artifacts/files/browsers/edge.yaml | 6 +-
artifacts/files/browsers/firefox.yaml | 8 +-
artifacts/files/browsers/opera.yaml | 8 +-
artifacts/files/browsers/safari.yaml | 2 +-
artifacts/files/browsers/vivaldi.yaml | 6 +-
...nal_logs.yaml => advanced_log_search.yaml} | 2 +-
.../files/logs/{openbsd.yaml => relink.yaml} | 4 +-
artifacts/files/shell/history.yaml | 5 +-
artifacts/files/shell/sessions.yaml | 4 +-
artifacts/files/system/acct.yaml | 4 +-
.../system/{device_db.yaml => dev_db.yaml} | 2 +-
artifacts/files/system/dev_shm.yaml | 6 +-
artifacts/files/system/ds_store.yaml | 2 +-
artifacts/files/system/etc.yaml | 7 +-
artifacts/files/system/locate_db.yaml | 3 +
artifacts/files/system/netscaler.yaml | 8 +-
artifacts/files/system/run_shm.yaml | 6 +-
artifacts/files/system/security_backups.yaml | 4 +-
artifacts/files/system/systemd.yaml | 4 +-
artifacts/files/system/tmp.yaml | 10 +-
artifacts/files/system/var_spool.yaml | 2 +-
artifacts/files/system/var_tmp.yaml | 10 +-
.../hash_executables/hash_executables.yaml | 43 +-
.../live_response/containers/containerd.yaml | 4 +-
.../live_response/containers/docker.yaml | 5 +-
artifacts/live_response/containers/lxc.yaml | 19 +-
artifacts/live_response/containers/pct.yaml | 4 +-
.../live_response/containers/podman.yaml | 4 +-
artifacts/live_response/hardware/alog.yaml | 4 +-
.../live_response/hardware/bootlist.yaml | 4 +-
artifacts/live_response/hardware/cfgadm.yaml | 4 +-
artifacts/live_response/hardware/cpuinfo.yaml | 6 +-
artifacts/live_response/hardware/devinfo.yaml | 4 +-
artifacts/live_response/hardware/dmesg.yaml | 21 +-
.../live_response/hardware/dmidecode.yaml | 4 +-
artifacts/live_response/hardware/esxcli.yaml | 4 +-
.../live_response/hardware/hostinfo.yaml | 4 +-
artifacts/live_response/hardware/hwinfo.yaml | 4 +-
artifacts/live_response/hardware/ioreg.yaml | 4 +-
artifacts/live_response/hardware/lscpu.yaml | 4 +-
artifacts/live_response/hardware/lsdev.yaml | 4 +-
artifacts/live_response/hardware/lshw.yaml | 4 +-
artifacts/live_response/hardware/lspci.yaml | 12 +-
artifacts/live_response/hardware/lsscsi.yaml | 4 +-
artifacts/live_response/hardware/lsusb.yaml | 6 +-
artifacts/live_response/hardware/mpstat.yaml | 4 +-
artifacts/live_response/hardware/nvram.yaml | 4 +-
artifacts/live_response/hardware/pciconf.yaml | 4 +-
artifacts/live_response/hardware/pcidump.yaml | 4 +-
artifacts/live_response/hardware/prtconf.yaml | 4 +-
artifacts/live_response/hardware/psrinfo.yaml | 4 +-
artifacts/live_response/hardware/smbios.yaml | 4 +-
.../live_response/hardware/systemstats.yaml | 4 +-
.../live_response/hardware/usbconfig.yaml | 4 +-
artifacts/live_response/hardware/usbdevs.yaml | 4 +-
artifacts/live_response/network/arp.yaml | 4 +-
artifacts/live_response/network/esxcli.yaml | 4 +-
.../live_response/network/firewall-cmd.yaml | 6 +-
artifacts/live_response/network/hostname.yaml | 4 +-
artifacts/live_response/network/ifconfig.yaml | 6 +-
artifacts/live_response/network/inetadm.yaml | 4 +-
artifacts/live_response/network/ip.yaml | 12 +-
.../live_response/network/ip6tables.yaml | 8 +-
artifacts/live_response/network/ipfstat.yaml | 4 +-
artifacts/live_response/network/ipfw.yaml | 4 +-
artifacts/live_response/network/iptables.yaml | 8 +-
artifacts/live_response/network/lsdev.yaml | 4 +-
artifacts/live_response/network/lsof.yaml | 4 +-
artifacts/live_response/network/lssrc.yaml | 4 +-
.../network/macos_network_preferences.yaml | 3 +-
artifacts/live_response/network/ndp.yaml | 4 +-
artifacts/live_response/network/netstat.yaml | 20 +-
artifacts/live_response/network/nfso.yaml | 4 +-
artifacts/live_response/network/nfsstat.yaml | 4 +-
artifacts/live_response/network/nft.yaml | 4 +-
artifacts/live_response/network/pfctl.yaml | 4 +-
artifacts/live_response/network/scutil.yaml | 4 +-
.../live_response/network/showmount.yaml | 4 +-
artifacts/live_response/network/sockstat.yaml | 4 +-
artifacts/live_response/network/ss.yaml | 24 +-
artifacts/live_response/network/ufw.yaml | 4 +-
artifacts/live_response/network/vim-cmd.yaml | 4 +-
artifacts/live_response/packages/brew.yaml | 4 +-
artifacts/live_response/packages/dnf.yaml | 4 +-
artifacts/live_response/packages/dpkg.yaml | 4 +-
artifacts/live_response/packages/equo.yaml | 4 +-
artifacts/live_response/packages/esxcli.yaml | 4 +-
artifacts/live_response/packages/flatpak.yaml | 4 +-
artifacts/live_response/packages/instfix.yaml | 4 +-
artifacts/live_response/packages/ipkg.yaml | 6 +-
artifacts/live_response/packages/lppchk.yaml | 4 +-
.../live_response/packages/lsappinfo.yaml | 4 +-
artifacts/live_response/packages/lslpp.yaml | 4 +-
.../packages/macos_applications.yaml | 6 +-
artifacts/live_response/packages/nix.yaml | 4 +-
artifacts/live_response/packages/opkg.yaml | 4 +-
artifacts/live_response/packages/pacman.yaml | 4 +-
artifacts/live_response/packages/pip.yaml | 4 +-
artifacts/live_response/packages/pisi.yaml | 4 +-
artifacts/live_response/packages/pkg.yaml | 6 +-
.../live_response/packages/pkg_info.yaml | 4 +-
artifacts/live_response/packages/pkginfo.yaml | 4 +-
artifacts/live_response/packages/pkgutil.yaml | 4 +-
artifacts/live_response/packages/qlist.yaml | 4 +-
artifacts/live_response/packages/rpm.yaml | 4 +-
artifacts/live_response/packages/snap.yaml | 4 +-
.../packages/softwareupdate.yaml | 4 +-
artifacts/live_response/packages/swupd.yaml | 4 +-
artifacts/live_response/packages/synopkg.yaml | 4 +-
artifacts/live_response/packages/xbps.yaml | 4 +-
artifacts/live_response/packages/yay.yaml | 4 +-
artifacts/live_response/packages/yum.yaml | 4 +-
artifacts/live_response/packages/zypper.yaml | 4 +-
artifacts/live_response/process/deleted.yaml | 60 +-
artifacts/live_response/process/esxcli.yaml | 4 +-
artifacts/live_response/process/fstat.yaml | 4 +-
.../process/hash_running_processes.yaml | 40 +-
artifacts/live_response/process/lsof.yaml | 10 +-
.../process/procfs_information.yaml | 439 ++++-
artifacts/live_response/process/procstat.yaml | 23 +-
artifacts/live_response/process/proctree.yaml | 4 +-
artifacts/live_response/process/ps.yaml | 30 +-
artifacts/live_response/process/pstat.yaml | 4 +-
artifacts/live_response/process/pstree.yaml | 10 +-
artifacts/live_response/process/ptree.yaml | 4 +-
.../process/strings_running_processes.yaml | 162 +-
artifacts/live_response/process/top.yaml | 6 +-
artifacts/live_response/storage/arcstat.yaml | 4 +-
artifacts/live_response/storage/blkid.yaml | 4 +-
artifacts/live_response/storage/df.yaml | 6 +-
artifacts/live_response/storage/diskutil.yaml | 4 +-
artifacts/live_response/storage/esxcli.yaml | 4 +-
artifacts/live_response/storage/fdisk.yaml | 4 +-
artifacts/live_response/storage/findmnt.yaml | 4 +-
artifacts/live_response/storage/format.yaml | 4 +-
artifacts/live_response/storage/fs_usage.yaml | 4 +-
artifacts/live_response/storage/geom.yaml | 8 +-
artifacts/live_response/storage/gstat.yaml | 4 +-
artifacts/live_response/storage/iostat.yaml | 4 +-
artifacts/live_response/storage/iscsiadm.yaml | 4 +-
artifacts/live_response/storage/lparstat.yaml | 4 +-
.../live_response/storage/ls_dev_disk.yaml | 3 +-
.../storage/ls_vmfs_devices.yaml | 3 +-
artifacts/live_response/storage/lsblk.yaml | 4 +-
artifacts/live_response/storage/lsfs.yaml | 4 +-
artifacts/live_response/storage/lspv.yaml | 4 +-
artifacts/live_response/storage/lsvg.yaml | 4 +-
.../live_response/storage/lvdisplay.yaml | 4 +-
artifacts/live_response/storage/lvs.yaml | 4 +-
artifacts/live_response/storage/mdadm.yaml | 4 +-
artifacts/live_response/storage/mount.yaml | 6 +-
artifacts/live_response/storage/pdisk.yaml | 4 +-
.../live_response/storage/pvdisplay.yaml | 4 +-
artifacts/live_response/storage/pvesm.yaml | 4 +-
artifacts/live_response/storage/pvs.yaml | 4 +-
.../live_response/storage/vgdisplay.yaml | 4 +-
artifacts/live_response/storage/vgs.yaml | 4 +-
artifacts/live_response/storage/zfs.yaml | 4 +-
artifacts/live_response/storage/zpool.yaml | 4 +-
artifacts/live_response/system/auditctl.yaml | 6 +-
artifacts/live_response/system/chkconfig.yaml | 4 +-
artifacts/live_response/system/crle.yaml | 6 +-
artifacts/live_response/system/csrutil.yaml | 4 +-
artifacts/live_response/system/date.yaml | 3 +-
artifacts/live_response/system/ebpf.yaml | 5 +-
artifacts/live_response/system/eeprom.yaml | 4 +-
artifacts/live_response/system/env.yaml | 3 +-
artifacts/live_response/system/errpt.yaml | 4 +-
artifacts/live_response/system/esxcli.yaml | 4 +-
artifacts/live_response/system/falconctl.yaml | 4 +-
artifacts/live_response/system/free.yaml | 6 +-
artifacts/live_response/system/genkex.yaml | 4 +-
.../live_response/system/getenforce.yaml | 6 +-
artifacts/live_response/system/getprop.yaml | 9 -
.../live_response/system/ha-manager.yaml | 4 +-
.../system/hidden_directories.yaml | 6 +-
.../live_response/system/hidden_files.yaml | 6 +-
artifacts/live_response/system/hwclock.yaml | 6 +-
artifacts/live_response/system/isainfo.yaml | 4 +-
.../live_response/system/kernel_modules.yaml | 7 +-
.../system/kernel_tainted_state.yaml | 3 +-
artifacts/live_response/system/kextstat.yaml | 4 +-
artifacts/live_response/system/kldstat.yaml | 4 +-
artifacts/live_response/system/last.yaml | 4 +-
artifacts/live_response/system/lastb.yaml | 4 +-
artifacts/live_response/system/lastcomm.yaml | 9 +-
artifacts/live_response/system/lastlog.yaml | 4 +-
artifacts/live_response/system/launchctl.yaml | 4 +-
artifacts/live_response/system/loginctl.yaml | 4 +-
artifacts/live_response/system/lsmod.yaml | 6 +-
artifacts/live_response/system/lsps.yaml | 4 +-
artifacts/live_response/system/mdatp.yaml | 4 +-
artifacts/live_response/system/modinfo.yaml | 18 +-
artifacts/live_response/system/mpstat.yaml | 4 +-
artifacts/live_response/system/oslevel.yaml | 4 +-
artifacts/live_response/system/prtdiag.yaml | 4 +-
artifacts/live_response/system/pvecm.yaml | 4 +-
.../live_response/system/pvesubscription.yaml | 4 +-
artifacts/live_response/system/pveum.yaml | 4 +-
.../live_response/system/pveversion.yaml | 4 +-
artifacts/live_response/system/runlevel.yaml | 4 +-
artifacts/live_response/system/service.yaml | 10 +-
artifacts/live_response/system/sestatus.yaml | 4 +-
artifacts/live_response/system/sgid.yaml | 8 +-
artifacts/live_response/system/showrev.yaml | 4 +-
.../live_response/system/socket_files.yaml | 6 +-
artifacts/live_response/system/suid.yaml | 8 +-
artifacts/live_response/system/svcs.yaml | 4 +-
artifacts/live_response/system/sw_vers.yaml | 4 +-
artifacts/live_response/system/swapctl.yaml | 4 +-
artifacts/live_response/system/swapinfo.yaml | 4 +-
.../live_response/system/sys_modules.yaml | 3 +-
artifacts/live_response/system/sysctl.yaml | 6 +-
artifacts/live_response/system/sysdef.yaml | 4 +-
.../live_response/system/system_profiler.yaml | 4 +-
artifacts/live_response/system/systemctl.yaml | 4 +-
.../live_response/system/timedatectl.yaml | 4 +-
artifacts/live_response/system/tmutil.yaml | 4 +-
artifacts/live_response/system/uname.yaml | 3 +-
artifacts/live_response/system/uptime.yaml | 5 +-
artifacts/live_response/system/vm_stat.yaml | 4 +-
artifacts/live_response/system/vmstat.yaml | 6 +-
artifacts/live_response/system/who.yaml | 4 +-
.../system/world_writable_directories.yaml | 8 +-
.../system/world_writable_files.yaml | 8 +-
artifacts/live_response/system/zoneadm.yaml | 4 +-
artifacts/live_response/vms/esxcli.yaml | 4 +-
artifacts/live_response/vms/qm.yaml | 4 +-
artifacts/live_response/vms/vim-cmd.yaml | 4 +-
artifacts/live_response/vms/virsh.yaml | 4 +-
artifacts/live_response/vms/virt-top.yaml | 4 +-
artifacts/live_response/vms/virtualbox.yaml | 4 +-
artifacts/live_response/vms/vm-support.yaml | 4 +-
artifacts/live_response/vms/vmctl.yaml | 4 +-
artifacts/memory_dump/avml.yaml | 6 +-
.../process_memory_sections_strings.yaml | 7 +-
.../memory_dump/process_memory_strings.yaml | 7 +-
bin/README.txt | 36 +-
bin/linux/avml | Bin 0 -> 7136072 bytes
.../linux}/linux_procmemdump.sh | 0
config/uac.conf | 48 +-
lib/archive_compress_data.sh | 65 -
lib/archive_data.sh | 65 -
lib/array_to_list.sh | 44 -
lib/array_to_psv.sh | 34 +
lib/artifact_file_exist.sh | 27 -
lib/astrings.sh | 22 +
lib/aws_s3_presigned_url_transfer.sh | 34 +
lib/azure_storage_sas_url_transfer.sh | 52 +-
lib/azure_storage_sas_url_transfer_test.sh | 32 -
lib/build_artifact_list.sh | 29 +
lib/build_find_command.sh | 434 +++++
lib/check_available_system_tools.sh | 269 ---
lib/command_collector.sh | 294 +--
lib/command_exists.sh | 10 +-
lib/copy_data.sh | 48 +-
lib/create_acquisition_log.sh | 112 +-
lib/create_artifact_list.sh | 54 -
lib/error_msg.sh | 13 +
lib/exit_fatal.sh | 16 +
lib/exit_success.sh | 16 +
lib/file_collector.sh | 166 --
lib/file_system_symlink_support.sh | 29 -
lib/filter_list.sh | 30 +
lib/find_based_collector.sh | 267 +++
lib/find_collector.sh | 181 --
lib/find_wrapper.sh | 412 -----
lib/get_absolute_directory_path.sh | 25 -
lib/get_absolute_path.sh | 14 +
lib/get_bin_path.sh | 84 +
lib/get_current_user.sh | 33 +-
lib/get_days_since_date_until_now.sh | 44 +-
lib/get_epoch_date.sh | 55 +-
lib/get_hostname.sh | 55 +-
lib/get_mount_point_by_file_system.sh | 130 +-
lib/get_nproc.sh | 41 +
lib/get_operating_system.sh | 51 +-
lib/get_profile_by_name.sh | 22 +
lib/get_profile_file.sh | 29 -
lib/get_system_arch.sh | 27 +-
lib/get_user_home_list.sh | 132 +-
lib/grep_o.sh | 13 +
lib/hash_collector.sh | 448 -----
lib/http_transfer.sh | 75 +
lib/ibm_cos_transfer.sh | 36 -
lib/ibm_cos_transfer_test.sh | 34 -
lib/init_temp_data_dir.sh | 29 +
lib/is_digit.sh | 19 +
lib/is_element_in_list.sh | 67 -
lib/is_in_list.sh | 28 +
lib/is_integer.sh | 32 -
lib/is_output_format_supported.sh | 55 +
lib/is_psv.sh | 18 +
lib/is_root.sh | 25 +
lib/is_running_with_root_privileges.sh | 41 -
lib/is_valid_operating_system.sh | 36 -
lib/list_artifacts.sh | 77 +-
lib/list_profiles.sh | 42 +-
lib/load_config_file.sh | 163 +-
lib/load_lib_files.sh | 58 -
lib/load_libraries.sh | 68 +
lib/log_message.sh | 40 -
lib/log_msg.sh | 29 +
lib/lrstrip.sh | 24 -
lib/output_exists.sh | 24 +
lib/output_file_exists.sh | 27 -
lib/parse_artifact.sh | 492 ++++++
lib/parse_artifacts_file.sh | 450 -----
lib/parse_command_line_arguments.sh | 402 +++++
lib/parse_profile.sh | 30 +
lib/presigned_url_transfer.sh | 44 +
lib/profile_file_to_artifact_list.sh | 35 -
lib/remove_non_regular_files.sh | 32 +
lib/remove_temp_data_dir.sh | 20 +
lib/run_command.sh | 45 +
lib/s3_presigned_url_transfer.sh | 33 -
lib/s3_presigned_url_transfer_test.sh | 31 -
lib/s3_transfer_amazon.sh | 46 +
lib/s3_transfer_google.sh | 40 +
lib/s3_transfer_ibm.sh | 42 +
lib/sanitize_artifact_list.sh | 40 -
lib/sanitize_filename.sh | 35 -
lib/sanitize_output_directory.sh | 34 +
lib/sanitize_output_file.sh | 33 +
lib/sanitize_path.sh | 38 +-
lib/setup_tools.sh | 157 ++
lib/sftp_transfer.sh | 75 +-
lib/sftp_transfer_test.sh | 43 -
lib/sort_uniq_file.sh | 38 +-
lib/stat_collector.sh | 676 -------
lib/tar_data.sh | 46 +
lib/tar_gz_data.sh | 46 +
lib/terminate.sh | 26 +-
lib/usage.sh | 125 +-
lib/validate_artifact.sh | 477 +++++
lib/validate_artifact_list.sh | 95 +
lib/validate_artifacts_file.sh | 437 -----
lib/validate_profile.sh | 99 ++
lib/validate_profile_file.sh | 129 --
lib/verbose_msg.sh | 14 +
lib/zip_data.sh | 32 +
logo/uac-dark.svg | 96 +
logo/uac-light.svg | 96 +
tools/avml/linux/avml | Bin 4570624 -> 0 bytes
.../date_to_epoch_pl} | 4 +-
tools/{find.pl/find.pl => find_pl/find_pl} | 184 +-
tools/stat.pl/stat.pl | 38 -
tools/stat_pl/stat_pl | 60 +
tools/statx/linux/arm/statx | Bin 527000 -> 527000 bytes
tools/statx/linux/arm64/statx | Bin 606704 -> 606704 bytes
tools/statx/linux/i386/statx | Bin 703100 -> 703100 bytes
tools/statx/linux/mips/statx | Bin 624448 -> 624496 bytes
tools/statx/linux/mips64/statx | Bin 696496 -> 696496 bytes
tools/statx/linux/ppc/statx | Bin 709316 -> 709316 bytes
tools/statx/linux/ppc64/statx | Bin 796056 -> 796056 bytes
tools/statx/linux/ppc64le/statx | Bin 866448 -> 866448 bytes
tools/statx/linux/{s390 => s390x}/statx | Bin 617592 -> 617592 bytes
tools/statx/linux/sparc64/statx | Bin 646680 -> 646680 bytes
tools/statx/linux/x86_64/statx | Bin 818704 -> 814760 bytes
tools/zip/esxi_linux/arm/zip | Bin 0 -> 709304 bytes
tools/zip/esxi_linux/arm64/zip | Bin 0 -> 798320 bytes
tools/zip/esxi_linux/i386/zip | Bin 0 -> 1062636 bytes
tools/zip/esxi_linux/x86_64/zip | Bin 0 -> 1139152 bytes
tools/zip/freebsd_netscaler/i386/zip | Bin 0 -> 413328 bytes
tools/zip/freebsd_netscaler/x86_64/zip | Bin 0 -> 449336 bytes
uac | 1569 +++++++----------
385 files changed, 7186 insertions(+), 6781 deletions(-)
create mode 100644 .github/workflows/unit-testing.yaml
delete mode 100644 .github/workflows/validate-artifacts-file.yaml
create mode 100644 .github/workflows/validate-artifacts.yaml
create mode 100644 .github/workflows/validate-profiles.yaml
rename artifacts/files/logs/{additional_logs.yaml => advanced_log_search.yaml} (95%)
rename artifacts/files/logs/{openbsd.yaml => relink.yaml} (64%)
rename artifacts/files/system/{device_db.yaml => dev_db.yaml} (91%)
delete mode 100644 artifacts/live_response/system/getprop.yaml
create mode 100755 bin/linux/avml
rename {tools/linux_procmemdump.sh => bin/linux}/linux_procmemdump.sh (100%)
delete mode 100644 lib/archive_compress_data.sh
delete mode 100644 lib/archive_data.sh
delete mode 100644 lib/array_to_list.sh
create mode 100644 lib/array_to_psv.sh
delete mode 100644 lib/artifact_file_exist.sh
create mode 100644 lib/astrings.sh
create mode 100644 lib/aws_s3_presigned_url_transfer.sh
delete mode 100644 lib/azure_storage_sas_url_transfer_test.sh
create mode 100644 lib/build_artifact_list.sh
create mode 100644 lib/build_find_command.sh
delete mode 100644 lib/check_available_system_tools.sh
mode change 100755 => 100644 lib/command_exists.sh
delete mode 100644 lib/create_artifact_list.sh
create mode 100644 lib/error_msg.sh
create mode 100644 lib/exit_fatal.sh
create mode 100644 lib/exit_success.sh
delete mode 100644 lib/file_collector.sh
delete mode 100644 lib/file_system_symlink_support.sh
create mode 100644 lib/filter_list.sh
create mode 100644 lib/find_based_collector.sh
delete mode 100644 lib/find_collector.sh
delete mode 100644 lib/find_wrapper.sh
delete mode 100644 lib/get_absolute_directory_path.sh
create mode 100644 lib/get_absolute_path.sh
create mode 100644 lib/get_bin_path.sh
create mode 100644 lib/get_nproc.sh
create mode 100644 lib/get_profile_by_name.sh
delete mode 100644 lib/get_profile_file.sh
create mode 100644 lib/grep_o.sh
delete mode 100644 lib/hash_collector.sh
create mode 100644 lib/http_transfer.sh
delete mode 100644 lib/ibm_cos_transfer.sh
delete mode 100644 lib/ibm_cos_transfer_test.sh
create mode 100644 lib/init_temp_data_dir.sh
create mode 100644 lib/is_digit.sh
delete mode 100644 lib/is_element_in_list.sh
create mode 100644 lib/is_in_list.sh
delete mode 100644 lib/is_integer.sh
create mode 100644 lib/is_output_format_supported.sh
create mode 100644 lib/is_psv.sh
create mode 100644 lib/is_root.sh
delete mode 100644 lib/is_running_with_root_privileges.sh
delete mode 100644 lib/is_valid_operating_system.sh
delete mode 100644 lib/load_lib_files.sh
create mode 100644 lib/load_libraries.sh
delete mode 100644 lib/log_message.sh
create mode 100644 lib/log_msg.sh
delete mode 100644 lib/lrstrip.sh
create mode 100644 lib/output_exists.sh
delete mode 100644 lib/output_file_exists.sh
create mode 100644 lib/parse_artifact.sh
delete mode 100644 lib/parse_artifacts_file.sh
create mode 100644 lib/parse_command_line_arguments.sh
create mode 100644 lib/parse_profile.sh
create mode 100644 lib/presigned_url_transfer.sh
delete mode 100644 lib/profile_file_to_artifact_list.sh
create mode 100644 lib/remove_non_regular_files.sh
create mode 100644 lib/remove_temp_data_dir.sh
create mode 100644 lib/run_command.sh
delete mode 100644 lib/s3_presigned_url_transfer.sh
delete mode 100644 lib/s3_presigned_url_transfer_test.sh
create mode 100644 lib/s3_transfer_amazon.sh
create mode 100644 lib/s3_transfer_google.sh
create mode 100644 lib/s3_transfer_ibm.sh
delete mode 100644 lib/sanitize_artifact_list.sh
delete mode 100644 lib/sanitize_filename.sh
create mode 100644 lib/sanitize_output_directory.sh
create mode 100644 lib/sanitize_output_file.sh
create mode 100644 lib/setup_tools.sh
delete mode 100644 lib/sftp_transfer_test.sh
delete mode 100644 lib/stat_collector.sh
create mode 100644 lib/tar_data.sh
create mode 100644 lib/tar_gz_data.sh
create mode 100644 lib/validate_artifact.sh
create mode 100644 lib/validate_artifact_list.sh
delete mode 100644 lib/validate_artifacts_file.sh
create mode 100644 lib/validate_profile.sh
delete mode 100644 lib/validate_profile_file.sh
create mode 100644 lib/verbose_msg.sh
create mode 100644 lib/zip_data.sh
create mode 100644 logo/uac-dark.svg
create mode 100644 logo/uac-light.svg
delete mode 100755 tools/avml/linux/avml
rename tools/{date_to_epoch.pl/date_to_epoch.pl => date_to_epoch_pl/date_to_epoch_pl} (83%)
mode change 100644 => 100755
rename tools/{find.pl/find.pl => find_pl/find_pl} (71%)
mode change 100644 => 100755
delete mode 100644 tools/stat.pl/stat.pl
create mode 100755 tools/stat_pl/stat_pl
rename tools/statx/linux/{s390 => s390x}/statx (62%)
create mode 100755 tools/zip/esxi_linux/arm/zip
create mode 100755 tools/zip/esxi_linux/arm64/zip
create mode 100755 tools/zip/esxi_linux/i386/zip
create mode 100755 tools/zip/esxi_linux/x86_64/zip
create mode 100755 tools/zip/freebsd_netscaler/i386/zip
create mode 100755 tools/zip/freebsd_netscaler/x86_64/zip
diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml
index b757ad23..771690b3 100644
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@@ -1,42 +1,27 @@
name: ShellCheck
on:
- push:
- branches:
- - develop
- - main
- - 'releases/**'
- paths:
- - 'lib/**'
- - 'tools/**'
- - 'uac'
-
pull_request:
branches:
- develop
- main
- - 'releases/**'
paths:
- 'lib/**'
- - 'tools/**'
- 'uac'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
- shellcheck:
+ build:
name: ShellCheck
runs-on: ubuntu-latest
steps:
- name: Clone uac repo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
path: uac
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master
- with:
- ignore_paths: artifacts bin config profiles
-
\ No newline at end of file
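Review bot: Dropping `ignore_paths: artifacts bin config profiles` while narrowing `paths:` to `lib/**` and `uac` leaves the workflow inconsistent: the action now lints every shell script it finds under the checkout, including `bin/linux/linux_procmemdump.sh` that the diffstat moves into `bin/`, but a change to that script no longer triggers the run because `bin/**` is not in the path filter. Either add `- 'bin/**'` to `paths:` or keep `ignore_paths` for the directories that are not meant to be linted. The `uses: ludeeus/action-shellcheck@master` line is unchanged context, but a floating branch ref lets the action's code change under the workflow without review; pinning to a release tag or a full commit SHA would make the CI step reproducible.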
diff --git a/.github/workflows/unit-testing.yaml b/.github/workflows/unit-testing.yaml
new file mode 100644
index 00000000..97e2e2fe
--- /dev/null
+++ b/.github/workflows/unit-testing.yaml
@@ -0,0 +1,45 @@
+name: Unit testing
+
+on:
+ pull_request:
+ branches:
+ - develop
+ - main
+ paths:
+ - 'lib/**'
+ - 'uac'
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Unit testing
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Clone uac repo
+ uses: actions/checkout@v3
+ with:
+ path: uac
+
+ - name: Clone ushunit repo
+ uses: actions/checkout@v4
+ with:
+ repository: tclahr/ushunit
+ token: ${{ secrets.ACTIONS_SECRET }}
+ ref: main
+ path: ushunit
+
+ - name: Clone uac-tests repo
+ uses: actions/checkout@v4
+ with:
+ repository: tclahr/uac-tests
+ token: ${{ secrets.ACTIONS_SECRET }}
+ ref: main
+ path: uac-tests
+
+ - name: Run tests
+ working-directory: ushunit
+ run: |
+ UAC_DIR="../uac" ./ushunit -i ../uac-tests/tests/lib/*.sh ../uac-tests/tests/*.sh
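Review bot: The two checkouts that pass `token: ${{ secrets.ACTIONS_SECRET }}` run in a `pull_request`-triggered job that then executes the PR's own `../uac` tree, and `actions/checkout` writes the token into the cloned repository's git config by default, so the credential stays readable by whatever the test run executes. Add `persist-credentials: false` under `with:` for both the ushunit and uac-tests steps so the token is used only for the clone. Separately, repository secrets are not exposed to pull requests from forks, so those checkout steps will fail for external contributors; if that is intended it is worth a comment, otherwise a `pull_request_target` split or a read-only public mirror is the usual fix. The `uses: actions/checkout@v3` on the uac step also differs from the `@v4` used two steps later and in the other new workflows.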
diff --git a/.github/workflows/validate-artifacts-file.yaml b/.github/workflows/validate-artifacts-file.yaml
deleted file mode 100644
index 1b79f030..00000000
--- a/.github/workflows/validate-artifacts-file.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: Validate Artifacts File
-
-on:
- push:
- branches:
- - develop
- - main
- - 'releases/**'
- paths:
- - 'artifacts/**'
-
- pull_request:
- branches:
- - develop
- - main
- - 'releases/**'
- paths:
- - 'artifacts/**'
-
-jobs:
- validate-artifacts-file:
- runs-on: ubuntu-latest
-
- steps:
- - name: Clone uac repo
- uses: actions/checkout@v3
- with:
- path: uac
-
- - name: Get added/modified files
- id: files
- uses: jitterbit/get-changed-files@v1
-
- - name: Validate all added/modified artifacts files
- run: |
- cd uac
- for file in ${{ steps.files.outputs.added_modified }}; do
- if [[ "${file}" == "artifacts/"*.yaml ]]; then
- ./uac --validate-artifacts-file "$file"
- fi
- done
diff --git a/.github/workflows/validate-artifacts.yaml b/.github/workflows/validate-artifacts.yaml
new file mode 100644
index 00000000..a24b02a0
--- /dev/null
+++ b/.github/workflows/validate-artifacts.yaml
@@ -0,0 +1,31 @@
+name: Validate Artifacts
+
+on:
+ pull_request:
+ branches:
+ - develop
+ - main
+ paths:
+ - 'artifacts/**'
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+jobs:
+ validate-artifact-files:
+ name: Validate Artifacts
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Clone uac repo
+ uses: actions/checkout@v4
+ with:
+ path: uac
+
+ - name: Validate Artifacts
+ working-directory: uac
+ run: |
+ find artifacts/* -name "*.yaml" -type f \
+ | while read file || [ -n "${file}" ]; do
+ ./uac --validate-artifact "${file}"
+ done
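Review bot: The `find ... | while read file` loop in the Validate Artifacts step reports only the status of the last `./uac --validate-artifact` call, because the loop runs in the pipeline's subshell and nothing records earlier failures; under the runner's default `bash -e` a failing call presumably aborts at the first bad file, which then hides every remaining error. `read` without `-r` also mangles backslashes in paths. Tracking a failure flag in the current shell and exiting with it reports all invalid files in one run; the same loop appears in validate-profiles.yaml and should get the same treatment.
```shell
run: |
  rc=0
  while IFS= read -r file; do
    ./uac --validate-artifact "${file}" || rc=1
  done < <(find artifacts -name "*.yaml" -type f)
  exit "${rc}"
```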
diff --git a/.github/workflows/validate-profiles.yaml b/.github/workflows/validate-profiles.yaml
new file mode 100644
index 00000000..ca673af3
--- /dev/null
+++ b/.github/workflows/validate-profiles.yaml
@@ -0,0 +1,32 @@
+name: Validate Profiles
+
+on:
+ pull_request:
+ branches:
+ - develop
+ - main
+ paths:
+ - 'profiles/**'
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+jobs:
+ validate-profile-files:
+ name: Validate Profiles
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Clone uac repo
+ uses: actions/checkout@v4
+ with:
+ path: uac
+
+ - name: Validate Profiles
+ working-directory: uac
+ run: |
+ find profiles/* -name "*.yaml" -type f \
+ | while read file || [ -n "${file}" ]; do
+ ./uac --validate-profile "${file}"
+ done
+
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1b3a0c73..60436ea8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,5 +2,85 @@
## DEVELOPMENT VERSION
+### Features
+
+- UAC now completely skips an artifact file (YAML) that has no artifacts to be collected for the target operating system. You can use '--artifacts list [OPERATING_SYSTEM]' to display artifacts for a specific operating system only.
+- New output file formats:
+ - none: Collected data will not be archived or compressed. Instead, it will be copied directly to an output directory ([#188](https://github.com/tclahr/uac/issues/188)).
+ - zip: Collected data will be archived and compressed into a zip file. Additionally, you can create a password-protected zip file using the '--output-password' option ([#149](https://github.com/tclahr/uac/issues/149)).
+- You can now set a custom output file name using the '-o/--output-base-name' command line option. Variables are available to format the filename ([#179](https://github.com/tclahr/uac/issues/179)).
+- Now you have the option to supply a file path to a custom profile located outside the profiles directory.
+- Now you have the option to supply a file path to a custom artifact located outside the artifacts directory ([#154](https://github.com/tclahr/uac/issues/154)).
+- Now you can have the option to supply a file path to a custom config file located outside the config directory using the '-c/--config' command line option.
+- New remote transfer options for Amazon, Google and IBM cloud storage locations.
+- UAC will now use 'wget' to transfer files to remote cloud storage locations when 'curl' is not available.
+- You can now increase the verbosity level using the '-v/--verbose' command line option. Enabling a higher verbosity level will result in the display of all executed commands.
+- UAC will now use the built-in function 'astrings' to extract strings from binary files when 'strings' is not available on the system.
+- The message 'The strings command requires the command line developer tools.' will no longer appear on macOS systems without developer tools installed ([#171](https://github.com/tclahr/uac/issues/171)).
+- Error messages generated by executed commands (stderr) are now recorded in the uac.log file ([#150](https://github.com/tclahr/uac/issues/150)).
+- New '-H/--hash-collected' command line option. Enabling this option will cause UAC to hash all collected files and save the results in a hash file. To accomplish this, all collected data must first be copied to the destination directory. Therefore, ensure you have twice the free space available on the system: once for the collected data and once for the output file. Additionally, note that this process will increase the running time ([#189](https://github.com/tclahr/uac/issues/189)).
+- New '-t/--max-thread' command line option. It can be used to specify the number of files that will be processed in parallel by the 'hash' and 'stat' collectors.
+- You can now validate profiles using the '--validate-profile' command line option.
+
### Artifacts
+- bodyfile/bodyfile.yaml: Updated to remove max_depth limit.
+- files/applications/whatsapp.yaml: Added collection of WhatsApp Desktop files [macos].
+- files/logs/additional_logs.yaml: Artifact was renamed to advanced_log_search.yaml.
+- files/logs/relink.yaml: Added collection of the kernel relink log file [openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/system/acct.yaml: Added collection of system accounting files [freebsd, netbsd, openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/system/dev_db.yaml: Added collection of the database file used for device lookups [netbsd, openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/system/dev_shm.yaml: Updated to increase max_file_size to 10MB.
+- files/system/locate_db.yaml: Added collection of the database file used by locate command, representing a snapshot of the virtual file system accessible with minimal permissions [freebsd, netbsd, openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/system/netscaler.yaml: Updated to increase max_file_size to 10MB.
+- files/system/run_shm.yaml: Updated to increase max_file_size to 10MB.
+- files/system/security_backups.yaml: Added collection of file backups and hashes created by the integrated security script [freebsd, netbsd, openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
+- files/system/tmp.yaml: Updated to increase max_file_size to 10MB.
+- files/system/var_tmp.yaml: Updated to increase max_file_size to 10MB.
+- hash_executables/hash_executables.yaml: Updated to remove max_depth and max_file_size properties.
+- live_response/hardware/dmesg.yaml: Updated collection of console message bufffer [esxi, freebsd, netscaler, openbsd, solaris] [Herbert-Karl](https://github.com/Herbert-Karl)).
+- live_response/process/deleted.yaml: Collection of deleted processes will no longer use dd conv=swab. The binary file will be collected in its raw format now [linux].
+- live_response/process/deleted.yaml: Updated to fix the collection of open files of (malicious) processes [linux] [mnrkbys](https://github.com/mnrkbys)).
+- live_response/process/hash_running_processes.yaml: Updated to add support to hash running processes on FreeBSD systems that are using procfs (/proc) [freebsd].
+- live_response/process/procfs_information.yaml: Added artifact collection using cat when strings is not available.
+- live_response/process/strings_running_processes.yaml: Added collection of strings from running processes for ESXi systems [esxi].
+- live_response/process/strings_running_processes.yaml: Added condition to check whether developer tools are installed before running strings on macOS [macos].
+- live_response/process/strings_running_processes.yaml: Added support for collecting strings even when the strings command is unavailable. In such cases, the built-in astrings command will be used instead [all].
+- live_response/system/hidden_directories.yaml: Updated to remove max_depth limit.
+- live_response/system/hidden_files.yaml: Updated to remove max_depth limit.
+- live_response/system/lastcomm.yaml: Added collection of the last commands executed in a reverse order based on the default and historic accounting file [freebsd, netbsd, openbsd] [Herbert-Karl](https://github.com/Herbert-Karl)).
+- live_response/system/sgid.yaml: Updated to remove max_depth limit.
+- live_response/system/socket_files.yaml: Updated to remove max_depth limit.
+- live_response/system/suid.yaml: Updated to remove max_depth limit.
+- live_response/system/world_writable_directories.yaml: Updated to remove max_depth limit.
+- live_response/system/world_writable_files.yaml: Updated to remove max_depth limit.
+
+### Command Line Option Changes
+
+- '--date-range-start' was renamed to '--start-date' ([#186](https://github.com/tclahr/uac/issues/186)).
+- '--date-range-end' was renamed to '--end-date' ([#186](https://github.com/tclahr/uac/issues/186)).
+- '--validate-artifacts-file' was renamed to '--validate-artifact'.
+- '--s3-presigned-url' was renamed to '--aws-s3-presigned-url'.
+- '--s3-presigned-url-log-file' was renamed to '--aws-s3-presigned-url-log-file'.
+- '--ibm-cos-url', '--ibm-cos-url-log-file' and '--ibm-cloud-api-key' were removed and now transfers to IBM cloud should be done using '--s3-provider', '--s3-region', '--s3-bucket' and '--s3-token' options.
+
+### Artifacts Properties
+
+- The 'output_directory' property is now mandatory for the following collectors: command, find, hash and stat.
+- Introduced a new 'condition' property that ensures the collection runs only if the specified condition returns true.
+
+### uac.conf
+
+- Introduced a new global 'max_depth' configuration option to limit the depth of directory tree searches globally.
+
+### Tools
+
+- Statically linked 'zip' is now available for the following systems:
+ - linux/esxi (arm, arm64, i386 and x86_64)
+ - freebsd/netscaler (i386 and x86_64)
+- 'avml' and 'linux_procmemdump.sh' tools were moved to the 'bin' directory.
+- AVML updated to v0.14.0.
+
+### Deprecated
+
+- Android support was removed, but UAC can still be executed on Android systems using '--operating-system linux' option.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 622ea5ee..10fa6d46 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -8,13 +8,13 @@ Here are a couple of things we are looking for help with:
## New artifacts
-Have you identified a new artifact that is still not collected by UAC? Please create a new artifact file and submit it via a new Pull Request.
+Have you identified a new artifact that is still not collected by UAC? Please create a new artifact and submit it via a new Pull Request.
-Please see [Artifacts file definition](https://tclahr.github.io/uac-docs/latest/artifacts_file/) docs for more information.
+Please see [Artifacts definition](https://tclahr.github.io/uac-docs/artifacts/) docs for more information.
## New features
-You can request a new feature by submitting an issue to our GitHub Repository. If you would like to implement a new feature, please submit an issue with a proposal for your work first, to be sure that we can use it. This will also allow us to better coordinate our efforts, prevent duplication of work, and help you to craft the change so that it is successfully accepted into the project.
+You can request a new feature by submitting an issue to our GitHub Repository. If you would like to implement a new feature, please submit an issue with a proposal for your work first, to be sure that we can use it. This will also allow us to better coordinate our efforts, prevent duplication of work, and help you craft the change so that it is successfully accepted into the project.
## Found a bug?
@@ -84,7 +84,7 @@ git checkout -b my-feature-branch develop
1. Create your code following our [Coding Rules](#coding-rules).
-1. Test your code against as many systems as you can using the [uac-unit-test](https://github.com/tclahr/uac-unit-test). For instance, your code can fully work on a Linux but not on a FreeBSD system.
+1. Test your code against as many systems as you can. For instance, your code can fully work on a Linux but not on a FreeBSD system.
1. Commit your changes using a descriptive commit message that follows our [commit message guidelines](#commit-message-guidelines). *Don’t commit code as an unrecognized author. Having commits with unrecognized authors makes it more difficult to track who wrote which part of the code. Ensure your Git client is configured with the correct email address and linked to your GitHub user.*
diff --git a/LICENSE b/LICENSE
index d6456956..261eeb9e 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,3 @@
-
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
diff --git a/LICENSES.md b/LICENSES.md
index 89879f52..751226fe 100644
--- a/LICENSES.md
+++ b/LICENSES.md
@@ -3,5 +3,6 @@ Use of the following Third-Party Software is subject to the license agreements a
|Product|Copyright|URL|
|---|---|---|
|AVML|Use rights in accordance with the information displayed at: https://github.com/microsoft/avml/blob/main/LICENSE|https://github.com/microsoft/avml|
-|linux_procmemdump.sh|Use rights in accordance with the information displayed at: https://creativecommons.org/licenses/by-sa/4.0||
+|linux_procmemdump.sh|Use rights in accordance with the information displayed at: https://creativecommons.org/licenses/by-sa/4.0|
|statx|Use rights in accordance with the information displayed at: https://github.com/tclahr/statx/blob/main/LICENSE|https://github.com/tclahr/statx|
+|zip|Use rights in accordance with the information displayed at: https://infozip.sourceforge.net/license.html|https://infozip.sourceforge.net|
diff --git a/README.md b/README.md
index 531d2dd5..3eecf540 100644
--- a/README.md
+++ b/README.md
@@ -1,50 +1,68 @@
-## Unix-like Artifacts Collector
-
-[![ShellCheck](https://github.com/tclahr/uac/actions/workflows/shellcheck.yaml/badge.svg)](https://github.com/tclahr/uac/actions/workflows/shellcheck.yaml)
-[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5640/badge)](https://bestpractices.coreinfrastructure.org/projects/5640)
-[![GitHub release (latest by date including pre-releases)](https://img.shields.io/github/v/release/tclahr/uac?include_prereleases&style=flat)](https://github.com/tclahr/uac/releases)
-[![GitHub](https://img.shields.io/github/license/tclahr/uac?style=flat)](LICENSE)
-
-UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts. It was created to facilitate and speed up data collection, and depend less on remote support during incident response engagements.
-
-[Documentation](#-documentation) •
-[Main Features](#-main-features) •
-[Supported Operating Systems](#-supported-operating-systems) •
-[Using UAC](#-using-uac) •
-[Contributing](#-contributing) •
-[Support](#-community-support) •
-[License](#-license)
-
-[![Imgur](https://i.imgur.com/1aEnAyA.gif)](#)
-
-***
+
+
+
+
Unix-like Artifacts Collector
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Documentation
+ •
+ Main Features
+ •
+ Supported Operating Systems
+ •
+ Using UAC
+ •
+ Contributing
+ •
+ Support
+ •
+ License
+
+
+
+
+## 🔎 About UAC
+
+UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts. It was created to facilitate and speed up data collection, and depend less on remote support during incident response engagements.
+
+UAC reads YAML files on the fly and, based on their contents, collects relevant artifacts. This makes UAC very customizable and extensible.
+
+[![uac_collection](https://tclahr.github.io/uac-docs/img/uac_collection.gif)](#)
## 📘 Documentation
Project documentation page: [https://tclahr.github.io/uac-docs](https://tclahr.github.io/uac-docs)
-***
-
## 🌟 Main Features
- Run everywhere with no dependencies (no installation required).
- Customizable and extensible collections and artifacts.
- Respect the order of volatility during artifact collection.
-- Collect information from processes running without a binary on disk.
+- Collect information about current running processes (including processes without a binary on disk).
- Hash running processes and executable files.
-- Extract information from files and directories to create a bodyfile (including enhanced file attributes for ext4).
-- Collect user and system configuration files and logs.
-- Collect artifacts from applications.
+- Extract files and directories status to create a bodyfile.
+- Collect system and user-specific data, configuration files and logs.
- Acquire volatile memory from Linux systems using different methods and tools.
-***
-
## 💾 Supported Operating Systems
-UAC runs on any Unix-like system (regardless of the processor architecture). All UAC needs is shell :)
+UAC runs on any Unix-like system, regardless of the processor architecture. All UAC needs is shell :)
[![AIX](https://img.shields.io/static/v1?label=&message=AIX&color=brightgreen&style=for-the-badge)](#-supported-operating-systems)
-[![Android](https://img.shields.io/static/v1?label=&message=Android&color=green&style=for-the-badge)](#-supported-operating-systems)
[![ESXi](https://img.shields.io/static/v1?label=&message=ESXi&color=blue&style=for-the-badge)](#-supported-operating-systems)
[![FreeBSD](https://img.shields.io/static/v1?label=&message=FreeBSD&color=red&style=for-the-badge)](#-supported-operating-systems)
[![Linux](https://img.shields.io/static/v1?label=&message=Linux&color=lightgray&style=for-the-badge)](#-supported-operating-systems)
@@ -56,71 +74,53 @@ UAC runs on any Unix-like system (regardless of the processor architecture). All
*Note that UAC even runs on systems like Network Attached Storage (NAS) devices, Network devices such as OpenWrt, and IoT devices.*
-***
-
-## 🚀 Using UAC
-
-UAC does not need to be installed on the target system. You only need to download the latest version from the [releases page](https://github.com/tclahr/uac/releases), uncompress and run it. As simple as that!
+## 🚀 Usage
-A profile name and/or a list of artifacts, and the destination directory need to be provided to run a collection. The remaining parameters are optional.
+UAC does not need to be installed on the target system. Simply download the latest version from the [releases page](https://github.com/tclahr/uac/releases), uncompress it, and launch. It's that simple!
> **Full Disk Access** permission is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing important data, such as Mail, Messages, and Safari files. So it is strongly recommended that you manually [grant permission for Terminal application](https://support.apple.com/guide/mac-help/allow-access-to-system-configuration-files-mchlccb25729/mac) before running UAC from the terminal, or [grant permission for remote users](https://support.apple.com/guide/mac-help/allow-a-remote-computer-to-access-your-mac-mchlp1066/mac) before running UAC via ssh.
-Common usage scenarios may include the following:
+To execute a collection, you must supply at least a profile and/or a list of artifacts, and specify the destination directory. Any additional parameters are optional.
-**Collect all artifacts based on the ```full``` profile, and create the output file in ```/tmp```.**
+Examples:
-```shell
-./uac -p full /tmp
-```
-
-**Collect all ```live_response```, and the ```bodyfile/bodyfile.yaml``` artifact, and create the output file in the current directory.**
-
-```shell
-./uac -a live_response/\*,bodyfile/bodyfile.yaml .
-```
-
-**Collect all artifacts based on the ```full``` profile, but exclude the ```bodyfile/bodyfile.yaml``` artifact, and create the output file in ```/tmp```.**
+Collect all artifacts based on the ir_triage profile, and save the output file to /tmp.
```shell
-./uac -p full -a \!bodyfile/bodyfile.yaml /tmp
+./uac -p ir_triage /tmp
```
-**Collect the memory dump, then all artifacts based on the ```full``` profile.**
+Collect all artifacts located in the artifacts/live_response directory, and save the output file to /tmp.
```shell
-./uac -a artifacts/memory_dump/avml.yaml -p full /tmp
+./uac -a ./artifacts/live_response/\* /tmp
```
-**Collect the memory dump, then all artifacts based on the ```ir_triage``` profile excluding the ```bodyfile/bodyfile.yaml``` artifact.**
+Collect all artifacts based on the ir_triage profile, along with all artifacts located in the /my_custom_artifacts directory, and save the output file to /mnt/sda1.
```shell
-./uac -a ./artifacts/memory_dump/avml.yaml -p ir_triage -a \!artifacts/bodyfile/bodyfile.yaml /tmp
+./uac -p ir_triage -a /my_custom_artifacts/\* /mnt/sda1
```
-**Collect all artifacts based on the ```full``` profile, but limit the data collection based on the date range provided.**
+Collect a memory dump and all artifacts based on the full profile.
```shell
-./uac -p full /tmp --date-range-start 2021-05-01 --date-range-end 2021-08-31
+./uac -a ./artifacts/memory_dump/avml.yaml -p full /tmp
```
-**Collect all but live response artifacts from a Linux disk image mounted in ```/mnt/ewf```.**
+Collect all artifacts based on the ir_triage profile excluding the bodyfile/bodyfile.yaml artifact.
```shell
-./uac -p full -a \!live_response/\* /tmp --mount-point /mnt/ewf --operating-system linux
+./uac -p ir_triage -a \!artifacts/bodyfile/bodyfile.yaml /tmp
```
-Please check the [project documentation page](https://tclahr.github.io/uac-docs) for more information about command line options, how to create your own artifacts, profiles, and more!
-
-***
-
## 💙 Contributing
-Have you created any artifact files? Please share them with us!
+Contributions are what makes the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
-You can contribute with new artifacts, profiles, bug fixes or even propose new features. Please read our [Contributing Guide](CONTRIBUTING.md) before submitting a Pull Request to the project.
+Have you created any artifacts? Please share them with us!
-***
+You can contribute with new artifacts, profiles, bug fixes or even propose new features. Please read our [Contributing Guide](CONTRIBUTING.md) before submitting a Pull Request to the project.
## 👨💻 Community Support
@@ -130,8 +130,6 @@ For general help using UAC, please refer to the [project documentation page](htt
- [GitHub](https://github.com/tclahr/uac/issues) (Bug reports and contributions)
- [Twitter](https://twitter.com/tclahr) (Get the news fast)
-***
-
## 📜 License
-The UAC project uses the [Apache License Version 2.0](LICENSE) software license.
\ No newline at end of file
+The UAC project uses the [Apache License Version 2.0](LICENSE) software license.
diff --git a/artifacts/bodyfile/bodyfile.yaml b/artifacts/bodyfile/bodyfile.yaml
index d5e5f00d..3a62690b 100644
--- a/artifacts/bodyfile/bodyfile.yaml
+++ b/artifacts/bodyfile/bodyfile.yaml
@@ -1,10 +1,18 @@
-version: 2.0
+version: 3.0
+output_directory: /bodyfile
artifacts:
-
description: Collect file stat information to create a bodyfile.
- supported_os: [all]
+ supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: stat
path: /
exclude_file_system: [proc, procfs]
- max_depth: 6
+ output_file: bodyfile.txt
+ -
+ description: Collect file stat information to create a bodyfile.
+ supported_os: [macos]
+ collector: stat
+ path: /
+ exclude_path_pattern: ["/System/Volumes/Data", "/System/Volumes/Preboot", "/System/Volumes/Recovery", "/System/Volumes/VM"]
+ exclude_file_system: [proc, procfs]
output_file: bodyfile.txt
\ No newline at end of file
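Review bot: The macOS `exclude_path_pattern` list in the second artifact carries no explanation, and the four `/System/Volumes/*` paths are not self-evidently exclusions for a reader unfamiliar with the macOS volume layout. A comment above it such as `# /System/Volumes/* are separate APFS volumes; presumably excluded so the data volume is not walked twice via firmlinks — confirm` would record the intent. `exclude_file_system: [proc, procfs]` on the macOS entry reads as a carry-over from the generic entry; if it is deliberate, a one-line note saying so would help.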
diff --git a/artifacts/chkrootkit/chkrootkit.yaml b/artifacts/chkrootkit/chkrootkit.yaml
index de199be9..9eb96483 100644
--- a/artifacts/chkrootkit/chkrootkit.yaml
+++ b/artifacts/chkrootkit/chkrootkit.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "chkrootkit"
+output_directory: /chkrootkit
artifacts:
-
description: Locally checks for signs of a rootkit.
@@ -12,4 +14,4 @@ artifacts:
collector: command
command: chkrootkit -n -x -r "%mount_point%"
output_file: chkrootkit_-n_-r_-x.txt
-
\ No newline at end of file
+
diff --git a/artifacts/files/applications/anydesk.yaml b/artifacts/files/applications/anydesk.yaml
index cb0b61b1..64c34766 100644
--- a/artifacts/files/applications/anydesk.yaml
+++ b/artifacts/files/applications/anydesk.yaml
@@ -22,7 +22,7 @@ artifacts:
collector: file
path: /%user_home%/
name_pattern: ["anydesk*.png"]
- file_type: f
+ file_type: [f]
max_depth: 4
exclude_nologin_users: true
-
@@ -31,7 +31,7 @@ artifacts:
collector: file
path: /%user_home%/
name_pattern: ["*.anydesk"]
- file_type: f
+ file_type: [f]
max_depth: 4
exclude_nologin_users: true
-
diff --git a/artifacts/files/applications/dropbox.yaml b/artifacts/files/applications/dropbox.yaml
index e2ec53e9..cf6b1271 100644
--- a/artifacts/files/applications/dropbox.yaml
+++ b/artifacts/files/applications/dropbox.yaml
@@ -5,6 +5,6 @@ artifacts:
supported_os: [linux, macos]
collector: file
path: /%user_home%/.dropbox
- file_type: f
+ file_type: [f]
ignore_date_range: true
exclude_nologin_users: true
diff --git a/artifacts/files/applications/steam.yaml b/artifacts/files/applications/steam.yaml
index f207ef98..83d739c5 100644
--- a/artifacts/files/applications/steam.yaml
+++ b/artifacts/files/applications/steam.yaml
@@ -52,7 +52,7 @@ artifacts:
collector: file
path: /%user_home%/.local/share/Steam/config/htmlcache
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -100,7 +100,7 @@ artifacts:
collector: file
path: /%user_home%/Library/"Application Support"/Steam/config/htmlcache
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
diff --git a/artifacts/files/applications/whatsapp.yaml b/artifacts/files/applications/whatsapp.yaml
index a68b9306..418b88e9 100644
--- a/artifacts/files/applications/whatsapp.yaml
+++ b/artifacts/files/applications/whatsapp.yaml
@@ -1,4 +1,4 @@
-version: 1.0
+version: 2.0
artifacts:
-
description: Collect WhatsApp cache files.
@@ -12,6 +12,12 @@ artifacts:
collector: file
path: /%user_home%/Library/"Application Support"/WhatsApp/"Local Storage"/leveldb
exclude_nologin_users: true
+ -
+ description: Collect WhatsApp Desktop files.
+ supported_os: [macos]
+ collector: file
+ path: /%user_home%/Library/"Group Containers"/group.net.whatsapp.WhatsApp.shared
+ exclude_nologin_users: true
# WhatsApp is a cloud-based application. All chats are in the cloud. In part, chats can be found on mobile devices.
#
diff --git a/artifacts/files/browsers/brave.yaml b/artifacts/files/browsers/brave.yaml
index de88a52b..e69a6b5c 100644
--- a/artifacts/files/browsers/brave.yaml
+++ b/artifacts/files/browsers/brave.yaml
@@ -14,7 +14,7 @@ artifacts:
collector: file
path: /%user_home%/.config/BraveSoftware/Brave-Browser
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -31,7 +31,7 @@ artifacts:
collector: file
path: /%user_home%/.var/app/com.brave.Browser
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -48,7 +48,7 @@ artifacts:
collector: file
path: /%user_home%/snap/brave
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -65,7 +65,7 @@ artifacts:
collector: file
path: /%user_home%/Library/"Application Support"/BraveSoftware/Brave-Browser
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
diff --git a/artifacts/files/browsers/chrome.yaml b/artifacts/files/browsers/chrome.yaml
index e4db2ce2..33899be3 100644
--- a/artifacts/files/browsers/chrome.yaml
+++ b/artifacts/files/browsers/chrome.yaml
@@ -14,7 +14,7 @@ artifacts:
collector: file
path: /%user_home%/.config/google-chrome
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -31,7 +31,7 @@ artifacts:
collector: file
path: /%user_home%/.var/app/com.google.Chrome
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -48,7 +48,7 @@ artifacts:
collector: file
path: /%user_home%/Library/"Application Support"/Google/Chrome
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
diff --git a/artifacts/files/browsers/chromium.yaml b/artifacts/files/browsers/chromium.yaml
index 60035cc5..a63a255c 100644
--- a/artifacts/files/browsers/chromium.yaml
+++ b/artifacts/files/browsers/chromium.yaml
@@ -14,7 +14,7 @@ artifacts:
collector: file
path: /%user_home%/.var/app/org.chromium.Chromium
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -31,7 +31,7 @@ artifacts:
collector: file
path: /%user_home%/snap/chromium
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
diff --git a/artifacts/files/browsers/edge.yaml b/artifacts/files/browsers/edge.yaml
index 0c7f9719..6588f64f 100644
--- a/artifacts/files/browsers/edge.yaml
+++ b/artifacts/files/browsers/edge.yaml
@@ -14,7 +14,7 @@ artifacts:
collector: file
path: /%user_home%/.config/microsoft-edge
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -31,7 +31,7 @@ artifacts:
collector: file
path: /%user_home%/.var/app/com.microsoft.Edge
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -48,7 +48,7 @@ artifacts:
collector: file
path: /%user_home%/Library/"Application Support"/"Microsoft Edge"
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
diff --git a/artifacts/files/browsers/firefox.yaml b/artifacts/files/browsers/firefox.yaml
index 3d0908dc..39a44b00 100644
--- a/artifacts/files/browsers/firefox.yaml
+++ b/artifacts/files/browsers/firefox.yaml
@@ -14,7 +14,7 @@ artifacts:
collector: file
path: /%user_home%/.mozilla/firefox
name_pattern: ["bookmarkbackups", "sessionstore*"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -31,7 +31,7 @@ artifacts:
collector: file
path: /%user_home%/.var/app/org.mozilla.firefox
name_pattern: ["bookmarkbackups", "sessionstore*"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -48,7 +48,7 @@ artifacts:
collector: file
path: /%user_home%/snap/firefox
name_pattern: ["bookmarkbackups", "sessionstore*"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -65,7 +65,7 @@ artifacts:
collector: file
path: /%user_home%/Library/"Application Support"/Firefox
name_pattern: ["bookmarkbackups", "sessionstore*"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
diff --git a/artifacts/files/browsers/opera.yaml b/artifacts/files/browsers/opera.yaml
index c46abdc4..c1d87069 100644
--- a/artifacts/files/browsers/opera.yaml
+++ b/artifacts/files/browsers/opera.yaml
@@ -14,7 +14,7 @@ artifacts:
collector: file
path: /%user_home%/.config/opera
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -31,7 +31,7 @@ artifacts:
collector: file
path: /%user_home%/.var/app/com.opera.Opera
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -48,7 +48,7 @@ artifacts:
collector: file
path: /%user_home%/snap/opera
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -67,7 +67,7 @@ artifacts:
# will match com.operasoftware.Opera and Opera
path: /%user_home%/Library/"Application Support"/*Opera
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
diff --git a/artifacts/files/browsers/safari.yaml b/artifacts/files/browsers/safari.yaml
index fd234671..396614d3 100644
--- a/artifacts/files/browsers/safari.yaml
+++ b/artifacts/files/browsers/safari.yaml
@@ -22,7 +22,7 @@ artifacts:
collector: file
path: /%user_home%/Library/Safari*
name_pattern: ["Favicon Cache", "Form Values"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
diff --git a/artifacts/files/browsers/vivaldi.yaml b/artifacts/files/browsers/vivaldi.yaml
index a5ad0a24..edb288f0 100644
--- a/artifacts/files/browsers/vivaldi.yaml
+++ b/artifacts/files/browsers/vivaldi.yaml
@@ -14,7 +14,7 @@ artifacts:
collector: file
path: /%user_home%/.config/vivaldi
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -31,7 +31,7 @@ artifacts:
collector: file
path: /%user_home%/.var/app/com.vivaldi.Vivaldi
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
-
@@ -48,6 +48,6 @@ artifacts:
collector: file
path: /%user_home%/Library/"Application Support"/Vivaldi
name_pattern: ["Extensions", "File System", "Sessions"]
- file_type: d
+ file_type: [d]
ignore_date_range: true
exclude_nologin_users: true
diff --git a/artifacts/files/logs/additional_logs.yaml b/artifacts/files/logs/advanced_log_search.yaml
similarity index 95%
rename from artifacts/files/logs/additional_logs.yaml
rename to artifacts/files/logs/advanced_log_search.yaml
index 06faaca5..da72ee6d 100644
--- a/artifacts/files/logs/additional_logs.yaml
+++ b/artifacts/files/logs/advanced_log_search.yaml
@@ -1,4 +1,4 @@
-version: 1.0
+version: 2.0
artifacts:
-
description: Collect all log files and directories.
diff --git a/artifacts/files/logs/openbsd.yaml b/artifacts/files/logs/relink.yaml
similarity index 64%
rename from artifacts/files/logs/openbsd.yaml
rename to artifacts/files/logs/relink.yaml
index 6124cceb..ba3a6df8 100644
--- a/artifacts/files/logs/openbsd.yaml
+++ b/artifacts/files/logs/relink.yaml
@@ -4,5 +4,5 @@ artifacts:
description: Collect kernel relink log file.
supported_os: [openbsd]
collector: file
- path: /usr/share/relink/kernel
- path_pattern: ["*/relink.log"]
+ path: /usr/share/relink/kernel/relink.log
+
\ No newline at end of file
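Review bot: The new `path: /usr/share/relink/kernel/relink.log` drops the per-kernel subdirectory that the old `path_pattern: ["*/relink.log"]` matched; on OpenBSD the relink log is written under the kernel configuration's own directory (typically `/usr/share/relink/kernel/GENERIC.MP/relink.log`), so the literal path would most likely collect nothing. Keeping `path: /usr/share/relink/kernel` with `name_pattern: ["relink.log"]` (or the previous path_pattern) keeps the match independent of the kernel name. Worth confirming against the v3 file collector's matching semantics before the rename lands.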
diff --git a/artifacts/files/shell/history.yaml b/artifacts/files/shell/history.yaml
index 5ebbfdbb..da6daa5b 100644
--- a/artifacts/files/shell/history.yaml
+++ b/artifacts/files/shell/history.yaml
@@ -1,4 +1,4 @@
-version: 2.1
+version: 3.0
artifacts:
-
description: Collect shell history files.
@@ -8,6 +8,3 @@ artifacts:
# lesshst: less command history file
name_pattern: [".*_history", ".*history", "*.historynew", ".lesshst", ".zhistory", "fish_history"]
max_depth: 4
-
-# References:
-# https://dfir.ch/posts/today_i_learned_zsh_sessions/
\ No newline at end of file
diff --git a/artifacts/files/shell/sessions.yaml b/artifacts/files/shell/sessions.yaml
index e59c1046..0ec57faf 100644
--- a/artifacts/files/shell/sessions.yaml
+++ b/artifacts/files/shell/sessions.yaml
@@ -1,4 +1,4 @@
-version: 1.1
+version: 2.0
artifacts:
-
description: Collect shell sessions files.
@@ -8,5 +8,3 @@ artifacts:
name_pattern: ["*.session", "*.sessions", ".*_sessions"]
max_depth: 2
-# References:
-# https://dfir.ch/posts/today_i_learned_zsh_sessions/
\ No newline at end of file
diff --git a/artifacts/files/system/acct.yaml b/artifacts/files/system/acct.yaml
index c27e8583..a9150cae 100644
--- a/artifacts/files/system/acct.yaml
+++ b/artifacts/files/system/acct.yaml
@@ -1,5 +1,7 @@
version: 1.0
artifacts:
+ # system accounting files, covering processes that terminated on the system, allowing one to see past program executions
+ # this is deactivated by default, but quite usefull when active
-
description: Collect system accounting files.
supported_os: [freebsd, netbsd, openbsd]
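Review bot: The added comment at line 3 misspells "useful" (`usefull`) and leaves "this is deactivated by default" ambiguous — it reads as if the artifact itself is disabled, whereas process accounting on the host is presumably what is off by default. Suggest `# BSD process accounting is off by default; when enabled, these files record terminated processes and so past program executions`.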
@@ -17,4 +19,4 @@ artifacts:
supported_os: [freebsd, netbsd, openbsd]
collector: file
path: /var/account/savacct
- ignore_date_range: true
+ ignore_date_range: true
\ No newline at end of file
diff --git a/artifacts/files/system/device_db.yaml b/artifacts/files/system/dev_db.yaml
similarity index 91%
rename from artifacts/files/system/device_db.yaml
rename to artifacts/files/system/dev_db.yaml
index ce25a399..d3e162d8 100644
--- a/artifacts/files/system/device_db.yaml
+++ b/artifacts/files/system/dev_db.yaml
@@ -9,4 +9,4 @@ artifacts:
description: Collect database file used for device lookups.
supported_os: [netbsd]
collector: file
- path: /var/run/dev.cdb
+ path: /var/run/dev.cdb
\ No newline at end of file
diff --git a/artifacts/files/system/dev_shm.yaml b/artifacts/files/system/dev_shm.yaml
index 0f2a8bc0..305ce9e8 100644
--- a/artifacts/files/system/dev_shm.yaml
+++ b/artifacts/files/system/dev_shm.yaml
@@ -1,9 +1,9 @@
-version: 1.0
+version: 2.0
artifacts:
-
description: Collect system temporary files.
supported_os: [all]
collector: file
path: /dev/shm
- file_type: f
- max_file_size: 5242880 # 5MB
+ file_type: [f]
+ max_file_size: 10485760 # 10MB
diff --git a/artifacts/files/system/ds_store.yaml b/artifacts/files/system/ds_store.yaml
index decb42f2..7f460a71 100644
--- a/artifacts/files/system/ds_store.yaml
+++ b/artifacts/files/system/ds_store.yaml
@@ -6,5 +6,5 @@ artifacts:
collector: file
path: /
name_pattern: [".DS_Store"]
- file_type: f
+ file_type: [f]
\ No newline at end of file
diff --git a/artifacts/files/system/etc.yaml b/artifacts/files/system/etc.yaml
index f55e1caf..dd3292c8 100644
--- a/artifacts/files/system/etc.yaml
+++ b/artifacts/files/system/etc.yaml
@@ -2,16 +2,18 @@ version: 4.0
artifacts:
-
description: Collect system configuration files.
- supported_os: [aix, android, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: file
path: /etc
exclude_name_pattern: ["shadow", "shadow-", "master.passwd", "spwd.db", "gshadow", "gshadow-"]
+ file_type: [f]
ignore_date_range: true
-
description: Collect system configuration files.
- supported_os: [aix, android, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: file
path: /usr/local/etc
+ file_type: [f]
ignore_date_range: true
-
description: Collect system configuration files.
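Review bot: Adding `file_type: [f]` to the /etc and /usr/local/etc entries (and to /private/etc in the second hunk) excludes symbolic links, and several security-relevant entries under /etc are commonly symlinks (resolv.conf, localtime, alternatives-managed configs), so their contents may go uncollected unless another artifact covers the link targets. If the collector's file_type accepts find-style `l`, `file_type: [f, l]` keeps the previous coverage; otherwise the restriction deserves a comment stating the intent.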
@@ -19,4 +21,5 @@ artifacts:
collector: file
path: /private/etc
exclude_name_pattern: ["shadow", "shadow-"]
+ file_type: [f]
ignore_date_range: true
diff --git a/artifacts/files/system/locate_db.yaml b/artifacts/files/system/locate_db.yaml
index 11d935fa..9eea7fb6 100644
--- a/artifacts/files/system/locate_db.yaml
+++ b/artifacts/files/system/locate_db.yaml
@@ -1,7 +1,10 @@
version: 1.0
artifacts:
+ # snapshot of file system paths that can be queried with "locate".
+ # can be used to compare file system structure at the time of database update against current file system structure.
-
description: Collect database file used by locate command, representing a snapshot of the virtual file system accessible with minimal permissions.
supported_os: [freebsd, netbsd, openbsd]
collector: file
path: /var/db/locate.database
+
\ No newline at end of file
diff --git a/artifacts/files/system/netscaler.yaml b/artifacts/files/system/netscaler.yaml
index 2dac0fd8..70c92d2b 100644
--- a/artifacts/files/system/netscaler.yaml
+++ b/artifacts/files/system/netscaler.yaml
@@ -1,4 +1,4 @@
-version: 2.0
+version: 3.0
artifacts:
-
description: Collect system configuration files.
@@ -11,19 +11,19 @@ artifacts:
supported_os: [netscaler]
collector: file
path: /var/vpn
- max_file_size: 5242880 # 5 MB
+ max_file_size: 10485760 # 10MB
-
description: Collect files from /var/netscaler/logon.
supported_os: [netscaler]
collector: file
path: /var/netscaler/logon
- max_file_size: 5242880 # 5 MB
+ max_file_size: 10485760 # 10MB
-
description: Collect files from /netscaler/ns_gui.
supported_os: [netscaler]
collector: file
path: /netscaler/ns_gui
- max_file_size: 5242880 # 5 MB
+ max_file_size: 10485760 # 10MB
# References:
# https://www.mandiant.com/resources/blog/citrix-zero-day-espionage
diff --git a/artifacts/files/system/run_shm.yaml b/artifacts/files/system/run_shm.yaml
index e646b2b5..78ede603 100644
--- a/artifacts/files/system/run_shm.yaml
+++ b/artifacts/files/system/run_shm.yaml
@@ -1,10 +1,10 @@
-version: 1.0
+version: 3.0
artifacts:
-
description: Collect system temporary files.
supported_os: [all]
collector: file
path: /run/shm
- file_type: f
- max_file_size: 5242880 # 5MB
+ file_type: [f]
+ max_file_size: 10485760 # 10MB
diff --git a/artifacts/files/system/security_backups.yaml b/artifacts/files/system/security_backups.yaml
index e828b5ef..75e57740 100644
--- a/artifacts/files/system/security_backups.yaml
+++ b/artifacts/files/system/security_backups.yaml
@@ -5,6 +5,6 @@ artifacts:
supported_os: [freebsd, netbsd, openbsd]
collector: file
path: /var/backups
- name_pattern: ["*.current", "*.backup", "*.current.sha256", "*.backup.sha256"]
+ name_pattern: ["*.backup", "*.backup.sha256", "*.current", "*.current.sha256"]
exclude_name_pattern: ["master.passwd.current", "master.passwd.backup"]
- ignore_date_range: true
+ ignore_date_range: true
\ No newline at end of file
diff --git a/artifacts/files/system/systemd.yaml b/artifacts/files/system/systemd.yaml
index ce60ef21..c63483f6 100644
--- a/artifacts/files/system/systemd.yaml
+++ b/artifacts/files/system/systemd.yaml
@@ -17,7 +17,7 @@ artifacts:
supported_os: [linux]
collector: file
path: /run/systemd/sessions
- file_type: f
+ file_type: [f]
-
description: Collect systemd scope and transient timer files.
supported_os: [linux]
@@ -34,4 +34,4 @@ artifacts:
description: Collect systemd per-user configuration.
supported_os: [linux]
collector: file
- path: /%user_home%/.config/systemd
+ path: /%user_home%/.config/systemd
\ No newline at end of file
diff --git a/artifacts/files/system/tmp.yaml b/artifacts/files/system/tmp.yaml
index 1d977b51..b9f050bf 100644
--- a/artifacts/files/system/tmp.yaml
+++ b/artifacts/files/system/tmp.yaml
@@ -1,16 +1,16 @@
-version: 3.0
+version: 4.0
artifacts:
-
description: Collect system temporary files.
supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: file
path: /tmp
- file_type: f
- max_file_size: 5242880 # 5MB
+ file_type: [f]
+ max_file_size: 10485760 # 10MB
-
description: Collect system temporary files.
supported_os: [macos]
collector: file
path: /private/tmp
- file_type: f
- max_file_size: 5242880 # 5MB
+ file_type: [f]
+ max_file_size: 10485760 # 10MB
diff --git a/artifacts/files/system/var_spool.yaml b/artifacts/files/system/var_spool.yaml
index d7e588d6..02c0c75b 100644
--- a/artifacts/files/system/var_spool.yaml
+++ b/artifacts/files/system/var_spool.yaml
@@ -2,7 +2,7 @@ version: 2.0
artifacts:
-
description: Collect spool files.
- supported_os: [aix, android, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: file
path: /var/spool
-
diff --git a/artifacts/files/system/var_tmp.yaml b/artifacts/files/system/var_tmp.yaml
index 3f9f2539..61a807b4 100644
--- a/artifacts/files/system/var_tmp.yaml
+++ b/artifacts/files/system/var_tmp.yaml
@@ -1,16 +1,16 @@
-version: 2.0
+version: 3.0
artifacts:
-
description: Collect system temporary files.
supported_os: [aix, esxi, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: file
path: /var/tmp
- file_type: f
- max_file_size: 5242880 # 5MB
+ file_type: [f]
+ max_file_size: 10485760 # 10MB
-
description: Collect system temporary files.
supported_os: [macos]
collector: file
path: /private/var/tmp
- file_type: f
- max_file_size: 5242880 # 5MB
+ file_type: [f]
+ max_file_size: 10485760 # 10MB
diff --git a/artifacts/hash_executables/hash_executables.yaml b/artifacts/hash_executables/hash_executables.yaml
index 14078190..a059fb9a 100644
--- a/artifacts/hash_executables/hash_executables.yaml
+++ b/artifacts/hash_executables/hash_executables.yaml
@@ -1,43 +1,12 @@
-version: 1.0
+version: 2.0
+output_directory: /hash_executables
artifacts:
-
- description: Find files that contain at least +x flag set for other.
+ description: Find files that contain the +x flag set.
supported_os: [all]
- collector: find
- path: /
- exclude_file_system: [proc, procfs]
- file_type: f
- max_depth: 4
- max_file_size: 3072000
- permissions: -001
- output_file: list_of_executable_files.txt
- -
- description: Find files that contain at least +x flag set for group.
- supported_os: [all]
- collector: find
- path: /
- exclude_file_system: [proc, procfs]
- file_type: f
- max_depth: 4
- max_file_size: 3072000
- permissions: -010
- output_file: list_of_executable_files.txt
- -
- description: Find files that contain at least +x flag set for owner.
- supported_os: [all]
- collector: find
+ collector: hash
path: /
exclude_file_system: [proc, procfs]
- file_type: f
- max_depth: 4
- max_file_size: 3072000
- permissions: -100
- output_file: list_of_executable_files.txt
- -
- description: Hash files that contain at least +x flag set for owner.
- supported_os: [all]
- collector: hash
- path: list_of_executable_files.txt
- is_file_list: true
+ file_type: [f]
+ permissions: [-001, -010, -100]
output_file: hash_executables
-
\ No newline at end of file
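Review bot: The rewritten single hash entry drops the `max_depth: 4` and `max_file_size: 3072000` bounds the four previous entries carried, so the hash collector now walks the whole filesystem (minus proc/procfs) and hashes executables of any size, which materially changes runtime and output volume on large hosts. Unless the hash collector applies defaults elsewhere, re-adding `max_depth: 4` and `max_file_size: 3072000` (or a comment documenting why they were removed) would keep behaviour comparable. Whether the list form `permissions: [-001, -010, -100]` is an OR like the three old entries or an AND is not visible here and is worth confirming against the collector; also the description still says "Find files ..." although the collector is now `hash`.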
diff --git a/artifacts/live_response/containers/containerd.yaml b/artifacts/live_response/containers/containerd.yaml
index 61c7e5f5..4a7936c1 100644
--- a/artifacts/live_response/containers/containerd.yaml
+++ b/artifacts/live_response/containers/containerd.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "containerd"
+output_directory: /live_response/containers
artifacts:
-
description: Dump containerd configuration.
diff --git a/artifacts/live_response/containers/docker.yaml b/artifacts/live_response/containers/docker.yaml
index 99b60c6b..75315395 100644
--- a/artifacts/live_response/containers/docker.yaml
+++ b/artifacts/live_response/containers/docker.yaml
@@ -1,4 +1,6 @@
-version: 2.1
+version: 2.0
+condition: command_exists "docker"
+output_directory: /live_response/containers
artifacts:
-
description: List all containers.
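Review bot: `version` goes from 2.1 to 2.0 on line 1, a downgrade, while every sibling file in this commit bumps its version when `condition` and `output_directory` are added; if the field is used for compatibility checks this marks the new schema as older than the previous one. Suggest `version: 3.0`.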
@@ -98,4 +100,3 @@ artifacts:
foreach: docker container ps --all | sed 1d | awk '{print $1}'
command: docker stats --no-stream --no-trunc %line%
output_file: docker_stats_%line%.txt
-
\ No newline at end of file
diff --git a/artifacts/live_response/containers/lxc.yaml b/artifacts/live_response/containers/lxc.yaml
index 89bb4a6a..274b338c 100644
--- a/artifacts/live_response/containers/lxc.yaml
+++ b/artifacts/live_response/containers/lxc.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lxc" || command_exists "lxc-ls"
+output_directory: /live_response/containers
artifacts:
-
description: List all containers and virtual machines.
@@ -77,4 +79,17 @@ artifacts:
foreach: lxc storage list --format compact | sed 1d | awk '{print $1}'
command: lxc storage show %line%
output_file: lxc_storage_show_%line%.txt
-
\ No newline at end of file
+ -
+ description: List the containers existing on the system..
+ supported_os: [linux]
+ collector: command
+ command: lxc-ls -f
+ output_file: lxc-ls_-f.txt
+ -
+ description: Show information about all containers.
+ supported_os: [linux]
+ collector: command
+ foreach: lxc-ls -1
+ command: lxc-info -i -p -S -s %line%
+ output_file: lxc-info_-i_-p_-S_-s_%line%.txt
+
\ No newline at end of file
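Review bot: The file-level `condition: command_exists "lxc" || command_exists "lxc-ls"` lets the two new lxc-ls/lxc-info entries run on a host that has only the `lxc` client, and the existing lxc entries run on a host that has only lxc-ls, producing failed commands either way. Since the format supports a per-artifact `condition` (hostname.yaml in this commit puts `condition: command_exists "hostnamectl"` on a single entry), adding `condition: command_exists "lxc-ls"` to the two new entries would scope them correctly. The new description also carries a doubled period: `description: List the containers existing on the system.`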
diff --git a/artifacts/live_response/containers/pct.yaml b/artifacts/live_response/containers/pct.yaml
index e215c203..0ec43682 100644
--- a/artifacts/live_response/containers/pct.yaml
+++ b/artifacts/live_response/containers/pct.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pct"
+output_directory: /live_response/containers
artifacts:
-
description: List all Proxmox VE active and inactive LXC containers.
diff --git a/artifacts/live_response/containers/podman.yaml b/artifacts/live_response/containers/podman.yaml
index 5bfbead2..7f4b2ebe 100644
--- a/artifacts/live_response/containers/podman.yaml
+++ b/artifacts/live_response/containers/podman.yaml
@@ -1,4 +1,6 @@
version: 2.0
+condition: command_exists "podman"
+output_directory: /live_response/containers
artifacts:
-
description: List all containers.
@@ -25,7 +27,7 @@ artifacts:
command: podman version
output_file: podman_version.txt
-
- description: Display a live stream of one or more container’s resource usage statistics.
+ description: Display a live stream of one or more container's resource usage statistics.
supported_os: [linux]
collector: command
command: podman stats --all --no-stream
diff --git a/artifacts/live_response/hardware/alog.yaml b/artifacts/live_response/hardware/alog.yaml
index 5011d586..c390f8bb 100644
--- a/artifacts/live_response/hardware/alog.yaml
+++ b/artifacts/live_response/hardware/alog.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "alog"
+output_directory: /live_response/hardware
artifacts:
-
description: Print boot log.
diff --git a/artifacts/live_response/hardware/bootlist.yaml b/artifacts/live_response/hardware/bootlist.yaml
index 7610eb98..87bd3436 100644
--- a/artifacts/live_response/hardware/bootlist.yaml
+++ b/artifacts/live_response/hardware/bootlist.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "bootlist"
+output_directory: /live_response/hardware
artifacts:
-
description: Display the list of boot devices available to the system.
diff --git a/artifacts/live_response/hardware/cfgadm.yaml b/artifacts/live_response/hardware/cfgadm.yaml
index 7366ae82..cf1d8cee 100644
--- a/artifacts/live_response/hardware/cfgadm.yaml
+++ b/artifacts/live_response/hardware/cfgadm.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "cfgadm"
+output_directory: /live_response/hardware
artifacts:
-
description: Display configuration administration status information.
diff --git a/artifacts/live_response/hardware/cpuinfo.yaml b/artifacts/live_response/hardware/cpuinfo.yaml
index 6ddddcda..bf118e4f 100644
--- a/artifacts/live_response/hardware/cpuinfo.yaml
+++ b/artifacts/live_response/hardware/cpuinfo.yaml
@@ -1,8 +1,10 @@
-version: 1.0
+version: 2.0
+condition: command_exists "cpuinfo"
+output_directory: /live_response/hardware
artifacts:
-
description: Display CPU information.
- supported_os: [android, linux, netbsd]
+ supported_os: [linux, netbsd]
collector: command
command: cat /proc/cpuinfo
output_file: cpuinfo.txt
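Review bot: `condition: command_exists "cpuinfo"` gates the file on a binary that does not exist — the artifact runs `cat /proc/cpuinfo`, so the condition will fail and nothing is collected. If the condition field accepts a shell test, `condition: test -r /proc/cpuinfo` expresses the real prerequisite; otherwise the condition should be dropped. The same mismatch between condition and command appears in ip6tables.yaml, where `command_exists "ip6table"` guards commands that invoke `ip6tables`.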
diff --git a/artifacts/live_response/hardware/devinfo.yaml b/artifacts/live_response/hardware/devinfo.yaml
index 5f0f6670..cb658f1b 100644
--- a/artifacts/live_response/hardware/devinfo.yaml
+++ b/artifacts/live_response/hardware/devinfo.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "devinfo"
+output_directory: /live_response/hardware
artifacts:
-
description: Display information about system device configuration.
diff --git a/artifacts/live_response/hardware/dmesg.yaml b/artifacts/live_response/hardware/dmesg.yaml
index e4dbcab0..5050acbb 100644
--- a/artifacts/live_response/hardware/dmesg.yaml
+++ b/artifacts/live_response/hardware/dmesg.yaml
@@ -1,20 +1,23 @@
-version: 1.1
+version: 3.0
+condition: command_exists "dmesg"
+output_directory: /live_response/hardware
artifacts:
-
description: Display the system/kernel message buffer.
- supported_os: [android, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+ supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
collector: command
command: dmesg
output_file: dmesg.txt
- -
- description: Display the console message buffer.
- supported_os: [openbsd]
- collector: command
- command: dmesg -s
- output_file: dmesg_-s.txt
-
description: Display all data from the message buffer, including syslog records and console output.
- supported_os: [freebsd]
+ supported_os: [esxi, freebsd, netscaler, solaris]
collector: command
command: dmesg -a
output_file: dmesg_-a.txt
+ -
+ description: Display the console message buffer.
+ supported_os: [esxi, openbsd, solaris]
+ collector: command
+ command: dmesg -s
+ output_file: dmesg_-s.txt
+
\ No newline at end of file
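Review bot: `esxi` is added to the supported_os of `dmesg -a` and `dmesg -s` but not to the plain `dmesg` entry above, which is inconsistent: if the ESXi dmesg accepts those flags the plain call should work too, and if it does not the two flagged entries only produce errors. `solaris` gains both flagged variants in the same way, so both platforms are worth verifying before the bump to version 3.0. If the asymmetry is intended, a one-line comment on the entries stating which platforms were tested would save the next reader the same question.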
diff --git a/artifacts/live_response/hardware/dmidecode.yaml b/artifacts/live_response/hardware/dmidecode.yaml
index e0f30544..43abf8a2 100644
--- a/artifacts/live_response/hardware/dmidecode.yaml
+++ b/artifacts/live_response/hardware/dmidecode.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "dmidecode"
+output_directory: /live_response/hardware
artifacts:
-
description: Display the computer's DMI (some say SMBIOS) table contents in a human-readable format.
diff --git a/artifacts/live_response/hardware/esxcli.yaml b/artifacts/live_response/hardware/esxcli.yaml
index 22cb5da7..d6c0635c 100644
--- a/artifacts/live_response/hardware/esxcli.yaml
+++ b/artifacts/live_response/hardware/esxcli.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "esxcli"
+output_directory: /live_response/hardware
artifacts:
-
description: List all of the CPUs on this host.
diff --git a/artifacts/live_response/hardware/hostinfo.yaml b/artifacts/live_response/hardware/hostinfo.yaml
index f7ad97e1..a340745f 100644
--- a/artifacts/live_response/hardware/hostinfo.yaml
+++ b/artifacts/live_response/hardware/hostinfo.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "hostinfo"
+output_directory: /live_response/hardware
artifacts:
-
description: Display kernel version description, processor configuration data, available physical memory, and various scheduling statistics.
diff --git a/artifacts/live_response/hardware/hwinfo.yaml b/artifacts/live_response/hardware/hwinfo.yaml
index f1957645..46a8424f 100644
--- a/artifacts/live_response/hardware/hwinfo.yaml
+++ b/artifacts/live_response/hardware/hwinfo.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "hwinfo"
+output_directory: /live_response/hardware
artifacts:
-
description: Display hardware information.
diff --git a/artifacts/live_response/hardware/ioreg.yaml b/artifacts/live_response/hardware/ioreg.yaml
index 048be113..3df24e38 100644
--- a/artifacts/live_response/hardware/ioreg.yaml
+++ b/artifacts/live_response/hardware/ioreg.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "ioreg"
+output_directory: /live_response/hardware
artifacts:
-
description: Display I/O Kit registry.
diff --git a/artifacts/live_response/hardware/lscpu.yaml b/artifacts/live_response/hardware/lscpu.yaml
index 79e02c32..026b0737 100644
--- a/artifacts/live_response/hardware/lscpu.yaml
+++ b/artifacts/live_response/hardware/lscpu.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lscpu"
+output_directory: /live_response/hardware
artifacts:
-
description: Display information about the CPU architecture.
diff --git a/artifacts/live_response/hardware/lsdev.yaml b/artifacts/live_response/hardware/lsdev.yaml
index 89ac43a5..c718b528 100644
--- a/artifacts/live_response/hardware/lsdev.yaml
+++ b/artifacts/live_response/hardware/lsdev.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lsdev"
+output_directory: /live_response/hardware
artifacts:
-
description: Display devices in the system and their characteristics.
diff --git a/artifacts/live_response/hardware/lshw.yaml b/artifacts/live_response/hardware/lshw.yaml
index 27578949..3ad54b8a 100644
--- a/artifacts/live_response/hardware/lshw.yaml
+++ b/artifacts/live_response/hardware/lshw.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lshw"
+output_directory: /live_response/hardware
artifacts:
-
description: Display hardware information.
diff --git a/artifacts/live_response/hardware/lspci.yaml b/artifacts/live_response/hardware/lspci.yaml
index d56e3306..d9d02fd2 100644
--- a/artifacts/live_response/hardware/lspci.yaml
+++ b/artifacts/live_response/hardware/lspci.yaml
@@ -1,17 +1,13 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lspci"
+output_directory: /live_response/hardware
artifacts:
-
description: List all PCI devices.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: lspci
output_file: lspci.txt
- -
- description: List all PCI devices including the kernel driver.
- supported_os: [android]
- collector: command
- command: lspci -e -k
- output_file: lspci_-e_-k.txt
-
description: List all PCI devices.
supported_os: [linux]
diff --git a/artifacts/live_response/hardware/lsscsi.yaml b/artifacts/live_response/hardware/lsscsi.yaml
index 8f6ad6b0..06593bfd 100644
--- a/artifacts/live_response/hardware/lsscsi.yaml
+++ b/artifacts/live_response/hardware/lsscsi.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lsscsi"
+output_directory: /live_response/hardware
artifacts:
-
description: Display SCSI devices (or hosts) and their attributes.
diff --git a/artifacts/live_response/hardware/lsusb.yaml b/artifacts/live_response/hardware/lsusb.yaml
index 2b5b9b19..211d641f 100644
--- a/artifacts/live_response/hardware/lsusb.yaml
+++ b/artifacts/live_response/hardware/lsusb.yaml
@@ -1,8 +1,10 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lsusb"
+output_directory: /live_response/hardware
artifacts:
-
description: Display information about USB devices.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: lsusb
output_file: lsusb.txt
diff --git a/artifacts/live_response/hardware/mpstat.yaml b/artifacts/live_response/hardware/mpstat.yaml
index 0ac7b5ca..f5b15e98 100644
--- a/artifacts/live_response/hardware/mpstat.yaml
+++ b/artifacts/live_response/hardware/mpstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "mpstat"
+output_directory: /live_response/hardware
artifacts:
-
description: Collect and display performance statistics for all logical processors in the system.
diff --git a/artifacts/live_response/hardware/nvram.yaml b/artifacts/live_response/hardware/nvram.yaml
index f996d728..512fd713 100644
--- a/artifacts/live_response/hardware/nvram.yaml
+++ b/artifacts/live_response/hardware/nvram.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "nvram"
+output_directory: /live_response/hardware
artifacts:
-
description: Print all of the firmware variables.
diff --git a/artifacts/live_response/hardware/pciconf.yaml b/artifacts/live_response/hardware/pciconf.yaml
index 7b5995f9..e4bbe261 100644
--- a/artifacts/live_response/hardware/pciconf.yaml
+++ b/artifacts/live_response/hardware/pciconf.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pciconf"
+output_directory: /live_response/hardware
artifacts:
-
description: Display PCI devices information.
diff --git a/artifacts/live_response/hardware/pcidump.yaml b/artifacts/live_response/hardware/pcidump.yaml
index 6f757d80..2b3df14a 100644
--- a/artifacts/live_response/hardware/pcidump.yaml
+++ b/artifacts/live_response/hardware/pcidump.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pcidump"
+output_directory: /live_response/hardware
artifacts:
-
description: Display PCI device data.
diff --git a/artifacts/live_response/hardware/prtconf.yaml b/artifacts/live_response/hardware/prtconf.yaml
index 69d8b018..e74d816c 100644
--- a/artifacts/live_response/hardware/prtconf.yaml
+++ b/artifacts/live_response/hardware/prtconf.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "prtconf"
+output_directory: /live_response/hardware
artifacts:
-
description: Display system configuration information.
diff --git a/artifacts/live_response/hardware/psrinfo.yaml b/artifacts/live_response/hardware/psrinfo.yaml
index d9ddd2b5..fa9b0959 100644
--- a/artifacts/live_response/hardware/psrinfo.yaml
+++ b/artifacts/live_response/hardware/psrinfo.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "psrinfo"
+output_directory: /live_response/hardware
artifacts:
-
description: Display information about processors.
diff --git a/artifacts/live_response/hardware/smbios.yaml b/artifacts/live_response/hardware/smbios.yaml
index 48c9e5e3..3cfa6ca6 100644
--- a/artifacts/live_response/hardware/smbios.yaml
+++ b/artifacts/live_response/hardware/smbios.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "smbios"
+output_directory: /live_response/hardware
artifacts:
-
description: Display the contents of the System Management BIOS image.
diff --git a/artifacts/live_response/hardware/systemstats.yaml b/artifacts/live_response/hardware/systemstats.yaml
index 59e47883..deaba042 100644
--- a/artifacts/live_response/hardware/systemstats.yaml
+++ b/artifacts/live_response/hardware/systemstats.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "systemstats"
+output_directory: /live_response/hardware
artifacts:
-
description: Display a selection of statistics about system power usage.
diff --git a/artifacts/live_response/hardware/usbconfig.yaml b/artifacts/live_response/hardware/usbconfig.yaml
index c1a46877..915bf085 100644
--- a/artifacts/live_response/hardware/usbconfig.yaml
+++ b/artifacts/live_response/hardware/usbconfig.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "usbconfig"
+output_directory: /live_response/hardware
artifacts:
-
description: Display all connected USB devices and their attached interface drivers.
diff --git a/artifacts/live_response/hardware/usbdevs.yaml b/artifacts/live_response/hardware/usbdevs.yaml
index aeafcda8..c6247581 100644
--- a/artifacts/live_response/hardware/usbdevs.yaml
+++ b/artifacts/live_response/hardware/usbdevs.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "usbdevs"
+output_directory: /live_response/hardware
artifacts:
-
description: Display USB devices connected to the system.
diff --git a/artifacts/live_response/network/arp.yaml b/artifacts/live_response/network/arp.yaml
index 3d0d102b..9985bf94 100644
--- a/artifacts/live_response/network/arp.yaml
+++ b/artifacts/live_response/network/arp.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "arp"
+output_directory: /live_response/network
artifacts:
-
description: Collect the kernel's IPv4 network neighbour cache.
diff --git a/artifacts/live_response/network/esxcli.yaml b/artifacts/live_response/network/esxcli.yaml
index 28547a18..7aa77f8e 100644
--- a/artifacts/live_response/network/esxcli.yaml
+++ b/artifacts/live_response/network/esxcli.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "esxcli"
+output_directory: /live_response/network
artifacts:
-
description: List active TCP/IP connections.
diff --git a/artifacts/live_response/network/firewall-cmd.yaml b/artifacts/live_response/network/firewall-cmd.yaml
index a6344021..e884ef73 100644
--- a/artifacts/live_response/network/firewall-cmd.yaml
+++ b/artifacts/live_response/network/firewall-cmd.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "firewall-cmd"
+output_directory: /live_response/network
artifacts:
-
description: Collect currently active zones altogether with interfaces and sources used in these zones.
@@ -29,4 +31,4 @@ artifacts:
supported_os: [linux]
collector: command
command: firewall-cmd --list-all-zones
- output_file: firewall-cmd_--list-all-zones.txt
\ No newline at end of file
+ output_file: firewall-cmd_--list-all-zones.txt
diff --git a/artifacts/live_response/network/hostname.yaml b/artifacts/live_response/network/hostname.yaml
index b3d1bbcd..07223f66 100644
--- a/artifacts/live_response/network/hostname.yaml
+++ b/artifacts/live_response/network/hostname.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/network
artifacts:
-
description: Collect the system's host name.
@@ -17,6 +18,7 @@ artifacts:
supported_os: [linux]
collector: command
command: hostnamectl
+ condition: command_exists "hostnamectl"
output_file: hostnamectl.txt
-
description: Collect the system's host name.
diff --git a/artifacts/live_response/network/ifconfig.yaml b/artifacts/live_response/network/ifconfig.yaml
index f8356d05..207a5705 100644
--- a/artifacts/live_response/network/ifconfig.yaml
+++ b/artifacts/live_response/network/ifconfig.yaml
@@ -1,8 +1,10 @@
-version: 2.0
+version: 3.0
+condition: command_exists "ifconfig"
+output_directory: /live_response/network
artifacts:
-
description: Collect information about all interfaces which are currently available, even if down.
- supported_os: [android, aix, freebsd, linux, openbsd, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, freebsd, linux, openbsd, netbsd, netscaler, openbsd, solaris]
collector: command
command: ifconfig -a
output_file: ifconfig_-a.txt
\ No newline at end of file
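Review bot: The updated `supported_os` still lists `openbsd` twice (`[aix, freebsd, linux, openbsd, netbsd, netscaler, openbsd, solaris]`); the duplicate was carried over while removing `android`. Suggest `supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]`, which also matches the alphabetical order used by the other files in this commit.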
diff --git a/artifacts/live_response/network/inetadm.yaml b/artifacts/live_response/network/inetadm.yaml
index 8a0ebb37..77b5eee7 100644
--- a/artifacts/live_response/network/inetadm.yaml
+++ b/artifacts/live_response/network/inetadm.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "inetadm"
+output_directory: /live_response/network
artifacts:
-
description: Collect information about inetd services.
diff --git a/artifacts/live_response/network/ip.yaml b/artifacts/live_response/network/ip.yaml
index 1429ba7b..b1a923fd 100644
--- a/artifacts/live_response/network/ip.yaml
+++ b/artifacts/live_response/network/ip.yaml
@@ -1,26 +1,28 @@
-version: 1.0
+version: 2.0
+condition: command_exists "ip"
+output_directory: /live_response/network
artifacts:
-
description: Collect addresses assigned to all network interfaces.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ip addr show
output_file: ip_addr_show.txt
-
description: Collect information about network devices.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ip link show
output_file: ip_link_show.txt
-
description: Collect neightbour entries.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ip neighbor show
output_file: ip_neighbor_show.txt
-
description: Collect the kernel routing tables.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ip route show
output_file: ip_route_show.txt
\ No newline at end of file
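Review bot: The third artifact's description, `description: Collect neightbour entries.`, carries a typo that survives on the new side of this hunk while the surrounding lines were touched. Suggested line: `description: Collect neighbour entries.`.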
diff --git a/artifacts/live_response/network/ip6tables.yaml b/artifacts/live_response/network/ip6tables.yaml
index f7e67200..dbed6416 100644
--- a/artifacts/live_response/network/ip6tables.yaml
+++ b/artifacts/live_response/network/ip6tables.yaml
@@ -1,14 +1,16 @@
-version: 1.0
+version: 2.0
+condition: command_exists "ip6table"
+output_directory: /live_response/network
artifacts:
-
description: Collect firewall rules from all chains with numerical addresses instead of trying to determine symbolic host, port or user names.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ip6tables -L -v -n
output_file: iptables_-L_-v_-n.txt
-
description: Collect firewall rules from nat chain with numerical addresses instead of trying to determine symbolic host, port or user names.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ip6tables -t nat -L -v -n
output_file: iptables_-t_nat_-L_-v_-n.txt
\ No newline at end of file
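Review bot: The new file-level condition `condition: command_exists "ip6table"` checks for a binary named `ip6table`, but both artifacts in the file run `ip6tables`; as written the condition will most likely never be satisfied and the IPv6 firewall rules will silently go uncollected. Suggested line: `condition: command_exists "ip6tables"`. Separately, with `output_directory: /live_response/network` now set here and in the iptables hunk (the `iptables.yaml` section below), both files write `iptables_-L_-v_-n.txt` and `iptables_-t_nat_-L_-v_-n.txt` into the same directory, so one collection overwrites or interleaves with the other. Suggested lines for this file: `output_file: ip6tables_-L_-v_-n.txt` and `output_file: ip6tables_-t_nat_-L_-v_-n.txt`.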
diff --git a/artifacts/live_response/network/ipfstat.yaml b/artifacts/live_response/network/ipfstat.yaml
index 8156624c..e4d07a88 100644
--- a/artifacts/live_response/network/ipfstat.yaml
+++ b/artifacts/live_response/network/ipfstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "ipfstat"
+output_directory: /live_response/network
artifacts:
-
description: Collect packet filter statistics and filter list.
diff --git a/artifacts/live_response/network/ipfw.yaml b/artifacts/live_response/network/ipfw.yaml
index 1bb5e430..4f377823 100644
--- a/artifacts/live_response/network/ipfw.yaml
+++ b/artifacts/live_response/network/ipfw.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "ipfw"
+output_directory: /live_response/network
artifacts:
-
description: List all firewall entries.
diff --git a/artifacts/live_response/network/iptables.yaml b/artifacts/live_response/network/iptables.yaml
index 4b4b6b08..40ec3cbf 100644
--- a/artifacts/live_response/network/iptables.yaml
+++ b/artifacts/live_response/network/iptables.yaml
@@ -1,14 +1,16 @@
-version: 2.0
+version: 3.0
+condition: command_exists "iptables"
+output_directory: /live_response/network
artifacts:
-
description: Collect firewall rules from all chains with numerical addresses instead of trying to determine symbolic host, port or user names.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: iptables -L -v -n
output_file: iptables_-L_-v_-n.txt
-
description: Collect firewall rules from nat chain with numerical addresses instead of trying to determine symbolic host, port or user names.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: iptables -t nat -L -v -n
output_file: iptables_-t_nat_-L_-v_-n.txt
\ No newline at end of file
diff --git a/artifacts/live_response/network/lsdev.yaml b/artifacts/live_response/network/lsdev.yaml
index f41c239b..77e92bc8 100644
--- a/artifacts/live_response/network/lsdev.yaml
+++ b/artifacts/live_response/network/lsdev.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lsdev"
+output_directory: /live_response/network
artifacts:
-
description: Collect information about tcpip class devices in the system and their characteristics.
diff --git a/artifacts/live_response/network/lsof.yaml b/artifacts/live_response/network/lsof.yaml
index 67a239aa..d57e2fa8 100644
--- a/artifacts/live_response/network/lsof.yaml
+++ b/artifacts/live_response/network/lsof.yaml
@@ -1,4 +1,6 @@
-version: 3.0
+version: 4.0
+condition: command_exists "lsof"
+output_directory: /live_response/network
artifacts:
-
description: Collect the listing of all Internet network files.
diff --git a/artifacts/live_response/network/lssrc.yaml b/artifacts/live_response/network/lssrc.yaml
index 28d71a32..115c1017 100644
--- a/artifacts/live_response/network/lssrc.yaml
+++ b/artifacts/live_response/network/lssrc.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lssrc"
+output_directory: /live_response/network
artifacts:
-
description: Display status of the subsystem, group of subsystems, or subserver.
diff --git a/artifacts/live_response/network/macos_network_preferences.yaml b/artifacts/live_response/network/macos_network_preferences.yaml
index 7acbbb28..5704d585 100644
--- a/artifacts/live_response/network/macos_network_preferences.yaml
+++ b/artifacts/live_response/network/macos_network_preferences.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/network
artifacts:
-
description: Collect network preferences.
diff --git a/artifacts/live_response/network/ndp.yaml b/artifacts/live_response/network/ndp.yaml
index d7378459..803a13d9 100644
--- a/artifacts/live_response/network/ndp.yaml
+++ b/artifacts/live_response/network/ndp.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "ndp"
+output_directory: /live_response/network
artifacts:
-
description: Collect the kernel's IPv6 network neighbour cache.
diff --git a/artifacts/live_response/network/netstat.yaml b/artifacts/live_response/network/netstat.yaml
index f70fc35e..c44d40db 100644
--- a/artifacts/live_response/network/netstat.yaml
+++ b/artifacts/live_response/network/netstat.yaml
@@ -1,32 +1,34 @@
-version: 2.0
+version: 3.0
+condition: command_exists "netstat"
+output_directory: /live_response/network
artifacts:
-
description: Collect both listening and non-listening (for TCP this means established connections) sockets.
- supported_os: [android, aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: command
command: netstat -a
output_file: netstat_-a.txt
-
description: Collect both listening and non-listening (for TCP this means established connections) sockets with numerical addresses instead of trying to determine symbolic host, port or user names.
- supported_os: [android, aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: command
command: netstat -an
output_file: netstat_-an.txt
-
description: Collect a table of all network interfaces.
- supported_os: [android, aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: command
command: netstat -i
output_file: netstat_-i.txt
-
description: Collect the kernel routing tables.
- supported_os: [android, aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: command
command: netstat -r
output_file: netstat_-r.txt
-
description: Collect the kernel routing tables with numerical addresses instead of trying to determine symbolic host, port or user names.
- supported_os: [android, aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: command
command: netstat -rn
output_file: netstat_-rn.txt
@@ -50,13 +52,13 @@ artifacts:
output_file: netstat_-v.txt
-
description: Collect both listening and non-listening (for TCP this means established connections) sockets with numerical addresses instead of trying to determine symbolic host, port or user names, and show the PID and name of the program to which each socket belongs.
- supported_os: [android, linux, solaris]
+ supported_os: [linux, solaris]
collector: command
command: netstat -anp
output_file: netstat_-anp.txt
-
description: Collect extended information about listening and non-listening (for TCP this means established connections) sockets, the PID and name of the program to which each socket belongs with numerical addresses instead of trying to determine symbolic host, port or user names.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: netstat -lpeanut
- output_file: netstat_-lpeanut.txt
+ output_file: netstat_-lpeanut.txt
\ No newline at end of file
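Review bot: The `netstat -anp` artifact keeps `solaris` in `supported_os: [linux, solaris]`, but on Solaris the `-p` switch selects the net-to-media (ARP) table rather than process information, so the description ("show the PID and name of the program") and the `netstat_-anp.txt` output name would presumably be misleading there — worth confirming on a Solaris host. If that holds, either drop `solaris` from that artifact or add a note in the description that the Solaris output is the ARP table.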
diff --git a/artifacts/live_response/network/nfso.yaml b/artifacts/live_response/network/nfso.yaml
index e9c9c1cb..97a7b52e 100644
--- a/artifacts/live_response/network/nfso.yaml
+++ b/artifacts/live_response/network/nfso.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "nfso"
+output_directory: /live_response/network
artifacts:
-
description: Collect the the current, reboot (when used in conjunction with -r) or permanent (when used in conjunction with -p) value for all tunable parameters, one per line in pairs Tunable = Value.
diff --git a/artifacts/live_response/network/nfsstat.yaml b/artifacts/live_response/network/nfsstat.yaml
index bce58b49..5983bb07 100644
--- a/artifacts/live_response/network/nfsstat.yaml
+++ b/artifacts/live_response/network/nfsstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "nfsstat"
+output_directory: /live_response/network
artifacts:
-
description: Collect statistics kept about NFS client and server activity.
diff --git a/artifacts/live_response/network/nft.yaml b/artifacts/live_response/network/nft.yaml
index 31fe1c0b..a2bdd826 100644
--- a/artifacts/live_response/network/nft.yaml
+++ b/artifacts/live_response/network/nft.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "nft"
+output_directory: /live_response/network
artifacts:
-
description: Collect complete nftables ruleset.
diff --git a/artifacts/live_response/network/pfctl.yaml b/artifacts/live_response/network/pfctl.yaml
index c1955c5e..04f4d4cf 100644
--- a/artifacts/live_response/network/pfctl.yaml
+++ b/artifacts/live_response/network/pfctl.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pfctl"
+output_directory: /live_response/network
artifacts:
-
description: Collect all packet filter information.
diff --git a/artifacts/live_response/network/scutil.yaml b/artifacts/live_response/network/scutil.yaml
index 1f64a003..e41acccf 100644
--- a/artifacts/live_response/network/scutil.yaml
+++ b/artifacts/live_response/network/scutil.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "scutil"
+output_directory: /live_response/network
artifacts:
-
description: Collect DNS configuration.
diff --git a/artifacts/live_response/network/showmount.yaml b/artifacts/live_response/network/showmount.yaml
index 1a6da661..5e1b7a22 100644
--- a/artifacts/live_response/network/showmount.yaml
+++ b/artifacts/live_response/network/showmount.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "showmount"
+output_directory: /live_response/network
artifacts:
-
description: Collect both the client hostname or IP address and mounted directory in host:dir format.
diff --git a/artifacts/live_response/network/sockstat.yaml b/artifacts/live_response/network/sockstat.yaml
index c853255a..5ac74714 100644
--- a/artifacts/live_response/network/sockstat.yaml
+++ b/artifacts/live_response/network/sockstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "sockstat"
+output_directory: /live_response/network
artifacts:
-
description: Collect the list of open sockets.
diff --git a/artifacts/live_response/network/ss.yaml b/artifacts/live_response/network/ss.yaml
index 40297214..9d792726 100644
--- a/artifacts/live_response/network/ss.yaml
+++ b/artifacts/live_response/network/ss.yaml
@@ -1,62 +1,64 @@
-version: 2.0
+version: 3.0
+condition: command_exists "ss"
+output_directory: /live_response/network
artifacts:
-
description: Display both listening and non-listening (for TCP this means established connections) sockets with numerical addresses instead of trying to determine symbolic host, port or user names, and show the PID and name of the program to which each socket belongs.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ss -anp
output_file: ss_-anp.txt
-
description: Display both listening and non-listening (for TCP this means established connections) sockets, and show the PID and name of the program to which each socket belongs.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ss -ap
output_file: ss_-ap.txt
-
description: Display both listening and non-listening TCP sockets only with numerical addresses instead of trying to determine symbolic host, and show the PID of the program to which socket belongs.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ss -tanp
output_file: ss_-tanp.txt
-
description: Display both listening and non-listening TCP sockets only, and show the PID of the program to which socket belongs.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ss -tap
output_file: ss_-tap.txt
-
description: Display both listening and non-listening UDP sockets only with numerical addresses instead of trying to determine symbolic host, and show the PID of the program to which socket belongs.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ss -uanp
output_file: ss_-uanp.txt
-
description: Display both listening and non-listening UDP sockets only, and show the PID of the program to which socket belongs.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ss -uap
output_file: ss_-uap.txt
-
description: Display listening TCP sockets only, and show the PID of the program to which socket belongs.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ss -tlp
output_file: ss_-tlp.txt
-
description: Display listening TCP sockets only with numerical addresses instead of trying to determine symbolic host, and show the PID of the program to which socket belongs.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ss -tlnp
output_file: ss_-tlnp.txt
-
description: Display listening UDP sockets only, and show the PID of the program to which socket belongs.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ss -ulp
output_file: ss_-ulp.txt
-
description: Display listening UDP sockets only with numerical addresses instead of trying to determine symbolic host, and show the PID of the program to which socket belongs.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: ss -ulnp
output_file: ss_-ulnp.txt
\ No newline at end of file
diff --git a/artifacts/live_response/network/ufw.yaml b/artifacts/live_response/network/ufw.yaml
index 3a7a6181..8e3d728f 100644
--- a/artifacts/live_response/network/ufw.yaml
+++ b/artifacts/live_response/network/ufw.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "ufw"
+output_directory: /live_response/network
artifacts:
-
description: Show status of firewall and ufw managed rules.
diff --git a/artifacts/live_response/network/vim-cmd.yaml b/artifacts/live_response/network/vim-cmd.yaml
index c8889f8f..a0673ad2 100644
--- a/artifacts/live_response/network/vim-cmd.yaml
+++ b/artifacts/live_response/network/vim-cmd.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "vim-cmd"
+output_directory: /live_response/network
artifacts:
-
description: Get the network configuration.
diff --git a/artifacts/live_response/packages/brew.yaml b/artifacts/live_response/packages/brew.yaml
index 126ab2e5..7061ed0f 100644
--- a/artifacts/live_response/packages/brew.yaml
+++ b/artifacts/live_response/packages/brew.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "brew"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/dnf.yaml b/artifacts/live_response/packages/dnf.yaml
index 4f22cd0e..a43421ec 100644
--- a/artifacts/live_response/packages/dnf.yaml
+++ b/artifacts/live_response/packages/dnf.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "dnf"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/dpkg.yaml b/artifacts/live_response/packages/dpkg.yaml
index bb988472..f150ec6d 100644
--- a/artifacts/live_response/packages/dpkg.yaml
+++ b/artifacts/live_response/packages/dpkg.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "dpkg"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/equo.yaml b/artifacts/live_response/packages/equo.yaml
index 5a3ef865..70c6b8df 100644
--- a/artifacts/live_response/packages/equo.yaml
+++ b/artifacts/live_response/packages/equo.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "equo"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/esxcli.yaml b/artifacts/live_response/packages/esxcli.yaml
index 2a10bf0d..47e46cd7 100644
--- a/artifacts/live_response/packages/esxcli.yaml
+++ b/artifacts/live_response/packages/esxcli.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "esxcli"
+output_directory: /live_response/packages
artifacts:
-
description: Lists the installed VIB packages.
diff --git a/artifacts/live_response/packages/flatpak.yaml b/artifacts/live_response/packages/flatpak.yaml
index 873e1632..752c9143 100644
--- a/artifacts/live_response/packages/flatpak.yaml
+++ b/artifacts/live_response/packages/flatpak.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "flatpak"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed FlatPak packages.
diff --git a/artifacts/live_response/packages/instfix.yaml b/artifacts/live_response/packages/instfix.yaml
index f32a1f3a..c49399ff 100644
--- a/artifacts/live_response/packages/instfix.yaml
+++ b/artifacts/live_response/packages/instfix.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "instfix"
+output_directory: /live_response/packages
artifacts:
-
description: Displays information about each fileset associated with a fix or keyword. Also display filesets that are not installed.
diff --git a/artifacts/live_response/packages/ipkg.yaml b/artifacts/live_response/packages/ipkg.yaml
index c3158248..12744b0c 100644
--- a/artifacts/live_response/packages/ipkg.yaml
+++ b/artifacts/live_response/packages/ipkg.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "ipkg"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
@@ -12,4 +14,4 @@ artifacts:
collector: command
command: ipkg list_installed
output_file: ipkg_list_installed.txt
-
\ No newline at end of file
+
diff --git a/artifacts/live_response/packages/lppchk.yaml b/artifacts/live_response/packages/lppchk.yaml
index 007478db..b1f7465f 100644
--- a/artifacts/live_response/packages/lppchk.yaml
+++ b/artifacts/live_response/packages/lppchk.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lppchk"
+output_directory: /live_response/packages
artifacts:
-
description: Verifies that all software products installed on the / (root) file system are also installed on the /usr file system and, conversely, all the software products installed in the /usr file system are also installed on the / (root) file system.
diff --git a/artifacts/live_response/packages/lsappinfo.yaml b/artifacts/live_response/packages/lsappinfo.yaml
index b650f903..79f36f60 100644
--- a/artifacts/live_response/packages/lsappinfo.yaml
+++ b/artifacts/live_response/packages/lsappinfo.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lsappinfo"
+output_directory: /live_response/packages
artifacts:
-
description: List all of the running applications.
diff --git a/artifacts/live_response/packages/lslpp.yaml b/artifacts/live_response/packages/lslpp.yaml
index d7ce2d51..6c26633f 100644
--- a/artifacts/live_response/packages/lslpp.yaml
+++ b/artifacts/live_response/packages/lslpp.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lslpp"
+output_directory: /live_response/packages
artifacts:
-
description: Displays the installation and update history information for the specified fileset.
diff --git a/artifacts/live_response/packages/macos_applications.yaml b/artifacts/live_response/packages/macos_applications.yaml
index 63f882a6..d37d5a8d 100644
--- a/artifacts/live_response/packages/macos_applications.yaml
+++ b/artifacts/live_response/packages/macos_applications.yaml
@@ -1,10 +1,11 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/packages
artifacts:
-
description: Display all applications located at /Applications directory.
supported_os: [macos]
collector: command
- command: ls -l -a /Applications
+ command: ls -l -a /%mount_point%/Applications
output_file: ls_-l_-a_Applications.txt
-
description: Display all applications located at /Users/%user%/Applications directory.
@@ -12,3 +13,4 @@ artifacts:
collector: command
command: ls -l -a /%user_home%/Applications
output_file: ls_-l_-a_%user_home%_Applications.txt
+ exclude_nologin_users: true
diff --git a/artifacts/live_response/packages/nix.yaml b/artifacts/live_response/packages/nix.yaml
index 73bafaed..b8eb4794 100644
--- a/artifacts/live_response/packages/nix.yaml
+++ b/artifacts/live_response/packages/nix.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "nix-env"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/opkg.yaml b/artifacts/live_response/packages/opkg.yaml
index eb6f5891..484cf842 100644
--- a/artifacts/live_response/packages/opkg.yaml
+++ b/artifacts/live_response/packages/opkg.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "opkg"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/pacman.yaml b/artifacts/live_response/packages/pacman.yaml
index 132348f2..ad950114 100644
--- a/artifacts/live_response/packages/pacman.yaml
+++ b/artifacts/live_response/packages/pacman.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pacman"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/pip.yaml b/artifacts/live_response/packages/pip.yaml
index 47f3dfa2..6f7ebf9a 100644
--- a/artifacts/live_response/packages/pip.yaml
+++ b/artifacts/live_response/packages/pip.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pip"
+output_directory: /live_response/packages
artifacts:
-
description: Display Python packages installed through pip.
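Review bot: The new file-level `condition: command_exists "pip"` gates the whole file on a binary literally named `pip`; hosts that ship only `pip3` (common on current Linux distributions) will skip the artifact entirely, which was not the case before the condition was introduced. If the condition grammar accepts only a single name, consider a sibling artifact conditioned on `pip3`, or a note in the description stating that only the unversioned `pip` is covered. The artifact's `command` line is outside the hunk, so I cannot tell which binary it actually invokes.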
diff --git a/artifacts/live_response/packages/pisi.yaml b/artifacts/live_response/packages/pisi.yaml
index 165652c5..365bb0cc 100644
--- a/artifacts/live_response/packages/pisi.yaml
+++ b/artifacts/live_response/packages/pisi.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pisi"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/pkg.yaml b/artifacts/live_response/packages/pkg.yaml
index fb74cb5d..c1ba44d7 100644
--- a/artifacts/live_response/packages/pkg.yaml
+++ b/artifacts/live_response/packages/pkg.yaml
@@ -1,4 +1,6 @@
-version: 2.0
+version: 3.0
+condition: command_exists "pkg"
+output_directory: /live_response/packages
artifacts:
-
description: Displays information about installed packages.
@@ -6,4 +8,4 @@ artifacts:
collector: command
command: pkg info
output_file: pkg_info.txt
-
\ No newline at end of file
+
diff --git a/artifacts/live_response/packages/pkg_info.yaml b/artifacts/live_response/packages/pkg_info.yaml
index 8a05842f..e8e6b20b 100644
--- a/artifacts/live_response/packages/pkg_info.yaml
+++ b/artifacts/live_response/packages/pkg_info.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pkg_info"
+output_directory: /live_response/packages
artifacts:
-
description: Display information for all currently installed packages, including internal packages.
diff --git a/artifacts/live_response/packages/pkginfo.yaml b/artifacts/live_response/packages/pkginfo.yaml
index 588aa4f6..db815bac 100644
--- a/artifacts/live_response/packages/pkginfo.yaml
+++ b/artifacts/live_response/packages/pkginfo.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pkginfo"
+output_directory: /live_response/packages
artifacts:
-
description: Display information for fully installed packages only.
diff --git a/artifacts/live_response/packages/pkgutil.yaml b/artifacts/live_response/packages/pkgutil.yaml
index 473c1045..0cd507bc 100644
--- a/artifacts/live_response/packages/pkgutil.yaml
+++ b/artifacts/live_response/packages/pkgutil.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pkgutil"
+output_directory: /live_response/packages
artifacts:
-
description: Display all installed packages and receipts.
diff --git a/artifacts/live_response/packages/qlist.yaml b/artifacts/live_response/packages/qlist.yaml
index b0d3d02b..ed1e5fe9 100644
--- a/artifacts/live_response/packages/qlist.yaml
+++ b/artifacts/live_response/packages/qlist.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "qlist"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages with repository (Gentoo).
diff --git a/artifacts/live_response/packages/rpm.yaml b/artifacts/live_response/packages/rpm.yaml
index 817322aa..83cad07a 100644
--- a/artifacts/live_response/packages/rpm.yaml
+++ b/artifacts/live_response/packages/rpm.yaml
@@ -1,4 +1,6 @@
-version: 2.0
+version: 3.0
+condition: command_exists "rpm"
+output_directory: /live_response/packages
artifacts:
-
description: Displays all installed packages.
diff --git a/artifacts/live_response/packages/snap.yaml b/artifacts/live_response/packages/snap.yaml
index 5e8a4c9a..594110f4 100644
--- a/artifacts/live_response/packages/snap.yaml
+++ b/artifacts/live_response/packages/snap.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "snap"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed Snap packages.
diff --git a/artifacts/live_response/packages/softwareupdate.yaml b/artifacts/live_response/packages/softwareupdate.yaml
index 6cc45ed5..a8d9a69a 100644
--- a/artifacts/live_response/packages/softwareupdate.yaml
+++ b/artifacts/live_response/packages/softwareupdate.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "softwareupdate"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed updates.
diff --git a/artifacts/live_response/packages/swupd.yaml b/artifacts/live_response/packages/swupd.yaml
index ac42a74c..f7c3ee61 100644
--- a/artifacts/live_response/packages/swupd.yaml
+++ b/artifacts/live_response/packages/swupd.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "swupd"
+output_directory: /live_response/packages
artifacts:
-
description: List installed bundles.
diff --git a/artifacts/live_response/packages/synopkg.yaml b/artifacts/live_response/packages/synopkg.yaml
index f1d38038..a8732f0e 100644
--- a/artifacts/live_response/packages/synopkg.yaml
+++ b/artifacts/live_response/packages/synopkg.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "synopkg"
+output_directory: /live_response/packages
artifacts:
-
description: Displays information about installed packages on Synology DSM system.
diff --git a/artifacts/live_response/packages/xbps.yaml b/artifacts/live_response/packages/xbps.yaml
index deefaefe..e8294b4e 100644
--- a/artifacts/live_response/packages/xbps.yaml
+++ b/artifacts/live_response/packages/xbps.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "xbps-query"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/yay.yaml b/artifacts/live_response/packages/yay.yaml
index fc4ca162..ad233703 100644
--- a/artifacts/live_response/packages/yay.yaml
+++ b/artifacts/live_response/packages/yay.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "yay"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/yum.yaml b/artifacts/live_response/packages/yum.yaml
index a773dc3a..a7c0962e 100644
--- a/artifacts/live_response/packages/yum.yaml
+++ b/artifacts/live_response/packages/yum.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "yum"
+output_directory: /live_response/packages
artifacts:
-
description: Display installed packages.
diff --git a/artifacts/live_response/packages/zypper.yaml b/artifacts/live_response/packages/zypper.yaml
index 9ba97e25..c193c4f0 100644
--- a/artifacts/live_response/packages/zypper.yaml
+++ b/artifacts/live_response/packages/zypper.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "zypper"
+output_directory: /live_response/packages
artifacts:
-
description: List installed packages. zypper is a command-line interface to ZYpp system management library (libzypp).
diff --git a/artifacts/live_response/process/deleted.yaml b/artifacts/live_response/process/deleted.yaml
index e619e809..fbfc9fcf 100644
--- a/artifacts/live_response/process/deleted.yaml
+++ b/artifacts/live_response/process/deleted.yaml
@@ -1,91 +1,83 @@
-version: 3.0
+version: 4.0
artifacts:
-
description: Collect the binary of (malicious) processes if they are shown up as being (deleted).
- # the collection will be limited to the first 50M of data only.
+ # the collection will be limited to the first 20M of data only.
# this is to avoid dd hitting an invalid file descriptor (such as /dev/null) and generating an endless output file
supported_os: [linux]
collector: command
foreach: ls -l /proc/[0-9]*/exe | grep -E "\(deleted\)" | grep -v -E "> /proc/" | awk -F"/proc/|/exe" '{print $2}'
- command: dd if=/proc/%line%/exe of=%output_file% conv=swab bs=1024 count=50000
- output_directory: proc/%line%
- output_file: recovered_exe.dd.swab
+ command: dd if=/proc/%line%/exe of=recovered_exe bs=1024 count=20000
+ output_directory: /live_response/process/proc/%line%
-
description: Collect the memory sections and strings from (deleted) processes.
supported_os: [linux]
collector: command
foreach: ls -l /proc/[0-9]*/exe | grep -E "\(deleted\)" | grep -v -E "> /proc/" | awk -F"/proc/|/exe" '{print $2}'
- command: linux_procmemdump.sh -p %line% -u -b -d %output_file%
- output_file: proc
- stderr_output_file: linux_procmemdump.txt.stderr
+ command: linux_procmemdump.sh -p %line% -u -b -d proc
+ output_directory: /live_response/process
-
description: Collect the list of deleted files of (malicious) processes if they are shown up as being (deleted).
supported_os: [linux]
collector: command
foreach: ls -l /proc/[0-9]*/exe | grep -E "\(deleted\)" | awk -F"/proc/|/exe" '{print $2}'
command: ls -l /proc/%line%/fd/[0-9]* | grep -E "\(deleted\)" | grep -v -E "> /dev/|> /proc/" | awk -F"/proc/%line%/fd/| ->" '{print "%line%/fd/"$2}'
- output_file: .deleted_file_descriptors.txt
+ output_directory: /%temp_directory%/process
+ output_file: file_descriptors_of_deleted_processes.txt
-
description: Collect the list of deleted files located in /dev/shm of (malicious) processes if they are shown up as being (deleted).
supported_os: [linux]
collector: command
foreach: ls -l /proc/[0-9]*/exe | grep -E "\(deleted\)" | awk -F"/proc/|/exe" '{print $2}'
command: ls -l /proc/%line%/fd/[0-9]* | grep -E "\(deleted\)" | grep -E "> /dev/shm" | awk -F"/proc/%line%/fd/| ->" '{print "%line%/fd/"$2}'
- output_file: .deleted_file_descriptors.txt
+ output_directory: /%temp_directory%/process
+ output_file: file_descriptors_of_deleted_processes.txt
-
description: Collect open files of (malicious) processes if they are shown up as being (deleted).
- # the collection will be limited to the first 50M of data only.
+ # the collection will be limited to the first 20M of data only.
# this is to avoid dd hitting an invalid file descriptor (such as /dev/null) and generating an endless output file
supported_os: [linux]
collector: command
- foreach: cat "%destination_directory%/.deleted_file_descriptors.txt"
- command: dd if=/proc/%line% of=%output_file% bs=1024 count=50000
- output_directory: proc/%line%
- output_file: recovered_file.dd
+ foreach: cat "/%temp_directory%/process/file_descriptors_of_deleted_processes.txt"
+ command: dd if=/proc/%line% of=recovered_file bs=1024 count=20000
+ output_directory: /live_response/process/proc/%line%
-
description: Collect the list of files being hidden in a memfd socket.
supported_os: [linux]
collector: command
foreach: ls -l /proc/[0-9]*/exe | awk -F"/proc/|/exe" '{print $2}'
command: ls -l /proc/%line%/fd/[0-9]* | grep "memfd" | grep -E "\(deleted\)" | awk -F"/proc/%line%/fd/| ->" '{print "%line%/fd/"$2}'
- output_file: .files_hidden_in_memfd_socket.txt
+ output_directory: /%temp_directory%/process
+ output_file: files_hidden_in_memfd_socket.txt
-
description: Collect open files of (malicious) processes if they are being hidden in a memfd socket.
- # the collection will be limited to the first 50M of data only.
+ # the collection will be limited to the first 20M of data only.
# this is to avoid dd hitting an invalid file descriptor (such as /dev/null) and generating an endless output file
supported_os: [linux]
collector: command
- foreach: cat "%destination_directory%/.files_hidden_in_memfd_socket.txt"
- command: dd if=/proc/%line% of=%output_file% bs=1024 count=50000
- output_directory: proc/%line%
- output_file: recovered_file.dd
+ foreach: cat "/%temp_directory%/process/files_hidden_in_memfd_socket.txt"
+ command: dd if=/proc/%line% of=recovered_file bs=1024 count=20000
+ output_directory: /live_response/process/proc/%line%
-
description: List of open files of (malicious) processes.
supported_os: [linux]
collector: command
foreach: ls -l /proc/[0-9]*/exe | grep -E "\(deleted\)" | awk -F"/proc/|/exe" '{print $2}'
command: ls -l /proc/%line%/fd/[0-9]* | grep -v -E "\(deleted\)" | awk -F'-> ' '{print $2}' | sed -e "s:^'::" -e "s:'$::" -e ':^"::' -e ':"$::'
- output_file: .list_open_file_descriptors.txt
- -
- description: Find open files of (malicious) processes.
- supported_os: [linux]
- collector: command
- foreach: cat "%destination_directory%/.list_open_file_descriptors.txt"
- command: find %line% -type f -print
- output_file: .open_file_descriptors.txt
+ output_directory: /%temp_directory%/process
+ output_file: list_open_file_descriptors.txt
-
description: Collect open files of (malicious) processes.
supported_os: [linux]
collector: file
- path: .open_file_descriptors.txt
+ path: /%temp_directory%/process/list_open_file_descriptors.txt
is_file_list: true
-
description: Collect the binary of (malicious) processes if they are shown up as being (deleted).
- # the collection will be limited to the first 50M of data only.
+ # the collection will be limited to the first 20M of data only.
# this is to avoid dd hitting an invalid file descriptor (such as /dev/null) and generating an endless output file
supported_os: [solaris]
collector: command
foreach: ls -l /proc/[0-9]*/path/a.out | grep -E "a\.out$" | awk -F"/proc/|/path/" '{print $2}'
- command: dd if=/proc/%line%/object/a.out of=%output_file% conv=swab bs=1024 count=50000
- output_directory: proc/%line%
- output_file: recovered_a.out.dd.swab
+ command: dd if=/proc/%line%/object/a.out of=recovered_a.out bs=1024 count=20000
+ output_directory: /live_response/process/proc/%line%
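Review bot: Removing the `find %line% -type f` step (old L3228-3233) means list_open_file_descriptors.txt, which is now fed straight to the `collector: file` at L3241, contains whatever `ls -l .../fd` resolves to — `socket:[…]`, `pipe:[…]`, `anon_inode:…` entries and device nodes such as /dev/pts/0 — rather than regular files only. Unless the file collector itself skips non-regular paths (not visible here), it will try to read FIFOs and device nodes, which can block the whole run. Appending `| grep "^/" | grep -v -E "^/(dev|proc|sys)/"` to the command at L3225 restores most of the old filtering. Separately, L3173 and L3182 write the disjoint outputs of two artifacts (the first excludes `> /dev/`, the second keeps only `> /dev/shm`) to the same file_descriptors_of_deleted_processes.txt; if output_file truncates rather than appends, only the /dev/shm list survives for the foreach at L3194.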
diff --git a/artifacts/live_response/process/esxcli.yaml b/artifacts/live_response/process/esxcli.yaml
index 9b1e72c8..9a09d748 100644
--- a/artifacts/live_response/process/esxcli.yaml
+++ b/artifacts/live_response/process/esxcli.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "esxcli"
+output_directory: /live_response/process
artifacts:
-
description: List the VMkernel UserWorld processes currently on the host.
diff --git a/artifacts/live_response/process/fstat.yaml b/artifacts/live_response/process/fstat.yaml
index 87dd5923..25032a3b 100644
--- a/artifacts/live_response/process/fstat.yaml
+++ b/artifacts/live_response/process/fstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "fstat"
+output_directory: /live_response/process
artifacts:
-
description: Collect status of open files.
diff --git a/artifacts/live_response/process/hash_running_processes.yaml b/artifacts/live_response/process/hash_running_processes.yaml
index dc7622e7..a75b8191 100644
--- a/artifacts/live_response/process/hash_running_processes.yaml
+++ b/artifacts/live_response/process/hash_running_processes.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/process
artifacts:
-
description: Hash running processes.
@@ -8,10 +9,17 @@ artifacts:
output_file: hash_running_processes
-
description: Hash running processes.
- supported_os: [android, linux, netbsd]
+ supported_os: [linux, netbsd]
collector: hash
path: /proc/[0-9]*/exe
output_file: hash_running_processes
+ -
+ description: Hash running processes.
+ supported_os: [freebsd]
+ collector: hash
+ condition: ls /proc/$$
+ path: /proc/[0-9]*/file
+ output_file: hash_running_processes
-
description: Hash running processes.
supported_os: [netscaler]
@@ -26,20 +34,38 @@ artifacts:
output_file: hash_running_processes
-
description: Collect running processes executable path.
- supported_os: [freebsd, macos, openbsd]
+ supported_os: [esxi]
collector: command
- command: ps -eo args | grep "^/" | awk '{print $1}' | sort -u
+ command: ps -c | awk '{print $4}' | grep "^/" | sort -u
+ output_directory: /%temp_directory%/process
output_file: hash_running_processes_full_paths.txt
-
description: Collect running processes executable path.
- supported_os: [esxi]
+ supported_os: [freebsd]
+ collector: command
+ condition: ! ls /proc/$$
+ command: ps -axo args | grep "^/" | awk '{print $1}' | sort -u
+ output_directory: /%temp_directory%/process
+ output_file: hash_running_processes_full_paths.txt
+ -
+ description: Collect running processes executable path.
+ supported_os: [macos]
+ collector: command
+ command: ps -axo comm | grep "^/" | sort -u
+ output_directory: /%temp_directory%/process
+ output_file: hash_running_processes_full_paths.txt
+ -
+ description: Collect running processes executable path.
+ supported_os: [openbsd]
collector: command
- command: ps -c | awk '{print $4}' | sort -u | grep "^/"
+ command: ps -axo args | grep "^/" | awk '{print $1}' | sort -u
+ output_directory: /%temp_directory%/process
output_file: hash_running_processes_full_paths.txt
-
description: Hash running processes.
supported_os: [esxi, freebsd, macos, openbsd]
collector: hash
- path: hash_running_processes_full_paths.txt
+ condition: ! ls /proc/$$
+ path: /%temp_directory%/process/hash_running_processes_full_paths.txt
is_file_list: true
output_file: hash_running_processes
\ No newline at end of file
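Review bot: The hash artifact at L3347-3353 hashes paths taken from `ps` output (L3318, L3327, L3334, L3342), and argv[0]/comm is whatever the process reports — it can be rewritten by the process and may be truncated — so the hashed file can differ from, or not be, the executable actually mapped. That is inherent to hosts without procfs, but it deserves a comment on the esxi/macos/openbsd entries, e.g. `# paths derive from ps argv[0]/comm as reported by the process; the hash may not reflect the mapped executable`. On FreeBSD without procfs, `procstat binary` (already used in procstat.yaml) reports the executable path from the kernel and would be a more reliable source for hash_running_processes_full_paths.txt than the `ps -axo args` pipeline at L3327.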
diff --git a/artifacts/live_response/process/lsof.yaml b/artifacts/live_response/process/lsof.yaml
index aa47c143..b4c7d79a 100644
--- a/artifacts/live_response/process/lsof.yaml
+++ b/artifacts/live_response/process/lsof.yaml
@@ -1,11 +1,7 @@
-version: 2.0
+version: 3.0
+condition: command_exists "lsof"
+output_directory: /live_response/process
artifacts:
- -
- description: Collect the list open files.
- supported_os: [android]
- collector: command
- command: lsof -l
- output_file: lsof_-l.txt
-
description: Collect the list open files.
supported_os: [aix, esxi, freebsd, linux, macos, netscaler, openbsd, solaris]
diff --git a/artifacts/live_response/process/procfs_information.yaml b/artifacts/live_response/process/procfs_information.yaml
index 7da7b4a0..6301299b 100644
--- a/artifacts/live_response/process/procfs_information.yaml
+++ b/artifacts/live_response/process/procfs_information.yaml
@@ -1,11 +1,18 @@
version: 2.0
+output_directory: /live_response/process
artifacts:
-
description: Collect current running processes information.
- supported_os: [aix, android, linux, netbsd, netscaler]
+ supported_os: [aix, freebsd, linux, netbsd, netscaler, solaris]
collector: command
command: ls -l /proc/[0-9]*
output_file: ls_-l_proc.txt
+
+ # each operating system has its own particularities and artifacts available in /proc
+ # to make this artifact easier to read and more organized, each operating system
+ # will have its own section
+
+ # aix
-
description: Collect running processes executable path.
supported_os: [aix]
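Review bot: `ls -l /proc/[0-9]*` at L3387 now also runs on freebsd, but the freebsd entries added further down in this file are gated on `condition: ls /proc/$$` because procfs is not always mounted there; without the same guard this artifact only produces an error output on such hosts. Adding `condition: ls /proc/$$` to this entry (harmless for the other listed systems, which always have /proc), or splitting freebsd into its own entry with that condition as done for the others, keeps the file consistent.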
@@ -13,147 +20,451 @@ artifacts:
command: ls -l /proc/[0-9]*/object/a.out
output_file: running_processes_full_paths.txt
-
- description: Collect running processes executable path.
- supported_os: [android, linux, netbsd]
+ description: Collect the path to the current working directory of the process.
+ supported_os: [aix]
collector: command
- command: ls -l /proc/[0-9]*/exe
- output_file: running_processes_full_paths.txt
+ command: ls -l /proc/[0-9]*/cwd
+ output_file: ls_-l_proc_pid_cwd.txt
+ -
+ description: Collect the list of files which the process has open.
+ supported_os: [aix]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: ls -la /proc/%line%/fd
+ output_directory: /live_response/process/proc/%line%
+ output_file: fd.txt
+ -
+ description: Collect information about all file descriptors opened by a process.
+ supported_os: [aix]
+ collector: command
+ condition: command_exists "procfiles"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: procfiles -n -c %line%
+ output_directory: /live_response/process/proc/%line%
+ output_file: procfiles.txt
+ # aix: strings available
+ -
+ description: Collect running process information.
+ supported_os: [aix]
+ collector: command
+ condition: command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: strings /proc/%line%/psinfo
+ output_directory: /live_response/process/proc/%line%
+ output_file: psinfo.txt
+ -
+ description: Collect status information about the process.
+ supported_os: [aix]
+ collector: command
+ condition: command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: strings /proc/%line%/status
+ output_directory: /live_response/process/proc/%line%
+ output_file: status.txt
+ # aix: no strings available
+ -
+ description: Collect running process information.
+ supported_os: [aix]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/psinfo
+ output_directory: /live_response/process/proc/%line%
+ output_file: psinfo.txt
+ -
+ description: Collect status information about the process.
+ supported_os: [aix]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/status
+ output_directory: /live_response/process/proc/%line%
+ output_file: status.txt
+
+ # freebsd
+ # some freebsd systems use profcs, some don't
-
description: Collect running processes executable path.
- supported_os: [freebsd, macos, openbsd]
+ supported_os: [freebsd]
collector: command
- command: ps -eo args | grep ^/ | awk '{print $1}' | sort -u
+ condition: ls /proc/$$
+ command: ls -l /proc/[0-9]*/file
output_file: running_processes_full_paths.txt
-
description: Collect running processes executable path.
- supported_os: [netscaler]
+ supported_os: [freebsd]
collector: command
- command: ls -l /proc/[0-9]*/file
+ condition: ! ls /proc/$$
+ command: ps -axo args | grep ^/ | awk '{print $1}' | sort -u
output_file: running_processes_full_paths.txt
+ -
+ description: Collect command line arguments for a process.
+ supported_os: [freebsd]
+ collector: command
+ condition: ls /proc/$$
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/cmdline
+ output_directory: /live_response/process/proc/%line%
+ output_file: cmdline.txt
+ -
+ description: Collect mapped memory regions and their access permissions.
+ supported_os: [freebsd]
+ collector: command
+ condition: ls /proc/$$
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/map
+ output_directory: /live_response/process/proc/%line%
+ output_file: map.txt
+ -
+ description: Collect status information about the process.
+ supported_os: [freebsd]
+ collector: command
+ condition: ls /proc/$$
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/status
+ output_directory: /live_response/process/proc/%line%
+ output_file: status.txt
+
+ # linux
-
description: Collect running processes executable path.
- supported_os: [solaris]
+ supported_os: [linux]
collector: command
- command: ls -l /proc/[0-9]*/path/a.out
+ command: ls -l /proc/[0-9]*/exe
output_file: running_processes_full_paths.txt
-
description: Collect the path to the current working directory of the process.
- supported_os: [aix, android, linux, netbsd, solaris]
+ supported_os: [linux]
collector: command
command: ls -l /proc/[0-9]*/cwd
output_file: ls_-l_proc_pid_cwd.txt
+ -
+ description: Collect the list of files which the process has open.
+ supported_os: [linux]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: ls -la /proc/%line%/fd
+ output_directory: /live_response/process/proc/%line%
+ output_file: fd.txt
+ -
+ description: Collect information about entries corresponding to memory-mapped files.
+ supported_os: [linux]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: ls -la /proc/%line%/map_files
+ output_directory: /live_response/process/proc/%line%
+ output_file: map_files.txt
+ -
+ description: Collect command line arguments for a process.
+ supported_os: [linux]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/cmdline
+ output_directory: /live_response/process/proc/%line%
+ output_file: cmdline.txt
+ -
+ description: Collect the list of child tasks of a process.
+ supported_os: [linux]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/task/%line%/children
+ output_directory: /live_response/process/proc/%line%
+ output_file: children.txt
-
description: Collect the command name associated with a process.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
command: cat /proc/%line%/comm
- output_directory: proc/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: comm.txt
+ -
+ description: Collect mapped memory regions and their access permissions.
+ supported_os: [linux]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/maps
+ output_directory: /live_response/process/proc/%line%
+ output_file: maps.txt
+ -
+ description: Collect the initial process' stack trace.
+ supported_os: [linux]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/stack
+ output_directory: /live_response/process/proc/%line%
+ output_file: stack.txt
+ -
+ description: Collect status information about the process.
+ supported_os: [linux]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/status
+ output_directory: /live_response/process/proc/%line%
+ output_file: status.txt
+ -
+ description: Display the list of UNIX sockets.
+ supported_os: [linux]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/net/unix
+ output_directory: /live_response/process/proc/%line%/net
+ output_file: unix.txt
+ # linux: strings available
+ -
+ description: Collect initial environment that was set when the process was started.
+ supported_os: [linux]
+ collector: command
+ condition: command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: strings /proc/%line%/environ
+ output_directory: /live_response/process/proc/%line%
+ output_file: environ.txt
+ # linux: no strings available
+ -
+ description: Collect initial environment that was set when the process was started.
+ supported_os: [linux]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/environ
+ output_directory: /live_response/process/proc/%line%
+ output_file: environ.txt
+
+ # macos
+ -
+ description: Collect running processes executable path.
+ supported_os: [macos]
+ collector: command
+ command: ps -axo comm | grep ^/ | sort -u
+ output_file: running_processes_full_paths.txt
+
+ # netbsd
+ -
+ description: Collect running processes executable path.
+ supported_os: [netbsd]
+ collector: command
+ command: ls -l /proc/[0-9]*/exe
+ output_file: running_processes_full_paths.txt
+ -
+ description: Collect the path to the current working directory of the process.
+ supported_os: [netbsd]
+ collector: command
+ command: ls -l /proc/[0-9]*/cwd
+ output_file: ls_-l_proc_pid_cwd.txt
+ -
+ description: Collect the list of files which the process has open.
+ supported_os: [netbsd]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: ls -la /proc/%line%/fd
+ output_directory: /live_response/process/proc/%line%
+ output_file: fd.txt
-
description: Collect command line arguments for a process.
- supported_os: [android, linux, netbsd, netscaler, solaris]
+ supported_os: [netbsd]
collector: command
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
- command: strings /proc/%line%/cmdline
- output_directory: proc/%line%
+ command: cat /proc/%line%/cmdline
+ output_directory: /live_response/process/proc/%line%
output_file: cmdline.txt
-
description: Collect mapped memory regions and their access permissions.
- supported_os: [netbsd, netscaler]
+ supported_os: [netbsd]
collector: command
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
command: cat /proc/%line%/map
- output_directory: proc/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: map.txt
-
description: Collect mapped memory regions and their access permissions.
- supported_os: [android, linux, netbsd]
+ supported_os: [netbsd]
collector: command
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
command: cat /proc/%line%/maps
- output_directory: proc/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: maps.txt
+ -
+ description: Collect status information about the process.
+ supported_os: [netbsd]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/status
+ output_directory: /live_response/process/proc/%line%
+ output_file: status.txt
+ # netbsd: strings available
-
description: Collect initial environment that was set when the process was started.
- supported_os: [android, linux, solaris]
+ supported_os: [netbsd]
collector: command
+ condition: command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
command: strings /proc/%line%/environ
- output_directory: proc/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: environ.txt
+ # netbsd: no strings available
-
- description: Collect the list of child tasks of a process.
- supported_os: [android, linux]
+ description: Collect initial environment that was set when the process was started.
+ supported_os: [netbsd]
collector: command
+ condition: ! command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
- command: cat /proc/%line%/task/%line%/children
- output_directory: proc/%line%
- output_file: children.txt
+ command: astrings /proc/%line%/environ
+ output_directory: /live_response/process/proc/%line%
+ output_file: environ.txt
+
+ # netscaler
+ -
+ description: Collect running processes executable path.
+ supported_os: [netscaler]
+ collector: command
+ command: ls -l /proc/[0-9]*/file
+ output_file: running_processes_full_paths.txt
+ -
+ description: Collect command line arguments for a process.
+ supported_os: [netscaler]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/cmdline
+ output_directory: /live_response/process/proc/%line%
+ output_file: cmdline.txt
+ -
+ description: Collect mapped memory regions and their access permissions.
+ supported_os: [netscaler]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/map
+ output_directory: /live_response/process/proc/%line%
+ output_file: map.txt
+ -
+ description: Collect status information about the process.
+ supported_os: [netscaler]
+ collector: command
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: cat /proc/%line%/status
+ output_directory: /live_response/process/proc/%line%
+ output_file: status.txt
+
+ # openbsd
+ -
+ description: Collect running processes executable path.
+ supported_os: [openbsd]
+ collector: command
+ command: ps -axo args | grep ^/ | awk '{print $1}' | sort -u
+ output_file: running_processes_full_paths.txt
+
+ # solaris
+ -
+ description: Collect running processes executable path.
+ supported_os: [solaris]
+ collector: command
+ command: ls -l /proc/[0-9]*/path/a.out
+ output_file: running_processes_full_paths.txt
+ -
+ description: Collect the path to the current working directory of the process.
+ supported_os: [solaris]
+ collector: command
+ command: ls -l /proc/[0-9]*/cwd
+ output_file: ls_-l_proc_pid_cwd.txt
-
description: Collect the list of files which the process has open.
- supported_os: [android, linux]
+ supported_os: [solaris]
collector: command
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
command: ls -la /proc/%line%/fd
- output_directory: proc/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: fd.txt
-
- description: Collect information about entries corresponding to memory-mapped files.
- supported_os: [linux]
+ description: Collect the list of files which the process has open.
+ supported_os: [solaris]
collector: command
+ condition: command_exists "pfiles"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
- command: ls -la /proc/%line%/map_files
- output_directory: proc/%line%
- output_file: map_files.txt
+ command: pfiles -F %line%
+ output_directory: /live_response/process/proc/%line%
+ output_file: pfiles.txt
-
- description: Collect the initial process' stack trace.
- supported_os: [android, linux]
+ description: Collect command line arguments for a process.
+ supported_os: [solaris]
collector: command
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
- command: cat /proc/%line%/stack
- output_directory: proc/%line%
- output_file: stack.txt
+ command: cat /proc/%line%/cmdline
+ output_directory: /live_response/process/proc/%line%
+ output_file: cmdline.txt
+
+ # solaris: strings available
-
- description: Collect status information about the process.
- supported_os: [android, linux, netbsd, netscaler]
+ description: Collect initial environment that was set when the process was started.
+ supported_os: [solaris]
collector: command
+ condition: command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
- command: cat /proc/%line%/status
- output_directory: proc/%line%
- output_file: status.txt
+ command: strings /proc/%line%/environ
+ output_directory: /live_response/process/proc/%line%
+ output_file: environ.txt
-
- description: Display the list of UNIX sockets.
- supported_os: [linux]
+ description: Collect mapped memory regions and their access permissions.
+ supported_os: [solaris]
collector: command
+ condition: command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
- command: cat /proc/%line%/net/unix
- output_directory: proc/%line%/net
- output_file: unix.txt
+ command: strings /proc/%line%/map
+ output_directory: /live_response/process/proc/%line%
+ output_file: map.txt
-
description: Collect running process information.
- supported_os: [aix, solaris]
+ supported_os: [solaris]
collector: command
+ condition: command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
command: strings /proc/%line%/psinfo
- output_directory: proc/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: psinfo.txt
-
- description: Collect information about all file descriptors opened by a process.
- supported_os: [aix]
+ description: Collect status information about the process.
+ supported_os: [solaris]
collector: command
+ condition: command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
- command: procfiles -n -c %line%
- output_directory: proc/%line%
- output_file: procfiles.txt
+ command: strings /proc/%line%/status
+ output_directory: /live_response/process/proc/%line%
+ output_file: status.txt
+
+ # solaris: no strings available
-
- description: Collect the list of files which the process has open.
+ description: Collect initial environment that was set when the process was started.
supported_os: [solaris]
collector: command
+ condition: ! command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
- command: pfiles -F %line%
- output_directory: proc/%line%
- output_file: pfiles.txt
-
-# References:
-# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
+ command: astrings /proc/%line%/environ
+ output_directory: /live_response/process/proc/%line%
+ output_file: environ.txt
+ -
+ description: Collect mapped memory regions and their access permissions.
+ supported_os: [solaris]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/map
+ output_directory: /live_response/process/proc/%line%
+ output_file: map.txt
+ -
+ description: Collect running process information.
+ supported_os: [solaris]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/psinfo
+ output_directory: /live_response/process/proc/%line%
+ output_file: psinfo.txt
+ -
+ description: Collect status information about the process.
+ supported_os: [solaris]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/status
+ output_directory: /live_response/process/proc/%line%
+ output_file: status.txt
+
\ No newline at end of file
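Review bot: Switching the per-process cmdline collection from `strings` to `cat` (L3493, L3552, L3663, L3734, L3809) writes the NUL-separated argv verbatim into cmdline.txt, so all arguments run together when the file is viewed; `strings` avoided that but silently dropped arguments shorter than four characters. `tr '\0' ' ' < /proc/%line%/cmdline` keeps every argument and yields one readable line, assuming the collector runs `command` through a shell (the existing pipes suggest it does). The comment at L3468 reads `profcs` for `procfs`. The environ outputs (L3612, L3622, L3702, L3718, L3825, L3882) routinely carry credentials; a one-line comment such as `# environ.txt commonly contains secrets (tokens, passwords); handle the collection accordingly` would help whoever processes the results.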
diff --git a/artifacts/live_response/process/procstat.yaml b/artifacts/live_response/process/procstat.yaml
index ee4ecd8d..5da8ac2e 100644
--- a/artifacts/live_response/process/procstat.yaml
+++ b/artifacts/live_response/process/procstat.yaml
@@ -1,42 +1,43 @@
-version: 1.0
+version: 2.0
+condition: command_exists "procstat"
artifacts:
-
description: Collect command line arguments for a process.
supported_os: [freebsd]
collector: command
- foreach: ps -eo pid | sed -e 's:^ *::' | grep ^[0-9]
+ foreach: ps -axo pid | sed -e 's:^ *::' | grep ^[0-9]
command: procstat arguments %line%
- output_directory: procstat/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: arguments.txt
-
description: Collect binary information for a process.
supported_os: [freebsd]
collector: command
- foreach: ps -eo pid | sed -e 's:^ *::' | grep ^[0-9]
+ foreach: ps -axo pid | sed -e 's:^ *::' | grep ^[0-9]
command: procstat binary %line%
- output_directory: procstat/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: binary.txt
-
description: Collect environment variables for a process.
supported_os: [freebsd]
collector: command
- foreach: ps -eo pid | sed -e 's:^ *::' | grep ^[0-9]
+ foreach: ps -axo pid | sed -e 's:^ *::' | grep ^[0-9]
command: procstat environment %line%
- output_directory: procstat/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: environment.txt
-
description: Collect file descriptor information for a process.
supported_os: [freebsd]
collector: command
- foreach: ps -eo pid | sed -e 's:^ *::' | grep ^[0-9]
+ foreach: ps -axo pid | sed -e 's:^ *::' | grep ^[0-9]
command: procstat files %line%
- output_directory: procstat/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: files.txt
-
description: Collect virtual memory mappings for a process.
supported_os: [freebsd]
collector: command
- foreach: ps -eo pid | sed -e 's:^ *::' | grep ^[0-9]
+ foreach: ps -axo pid | sed -e 's:^ *::' | grep ^[0-9]
command: procstat vm %line%
- output_directory: procstat/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: vm.txt
\ No newline at end of file
diff --git a/artifacts/live_response/process/proctree.yaml b/artifacts/live_response/process/proctree.yaml
index a99d0220..84e345ad 100644
--- a/artifacts/live_response/process/proctree.yaml
+++ b/artifacts/live_response/process/proctree.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "proctree"
+output_directory: /live_response/process
artifacts:
-
description: Print the process tree containing the specified process IDs or users.
diff --git a/artifacts/live_response/process/ps.yaml b/artifacts/live_response/process/ps.yaml
index af66068f..bd3bec74 100644
--- a/artifacts/live_response/process/ps.yaml
+++ b/artifacts/live_response/process/ps.yaml
@@ -1,4 +1,5 @@
-version: 2.0
+version: 3.0
+output_directory: /live_response/process
artifacts:
-
description: Report a snapshot of the current processes.
@@ -20,25 +21,37 @@ artifacts:
output_file: ps_auxwwwf.txt
-
description: Report a snapshot of the current processes.
- supported_os: [aix, android, freebsd, linux, macos, netscaler, solaris]
+ supported_os: [aix, freebsd, linux, macos, netscaler, solaris]
collector: command
command: ps -deaf
output_file: ps_-deaf.txt
-
description: Report a snapshot of the current processes.
- supported_os: [aix, android, freebsd, linux, macos, netscaler, solaris]
+ supported_os: [aix, freebsd, linux, macos, netscaler, solaris]
collector: command
command: ps -ef
output_file: ps_-ef.txt
-
description: Report a snapshot of the current processes.
- supported_os: [aix, android, freebsd, linux, macos, netscaler, solaris]
+ supported_os: [aix, freebsd, linux, macos, netscaler, solaris]
collector: command
command: ps -efl
output_file: ps_-efl.txt
-
description: Report a snapshot of the current processes including elapsed time since the process was started.
- supported_os: [aix, android, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix]
+ collector: command
+ command: ps -eo pid,user,etime,args
+ output_file: ps_-eo_pid_user_etime_args.txt
+ -
+ description: Report a snapshot of the current processes including elapsed time since the process was started.
+ supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
+ collector: command
+ command: ps -axo pid,user,etime,args
+ output_file: ps_-eo_pid_user_etime_args.txt
+ -
+ description: Report a snapshot of the current processes including elapsed time since the process was started.
+ supported_os: [solaris]
collector: command
command: ps -eo pid,user,etime,args
output_file: ps_-eo_pid_user_etime_args.txt
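Review bot: The new `ps -axo pid,user,etime,args` entry for freebsd/linux/macos/netbsd/netscaler/openbsd still writes to `ps_-eo_pid_user_etime_args.txt`, so the output file name no longer reflects the command that produced it; the same mismatch appears in the next hunk for `ps -axo pid,user,lstart,args` (`ps_-eo_pid_user_lstart_args.txt`) and `ps -axo pid,user,cgroup` (`ps_-eo_pid_user_cgroup.txt`). Either rename the files to `ps_-axo_...txt` or add a comment such as `# output file name kept as ps_-eo_... so existing parsers keep working` if the stable name is intentional. On Linux, `-axo` is BSD-style options with a leading dash, which procps may treat as BSD syntax and possibly warn about, so it is worth confirming the Linux output matches the previous `ps -eo` form before dropping it there. The aix and solaris entries are identical (`ps -eo pid,user,etime,args`, same output file) and could be merged into one entry with `supported_os: [aix, solaris]`.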
@@ -46,17 +59,18 @@ artifacts:
description: Report a snapshot of the current processes including time the command started.
supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
collector: command
- command: ps -eo pid,user,lstart,args
+ command: ps -axo pid,user,lstart,args
output_file: ps_-eo_pid_user_lstart_args.txt
-
description: Report a snapshot of the current processes including the control groups to which the process belongs.
supported_os: [linux]
collector: command
- command: ps -eo pid,user,cgroup
+ command: ps -axo pid,user,cgroup
output_file: ps_-eo_pid_user_cgroup.txt
-
description: Report a snapshot of the current processes including used time, verbose, session ID and process group, state and type.
supported_os: [esxi]
collector: command
command: ps -P -T -c -g -s -t -J
- output_file: ps_-P_-T_-c_-g_-s_-t_-J.txt
\ No newline at end of file
+ output_file: ps_-P_-T_-c_-g_-s_-t_-J.txt
+
\ No newline at end of file
diff --git a/artifacts/live_response/process/pstat.yaml b/artifacts/live_response/process/pstat.yaml
index 96e3d406..67b63326 100644
--- a/artifacts/live_response/process/pstat.yaml
+++ b/artifacts/live_response/process/pstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pstat"
+output_directory: /live_response/process
artifacts:
-
description: Display entries in the process table.
diff --git a/artifacts/live_response/process/pstree.yaml b/artifacts/live_response/process/pstree.yaml
index 4ceab7fd..d710cdf6 100644
--- a/artifacts/live_response/process/pstree.yaml
+++ b/artifacts/live_response/process/pstree.yaml
@@ -1,20 +1,22 @@
-version: 2.0
+version: 3.0
+condition: command_exists "pstree"
+output_directory: /live_response/process
artifacts:
-
description: Display a tree of processes.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: pstree
output_file: pstree.txt
-
description: Display a tree of processes including command line arguments.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: pstree -a
output_file: pstree_-a.txt
-
description: Display a tree of processes with the same parent sorted by PID instead of by name (numeric sort).
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: pstree -p -n
output_file: pstree_-p_-n.txt
\ No newline at end of file
diff --git a/artifacts/live_response/process/ptree.yaml b/artifacts/live_response/process/ptree.yaml
index 9ebdce00..d4108ecc 100644
--- a/artifacts/live_response/process/ptree.yaml
+++ b/artifacts/live_response/process/ptree.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "ptree"
+output_directory: /live_response/process
artifacts:
-
description: Display a tree of processes.
diff --git a/artifacts/live_response/process/strings_running_processes.yaml b/artifacts/live_response/process/strings_running_processes.yaml
index 3a6a2ae9..73094b3e 100644
--- a/artifacts/live_response/process/strings_running_processes.yaml
+++ b/artifacts/live_response/process/strings_running_processes.yaml
@@ -1,48 +1,190 @@
-version: 1.0
+version: 2.0
artifacts:
+ # aix
-
description: Extract strings from running processes.
supported_os: [aix]
collector: command
+ condition: command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
command: strings -a /proc/%line%/object/a.out
- output_directory: proc/%line%
+ output_directory: /live_response/process/proc/%line%
output_file: strings.txt
compress_output_file: true
-
description: Extract strings from running processes.
- supported_os: [freebsd, macos, openbsd]
+ supported_os: [aix]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/object/a.out
+ output_directory: /live_response/process/proc/%line%
+ output_file: strings.txt
+ compress_output_file: true
+ # esxi
+ -
+ description: Extract strings from running processes.
+ supported_os: [esxi]
collector: command
- foreach: ps -eo args | grep ^/ | awk '{print $1}' | sort -u
+ condition: command_exists "strings"
+ foreach: ps -c | awk '{print $4}' | grep "^/" | sort -u
command: strings -a %line%
- output_directory: strings
+ output_directory: /live_response/process/strings
output_file: %line%.txt
compress_output_file: true
-
description: Extract strings from running processes.
- supported_os: [android, linux, netbsd]
+ supported_os: [esxi]
collector: command
+ condition: ! command_exists "strings"
+ foreach: ps -c | awk '{print $4}' | grep "^/" | sort -u
+ command: astrings %line%
+ output_directory: /live_response/process/strings
+ output_file: %line%.txt
+ compress_output_file: true
+ # freebsd
+ -
+ description: Extract strings from running processes if procfs and strings are available.
+ supported_os: [freebsd]
+ collector: command
+ condition: ls /proc/$$ && command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: strings -a /proc/%line%/file
+ output_directory: /live_response/process/proc/%line%
+ output_file: strings.txt
+ compress_output_file: true
+ -
+ description: Extract strings from running processes if procfs is not available and strings is available.
+ supported_os: [freebsd]
+ collector: command
+ condition: if ls /proc/$$; then false; else true; fi && command_exists "strings"
+ foreach: ps -axo args | grep "^/" | awk '{print $1}' | sort -u
+ command: strings -a %line%
+ output_directory: /live_response/process/strings
+ output_file: %line%.txt
+ compress_output_file: true
+ -
+ description: Extract strings from running processes if procfs is available and strings is not available.
+ supported_os: [freebsd]
+ collector: command
+ condition: ls /proc/$$ && if command_exists "strings"; then false; else true; fi
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/file
+ output_directory: /live_response/process/proc/%line%
+ output_file: strings.txt
+ compress_output_file: true
+ -
+ description: Extract strings from running processes if neither procfs nor strings are available.
+ supported_os: [freebsd]
+ collector: command
+ condition: if ls /proc/$$; then false; else true; fi && if command_exists "strings"; then false; else true; fi
+ foreach: ps -axo args | grep "^/" | awk '{print $1}' | sort -u
+ command: astrings %line%
+ output_directory: /live_response/process/strings
+ output_file: %line%.txt
+ compress_output_file: true
+ # linux, netbsd
+ -
+ description: Extract strings from running processes.
+ supported_os: [linux, netbsd]
+ collector: command
+ condition: command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
command: strings -a /proc/%line%/exe
- output_directory: proc/%line%
+ output_directory: /live_response/process/proc/%line%
+ output_file: strings.txt
+ compress_output_file: true
+ -
+ description: Extract strings from running processes.
+ supported_os: [linux, netbsd]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/exe
+ output_directory: /live_response/process/proc/%line%
output_file: strings.txt
compress_output_file: true
+ # macos
+ -
+ description: Extract strings from running processes.
+ supported_os: [macos]
+ collector: command
+ condition: xcode-select -p
+ foreach: ps -axo comm | grep "^/" | sort -u
+ command: strings -a %line%
+ output_directory: /live_response/process/strings
+ output_file: %line%.txt
+ compress_output_file: true
+ -
+ description: Extract strings from running processes.
+ supported_os: [macos]
+ collector: command
+ condition: ! xcode-select -p
+ foreach: ps -axo comm | grep "^/" | sort -u
+ command: astrings %line%
+ output_directory: /live_response/process/strings
+ output_file: %line%.txt
+ compress_output_file: true
+ # netscaler
-
description: Extract strings from running processes.
supported_os: [netscaler]
collector: command
+ condition: command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
command: strings -a /proc/%line%/file
- output_directory: proc/%line%
+ output_directory: /live_response/process/proc/%line%
+ output_file: strings.txt
+ compress_output_file: true
+ -
+ description: Extract strings from running processes.
+ supported_os: [netscaler]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/file
+ output_directory: /live_response/process/proc/%line%
output_file: strings.txt
compress_output_file: true
+ # openbsd
+ -
+ description: Extract strings from running processes.
+ supported_os: [openbsd]
+ collector: command
+ condition: command_exists "strings"
+ foreach: ps -axo args | grep "^/" | awk '{print $1}' | sort -u
+ command: strings -a %line%
+ output_directory: /live_response/process/strings
+ output_file: %line%.txt
+ compress_output_file: true
+ -
+ description: Extract strings from running processes.
+ supported_os: [openbsd]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: ps -axo args | grep "^/" | awk '{print $1}' | sort -u
+ command: astrings %line%
+ output_directory: /live_response/process/strings
+ output_file: %line%.txt
+ compress_output_file: true
+ # solaris
-
description: Extract strings from running processes.
supported_os: [solaris]
collector: command
+ condition: command_exists "strings"
foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
command: strings -a /proc/%line%/path/a.out
- output_directory: proc/%line%
+ output_directory: /live_response/process/proc/%line%
+ output_file: strings.txt
+ compress_output_file: true
+ -
+ description: Extract strings from running processes.
+ supported_os: [solaris]
+ collector: command
+ condition: ! command_exists "strings"
+ foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+ command: astrings /proc/%line%/path/a.out
+ output_directory: /live_response/process/proc/%line%
output_file: strings.txt
compress_output_file: true
-
\ No newline at end of file
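Review bot: Negated conditions are written two ways in this hunk: `condition: ! command_exists "strings"` for the aix, esxi, linux/netbsd, netscaler, openbsd and solaris entries, but `if command_exists "strings"; then false; else true; fi` for the freebsd entries. If the `if ...; then false; else true; fi` form exists because `!` is not supported by every shell that may evaluate a condition (the legacy Bourne `/bin/sh` on Solaris is the usual example), then the solaris entry using `condition: ! command_exists "strings"` is the one most likely to misbehave; pick one form and use it for all entries. The macos entries test `xcode-select -p` instead of `command_exists "strings"`; a comment such as `# /usr/bin/strings is a stub that fails without the Command Line Tools, so check xcode-select instead` would record why macOS deviates from the other platforms, assuming that is the reason.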
diff --git a/artifacts/live_response/process/top.yaml b/artifacts/live_response/process/top.yaml
index 94baede2..6f338695 100644
--- a/artifacts/live_response/process/top.yaml
+++ b/artifacts/live_response/process/top.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "top"
+output_directory: /live_response/process
artifacts:
-
description: Display current running processes.
@@ -8,7 +10,7 @@ artifacts:
output_file: top_-b.txt
-
description: Display current running processes.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: top -b -n1
output_file: top_-b_-n1.txt
diff --git a/artifacts/live_response/storage/arcstat.yaml b/artifacts/live_response/storage/arcstat.yaml
index fd911309..309edb63 100644
--- a/artifacts/live_response/storage/arcstat.yaml
+++ b/artifacts/live_response/storage/arcstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "arcstat"
+output_directory: /live_response/storage
artifacts:
-
description: Report ZFS ARC and L2ARC statistics.
diff --git a/artifacts/live_response/storage/blkid.yaml b/artifacts/live_response/storage/blkid.yaml
index e7369626..a4c5a238 100644
--- a/artifacts/live_response/storage/blkid.yaml
+++ b/artifacts/live_response/storage/blkid.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "blkid"
+output_directory: /live_response/storage
artifacts:
-
description: Locate/print block device attributes.
diff --git a/artifacts/live_response/storage/df.yaml b/artifacts/live_response/storage/df.yaml
index cf0ef420..c4b8bda6 100644
--- a/artifacts/live_response/storage/df.yaml
+++ b/artifacts/live_response/storage/df.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "df"
+output_directory: /live_response/storage
artifacts:
-
description: Report file system disk space usage.
@@ -8,7 +10,7 @@ artifacts:
output_file: df.txt
-
description: Report file system disk space usage.
- supported_os: [android, freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
+ supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd, solaris]
collector: command
command: df -h
output_file: df_-h.txt
diff --git a/artifacts/live_response/storage/diskutil.yaml b/artifacts/live_response/storage/diskutil.yaml
index 0c2a2658..cebbc816 100644
--- a/artifacts/live_response/storage/diskutil.yaml
+++ b/artifacts/live_response/storage/diskutil.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "diskutil"
+output_directory: /live_response/storage
artifacts:
-
description: List disks, including internal and external disks, whole disks and partitions, and various kinds of virtual or offline disks.
diff --git a/artifacts/live_response/storage/esxcli.yaml b/artifacts/live_response/storage/esxcli.yaml
index 7bb26f11..61bc19ec 100644
--- a/artifacts/live_response/storage/esxcli.yaml
+++ b/artifacts/live_response/storage/esxcli.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "esxcli"
+output_directory: /live_response/storage
artifacts:
-
description: List the NAS volumes currently known to the ESX host.
diff --git a/artifacts/live_response/storage/fdisk.yaml b/artifacts/live_response/storage/fdisk.yaml
index 5e491aec..e7e25e5d 100644
--- a/artifacts/live_response/storage/fdisk.yaml
+++ b/artifacts/live_response/storage/fdisk.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "fdisk"
+output_directory: /live_response/storage
artifacts:
-
description: List the partition tables for devices mentioned in /proc/partitions.
diff --git a/artifacts/live_response/storage/findmnt.yaml b/artifacts/live_response/storage/findmnt.yaml
index bd0339bd..e744487b 100644
--- a/artifacts/live_response/storage/findmnt.yaml
+++ b/artifacts/live_response/storage/findmnt.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "findmnt"
+output_directory: /live_response/storage
artifacts:
-
description: Display all mounted filesystems in the tree-like format.
diff --git a/artifacts/live_response/storage/format.yaml b/artifacts/live_response/storage/format.yaml
index 6bee86c2..e1bc7839 100644
--- a/artifacts/live_response/storage/format.yaml
+++ b/artifacts/live_response/storage/format.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "format"
+output_directory: /live_response/storage
artifacts:
-
description: List available disks.
diff --git a/artifacts/live_response/storage/fs_usage.yaml b/artifacts/live_response/storage/fs_usage.yaml
index 717909c8..d1e3aac3 100644
--- a/artifacts/live_response/storage/fs_usage.yaml
+++ b/artifacts/live_response/storage/fs_usage.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "fs_usage"
+output_directory: /live_response/storage
artifacts:
-
description: Report system calls and page faults related to filesystem activity in real-time.
diff --git a/artifacts/live_response/storage/geom.yaml b/artifacts/live_response/storage/geom.yaml
index 011afccc..629d93a4 100644
--- a/artifacts/live_response/storage/geom.yaml
+++ b/artifacts/live_response/storage/geom.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "geom"
+output_directory: /live_response/storage
artifacts:
-
description: Print the list of all providers from the DISK class.
@@ -7,8 +9,8 @@ artifacts:
command: geom disk list
output_file: geom_disk_list.txt
-
- description: Display geoms hierarchy as a tree.
+ description: Display geoms hierarchy as a tree.
supported_os: [freebsd]
collector: command
command: geom -t
- output_file: geom_-t.txt
\ No newline at end of file
+ output_file: geom_-t.txt
diff --git a/artifacts/live_response/storage/gstat.yaml b/artifacts/live_response/storage/gstat.yaml
index 23387207..d31fa7ab 100644
--- a/artifacts/live_response/storage/gstat.yaml
+++ b/artifacts/live_response/storage/gstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "gstat"
+output_directory: /live_response/storage
artifacts:
-
description: Print statistics about GEOM disks.
diff --git a/artifacts/live_response/storage/iostat.yaml b/artifacts/live_response/storage/iostat.yaml
index dac0b1b6..86aeeb6e 100644
--- a/artifacts/live_response/storage/iostat.yaml
+++ b/artifacts/live_response/storage/iostat.yaml
@@ -1,4 +1,6 @@
-version: 2.0
+version: 3.0
+condition: command_exists "iostat"
+output_directory: /live_response/storage
artifacts:
-
description: Report device I/O statistics.
diff --git a/artifacts/live_response/storage/iscsiadm.yaml b/artifacts/live_response/storage/iscsiadm.yaml
index a16cc1ab..d2a5987a 100644
--- a/artifacts/live_response/storage/iscsiadm.yaml
+++ b/artifacts/live_response/storage/iscsiadm.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "iscsiadm"
+output_directory: /live_response/storage
artifacts:
# iscsiadm is an open-iscsi administration utility.
-
diff --git a/artifacts/live_response/storage/lparstat.yaml b/artifacts/live_response/storage/lparstat.yaml
index cd26d9ce..e3b4a673 100644
--- a/artifacts/live_response/storage/lparstat.yaml
+++ b/artifacts/live_response/storage/lparstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lparstat"
+output_directory: /live_response/storage
artifacts:
-
description: Display logical partition (LPAR) related information and statistics.
diff --git a/artifacts/live_response/storage/ls_dev_disk.yaml b/artifacts/live_response/storage/ls_dev_disk.yaml
index 17da09ac..dcf663df 100644
--- a/artifacts/live_response/storage/ls_dev_disk.yaml
+++ b/artifacts/live_response/storage/ls_dev_disk.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/storage
artifacts:
-
description: Display the mapping of logical volumes with physical disks.
diff --git a/artifacts/live_response/storage/ls_vmfs_devices.yaml b/artifacts/live_response/storage/ls_vmfs_devices.yaml
index 78700372..c7c4dff0 100644
--- a/artifacts/live_response/storage/ls_vmfs_devices.yaml
+++ b/artifacts/live_response/storage/ls_vmfs_devices.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/storage
artifacts:
-
description: Display the mapping of logical volumes with physical disks.
diff --git a/artifacts/live_response/storage/lsblk.yaml b/artifacts/live_response/storage/lsblk.yaml
index a4dd3abd..2ba72e07 100644
--- a/artifacts/live_response/storage/lsblk.yaml
+++ b/artifacts/live_response/storage/lsblk.yaml
@@ -1,4 +1,6 @@
-version: 2.0
+version: 3.0
+condition: command_exists "lsblk"
+output_directory: /live_response/storage
artifacts:
-
description: List block devices.
diff --git a/artifacts/live_response/storage/lsfs.yaml b/artifacts/live_response/storage/lsfs.yaml
index 8937b7d9..a4cd2cc8 100644
--- a/artifacts/live_response/storage/lsfs.yaml
+++ b/artifacts/live_response/storage/lsfs.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lsfs"
+output_directory: /live_response/storage
artifacts:
-
description: Displays the characteristics of file systems.
diff --git a/artifacts/live_response/storage/lspv.yaml b/artifacts/live_response/storage/lspv.yaml
index c60245e4..9ad24eed 100644
--- a/artifacts/live_response/storage/lspv.yaml
+++ b/artifacts/live_response/storage/lspv.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lspv"
+output_directory: /live_response/storage
artifacts:
-
description: Displays information about a physical volume within a volume group.
diff --git a/artifacts/live_response/storage/lsvg.yaml b/artifacts/live_response/storage/lsvg.yaml
index 13d5b3bc..98ab90f0 100644
--- a/artifacts/live_response/storage/lsvg.yaml
+++ b/artifacts/live_response/storage/lsvg.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lsvg"
+output_directory: /live_response/storage
artifacts:
-
description: Displays information about volume groups.
diff --git a/artifacts/live_response/storage/lvdisplay.yaml b/artifacts/live_response/storage/lvdisplay.yaml
index 5cb5bfe7..4750ac60 100644
--- a/artifacts/live_response/storage/lvdisplay.yaml
+++ b/artifacts/live_response/storage/lvdisplay.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lvdisplay"
+output_directory: /live_response/storage
artifacts:
-
description: Display information about logical volumes.
diff --git a/artifacts/live_response/storage/lvs.yaml b/artifacts/live_response/storage/lvs.yaml
index 89151f22..c2a8b67f 100644
--- a/artifacts/live_response/storage/lvs.yaml
+++ b/artifacts/live_response/storage/lvs.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lvs"
+output_directory: /live_response/storage
artifacts:
-
description: Display information about logical volumes.
diff --git a/artifacts/live_response/storage/mdadm.yaml b/artifacts/live_response/storage/mdadm.yaml
index 2eca11ce..17845449 100644
--- a/artifacts/live_response/storage/mdadm.yaml
+++ b/artifacts/live_response/storage/mdadm.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "mdadm"
+output_directory: /live_response/storage
artifacts:
-
description: Display a snapshot of the kernel's RAID/md state.
diff --git a/artifacts/live_response/storage/mount.yaml b/artifacts/live_response/storage/mount.yaml
index 02967b30..b7b8d0e5 100644
--- a/artifacts/live_response/storage/mount.yaml
+++ b/artifacts/live_response/storage/mount.yaml
@@ -1,8 +1,10 @@
-version: 2.0
+version: 3.0
+condition: command_exists "mount"
+output_directory: /live_response/storage
artifacts:
-
description: Lists all mounted filesystems.
- supported_os: [android, aix, freebsd, linux, openbsd, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, freebsd, linux, openbsd, netbsd, netscaler, openbsd, solaris]
collector: command
command: mount
output_file: mount.txt
\ No newline at end of file
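Review bot: The new `supported_os` line for `mount` lists `openbsd` twice: `[aix, freebsd, linux, openbsd, netbsd, netscaler, openbsd, solaris]`; the duplicate was carried over from the old line and this commit only removes `android`. Suggest `supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]`, which also restores the alphabetical order used by the other artifacts in this commit.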
diff --git a/artifacts/live_response/storage/pdisk.yaml b/artifacts/live_response/storage/pdisk.yaml
index 9a4b89c5..cf208339 100644
--- a/artifacts/live_response/storage/pdisk.yaml
+++ b/artifacts/live_response/storage/pdisk.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pdisk"
+output_directory: /live_response/storage
artifacts:
-
description: List partition tables for all available drives.
diff --git a/artifacts/live_response/storage/pvdisplay.yaml b/artifacts/live_response/storage/pvdisplay.yaml
index 413df2c8..f9da9947 100644
--- a/artifacts/live_response/storage/pvdisplay.yaml
+++ b/artifacts/live_response/storage/pvdisplay.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pvdisplay"
+output_directory: /live_response/storage
artifacts:
-
description: Display various attributes of physical volumes.
diff --git a/artifacts/live_response/storage/pvesm.yaml b/artifacts/live_response/storage/pvesm.yaml
index a894a2b4..3bdc0cd1 100644
--- a/artifacts/live_response/storage/pvesm.yaml
+++ b/artifacts/live_response/storage/pvesm.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pvesm"
+output_directory: /live_response/storage
artifacts:
-
description: Get status for all Proxmox VE datastores.
diff --git a/artifacts/live_response/storage/pvs.yaml b/artifacts/live_response/storage/pvs.yaml
index 01ba5d4a..c5259aac 100644
--- a/artifacts/live_response/storage/pvs.yaml
+++ b/artifacts/live_response/storage/pvs.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pvs"
+output_directory: /live_response/storage
artifacts:
-
description: Display information about physical volumes.
diff --git a/artifacts/live_response/storage/vgdisplay.yaml b/artifacts/live_response/storage/vgdisplay.yaml
index bd1eedce..addcd455 100644
--- a/artifacts/live_response/storage/vgdisplay.yaml
+++ b/artifacts/live_response/storage/vgdisplay.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "vgdisplay"
+output_directory: /live_response/storage
artifacts:
-
description: Display volume group information.
diff --git a/artifacts/live_response/storage/vgs.yaml b/artifacts/live_response/storage/vgs.yaml
index 28feee86..9c2f28cb 100644
--- a/artifacts/live_response/storage/vgs.yaml
+++ b/artifacts/live_response/storage/vgs.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "vgs"
+output_directory: /live_response/storage
artifacts:
-
description: Display information about volume groups.
diff --git a/artifacts/live_response/storage/zfs.yaml b/artifacts/live_response/storage/zfs.yaml
index 7fe94ac0..6ddbd9aa 100644
--- a/artifacts/live_response/storage/zfs.yaml
+++ b/artifacts/live_response/storage/zfs.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "zfs"
+output_directory: /live_response/storage
artifacts:
-
description: Lists the property information for the given datasets in tabular form.
diff --git a/artifacts/live_response/storage/zpool.yaml b/artifacts/live_response/storage/zpool.yaml
index 32964b43..20f212e6 100644
--- a/artifacts/live_response/storage/zpool.yaml
+++ b/artifacts/live_response/storage/zpool.yaml
@@ -1,4 +1,6 @@
-version: 3.0
+version: 4.0
+condition: command_exists "zpool"
+output_directory: /live_response/storage
artifacts:
-
description: Displays the command history of all pools.
diff --git a/artifacts/live_response/system/auditctl.yaml b/artifacts/live_response/system/auditctl.yaml
index 19e91401..7956fb8c 100644
--- a/artifacts/live_response/system/auditctl.yaml
+++ b/artifacts/live_response/system/auditctl.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "auditctl"
+output_directory: /live_response/system
artifacts:
-
description: Display kernel's audit rules.
@@ -12,4 +14,4 @@ artifacts:
collector: command
command: auditctl -s
output_file: auditctl_-s.txt
-
+
\ No newline at end of file
diff --git a/artifacts/live_response/system/chkconfig.yaml b/artifacts/live_response/system/chkconfig.yaml
index 42015e17..1c419129 100644
--- a/artifacts/live_response/system/chkconfig.yaml
+++ b/artifacts/live_response/system/chkconfig.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "chkconfig"
+output_directory: /live_response/system
artifacts:
-
description: Display a list of all services and their current configuration.
diff --git a/artifacts/live_response/system/crle.yaml b/artifacts/live_response/system/crle.yaml
index ce5d2611..58da0f5c 100644
--- a/artifacts/live_response/system/crle.yaml
+++ b/artifacts/live_response/system/crle.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "crle"
+output_directory: /live_response/system
artifacts:
-
description: Displays configuration information.
@@ -6,4 +8,4 @@ artifacts:
collector: command
command: crle
output_file: crle.txt
-
\ No newline at end of file
+
diff --git a/artifacts/live_response/system/csrutil.yaml b/artifacts/live_response/system/csrutil.yaml
index 9808170e..8b683e4a 100644
--- a/artifacts/live_response/system/csrutil.yaml
+++ b/artifacts/live_response/system/csrutil.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "csrutil"
+output_directory: /live_response/system
artifacts:
-
description: Display the System Integrity Protection (SIP) status.
diff --git a/artifacts/live_response/system/date.yaml b/artifacts/live_response/system/date.yaml
index 3ac3aaed..6064ca6b 100644
--- a/artifacts/live_response/system/date.yaml
+++ b/artifacts/live_response/system/date.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: Display the system date and time.
diff --git a/artifacts/live_response/system/ebpf.yaml b/artifacts/live_response/system/ebpf.yaml
index 88a1398e..ff8e103b 100644
--- a/artifacts/live_response/system/ebpf.yaml
+++ b/artifacts/live_response/system/ebpf.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: List pinned eBPF progs.
@@ -8,4 +9,4 @@ artifacts:
output_file: ls_-la_sys_fs_bpf.txt
# References:
-# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
\ No newline at end of file
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
diff --git a/artifacts/live_response/system/eeprom.yaml b/artifacts/live_response/system/eeprom.yaml
index f9985079..67724886 100644
--- a/artifacts/live_response/system/eeprom.yaml
+++ b/artifacts/live_response/system/eeprom.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "eeprom"
+output_directory: /live_response/system
artifacts:
-
description: Display the values of parameters in the EEPROM.
diff --git a/artifacts/live_response/system/env.yaml b/artifacts/live_response/system/env.yaml
index f91c2a4b..d878f525 100644
--- a/artifacts/live_response/system/env.yaml
+++ b/artifacts/live_response/system/env.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: Display environment variables.
diff --git a/artifacts/live_response/system/errpt.yaml b/artifacts/live_response/system/errpt.yaml
index af3aab66..d4a5b1a7 100644
--- a/artifacts/live_response/system/errpt.yaml
+++ b/artifacts/live_response/system/errpt.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "errpt"
+output_directory: /live_response/system
artifacts:
-
description: Display a report of logged errors.
diff --git a/artifacts/live_response/system/esxcli.yaml b/artifacts/live_response/system/esxcli.yaml
index bda08434..b3c5f367 100644
--- a/artifacts/live_response/system/esxcli.yaml
+++ b/artifacts/live_response/system/esxcli.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "esxcli"
+output_directory: /live_response/system
artifacts:
-
description: List the VMkernel modules that the system knows about.
diff --git a/artifacts/live_response/system/falconctl.yaml b/artifacts/live_response/system/falconctl.yaml
index 20316025..98b17f42 100644
--- a/artifacts/live_response/system/falconctl.yaml
+++ b/artifacts/live_response/system/falconctl.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: ls "/opt/CrowdStrike/falconctl" || ls /Applications/Falcon.app/Contents/Resources/falconctl
+output_directory: /live_response/system
artifacts:
-
description: Display the AgentId
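Review bot: The two paths in the new `condition` are quoted inconsistently, and the check is built on `ls` while every other artifact in this batch uses `command_exists`; `ls` on an existing path also prints the name to stdout, which the condition runner may or may not discard. Quoting both sides makes the intent explicit and survives paths with spaces: `condition: ls "/opt/CrowdStrike/falconctl" || ls "/Applications/Falcon.app/Contents/Resources/falconctl"`. If the engine offers a file-existence helper alongside `command_exists` it would be the better fit here, but none is visible in this diff.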
diff --git a/artifacts/live_response/system/free.yaml b/artifacts/live_response/system/free.yaml
index c2b2da9d..0d77472a 100644
--- a/artifacts/live_response/system/free.yaml
+++ b/artifacts/live_response/system/free.yaml
@@ -1,8 +1,10 @@
-version: 1.0
+version: 2.0
+condition: command_exists "free"
+output_directory: /live_response/system
artifacts:
-
description: Display amount of free and used memory in the system.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: free
output_file: free.txt
diff --git a/artifacts/live_response/system/genkex.yaml b/artifacts/live_response/system/genkex.yaml
index 5d21a5f1..d691e072 100644
--- a/artifacts/live_response/system/genkex.yaml
+++ b/artifacts/live_response/system/genkex.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "genkex"
+output_directory: /live_response/system
artifacts:
-
description: Display the list of kernel extensions currently loaded onto the system and displays the address, size, and path name for each kernel extension in the list.
diff --git a/artifacts/live_response/system/getenforce.yaml b/artifacts/live_response/system/getenforce.yaml
index 3f433b46..8c896702 100644
--- a/artifacts/live_response/system/getenforce.yaml
+++ b/artifacts/live_response/system/getenforce.yaml
@@ -1,8 +1,10 @@
-version: 1.0
+version: 2.0
+condition: command_exists "getenforce"
+output_directory: /live_response/system
artifacts:
-
description: Display the current mode of SELinux.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: getenforce
output_file: getenforce.txt
diff --git a/artifacts/live_response/system/getprop.yaml b/artifacts/live_response/system/getprop.yaml
deleted file mode 100644
index 9f436c23..00000000
--- a/artifacts/live_response/system/getprop.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-version: 1.0
-artifacts:
- -
- description: Display all properties and values from Android propery service.
- supported_os: [android]
- collector: command
- command: getprop
- output_file: getprop.txt
-
\ No newline at end of file
diff --git a/artifacts/live_response/system/ha-manager.yaml b/artifacts/live_response/system/ha-manager.yaml
index 9cb00d85..0d67ab04 100644
--- a/artifacts/live_response/system/ha-manager.yaml
+++ b/artifacts/live_response/system/ha-manager.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "ha-manager"
+output_directory: /live_response/system
artifacts:
-
description: Display Proxmox VE HA manager status.
diff --git a/artifacts/live_response/system/hidden_directories.yaml b/artifacts/live_response/system/hidden_directories.yaml
index 42776296..67129015 100644
--- a/artifacts/live_response/system/hidden_directories.yaml
+++ b/artifacts/live_response/system/hidden_directories.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: List all hidden directories outside of user home directory.
@@ -7,7 +8,6 @@ artifacts:
path: /
name_pattern: [".*"]
exclude_path_pattern: ["/root", "/home", "/export/home", "/Users"]
- file_type: d
- max_depth: 6
+ file_type: [d]
output_file: hidden_directories.txt
\ No newline at end of file
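Review bot: Dropping `max_depth: 6` turns this into an unbounded walk of `/`, and unlike sgid.yaml, suid.yaml and socket_files.yaml in this commit the find here has no `exclude_file_system: [proc, procfs]`, so the collector will now descend into /proc and any mounted network filesystems while looking for dot-names. On a live host that is slow and may stall on unresponsive remote mounts, and those trees are the least likely to hold the hidden directories this artifact is after. Adding `exclude_file_system: [proc, procfs]` next to `exclude_path_pattern` would make it consistent with the other find artifacts; the same applies to hidden_files.yaml. If the unbounded depth is intentional for v3, a one-line comment saying so would help readers who remember the old limit.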
diff --git a/artifacts/live_response/system/hidden_files.yaml b/artifacts/live_response/system/hidden_files.yaml
index a83bc498..3c9e6e67 100644
--- a/artifacts/live_response/system/hidden_files.yaml
+++ b/artifacts/live_response/system/hidden_files.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: List all hidden files outside of user home directory.
@@ -7,7 +8,6 @@ artifacts:
path: /
name_pattern: [".*"]
exclude_path_pattern: ["/root", "/home", "/export/home", "/Users"]
- file_type: f
- max_depth: 6
+ file_type: [f]
output_file: hidden_files.txt
\ No newline at end of file
diff --git a/artifacts/live_response/system/hwclock.yaml b/artifacts/live_response/system/hwclock.yaml
index 9e2e597f..bb7fecaf 100644
--- a/artifacts/live_response/system/hwclock.yaml
+++ b/artifacts/live_response/system/hwclock.yaml
@@ -1,8 +1,10 @@
-version: 1.0
+version: 2.0
+condition: command_exists "hwclock"
+output_directory: /live_response/system
artifacts:
-
description: Display the Hardware Clock time.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: hwclock
output_file: hwclock.txt
diff --git a/artifacts/live_response/system/isainfo.yaml b/artifacts/live_response/system/isainfo.yaml
index 12288659..93be8474 100644
--- a/artifacts/live_response/system/isainfo.yaml
+++ b/artifacts/live_response/system/isainfo.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "isainfo"
+output_directory: /live_response/system
artifacts:
-
description: Display the name of the instruction set(s) used by the operating system kernel components such as device drivers and STREAMS modules.
diff --git a/artifacts/live_response/system/kernel_modules.yaml b/artifacts/live_response/system/kernel_modules.yaml
index a1d60d40..ec450d3b 100644
--- a/artifacts/live_response/system/kernel_modules.yaml
+++ b/artifacts/live_response/system/kernel_modules.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: Display the loaded kernel modules (compare with /proc/modules).
@@ -12,8 +13,8 @@ artifacts:
collector: command
foreach: for module in /sys/module/* ; do echo ${module} | sed -e 's:/sys/module/::'; done
command: ls -la /sys/module/%line%/parameters
- output_directory: module/%line%
+ output_directory: /live_response/system/module/%line%
output_file: parameters.txt
# References:
-# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
\ No newline at end of file
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
diff --git a/artifacts/live_response/system/kernel_tainted_state.yaml b/artifacts/live_response/system/kernel_tainted_state.yaml
index 9dcb5586..4d8ebd62 100644
--- a/artifacts/live_response/system/kernel_tainted_state.yaml
+++ b/artifacts/live_response/system/kernel_tainted_state.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: Display the kernel tainted state.
diff --git a/artifacts/live_response/system/kextstat.yaml b/artifacts/live_response/system/kextstat.yaml
index dd5548f1..3b13d106 100644
--- a/artifacts/live_response/system/kextstat.yaml
+++ b/artifacts/live_response/system/kextstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "kextstat"
+output_directory: /live_response/system
artifacts:
-
description: Display status of loaded kernel extensions (kexts).
diff --git a/artifacts/live_response/system/kldstat.yaml b/artifacts/live_response/system/kldstat.yaml
index 6ebc949b..3b2fa11a 100644
--- a/artifacts/live_response/system/kldstat.yaml
+++ b/artifacts/live_response/system/kldstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "kldstat"
+output_directory: /live_response/system
artifacts:
-
description: Display status of dynamic kernel linker.
diff --git a/artifacts/live_response/system/last.yaml b/artifacts/live_response/system/last.yaml
index 1531533f..7fcfcbae 100644
--- a/artifacts/live_response/system/last.yaml
+++ b/artifacts/live_response/system/last.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "last"
+output_directory: /live_response/system
artifacts:
-
description: Show a listing of last logins and logouts.
diff --git a/artifacts/live_response/system/lastb.yaml b/artifacts/live_response/system/lastb.yaml
index f782cb05..e5c8a8bb 100644
--- a/artifacts/live_response/system/lastb.yaml
+++ b/artifacts/live_response/system/lastb.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lastb"
+output_directory: /live_response/system
artifacts:
-
description: Show a listing of last unsuccessful logins.
diff --git a/artifacts/live_response/system/lastcomm.yaml b/artifacts/live_response/system/lastcomm.yaml
index c2b744cf..fc70e634 100644
--- a/artifacts/live_response/system/lastcomm.yaml
+++ b/artifacts/live_response/system/lastcomm.yaml
@@ -1,4 +1,6 @@
version: 1.0
+condition: command_exists "lastcomm"
+output_directory: /live_response/system
artifacts:
-
description: Shows the last commands executed in a reverse order based on the default accounting file.
@@ -10,7 +12,6 @@ artifacts:
description: Shows the last commands executed in a reverse order from the historic accounting files.
supported_os: [freebsd, netbsd, openbsd]
collector: command
- foreach: for acctfile in /var/account/acct.[0123]; do echo ${acctfile} | sed -e 's:/var/account/acct.::'; done
- command: lastcomm -f /var/account/acct.%line%
- output_file: lastcomm_%line%.txt
-
+ foreach: ls /var/account/acct*
+ command: lastcomm -f %line%
+ output_file: lastcomm_%line%.txt
\ No newline at end of file
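Review bot: `%line%` now carries the full path produced by `ls /var/account/acct*`, so `output_file: lastcomm_%line%.txt` expands to something like `lastcomm_/var/account/acct.0.txt`, which either nests directories under the output tree or fails depending on how the collector treats slashes; the old `sed` stripped the prefix precisely to avoid that. Keep the foreach basename-only, e.g. `foreach: ls /var/account/acct* | sed -e 's:/var/account/::'` with `command: lastcomm -f /var/account/%line%`, or derive the file name another way. The widened glob also matches `/var/account/acct` itself, which is presumably the default accounting file the first artifact already collects, so that file is processed twice. Separately, `version: 1.0` in the first hunk of this file is the only one in the batch not bumped even though `condition` and `output_directory` were added here like everywhere else.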
diff --git a/artifacts/live_response/system/lastlog.yaml b/artifacts/live_response/system/lastlog.yaml
index a1dc75ea..efab5838 100644
--- a/artifacts/live_response/system/lastlog.yaml
+++ b/artifacts/live_response/system/lastlog.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lastlog"
+output_directory: /live_response/system
artifacts:
-
description: Display the contents of the last login log /var/log/lastlog file.
diff --git a/artifacts/live_response/system/launchctl.yaml b/artifacts/live_response/system/launchctl.yaml
index 0bf55bac..e92c9ba4 100644
--- a/artifacts/live_response/system/launchctl.yaml
+++ b/artifacts/live_response/system/launchctl.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "launchctl"
+output_directory: /live_response/system
artifacts:
-
description: Display all loaded and unloaded jobs into launchd.
diff --git a/artifacts/live_response/system/loginctl.yaml b/artifacts/live_response/system/loginctl.yaml
index bae82f41..7746af09 100644
--- a/artifacts/live_response/system/loginctl.yaml
+++ b/artifacts/live_response/system/loginctl.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "loginctl"
+output_directory: /live_response/system
artifacts:
-
description: Show terse runtime status information about one or more logged in users, followed by the most recent log data from the journal.
diff --git a/artifacts/live_response/system/lsmod.yaml b/artifacts/live_response/system/lsmod.yaml
index 3987dc0c..2601a5cf 100644
--- a/artifacts/live_response/system/lsmod.yaml
+++ b/artifacts/live_response/system/lsmod.yaml
@@ -1,8 +1,10 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lsmod"
+output_directory: /live_response/system
artifacts:
-
description: Display the status of modules in the Linux Kernel.
- supported_os: [android, linux]
+ supported_os: [linux]
collector: command
command: lsmod
output_file: lsmod.txt
diff --git a/artifacts/live_response/system/lsps.yaml b/artifacts/live_response/system/lsps.yaml
index aa0e3ef9..167b23af 100644
--- a/artifacts/live_response/system/lsps.yaml
+++ b/artifacts/live_response/system/lsps.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "lsps"
+output_directory: /live_response/system
artifacts:
-
description: Displays the characteristics of a paging space.
diff --git a/artifacts/live_response/system/mdatp.yaml b/artifacts/live_response/system/mdatp.yaml
index 245497c9..81afacbb 100644
--- a/artifacts/live_response/system/mdatp.yaml
+++ b/artifacts/live_response/system/mdatp.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "mdatp"
+output_directory: /live_response/system
artifacts:
-
description: Display sensor health.
diff --git a/artifacts/live_response/system/modinfo.yaml b/artifacts/live_response/system/modinfo.yaml
index 7a257e16..45a25993 100644
--- a/artifacts/live_response/system/modinfo.yaml
+++ b/artifacts/live_response/system/modinfo.yaml
@@ -1,15 +1,19 @@
-version: 1.0
+version: 3.0
+condition: command_exists "modinfo"
artifacts:
- -
- description: Display information about loaded kernel modules.
- supported_os: [solaris]
- collector: command
- command: modinfo
- output_file: modinfo.txt
-
description: Display information about loaded kernel modules.
supported_os: [linux]
collector: command
foreach: lsmod | awk '{print $1}' | tail -n +2
command: modinfo %line%
+ output_directory: /live_response/system/modinfo
output_file: modinfo_%line%.txt
+ -
+ description: Display information about loaded kernel modules.
+ supported_os: [solaris]
+ collector: command
+ command: modinfo
+ output_directory: /live_response/system
+ output_file: modinfo.txt
+
\ No newline at end of file
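Review bot: The file now ends with an empty line that has no trailing newline (the `\ No newline` marker follows a blank `+` line), while ebpf.yaml and kernel_modules.yaml in the same commit fix exactly that. Drop the blank line and terminate `output_file: modinfo.txt` with a newline so the validate-artifacts workflow and ordinary diffs stay quiet. The reordering of the Linux and Solaris entries is otherwise fine.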
diff --git a/artifacts/live_response/system/mpstat.yaml b/artifacts/live_response/system/mpstat.yaml
index 96fdaf42..7be433f3 100644
--- a/artifacts/live_response/system/mpstat.yaml
+++ b/artifacts/live_response/system/mpstat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "mpstat"
+output_directory: /live_response/system
artifacts:
-
description: Display processor statistics in tabular form.
diff --git a/artifacts/live_response/system/oslevel.yaml b/artifacts/live_response/system/oslevel.yaml
index e2e3ae9f..3acdadcf 100644
--- a/artifacts/live_response/system/oslevel.yaml
+++ b/artifacts/live_response/system/oslevel.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "oslevel"
+output_directory: /live_response/system
artifacts:
-
description: Display the latest installed level (technology level, maintenance level and service pack) of the system.
diff --git a/artifacts/live_response/system/prtdiag.yaml b/artifacts/live_response/system/prtdiag.yaml
index ebcc26b2..fd23a5f1 100644
--- a/artifacts/live_response/system/prtdiag.yaml
+++ b/artifacts/live_response/system/prtdiag.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "prtdiag"
+output_directory: /live_response/system
artifacts:
-
description: Display system diagnostic information.
diff --git a/artifacts/live_response/system/pvecm.yaml b/artifacts/live_response/system/pvecm.yaml
index 48af44f9..43f15c44 100644
--- a/artifacts/live_response/system/pvecm.yaml
+++ b/artifacts/live_response/system/pvecm.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pvecm"
+output_directory: /live_response/system
artifacts:
-
description: Display Proxmox VE local view of the cluster nodes.
diff --git a/artifacts/live_response/system/pvesubscription.yaml b/artifacts/live_response/system/pvesubscription.yaml
index ecc73ccc..6e636b6c 100644
--- a/artifacts/live_response/system/pvesubscription.yaml
+++ b/artifacts/live_response/system/pvesubscription.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pvesubscription"
+output_directory: /live_response/system
artifacts:
-
description: Display Proxmox VE subscription information.
diff --git a/artifacts/live_response/system/pveum.yaml b/artifacts/live_response/system/pveum.yaml
index 7bbe4df1..269be2ec 100644
--- a/artifacts/live_response/system/pveum.yaml
+++ b/artifacts/live_response/system/pveum.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pveum"
+output_directory: /live_response/system
artifacts:
-
description: Display Proxmox VE user list.
diff --git a/artifacts/live_response/system/pveversion.yaml b/artifacts/live_response/system/pveversion.yaml
index 61fdb8a3..fac683ee 100644
--- a/artifacts/live_response/system/pveversion.yaml
+++ b/artifacts/live_response/system/pveversion.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "pveversion"
+output_directory: /live_response/system
artifacts:
-
description: Display version information for Proxmox VE packages.
diff --git a/artifacts/live_response/system/runlevel.yaml b/artifacts/live_response/system/runlevel.yaml
index 1fa2eb00..41318da3 100644
--- a/artifacts/live_response/system/runlevel.yaml
+++ b/artifacts/live_response/system/runlevel.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "runlevel"
+output_directory: /live_response/system
artifacts:
-
description: Display previous and current SysV runlevel.
diff --git a/artifacts/live_response/system/service.yaml b/artifacts/live_response/system/service.yaml
index 46afb2c7..770ddacb 100644
--- a/artifacts/live_response/system/service.yaml
+++ b/artifacts/live_response/system/service.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "service"
+output_directory: /live_response/system
artifacts:
-
description: Display System V services status information.
@@ -6,10 +8,4 @@ artifacts:
collector: command
command: service --status-all
output_file: service_--status-all.txt
- -
- description: Display service names and their package names.
- supported_os: [android]
- collector: command
- command: service list
- output_file: service_list.txt
\ No newline at end of file
diff --git a/artifacts/live_response/system/sestatus.yaml b/artifacts/live_response/system/sestatus.yaml
index 784de382..950f9649 100644
--- a/artifacts/live_response/system/sestatus.yaml
+++ b/artifacts/live_response/system/sestatus.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "sestatus"
+output_directory: /live_response/system
artifacts:
-
description: Display the contexts of files and processes listed in the /etc/sestatus.conf file.
diff --git a/artifacts/live_response/system/sgid.yaml b/artifacts/live_response/system/sgid.yaml
index 4b82c773..72d03b22 100644
--- a/artifacts/live_response/system/sgid.yaml
+++ b/artifacts/live_response/system/sgid.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: Search for files that have SGID bit set.
@@ -6,8 +7,7 @@ artifacts:
collector: find
path: /
exclude_file_system: [proc, procfs]
- file_type: f
- max_depth: 6
- permissions: -2000
+ file_type: [f]
+ permissions: [-2000]
output_file: sgid.txt
\ No newline at end of file
diff --git a/artifacts/live_response/system/showrev.yaml b/artifacts/live_response/system/showrev.yaml
index 7a078b54..1b130c42 100644
--- a/artifacts/live_response/system/showrev.yaml
+++ b/artifacts/live_response/system/showrev.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "showrev"
+output_directory: /live_response/system
artifacts:
-
description: Display machine and software revision information.
diff --git a/artifacts/live_response/system/socket_files.yaml b/artifacts/live_response/system/socket_files.yaml
index 739aa4c3..6fa17d87 100644
--- a/artifacts/live_response/system/socket_files.yaml
+++ b/artifacts/live_response/system/socket_files.yaml
@@ -1,12 +1,12 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: List all socket files.
supported_os: [all]
collector: find
path: /
- file_type: s
- max_depth: 6
+ file_type: [s]
exclude_file_system: [proc, procfs]
output_file: socket_files.txt
\ No newline at end of file
diff --git a/artifacts/live_response/system/suid.yaml b/artifacts/live_response/system/suid.yaml
index 56bf65a3..cf890f1e 100644
--- a/artifacts/live_response/system/suid.yaml
+++ b/artifacts/live_response/system/suid.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: Search for files that have SUID bit set.
@@ -6,8 +7,7 @@ artifacts:
collector: find
path: /
exclude_file_system: [proc, procfs]
- file_type: f
- max_depth: 6
- permissions: -4000
+ file_type: [f]
+ permissions: [-4000]
output_file: suid.txt
\ No newline at end of file
diff --git a/artifacts/live_response/system/svcs.yaml b/artifacts/live_response/system/svcs.yaml
index f6387dba..e448844b 100644
--- a/artifacts/live_response/system/svcs.yaml
+++ b/artifacts/live_response/system/svcs.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "svcs"
+output_directory: /live_response/system
artifacts:
-
description: Display information about service instances as recorded in the service configuration repository.
diff --git a/artifacts/live_response/system/sw_vers.yaml b/artifacts/live_response/system/sw_vers.yaml
index c1ef4a3e..e8721187 100644
--- a/artifacts/live_response/system/sw_vers.yaml
+++ b/artifacts/live_response/system/sw_vers.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "sw_vers"
+output_directory: /live_response/system
artifacts:
-
description: Display macOS operating system version.
diff --git a/artifacts/live_response/system/swapctl.yaml b/artifacts/live_response/system/swapctl.yaml
index 59f18754..d9dbf844 100644
--- a/artifacts/live_response/system/swapctl.yaml
+++ b/artifacts/live_response/system/swapctl.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "swapctl"
+output_directory: /live_response/system
artifacts:
-
description: List the devices making up system swap.
diff --git a/artifacts/live_response/system/swapinfo.yaml b/artifacts/live_response/system/swapinfo.yaml
index d4b1c35b..6a0da5c1 100644
--- a/artifacts/live_response/system/swapinfo.yaml
+++ b/artifacts/live_response/system/swapinfo.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "swapinfo"
+output_directory: /live_response/system
artifacts:
-
description: Display system data structures.
diff --git a/artifacts/live_response/system/sys_modules.yaml b/artifacts/live_response/system/sys_modules.yaml
index 7955a696..74fa9d23 100644
--- a/artifacts/live_response/system/sys_modules.yaml
+++ b/artifacts/live_response/system/sys_modules.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: List loaded kernel modules.
diff --git a/artifacts/live_response/system/sysctl.yaml b/artifacts/live_response/system/sysctl.yaml
index b196826c..77a09d33 100644
--- a/artifacts/live_response/system/sysctl.yaml
+++ b/artifacts/live_response/system/sysctl.yaml
@@ -1,8 +1,10 @@
-version: 1.0
+version: 2.0
+condition: command_exists "sysctl"
+output_directory: /live_response/system
artifacts:
-
description: Display kernel parameters.
- supported_os: [android, freebsd, linux, macos, netbsd, netscaler, openbsd]
+ supported_os: [freebsd, linux, macos, netbsd, netscaler, openbsd]
collector: command
command: sysctl -a
output_file: sysctl_-a.txt
diff --git a/artifacts/live_response/system/sysdef.yaml b/artifacts/live_response/system/sysdef.yaml
index 808eee9a..356ee3d5 100644
--- a/artifacts/live_response/system/sysdef.yaml
+++ b/artifacts/live_response/system/sysdef.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "sysdef"
+output_directory: /live_response/system
artifacts:
-
description: Display all hardware devices, as well as pseudo devices, system devices, loadable modules, and the values of selected kernel tunable parameters.
diff --git a/artifacts/live_response/system/system_profiler.yaml b/artifacts/live_response/system/system_profiler.yaml
index a9762ea6..ea66387f 100644
--- a/artifacts/live_response/system/system_profiler.yaml
+++ b/artifacts/live_response/system/system_profiler.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "system_profiler"
+output_directory: /live_response/system
artifacts:
-
description: Reports system hardware and software configuration.
diff --git a/artifacts/live_response/system/systemctl.yaml b/artifacts/live_response/system/systemctl.yaml
index ed212875..8e1d0a96 100644
--- a/artifacts/live_response/system/systemctl.yaml
+++ b/artifacts/live_response/system/systemctl.yaml
@@ -1,4 +1,6 @@
-version: 1.1
+version: 2.0
+condition: command_exists "systemctl"
+output_directory: /live_response/system
artifacts:
-
description: Display all systemd system units.
diff --git a/artifacts/live_response/system/timedatectl.yaml b/artifacts/live_response/system/timedatectl.yaml
index fc027bc8..c3c51011 100644
--- a/artifacts/live_response/system/timedatectl.yaml
+++ b/artifacts/live_response/system/timedatectl.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "timedatectl"
+output_directory: /live_response/system
artifacts:
-
description: Display the current settings of the system clock and RTC, including whether network time synchronization is active.
diff --git a/artifacts/live_response/system/tmutil.yaml b/artifacts/live_response/system/tmutil.yaml
index 4fd900a1..db9cb87b 100644
--- a/artifacts/live_response/system/tmutil.yaml
+++ b/artifacts/live_response/system/tmutil.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "tmutil"
+output_directory: /live_response/system
artifacts:
-
description: Print paths for all of this computer's completed snapshots.
diff --git a/artifacts/live_response/system/uname.yaml b/artifacts/live_response/system/uname.yaml
index 457aa82a..e1669944 100644
--- a/artifacts/live_response/system/uname.yaml
+++ b/artifacts/live_response/system/uname.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: Display system information.
diff --git a/artifacts/live_response/system/uptime.yaml b/artifacts/live_response/system/uptime.yaml
index 43bd274e..e5bf621f 100644
--- a/artifacts/live_response/system/uptime.yaml
+++ b/artifacts/live_response/system/uptime.yaml
@@ -1,4 +1,5 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: Display how long system has been running.
@@ -8,7 +9,7 @@ artifacts:
output_file: uptime.txt
-
description: Display how long system has been running in yyyy-mm-dd HH:MM:SS format.
- supported_os: [all]
+ supported_os: [aix, esxi, linux, solaris]
collector: command
command: uptime -s
output_file: uptime_-s.txt
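Review bot: The narrowed `supported_os: [aix, esxi, linux, solaris]` still lists platforms whose `uptime` may not accept `-s`; `-s`/`--since` is a procps-ng option, so on AIX, Solaris and ESXi this will presumably produce a usage error rather than a boot timestamp. Please confirm on those platforms, or restrict the list to `[linux]` and add `condition: command_exists "uptime"` in the file header like the other command artifacts. The surrounding artifact list continues outside this hunk.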
diff --git a/artifacts/live_response/system/vm_stat.yaml b/artifacts/live_response/system/vm_stat.yaml
index dbd6be33..acd1e068 100644
--- a/artifacts/live_response/system/vm_stat.yaml
+++ b/artifacts/live_response/system/vm_stat.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "vm_stat"
+output_directory: /live_response/system
artifacts:
-
description: Display virtual memory statistics.
diff --git a/artifacts/live_response/system/vmstat.yaml b/artifacts/live_response/system/vmstat.yaml
index a013bb2c..0723d9ef 100644
--- a/artifacts/live_response/system/vmstat.yaml
+++ b/artifacts/live_response/system/vmstat.yaml
@@ -1,8 +1,10 @@
-version: 1.0
+version: 2.0
+condition: command_exists "vmstat"
+output_directory: /live_response/system
artifacts:
-
description: Display virtual memory statistics.
- supported_os: [android, aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
+ supported_os: [aix, freebsd, linux, netbsd, netscaler, openbsd, solaris]
collector: command
command: vmstat
output_file: vmstat.txt
diff --git a/artifacts/live_response/system/who.yaml b/artifacts/live_response/system/who.yaml
index 8f4142ea..b94d26e9 100644
--- a/artifacts/live_response/system/who.yaml
+++ b/artifacts/live_response/system/who.yaml
@@ -1,4 +1,6 @@
-version: 3.0
+version: 4.0
+condition: command_exists "who"
+output_directory: /live_response/system
artifacts:
-
description: Display the current run-level of the process.
diff --git a/artifacts/live_response/system/world_writable_directories.yaml b/artifacts/live_response/system/world_writable_directories.yaml
index e05e4629..9c49cc02 100644
--- a/artifacts/live_response/system/world_writable_directories.yaml
+++ b/artifacts/live_response/system/world_writable_directories.yaml
@@ -1,13 +1,13 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: List all world writable directories.
supported_os: [all]
collector: find
path: /
- file_type: d
- max_depth: 6
- permissions: 777
+ file_type: [d]
+ permissions: [777]
exclude_file_system: [proc, procfs]
output_file: world_writable_directories.txt
\ No newline at end of file
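Review bot: `permissions: [777]` keeps an exact-mode match, so if the find collector renders it as `-perm 777` only entries whose mode is exactly 0777 are reported; a 1777 sticky directory such as /tmp, or a 0666 file in the sibling artifact, is world-writable yet would not be listed. sgid.yaml and suid.yaml in this commit use the `-2000`/`-4000` prefix form, which matches "these bits set regardless of the rest"; the equivalent here is `permissions: [-002]`, meaning other-writable. The same applies to world_writable_files.yaml. Please check how the collector translates the new list form before changing it.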
diff --git a/artifacts/live_response/system/world_writable_files.yaml b/artifacts/live_response/system/world_writable_files.yaml
index 68cf86b0..375ffe21 100644
--- a/artifacts/live_response/system/world_writable_files.yaml
+++ b/artifacts/live_response/system/world_writable_files.yaml
@@ -1,13 +1,13 @@
-version: 1.0
+version: 2.0
+output_directory: /live_response/system
artifacts:
-
description: List all world writable files.
supported_os: [all]
collector: find
path: /
- file_type: f
- max_depth: 6
- permissions: 777
+ file_type: [f]
+ permissions: [777]
exclude_file_system: [proc, procfs]
output_file: world_writable_files.txt
\ No newline at end of file
diff --git a/artifacts/live_response/system/zoneadm.yaml b/artifacts/live_response/system/zoneadm.yaml
index 52e2805c..f551a008 100644
--- a/artifacts/live_response/system/zoneadm.yaml
+++ b/artifacts/live_response/system/zoneadm.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "zoneadm"
+output_directory: /live_response/system
artifacts:
-
description: Display all installed zones. A zone is an application container that is maintained by the operating system run-time.
diff --git a/artifacts/live_response/vms/esxcli.yaml b/artifacts/live_response/vms/esxcli.yaml
index 473923ad..cca69000 100644
--- a/artifacts/live_response/vms/esxcli.yaml
+++ b/artifacts/live_response/vms/esxcli.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "esxcli"
+output_directory: /live_response/vms
artifacts:
-
description: List networking information for the VM's that have active ports.
diff --git a/artifacts/live_response/vms/qm.yaml b/artifacts/live_response/vms/qm.yaml
index 0446f6e4..049959e7 100644
--- a/artifacts/live_response/vms/qm.yaml
+++ b/artifacts/live_response/vms/qm.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "qm"
+output_directory: /live_response/vms
artifacts:
-
description: List all Proxmox VE active and inactive virtual machines.
diff --git a/artifacts/live_response/vms/vim-cmd.yaml b/artifacts/live_response/vms/vim-cmd.yaml
index d9aa9a5c..1868e6d1 100644
--- a/artifacts/live_response/vms/vim-cmd.yaml
+++ b/artifacts/live_response/vms/vim-cmd.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "vim-cmd"
+output_directory: /live_response/vms
artifacts:
-
description: Get the list of virtual machines on the host.
diff --git a/artifacts/live_response/vms/virsh.yaml b/artifacts/live_response/vms/virsh.yaml
index 1eb45fb4..0306aa3c 100644
--- a/artifacts/live_response/vms/virsh.yaml
+++ b/artifacts/live_response/vms/virsh.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "virsh"
+output_directory: /live_response/vms
artifacts:
-
description: List active and inactive domains.
diff --git a/artifacts/live_response/vms/virt-top.yaml b/artifacts/live_response/vms/virt-top.yaml
index 6f171779..7dac483f 100644
--- a/artifacts/live_response/vms/virt-top.yaml
+++ b/artifacts/live_response/vms/virt-top.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "virt-top"
+output_directory: /live_response/vms
artifacts:
-
description: 'top'-like utility for virtualization stats.
diff --git a/artifacts/live_response/vms/virtualbox.yaml b/artifacts/live_response/vms/virtualbox.yaml
index b3ccbf55..353a12fa 100644
--- a/artifacts/live_response/vms/virtualbox.yaml
+++ b/artifacts/live_response/vms/virtualbox.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "VBoxManage"
+output_directory: /live_response/vms
artifacts:
-
description: List all registered VMs.
diff --git a/artifacts/live_response/vms/vm-support.yaml b/artifacts/live_response/vms/vm-support.yaml
index 123abe44..b95bd896 100644
--- a/artifacts/live_response/vms/vm-support.yaml
+++ b/artifacts/live_response/vms/vm-support.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "vm-support"
+output_directory: /live_response/vms
artifacts:
-
description: List registered VMs.
diff --git a/artifacts/live_response/vms/vmctl.yaml b/artifacts/live_response/vms/vmctl.yaml
index e8548101..f12ed7b5 100644
--- a/artifacts/live_response/vms/vmctl.yaml
+++ b/artifacts/live_response/vms/vmctl.yaml
@@ -1,4 +1,6 @@
-version: 1.0
+version: 2.0
+condition: command_exists "vmctl"
+output_directory: /live_response/vms
artifacts:
-
description: List running virtual machines on this system.
diff --git a/artifacts/memory_dump/avml.yaml b/artifacts/memory_dump/avml.yaml
index 0e0a724e..a09a6caf 100644
--- a/artifacts/memory_dump/avml.yaml
+++ b/artifacts/memory_dump/avml.yaml
@@ -1,8 +1,8 @@
-version: 1.0
+version: 2.0
+output_directory: /memory_dump
artifacts:
-
description: Capture a memory image.
supported_os: [linux]
collector: command
- command: avml %output_file%
- output_file: avml.raw
\ No newline at end of file
+ command: avml avml.raw
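Review bot: The `output_file: avml.raw` key and the `%output_file%` placeholder are dropped and the image name is baked into `command: avml avml.raw`, so the artifact metadata no longer declares the file it produces; anything downstream that used output_file to locate the acquired image (packaging, hashing it for chain of custody) loses that handle, and the hunk does not show whether the v2 schema offers a replacement. If the schema still allows naming the produced file, prefer that; otherwise a comment such as `# writes the raw memory image to avml.raw under output_directory` keeps the product discoverable. The same `%output_file%` removal appears in the two linux_procmemdump.sh hunks below.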
diff --git a/artifacts/memory_dump/process_memory_sections_strings.yaml b/artifacts/memory_dump/process_memory_sections_strings.yaml
index 37af92dc..2a33b92a 100644
--- a/artifacts/memory_dump/process_memory_sections_strings.yaml
+++ b/artifacts/memory_dump/process_memory_sections_strings.yaml
@@ -1,9 +1,8 @@
-version: 1.0
+version: 2.0
+output_directory: /memory_dump
artifacts:
-
description: Dump process memory sections and strings.
supported_os: [linux]
collector: command
- command: linux_procmemdump.sh -u -b -d %output_file%
- output_file: proc
- stderr_output_file: linux_procmemdump.txt.stderr
+ command: linux_procmemdump.sh -u -b -d proc
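Review bot: The `stderr_output_file: linux_procmemdump.txt.stderr` line is removed with no replacement, so the dump script's error output (for example why a given process could not be read) is no longer preserved alongside the collected data unless the v2 runner captures stderr by default, which this hunk does not show. In a forensic collection the reason a process was not dumped is itself evidence, so either the key or its v2 equivalent should be restored, or, if v2 captures stderr implicitly, a comment like `# stderr is captured by the v2 collector runner; no per-artifact stderr file needed` should document that reliance here. The process_memory_strings.yaml hunk that follows drops the same line and needs the same treatment.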
diff --git a/artifacts/memory_dump/process_memory_strings.yaml b/artifacts/memory_dump/process_memory_strings.yaml
index 2023ff03..1659ac75 100644
--- a/artifacts/memory_dump/process_memory_strings.yaml
+++ b/artifacts/memory_dump/process_memory_strings.yaml
@@ -1,9 +1,8 @@
-version: 1.0
+version: 2.0
+output_directory: /memory_dump
artifacts:
-
description: Dump strings from the memory space of running processes.
supported_os: [linux]
collector: command
- command: linux_procmemdump.sh -s -d %output_file%
- output_file: proc
- stderr_output_file: linux_procmemdump.txt.stderr
+ command: linux_procmemdump.sh -s -d proc
diff --git a/bin/README.txt b/bin/README.txt
index 46237bf7..857f89f3 100644
--- a/bin/README.txt
+++ b/bin/README.txt
@@ -1,13 +1,33 @@
-Place your validated binary files in the '[uac_directory]\bin' directory if you want them to be executed instead of the built-in ones provided by the target operating system.
+Place your validated executables (binary files and scripts) here!
-UAC will detect and run CPU architecture specific executable files, so they need to be placed within the following directory structure: '[uac_directory]\bin\[operating_system]\[architecture]'.
+In most cases, the executables should be placed in the '[UAC_DIRECTORY]/bin' directory,
+along with any additional support files it needs to run.
-Operating system must be one of the following options (in lowercase): android, aix, freebsd, linux, macos, netbsd, netscaler, openbsd or solaris.
+For example, if you have an artifact that uses an executable named 'my_script.sh', you should place
+this binary in the '[UAC_DIRECTORY]/bin' directory.
-Architecture is the kernel architecture (in lowercase). It can be retrieved using 'uname' tool.
+In the case where you have executables with the same name, but for multiple operating systems,
+they should be placed in the '[UAC_DIRECTORY]/bin/[OS]' directory.
-For example:
+For example, if you have an artifact that uses an executable named 'lsof', but you
+have two binary files, one for Linux and one for FreeBSD, you should place the binaries
+in the '[UAC_DIRECTORY]/bin/linux' and '[UAC_DIRECTORY]/bin/freebsd' directories.
+Note that the operating system name must be in lowercase.
-- if you have a 'ss' binary for Linux x86_64, it needs to be placed in the '[uac_directory]\bin\linux\x86_64' directory.
-- if you have a 'lsof' binary for AIX powerpc, it needs to be placed in the '[uac_directory]\bin\aix\powerpc' directory.
-- if you have a 'netstat' binary for Android aarch64, it needs to be placed in the '[uac_directory]\bin\android\aarch64' directory.
\ No newline at end of file
+In the case where you have executables that can be run on multiple operating systems, they
+should be placed in the '[UAC_DIRECTORY]/bin/[OS1_OS2_OS3]' directory. Note that you
+can have multiple operating systems separated by an underscore '_'.
+
+For example, if you have an artifact that uses an executable named 'netstat' that
+runs on both Linux and ESXi systems, you should place the binary either in the
+'[UAC_DIRECTORY]/bin/linux_esxi' directory, or place the binary in the '[UAC_DIRECTORY]/bin/linux' and
+'[UAC_DIRECTORY]/bin/esxi' directories.
+
+In the case where you have executables with the same name, but for multiple operating systems
+and multiple architectures, they should be placed in the '[UAC_DIRECTORY]/bin/[OS]/[ARCH]' directory.
+
+For example, if you have an artifact that uses an executable named 'ss', but you
+have binary files for Linux arm64 and ppc64, FreeBSD i386, and Solaris x86_64 and sparc64,
+you should place the binary files in the '[UAC_DIRECTORY]/bin/linux/arm64',
+'[UAC_DIRECTORY]/bin/linux/ppc64', '[UAC_DIRECTORY]/bin/freebsd/i386',
+'[UAC_DIRECTORY]/bin/solaris/x86_64' and '[UAC_DIRECTORY]/bin/solaris/sparc64' directories.
diff --git a/bin/linux/avml b/bin/linux/avml
new file mode 100755
index 0000000000000000000000000000000000000000..3556e57bddaf9de681bfaa33005a921e2e2e91c0
GIT binary patch
literal 7136072
zcmb5%4cN1D9r*u=GK5KGA`QtRTIFG-n5RsrMKU2PVkJz-ge*_ZL$&g>2uoxoT9k&;
zqBNl<)bi8{wNRGC^7xPQJ;(2S|9{`(`2QV8UGA5U_s*T4@2=~*FV}tF$8NjhdtbK1
z5{boMOC~l?yzryRvCF(j1^z+u-cR#)i9{ihPb~Yt|6etcesOlGm;TBB`)^Y790;doMm-XQwEnw?F*Q3NQNN?f?1jz2blW
zq?*|C#eZH+#ow0ijxH>}=1NhQ>wMY&e)Ph>*Q-X)zgLgHZE))rZ=+|MNW5^3FZ{3e
zLg4@M_KguI7H?meec`XA|M$Na{=TvMCtmnrqVdW2+tQ1gNKARVc)Zeshwb~qzjw>_
zA9?Yg`0Z)!=t3877mxSB|NVO}Jiq_1e{ow9JM(y<``JD?nq0i)Hof@VUj4rZTk?PZ
z+wT3lCOQY4``+v_D_#BW%%S%VA2@9F^>6lLd*R3bfBzbB-xl|0_J!zt
zjpYq|DnIWVAA0d2^Ph_D|Dy9%yea=CK9>Io&mIu(T!Yu;Kf{OepO!xS;`O9I9q;^t
z`KtV8ye}`D7d@}!f$`4om@mu!fOqA8!sqh8u<`J
z!N>At@oX*LSpl!hUyTptuffxY#5=3uRe1*Q%d>d$Gx1IiFUvQ+)Y@a*C7&L(?Dow|He=7;j?8#(`l-ro~%%lE;j^8NArk@3z!cvF5j
zK9(PYXFnJ3oQ&7yXW~Qo`FQ%Mc;^zlD!(4@%YTI@kB)bKi`dAMJ4}KaliR)>~=bw){WBF~zMxH%3-Z_qbUH*6aL-|9e
z>=wQMZ^S#Bog4M5@_#Ykmp@8B`Gt7r-*{R66yB9TkI&^xaX*X4#rvz`9r@QTkFI|r
zf6rx+Cy$SJE@nO_{|R1}-;OurcjI&UpYhBI@yC4*FUnW@esrBRc^+@ecf<$s3OWt(C=4bMMF`qj*e*H`GakD0W
z9o~~~g3shz{{M?RC^vQ^}B`JH&;Yw_pR
z+h(m7Uq?y#XuHT$@&cZg58e~aXXLFdBhShQTScCecj)Bh4LSvRZ?mXVl-HOq$tUlP
z=F9R9NLIy(^lp%5yw!O+%-Qt0~XWX~`4#P(GqRlIQTbJVhsQdVKGVEu!a@
zl-KZ-e8TnToIB#Y7;=EPli}O~MFV0&{zBq4n`Qp4a
zxfl)|D^LTTi|?Z+-dVyba}x^EQ&_cs(Z1h@X?ic}vL`
z=PfT^oVS8}ao&pZ3g@jPU!1p^yzuwv^Tw9^bz4X8_j>ZmG@2jDv&_%r9r}qge{b>i`3^r$$rqiRyzp>zJq7uMAD85dPFl)S}!US8um
z3-THFrzjsWUy_&DOIhAvz9ug`!pBGXuXo_%qkO{rNIqtME-yS9^^+IG?^_4Y$tVAe
z=1cOw(XYuX%(vwKSzN!o@{g!Lk}t7i^nB;?%8cvp#IHZ`ugG)q3D2t}Ux9v2UZB&G
zugiQ_em~xqKZp(EcQ_+3v$|v|po}x3Am!63_GkJ#jWVjm}$Jz6RcrFV0(6zBq3^`Qp6w
z<%{z+v~%7@^2K=@%S$}3iF|S1rt-ykOI;E_CyVozl`qa)PQEyAMR|?$Q<5iEiq2tK
zo?^Z(U!1pwd~x2I^2K>;$rtCXEnl3sj(l<6y7C6+ttVfcx4wLF-bV7n_`G^7&vV`;
z^2K?Z$`|KtCSRPlxqNZnlHK^;8=SY4d~x2=@(S;-GV;ZF%gPt$tt4NZx2k+`-fHp+
z9|!yL#W@+s7w2RsU!0SXd~r_3^2Irs$QS2iDz9-)X7a^3nadaFB=w#6UJm4(q~#yr
zoMhySbCQ)W&Ph(bI461e;+z!ioRgA#aZbwe#W|_S7w4oZU!0Scd~r^?^2Isn$rtBj
zE?=CJ#CPNOd2vpX^2Iqx$rtA&Enl3IjC^rUvhoV&Bqv{-le~O!P73lXu8KZ>mE_ms
z75Naa$$x`4oTk_5Ej=YHXMzZRd#Z^RRq$M64bcuIZ`o{|3z&&eOd3-V|2l012JbgnA$mGPQ<
z4ZIgy;63?=@qzq6d?Y^spUBU}XYwoX#P{R(|0X;opWqq!lXydRm1UlH$@7S}I-sV`sj8&?K8@|QaDmpVTTbmT8}d0T}Tovz3
zwq7UNuRMXbqYX#
z`@N}r@%>11`QrQHl0S<--wSVw-hZa$i~qiykw0@+G+&gz>h8#E@(ezZzvdUw{80Xr
zboA>Zrt%x{nfz8fF^E5}$*EB%C4Z3lwEQ7FEB`Bilkb?}*d1v-hJ
z$M^Uy=9BWR@U(mtI$8N{%;)6$;01YxPDx&8zAQfhugc#{r!N0G^9}j=cuW3vIvx4d
z%y$Fcm%oF~Q2vMgqCJk}*U_KIH>NX_*ZB3JbNNkllGn%go2QeO|Mox8uQSTX@1&EH
zZ$_sezh%4VbySr9g-%(%Ii0F}pI&r-YVs%OG~`>-X~~y{U2dt8@JD&QIUE_8D8x6{c7yeQw3PFcP+ol3xK
z@=wrd$akaD40v095S_04Fgm?}59CMC8OcwiGYv=f1OU^7x6tVJS9JwPDXwK
zoovAK@~_e<$}gu=l3#^a@*C;Y<)3H1AwLE0$j`#N@^9gN`OQ4;P~KyHB=6%B`R#OO@&WU6
z`AvBGSMh!Q4$lNUCm-{;1v{N$z{~OpovQpnI<(`(#rJp_o{|^n
zWaI%s1p8##{1p>2%}=FyECQiTC9f(HY8H%#Y+9d?LS$
z&P;wa^Kk}%6Ki{4f&AAZOK=q
z)0S_DcjdpP)0gka{6M}dK9b)`XCmK^`Ki3g$F;e9L??M`d|yY?Ny)o(GV(%=hH~#s~60(HY5CE8h$+%D2Kx^6l}OyoA@~yWws5{&+|J
zQM@PrC(mmj--r33{L}bY{urI9d`o_Rvzfe3C-vL-{XZ5@%TK}c^4pGzzHV8NpUHel
z{sh-qkzc@kRem8}m;aYeQ~q7%TLJILpP|!}UrDDg|1mz4KTl^YA2L6YCqEm#|DVa1
z`EulmQG74=(Mihxj;H0Xq?46D&U`N51^G&JO7bQ6{m{w*ugYIdr!N2XU!(KW2zX1r
z3Z0I8X|AU$UkUHaUq@#sUyb>Zd>woye=9zhzY|a27T@F6ct*YxUXbsG7Xx0Fug&wS
z$`7PdlYbU($lpSzB|nb&w)|AQFFykx$S=T0@^|pK6Zzu5Yft5u(wWQibdtY|-~V4R
zpORmVXXIPZDa&tQz9PR3ugSNe(~$p#`KJ6Kye)qpov!>b=6mv|@R9swYeny8#`0zH
zx%^dl;`aFcd>vktuZ5T7>*5vp&OEQ0JkNYxzCGTQ??tCA--r25zYzvFfJ
ziFBIsr#`0IunaE3vkK^(S=p^op?{RfH
zN%@=bwER1CvhuB&&&jvP3-T-Jl;ry}UzXQ-URC)|>D1*1(rL&K#ar@U(do!r%y;Eq
z$NTaTouT}P%#Y;P;S>4obY}89nV-uaz>~j^@Avm~((=cd&&Z#_bMimZDacpk^ZBAY
zgO}y^(W%Pw%-7^aydj^`Y039yzAbNae!B9<==9|W(izAHbVl-L=uG5C(V5Cm!{_o>
zd?kASko-e@k6q?d@;;uCr|9J5w=M2lCD6jO5SK83%kSe=nW6eCc(fJtoHSJuW;Y{~(==d=)y`fam3V(kaT{NT(F=
ziu@CFYVx0qf?jf
z!F)r$FW!>hMW-WgFyECQg!knS&>6}%ypZo34ERL;4>~jX7kS)yz>{}tzjV^_)9GXa
zo|FHZPC@>4I>msOdd@9e;nalT~lejm&uZ5@Nc{&;SC+TG6
z2jh8pflg8WS>{UtugJHjQ1-x`B&(40^XDFMQ0#Cm(DQYWBLAcrt&VG
zS-=zb#rJp!os|5CbkYIO%8#Oxm;anjA>bwXiF7LR-_WTBye|I=ou>RxbXo!L$j_nE
zlh5e%13r{rOlK@#A{)Kmn*@9&@6k#8DZa-kKR-6GMI
zI^}>@<+stP%Zqdx0dL9gq0^DShWp$NcwhcEIz#!J>5KwCkv~RfCf}USJmASme811q
zNy|S>Clm0TJo(jVzXkcH=oAB9maj~wD*rs4TEH9fHR!bDXVGZ~yeoe*oxc1EI)i|Z
z)h
zo=!91ZTSIoy7CXw=>>cs|16!6{2)5xfKTOLpfi`BMkn!?_#PLYveU`Pzey(>@VxwN
zIz{<)bV>oQ$S&ykbAb%5`lKeRC
zPdVUK`P=B!Aisl7G2mtSp>(S9ztgD&ydnQQotAvb^`mpx4tQ67GM&DBbvlE9
zkK||2naJNxXBzOi`~o`3zsC2t9i3FbGxG1!$;s~-M8E$-KHx?9kLZ-;yK_C2fY;;$
zIt}?DbeaKg%WtOBl^;i^7x01n_jE?`bLor&K9&EO&RpK*b(;8Fe2)uH$seJUkq_x)
z1D=;ZNv9~E(kTVJB7fQG(d(!tPaPR~J>X6G@^sqr9GyL;22h#`62=OaeZW?@lN2_xK(kqLU1GT3(@(mCxwp0$z~sPp2e*
zl1@3`Rrx`5>hkC4Gy>j|A5NzufB9RY*F`trefiOJhVoa^83lYIKc3D^z9yY{z>^Qf
z_j@Xxw0sjfnSkfyr_(9Occ4=Ycv*ffovOS-rxx&r{9ANd@=w!g2fQo4luloM1f4;^
zNAfG_OypmpGY$A$el4Bk!|^?Si%u%w8Tk!#a`MaRE^6%5B2D~ocj80SjOFFH9cjQ~s
z>B&cQ`tm>FL-`JL#_}2S6ZtdvOuh@9#6RPETxP@QoG0Zg<7xRGbh7e2-w}0k@_q4w
zd>=X``5HWKIp9_K0d(r}x6^3^yd^)BPDj2yoo>MU@}uYs<$Kc^1$-hup3Y4ESvvE8
zCm)UP_f$G*`Dt`A0nf=#r&ExhN2eI@viw{+Rr!^4Y5{M^zeT4dzm-lq;9dEpbo%ls
zok74y@+;{~KW27E5RmQHdO-{Y&_8ojEr`ml;2FJEZ>|?CEzvr
z?Q|OQ57B7`ye+?*PFMa(I=z4oFaxGV;^u
zWCNa;KSQS|{~n!Ez$@~XpULMx@?X=b2fQg?flgcgH#(hw_vEY48OWcZGYt4xo}n|9
zuab+N?=0Yn$Krc@Go6(DEp*ZW&&uCUCokWEP9fkW`DSz~@*U|^174SJO{Xc}n@%g>
z9r+G)dh#Ra^aDPW??PuRKatKP;4}FibQ1rL@9}Ip$$+Qj`_ReCFQbzSctL&uos#@|
zI^}>@<%iO#%kQAm2zX0=6rGOz?{vBW@5_&;Gn79=XB6;>{8TzK`K#U*y-w!=Pd*;s
z@9A{X@^$HC0-lqfOQ#^;j7~A&W%;-0ROKI_Qww-Qekq-nd|x{4fOq9r(&@_&r85Zl
zNPaDyiTn$6rU9SJZ=jR>PkfJO(Mbh7BfptWPJS_+e87wH+v$|$SJSBkye7Y!PD6ex
zoo2w>^84v@<$s~m3;00(FrATnPG=nOsr=t`=JMCPJ$juco`~;p;VJpkbTaZRoovAK
z@+HrT9=9mpj7}-w75Q>>+VT(3=>)tdUzyH8z89Tgz{m2{=uG8D(wPN3@nrn|uT3W<
zKb=lG;92?lbn^1c=oA88lD~saMScUFYQXFA&FD1cchhMFyd&S5PES6i(+~Jiz5|`H
z{Bb&yfY0Q+&`HeWdt8pMt0V)SmhV9)D}U|c>ox%|$oHXBlCMLj9Pq0A06KMfo=!tv
z#9Q)1>2&0~GvAee4DZX2qBE3#lKGMRD10J6p3Y2u2J>_ISMcP2g;`J#M)m*wZvsmkwSz9#<*-jH8HrzM{;-ztZW-59V=u0UyX8qBD{oO=m1`@ckiE`J;5^@>A&~o{sPF
z)LwM|Q}Tb&$;iJ#Co4Z4&&wa9QYR&&Kz-8S_c`>hFyDY5DqevhuT@{?LnmepxQyCHYo7ZdtwuUX^dm
zEWW{AfB|`Qp#r?ge}xKc3D=zW8&x#{r+pPo*=LFaBKbL}I@e-_Ipq
z{QpE^;VJp)bTabAp97u^cwT-kouYj4=Z2R8UXg!`PEEe}bH?idZ^|#F)0Qv(T=Gu9
zd-5yk4CK3U{)Yh{%de#~mG4hyCO;TYED_)1^>kA5+)H`B?>&tbkG|2AHd
z-$AD$zk>Oy{5rfYzn4x^{%hu2^55ef`CsYuvF8@4#errSi
z5jrjT>U28t{h05{KZEz>>(Cj>KhOL~ehNO3Z%Ah*Ka2Uf{JVH^$@qRZrIVHqn9s=X
zz;p6<(J9CuV!kL}Dj%JbvV2QARr#9C*W{bx4SA7HOTPEH(a)#a0q@E`K&Nl#aR&h(
z$xC!5@?Gdm13tIYNiG%N<8E|P0nf-kLMJERi%ve^Mfu0+l;t%#m4Mge2heHAPo&cf
zcw2rLov!>WI=z4orIdqEh
zF`ZJtEAorz)Z`D)sRz6%zno56{s^5;z
zPD;Ma;_Cnb&&q#KCof->P9fkW`GihIzBZj|!0Ymd=rrY<(rE>}BY&JuPre(d(xQ%d?rtRJ^FZ*SUSGPgXkm!o|eCgPF8*dom{{R^3~~-{e~`{N;8XdHbmsCs=p>en?{VQN`G`(NUZs-_cwT-N
zoud3mI;DVD;=8XXUS@lb8RTP9fkWd4^6!ek+}7!0Yn$=rrZ`(P;&|Bj1QlPyP=&
z{eTbUo6{M~pQkek_)K1;lXzu(kIQcsorh$=)AF6^WaVqq$pyS1-;+*Bo~Kg|cvZe1
zow|HSI*ow0xLC-M{M%;d+@nFl<%e0;xOrjwSp=wt$(
zleg&<TKu7U-nqXVb|9JSX3VPC@=XI>msO
z{&`HbZbTR?Y$$vqoAWs#d*J&}}W%-a!RsJSAwSYI|
zx6o~f=kB8Dp1w13ahfYp@BAtA|
zi}DGbvi$3GDgm#_AE48acj+_(-j+}4bmiC4=>>cse}v9R{yRG3fKTN!I&=B`bP}t^
z_qgzs{Bb%NJDqI6^YS^JqWl$GMz7OSz$@}+=+xw^(y0f$DNlSOdfc{reL9_h_vA~_
z8OS%MGYt4xo}@FCf0)iJ;EC78_xMUWDfy@9qywInr|9J6pQlp@cuD?hIu-fpbgBWb
z%hPn4@^8^;1-v6)olZ~wLpuF{59Jv;WBD)WOaeZWzmZO2wfG+YKqndSv^+~ED}R_y
zF5m_ETj-SJ&(SFdyeiMpsmoW~Dtg^D0^X8uM5iNPlTJ6_eR-bFQ2us0qkvE3@1`@8
zzn9KD;K|kF`z_E(%lDv@33yJv4V{AgU^>Nsm*qt|RryJDY5{M^ccjyjpGT)1@UFZ>
zr!W5jok74y@(D$B`?hrzhVUAILvVXC(hH^JDqG_*7n_GnXIDd}59G9v7aH
zA4Vr5{}P>S!1MAtoud3)I;DVD1c=%nP&(@6(BD{s-s%U9YadR-I(UXq_dry^gMPBq|ld7DmC
z{!TirfOq8Ipwp8V>GT6Wly~Ti<-60F1bimHh)yCC-{WWKBm@o7l-Z;DUl&(fL8-_Lwv?f4!m
zcuKzHdC~P}uSBOUzlu&L;63?k=nUk)
zpfe2kSiUNqsr+_2vw$bw7~kXT>7?XSI_ZFCxGx?@mXJVcBUXEZsDR1Iwd7e&Iej)QY
zc^5Cpx1v*$-^hGfemh>5Pw=V4tXycyoM@-=UL|Pk3Hw`7Ly^@+;`%0|<)liy9JApb9&V!+Gt37x8ZNj?tN0^X26NT(%Vo=!X9UHL;B)!obdqn2?{R%PseotX|D}_YZ%ij2@S^-VI%WA5bSeR_
z$(Ot!`aHZL-=0o0;B9%5PFKDQonF8P^5yA_2Yf1j6`i?!e>#b`$M?AKlzbIB
z8Tlb}vH{P_SEo~yA4R7W@QQp*IyL!;bm{?b%HKq%E#G4C`A@)m^7ZKq}9+?Y;Eegd6zz_apq(aFotrBeuaNxlW0iu?*X)qvOK+t6vsZ=%x*
zct^fHot}I`ryua4{QY#s@+av`0zQ-PLMO3Ne2*($6Mf#B40u{zrjwPgOD7lbf_yJJ
zCHe9E{HrYg5?+;moK9VS0rL&{<#K%Z{UedrLa%6)Fj*JHjT-wf}`e@SN`-;w#Dd@p<~
zzm?8Zeh~9B`GntRCXtWd|2yfVdnN
zmi!vLBfpPM;+^s5`!nW~@*$p(P`7?An@*jLS+HY5W9p0BO)rsbZ^5>Z!$zQWuG(VBQlFm%N^!uavxqLM|`L6hW
zUri@1-;nu?{M~p?{(3qE`L4_t174QDiB45srBjn1jyL2R(rL+$XTBZqu6z?Zefjxx
z1_2+*x1=+XUqxpc@VR_PI?2uAd;BGxRKPRxUFqcHchJcPyeR)DowEFXI+cLe9_G8Tqz!
zvH{P_zeJ}f-;GWw;1&6qbZYW_=+pz=l%GeZE&mLiPQZKei|GvHU!XG#_*i}!ovFM<
zXBP0pd*XZi5uKF$0y^n{XXQVolb3&=P9fkW`Hgfc@}JSE2D~o+EuE(PCOWNvcjR}{
z>B(=W(+~JieixmwJjdr<6L}e*$^S$rv3Y!t4d#>bE}oV@NGB`5m*6{FbjAUn%6FzS
zm-p!;wv6v_;VJp40bDr_jmEr*sMdFUh}3ry@@s
z6Yaek@VdNBrzy|VX$8C^zkp6pUZK+u_)z|BI%9d0&LrS7`DJtxTgUgi
zS^0=gF5m_EwRB4IIh}IAtMcpV)a9AaM|*Dsyd}ShPDfs%(+zlEKB6;}znjk()`Pw{gSH2$eJ^3d1K>ijwBl-K7
zAItZ}r}DSbnahu4KJni8z80R6Z%QX4Kaoy0;CcDG=oIB=(J2MIB7YB^n*1U<^?*0!
z1v+i{6?8fQ@5#5OGmzg(XBhCY{JnIh@_Xsb0-o3|zQ^t9q~w36lMZ-Rz9XHye92v+
z*GnPbCHV*FROGAEsRq0*-{6IQ0`Au}@0Z(op-*1ghT7DayOu%#UL+KRc_t7Z^ye$7LovQqwbZP-_
z$d9Dcl0QSI9q_LFXgYoQt3MRI{}}{)BtMqUM7|-NX~5_5Q
z*%EAA7wrx-v`gh*Pv67SD7!$55>#!b?H>)
z$1q=$pNu!;IXW%*nasE4-^9D}Je|J$GUf;JYw(HuSNK$ZFP{8Bd@ujTQ}Si_{;Qn)
z4R~I@F0|?*mmfff0#}>;92=M>Ez{4(yg*
zihQ|iqt{V2;C1?XALwM|eLA^-7vvK6kWc6o174OdPp2wReIdHe
zTEH9fmFcwPCvyJV0q@IO%nt%Sk$0G%%KLcoL-G4R!c+1oo|7la(S69v(|B2)!z=Ov
zUX!oNeQU^fW4B;J;V+w!gOj{N=jK>iVY
zDBlmC%0Gk80SjZR`W?UDJU{4hK%
zKZj0MeiHLJ`Pq0uej%Nbyvux9el=c|f0s^O{%htN^1Jbt{0cf9`6JAC<~(r&PZNm
zek^a}Q~Ant=JK!cyb>RY?{VQN`D%1B@)3`lm7l-ZqkJtoMfr?QNq+5OkMi~C)Z}C4
z>j7`d-%h73{~Mi7z=EB%kxokfU!GSw;8}Tz
zPF}v;p3(Cv1iU2wFrA9L!t<&Iye{91PE+2b(~|e_j{FmJdh#jreR=8x_9#Dy&RCvj
zej=~nGx-s85_`t?xEA+08Su2cK_@HUj7~1#1^E~0l;j_xQx14l{$)CK`5|-~@+SAE
zB|nQ!M}8WeZovEU3+N2xEjpusPvn=-naR(jGY@!julRnyM<*>mmrh20DV~%6fKEYv
z1M@}s@9?txDmqp9-Z!1biZ2cCYC5I1PC6qw)K^D)Xs;=j2)D
z^8qi*H)XyO@P_=o%r^txl|RAftG$4aGb4ZW4B)*%i%-$l6yzYw{1`E%}~!TfQIOmmh);+m|A%D131lfMs7
zd?NmQb97SjU71e@JS*RfPF{W}okGA%^7qoI$iGUb8t}UOgLInmkMem!OI}-iz9B!C
z$L-6%g^%Tz;uHA~@Wg)c``^ct@&TTe--PGnzsC#mJ-H7h`Tfk7oo;5qr%=oI9~GGCORhL`2%(y7Y7&U{V&ZM-4Bh)zp>CG&0h0Po5#qtln)%KSin
z7e10-MQ0-a8}n27?uGdjs?e2+_fJUX{2`3iVOKBSYAuf}{{p2dsu+vt?#8#7;#
zZ-v+7chPCcKfrubz8Bt=AAtAdN8%&-7xA(DOnff?7M}QI{Qmy{&&Ypasza;7m13s4ji_TR3B+qvi@WiL$
z_y2J^Df{C0^_8!%PxN}p%Acf@m#@xzLH-83B!7xdMZN*^)qvOK&(dkiH>T5)&p8hr
zdE%1j`S#=={8Z$9`FrUP==6mu7
z@PWKXXC$99KbEh^^P0-9rZbnX&3xjZ_#WSdr{veu$;h)OM&~&ze?OhP{AM~ud5KO*
zz6YI({0=%bd7VyOUZvBN-%F=0@6hSU52w?U|CP=_ejM{d`B(6<{82hn`8SxK$-jdq
z4vz0}PA4V5iutts20SZYq8sfuFCQ^qkl%}!48!+q<>H)p;p-v;l?H=r|=@6G&3zCS*ZZ%k(q+EUy~n2
zry*Zr|LFZ&Q@#w|mLE^2D_?{8o_qs*AU~DPNWMMuV|f{$%Fm!Pmk&>jo>$_~_#PLY
zlAlK>BcIX9%F`$D@k@R&oua(Jd`Vu#EAq?f)Z~Y8AL;>b%709!EkBA*C*VE#HFO5@
z7?YhGM|>;jc4V*r<0fem-&J`S&jBylK+`b
zMgAt{tMWWvmp?+MDK9bKlD`M<$e*ColYfNyzWfvTP@ecs^nAzim+wetD1Qy}Bl#NmM7}$nnS6cb=kks4@$$iG7;CqJ9V%?G?F{{fw{{1Q5qfY;>L&}qmgJg;WJ
z+wvRebmc$cdU^pL$Zw`IlHW#W9Pp|94mxxB!*mk$_#PLYlHW@wBTs!XdOwp5cwYVh
zouYis^^^i$kv~GGCeL#{^?*0!|Dn^CznuS$&Gx^ty0X2=hI810TpgO=l!O
znfbB&EPN_IjLuwsKJ$rV;`jd|JS9JxPDZ{HU%$-;yeQv|`BK1Z@{ciJ4|rRC0P~%I
z59Eh4KMeR(ek}8|fTunmzn_Lr6RwN`KtUeye>bDPE%gu
z<9kcqz&r9Y==9`?Pe<>s`tlx~q5Kd@A3V
z&Rl*9*ONFdzQ@(+r{wRUlaa5-d{(|Go|kV+r)X!sBro9=`A&3d@;#Za2fQiYl}=lJ
zIGs+wd-4jMf&5fDL;30WSbhMVsr+2#XYz01iR0sYJd{pKekt?mfM?}L(aFoNqEiTX
zNq!QYihM|?8t}UO%XFIZyXdq6-jSb0rzd}ePCwv7`T2Cl@@MHx0zQ*}n@-|{_#Rh0
znD@5$^ySG~^tu=Xd?bIK&P2WnooT@5@}<7V>+z)c9@nFj3V24oES;Qu
z!q2nv0WZo^bjtGWxSmSDYx399X~_4b(+qf9zB-+*{0KU|fDhzr(HY5)p)(HnRK6~q
zx%|s?5?_q(ap5WX26Qs=i|J$oo|kV#rzpRUPAT9O`DS!#@;m6%1KyNxMW-!)h)yTq
zJ^A)@2J)xq3pG1f9Hm2j&a%{qU0f
z({w8GFEC#XcwJtn)0BUePAlL&`L~(x2Yf8QmibA*6DP;-|A_gd{113m{t%v%KZ=*+
zFaJz*9?J6N@v8iI?ps~{8s;1Fb?}z_R5~5`mdtnMAH@6eGwBTF2QojBCr^%^??iq+
zotgY7I&*oJPV$uazAmAYmY+%|BQMj*$$NAP@-CgCyg{cdzmiT>{xdo?d7n;0eifaT
z{B}BR`IJsq{{PT*@8R>D^Zm!Cq&11qbttP&LlQ=WYzao4Mk&*x-4ePgsUZoY5*E?l
zwhmoH4MEp=oyVa%2-bNJF^G0(uu`p!I*en7(rz_ahwAUTa=%~S>$;y;{naZE@80)o
z-tT*6=ll75zMt<0Y@G)FJzJ-R|H6C=ztGm{;o~Q``3~@t%n$I7*gE0){v0!_AHg4B
z9>G6m>rCK}u=)f(dXCGP!9QW^%;4wRIypSCb>{HS)>*>Ow{=Q*Ve72n|7h#f@YmZq
z8~8iTTli;eoh`hx`W^i9<^%k5w$1@QSbgwZe~v4=t`Yq6woU}U^0{sZkBKn&$LF4+BzNlY34il
zH*B2&{z|Lg!^h{l{s+(V=lE?~X9RzztuuxvwoVNHj;)ixKWXcv@P9F%!oO$h
z=lgSPf9=s%{GOQ!{O9j**E@wrS8?@o_^})754^Ja4g9)RzlEovTYnF~nbnW}#?K!e
zZTaD+Sp5_p9Ao+6_f&rP(&{(xQmh!Ls{OMIKKm2jZ53j6#4*x6VhX=>H
z^*8YMSbYmW@qKQN9sC6QIgl;<6(4awhq;3%woVVf=9}&3HsRm+?t`y5hocwx{kfg}
z9!k41JcC!2TW1Q7tbPWczs%L=@TqwL
zPt7a%>ZNX-n*KuP8+iLR=N)|WR_9yz@=eZn@W}-M<-pIQA59=*fek7L_M*R^@O^Vu))626V%D>|}*N4IpohUZq_!1q?)
z!lyTJ>vZtVDbBZW)$icZZCri&GXFemk8_^Eqw6~_;YY3)e&l-LN3IvH>+RsWt{q(Y
z2Y7q3%Q;^A*EPMB^B6wAweu8yqz~{TeSrVi6*FHC+AZ6@H!v
zSp5XvTm2NCTm2lKUem3=g5T*<%MV{#{TBX5R=cW89m@}&f8O%LqwBi*E&MrFzlSfae)K9o|8M`Z<%j2E%MV{#{T!ZN&+@}BwE7Kv
zY4uz9C04(OM>llqk6!KPf5De5KYVHRQ~1lQeh$xXWclI2m)-g`JbmyjuDE}Dc=ZtH
z1AJ=r(QEwtfBXZt{tEu%uem=j1h4h$Z}OY2ehz<_t<%Hrzjn`=Y2~kTy7?9!-PrYE
z4v;Q|mwda_j#a{QgI8bpJhpKi=wd
zcx(SXhrgh=a|o|2&j$WXTfc*EZteQEg{S5{e02v`Kfu#dobTzka-P_AYhF*ez004%
zM^?Xt_x9f__@DpKt+Rm#$GN#|;i})mS9fta!@u?CwKN~WbMrBLbXT`d1W)hgdYHB+WHxMb-G(;2A`hh
zynwgn3wUl`!EgO~_q^@k`nu2_{v^ve{yYD=j=9XOvxIB?8m{%XaIJrUYyG13_w66<
z`mlhv4|86^M^?XvZ>_$CEB^pj{?VKLJj$QImA{5>&Tu&!_}09Gx8^-uIm5U3d6aVk
zSI!w+Ia~P0-s(P2x9}@B_H{q_=dAt!SN-U%e$F3ReFVRaeVs6Yf5+-GcyM$3dsy(J
zE^zthbgM7nvDL5Pq1A8Tr&xUpKi2AZ@YL!D_{i#m3;h1v&+13;Yg_#ku6gC~FTT&s
zYXR51O1S1#!8NZ9T=VMSn%54ldF|nvSMWB!4@cScj^UbD4A;C;xaKv5YhDFh^IE_)
zuN7SLs^FSe57)f*@T=MV6~5i?gXT4ct9}C4yi&O4HG^wj1$=D%U&1x775oNPU&A%8
z1|C`c7Or{q@Z+ui0N1?2cldpatv-TlUK999RzHVpUQ76OZC-1*=2gR0-@-MoEnM>&
z;F{L~KC%3xjo$~&D}tY5^$A?_%HWCB=Wxwy4!^V2mvGH%O}F|DT=Qz-_q6)po&NP|
zUL*Ls?0Fc&HLnD&c}?M(R}R;_7I4k0glk?ET=Uw%HLnh?dF|ku*B-8U1@H3vrg@Fw
znpaG>{-Jzx;mBHs$pTjk;Is9C!
z-@rAm7JfUM*AA|E4RF;5@AI!$^BTc5uNba*CGdsipTae-9R6ghU%)l5627$h3a)u=
z;OAL=2iLrI@Y3q{aLp@tzu&j#T73%Fyr%HpKEDdM=Cy!pUMslfRlzl{2CjK^aLucS
zYhHV}<`p)6A2hEqT=Sa1HLnz|dClOOR{__&mT=8$1=qZ`aLucS-_7o?16=b8Kj8O4
z^$}e2n!q)$46b?2;43?CbGYWUgumG8*Kp0NhOe!@g==10_^YgbfNNd{cxCmY5Bh!6
zydwA;tv-iqUURzLUnN}gTEjK34P5hT;hNVDu6Ye`%`5njf4!R52(Ed>aLp@$YhF{h
z=9R-WuLWH5D&d+}1=qYbaLsEE*SvxY{XYDj-Ctw4<`u(LpTae-DO~d^;F{M0UfX$F
z!8NZ6eu33DaLucOZ>+wDYhHW!d#pbEu-`Y$YYcC!egfCLQuu{dzl3XEEBFI!UNv0v
zYT&Bh!ZoiRu6Z5cnpb#{--p)nM{vz+0>9YmGq~n8gLhUxhihI-_$5}qhHG9md~5YB
zT=Uw(KX3J;kNADiydwCw?Rl8MHLnb=dF61;YYx}EO1S2=hHG9MxaQTuHLo39^BUlq
zSJ3+X(Y!`*%`1j$UI|?Dn!+`&9Ikm)aLsE2Ki%%H4z79a;HuxlHLu{KejhZiFn%4xbd1Y|TYX;Z6
z=5Wnx3D>+@xaPHmKho~60j_x+;Hn>8?Ds+Qir|`80@u7U_}?#aLsFg2eJG9UGNFNKbqGFew5Wu;hI+t|DN4n3%KT0!Zoi7u6b?X
znpX$cymoNSYY*4Fg1`6spm~kqnpX_hyi&O4HHB+l1zhu5z%{QGT=S~nnpY3ky!PH;UZYR?ebBrj
zxaO6>HLnb=dF61;YYx}EO1S2=hHG9MxaQTuHLu`P{`G2JBlwf-{)*w6R{~f46s~#Y
zaLsE0*St!2Waq7dYhD}p@mAl#HLo4r>i2NXEBHshZzoy(7_NE6@QKx@aLsE9KgH@-
zaLucN|G@6A2CjK^aLucSYhHV}<`rJz_d)X-!!@r7T=Podn%4}jc@=c)&l0YAt>Bth
z4cELHxaPHmYhFEE^NK$0_eb-Zz@KUNR|eO-W^mQd;hNVHu6eEDnpX`^te-7h^V-7i
zZ1n?N^E$v&s~>&F?~mpc!S8AH30(8a;F;CuaLsEDzpvGA;F?zp|GeE_JGkaGz%{Sn
zv;OsJUL&~X6~i^J1g?2a;hI+t*Sr>R&8viKUKL#P+Q2oh4z79a;F{MSu6YGpzi*mX
z3fH`*@KfIJex9v>YhDYu>Q`{htAcA@4P5i;;8QzqJzVqJ!%wyP@N<42G_NsyX7v-e
z=9R)vv-%la^D5xE)i2?i*9v~7)o9pIW*_yxZY8_OTTHLnT$JyxH=HLn@GvHCe&^IF0$wE8t%^Qz&k)wgiXYYV^F
z>PI`j51Lm5KiKfk%8@8O!)9{we(pZu%eH_a=BKf>lUgKJ&|
zT=h%1=Cy)rUNv0vYT&))-@-Mo9{x?MKfpDw@JoIl2CI+Yn%4yWJ*&^)n%4}zxB59;
z^IF0$xB3>Yd2Qjpu;<|b*SrpJ&1>{!zYm&M1lPP0xaO6?HLo15dClRPR|(g=)^N>h
z1J}G-xaPHkYhD9f^9sJ=_eb*@!8NZbT=UA|bGyG5aLucPtGTEIiAU%@r63Vy8B_i)W?55LUb
z55wN?gXT4cZ*9I4xaO6@HLn?5^D5vY%fEzcUMu*ut-gk9UJZO~^;@{+)x&RK^#{1-
z6@Ja{TV(YST=Sa1kGJ|cT=QDOkFx%+;hI+s*SuP|=Cy@uUISe7I>0rr(bxSxXkHOq
z^Ge{FR|eO-a=7L-hihIXT=QDPHLnd^^J?LmSMUx0dNr>R{4Z@@FN~jRwS!Nreh=5Yf^YhLJH_h9aLp@*Csv=rHLofB&Q`yI
zYhD%n7@JoE*StEo=GDVBuRUDz3cuy|LGv2JHLnR=^Ge~G*9@+C6>!aK3D>+^P0m?wfYTQ^J?KEo7WDmc@1#QD;WIi
z)x1V<%`1j$UI|?Dn!+`&9IkmS;F?zn*SspY=Cy%qUL9QX+QBuiJzVn&zT@{z^Ge~G
z*A)Jt58C&?;F{M0uKE>R^Qz#QR|D6)I{3`aTMyT~_VClJKK!oV2hD2?is}*Su2r
znN~l8YhDGsu=*uj^IE~rw)!nx^XlP0vw0ohnpgPmejijH!8NZ5T=UA{n%4|IxBPRs
z=Cy>MYxQfm=2gQNR^P%kuPyw^RzJWsuLFE(^`r0kebc-m_<2^J!!@rt{Q4hq_g4wm
zyw-5lZ{V6&3)j4MaLsFgmzF>HzJI-%*9iVxtB>KDR{~#I{S>ZwX=S7=DiZexVeuc}?M}FW{Qj0$y4E6R|T=Sa4^*k)$n%5e>wfq~n=GDSKZ}mI4<~6`~Rv-Mp
z?~mp+f`7^CW4Pv(znpaP^`U70^3V-PLA+-7ku6a%1$69>`
z*Su!%k=4)Pn%5G3ZL4qLn%5S7{ZG61!vU^&9pI`T{mAcw<`uy|JaxZ!G=Xbg8GLN{
zbGYU;hu^^JOStB>hDTPvfoonZ{CKP1!8NY|9$S6zW4}L|*9d-+)lcD?R}MeH=Cy!p
zUL{=h6t$(HLpGVWSdv`6Tc6d*BGw)30(6^;hNVBu6Y&k%2KV^V-0lZ1o*n^V-3eR=>sfUnHMU-*5PKgHFL
z;iG3bkKw^zI8We_c?KVu=kTMR<9@Gr31246;i;_?!>6`R0^i$pW$@hUbGXh)3I8`cR~z`HZ?Jzq<;s43t&_u_`fR(u
z;9q!~^9}qeC%OABILcrDQu{i248P2L3fI01xc05!r+&-j>EP#Eo;_SS(_i&-#uwW6
z%izCfzJmX$c>{lec@IC@Jp46(U-f4KSAS-3UGEaE>+RvM*S=Tr_q~$&1b!{^8T?M>
zOSt+|!=GUFTlmw=4{-G%5B;3W*4>WJn+VAtv?S7oVFa5Z?
zzm{~Xui?+SwS8R(u63eg{C!9N<8sFE_D9Yq@cI8bPvFZRI#1#GQMbI}^EHD{f7SUE
zo?pp%PPcUmcw|0@Yn>%r{jcG=-?#81eY>jPH?5Pwway%_xvb%Op0sd1PX@U1q{sSs
zreo_H{kqPVaOJPzI)_`h_KmLQ@2hn(xUP2&*E%h{zlqD)!Kdb1cxt|bPt1FGU_QX3
zMOYV*}-+LqF?{Nb7pYWSMbS$T+SN4H*er8
z^A@h016=!#Mt)A6hXk(kki+$P-NGm5xcoc%na+E7eunb_UY+fH56{iRYxw!kyPbQk
zj^U+w3}2e3@MAyX{+v?5)z1#De(vF?U*y(Fuj%Lf$J@J{EBK~#*IU7t<}F-#2DtK!
zuI2Bm_r?US_r@Hq=Uxfdb8iFBTlan#T-)FG4c~E}k2(AS?{)Rg_0
za@V&7d~Uvk>-~R#PlA)K_#8aYf9lo`ujA*bj&}89_|)oSc>5E#P6FQ_oM-T<)fe#G
z_Fcdywr>eSC;btSI%(k_p{gegezwZSIz{koEcm>3wW-6
z!j-dxZ?9_S6Rw;!Tsa%Ka&~a#9N>}q30KbWdVW8bmU9eO&KRzo30yfdxN;Wo{wj7p
z;mTRUQ}q+BoHblI8@O_IaOE7}mE}CZl{5TJzn_8n30KY-uAB*6IWxF&7VupCgezwW
z-yUn{6Rw;!Tsa%Ka&~a#9N>}q30KbW`hGuGmU9eO&KRzo30yfdxN;Wo{@3h$!j-dx
zPt{MleSXz&L>h2KjF%mz?CzDD`x@E)lax`mhkP>
z?0mwNvxX~Y16R%tuABorQa|C!8Q#$E=gM-9;mR4ql{0}WX9ic!0^a|solm%Omhh?i
zN!R&=D`x{&&JM1e1H7`F2e@*EH}d;AQa|BG`UzLg1g@MJTsaGPu71LmvxN6oxAO^C
z&KjXLw`3pDW8bhAU?bSIz{koEcm>3wVE&olm%Omhh?iN!R&=
zD`x{&&JM1e1H7`F2e@*Ek>Age`UyYMPq=a>aOKS4%2~j3^%Jg~B|I3}`GhNH4Oh+v
zuACiQIR|*8e!`VAyouk>&9A$hW4Ln0aOF(k%9+8Hvw-(kw(|*B&JsSioNKsp)^O!)
z;L6#-m2-esmh%8t&hVywKPT!ZTsdR7awc%)%;3sdz;pEzuAC)2x`v%kxN_ETlTsgzz{C;ljJ{rT7GlnZ?0$0uquABwDzmlC#xN?^8mF{=Aa@KI=Y~ae-
z!Ig7>SC;btSI+Qwzn@d}lWx!X7_OWNTsbqiau)Dh{e&xL2@mY+RBQN=e!`Wrfh%VR
zSIz+*sh@D=3{UX;xwrdh3|Gz=uAB*6IWxF&7V!R8?0mwNvxIMSzr&TYhAU?SSI!Qu
zoCCbFoCmmahBx#3Iafd7${E9zGl45-23O7;uCL#A@ac73pLg)~n$8D!Z+?KM=Hbo#
z>z$g%@cxEw{RBQ5JI~-t%Q=HjtiFI(R$s!Gw(lCQeQUV(ZQ$CsgKOU&UccM@{L%sb
zx;xp=x5R$mo_rVkz6|^=Rv*F7vHAqwUGDZx;TKz;DO^84IfLK)NACMFIs779XAZyQ
zcii_W7I3Yzgnz)UYX!gVtKGh9xYnuQpR{#0aIMq8wN4A)**aUe*4e?eP7nV#TW1f~
z--|iGwN7vg|2+K2))~RI&KRzBBKT2vcIRpW|L3>4c_nbIlftiM>rCOvNA2hL;94h#
zA7|^#;aX<_*E&o17wjCa;kP}(<*DF5v-$?E`WAkv)$ib{@8P$x>pH;iWFDUA&$qgf
zd+v?lOY<1MHBaGs&e!n$&D{D8d~V*sr#E%=JNj|X2Y7Gw2Y6~8-qOF`xp@pXLQS1z?E|WSI!cyoE2Ps4o~v0t2)u<2w$4V@XgI#eFC4DXYkZKhyV5~-F;oc
zm2-fvZsYbnz;pBPR{nKubzSi2x7<20Ja~a!7d(1`^9-IA&S&uL)_Dn6{xw|rYq;_^
zaOLmd{fphcJ9zqd=L0;q{0I2x5?3GJ+V7|GCvfG@;L1OPD}MpcpXK&l&@F!nUt0b(
ze0928r=#0B*};{6fGht2uKeN2et+_(xP8a)$nwYV*77It!15Px^?w0Z{t~YIYq;{)
z@R8+j;Q60hKjF(qJKw?Qr#TNNet(pI3|IabuKWpH`7`+Tuid^gcy9M^0bf4S)i2=v
zL!8%eWmc=WqG_jLvXAhVTExc?MVh8C>}bxbiRH%3s1K
z&vE;%;i=`X;eq9E=$3zgEB^tm{NZi<{wV(#uKY2)f40k?z?XLaX7Jw5&kR0#uv@2u
zEB_j<{54$p8@Td!@a0R~zB_nj`3HEQ=RZ7}xpm^(`u$Y?1g`uUT={2kaOFS1l|MYi@6YB%Zr?FHxBM}@wfqTu^$%{Hf_@w4
z3%K%^aOGdamA{7PmcM}qkF|c%&vd?nk9N+(+xh)b|Hp9UkKxLnz?DCPPwo9@2CwEW
zPXX`k`LlqJ{>9bTaOH2{%HP42e+O6o0UlWX1AJ-cC%nDi&)m+>7{2;rmp`N1`I*6$
zzkny&WiU&EEZhAV#qSN;y(p6~YE!2|360FSKy2YCNLw@#e+{Z#%0uKXEX
z`DbwDFW@8V{{o&`{u18n{U5$R)#dNt%D;mv{{UD116=vTJNo?@z0mDDhUb<)h6j57
z(=C4iSN;WD`AfL+ui?sH!}m{j`5Sn9w)GQU<<58T;3DVYZ~OgG{xMwnW4Q7saOKb7
zbIU)2SC+qkFD?H9zIva_U(@aR*}#>*gDd|IuKWXhWBCv8K=1!|^7~mm%;g-z_l@%m
zuKv&9%3r{he*sti5}b_}ua@;JNj`gs0a3HGK1Wm%oE6{|>JF16=tJaODs0>i1_}x_!s+
z!1BlN$nq!fS^hBf``KFl
zF?{qImp_9m{|v7D1zhmTK)rk
z^lrCK{5yU>l|O+ie+F0n8C>}bc>XtT-vzw2{3X1y{A>9Boo<~DuKYW=@(*z3Kfskg
zyocYP$nuZjmF17&OUs|Yw;PwgfGht3uKXoj`PXpeui;Dk`fWqk^BY
z+xGy^t^eWg`u$9;|6};HcI#wt<)6WozknG=;2EdLC?f1_Kcge(6VuKYDz`5U
zaOFS1l|Rh<{%q~fk7Iac&z~5c+VdxYPcC-(3%K$x;L2aZm46La{u(~D_lE|aKGyn4
zKg;NF6RusdWG|nZeKrK!tK{*2+hzWxtyEq?+ZebD7E;L5*%D}M=B{xw|rYj|+J
z+qZ$Y*8dLPTmBtwBn(C=qz`N#15QjNGncU4Dt`i3{tT}CGq~~>@QuFy5AW^s
zw}iKre+{qR;qrHI<=?@Te}F6h0j~Vv{r&z#PjmZ@;korchA%CD0-siHodT}>3%K%^
zaOGdamA{5>?E7~OJh1#7ytn*2`06b#fA|2uKgvIbD}M}E{sgZ489cY=&kP<}{sJE8
z{U6@G(&ew=%HP11zk@6P4zBzId~W?ez@x`mKTq}hncC;?7@j}C)n{P;%{nV|~!IggpSN;L6{0F%5hkxw%XZu%f-!VL}`!|M1mOp`~
zmcM{2{{pW3C0zN}aOJPzOY46_xBhqV-hO^*2e1Cn^&y=3{ZalgT=`?T@+WZR&)|W+
z{twTs{{=jFq@6dq<*(t&-@ui>gDd|IuKWXhV(&i(c%|q6gZ+M{mVXS-|G-^W23P(W
zT=@&Q@-N`ZU&3>Hey-uEp8xRN@;C7IelGt2SN;QB`NKc)`=k70xbnyF)XskbUt0e&
zcx3r!bjx4Dm46La{u-|Q4P5y<`2IZCw;epS`~$pygsVTmm-lrZKg92+@+WZR&)~{G
zgDZal?_cQlUC69lZK|w@!Gv-yh{4!<9dVD}Mr4{tUji
z_vabBvit?z@-N_l<*(t&-@ui>gDd|IuKWW$J>T{10FNwx_@{n9TgyL&=fCIH$>7RA
zgDZalSN;WD`AhiH@~`O=m#2nDCp&N8ZRUJ{EB^tm{NY3W{wV(#uKY25<@QbBy?uUV
z@TEOJXYk1KmvH4@!JF16=tJaODpl=J#j%Y`5gDd|IuKWW$u=8_(SC6%Rp5gbiJ{&;L5*%D}M>!ly3bsytngH!&~cr1D|}>tuw&Y{{vk4!!!Nyt4k!;FB-9bxOGMui?sH!})bm45+O{t~YIYq;{)@R5D}yn*NT{?@?*dw<)(SD$kE!$+b&_WT*c
zl|P0ne*#zj48FIYf0)5j%U{6zTf3YK_~?_)YqcyH%CgD)-r48Fa)>wgJX{xw|rYq;_^aOLmd+vmG|cktHo5AfXbAK-oJ
z)`|bj@8|SO&J%cUp26o|arHC!*6IuR%6tLeeA%s2!l-24C^
z**ejq{r)`mf%f~X;8E}Lui^Wz+I7Jr^9J63!_{~2)_e!=zwYY8v;CaPGlnZq3?EsZ
z1imrP;L1OPudKd+Pt6zb>TA{?xbipfy{*&1m1hSJzUkH<;Fb0B08h>1bN=ssCUE7+
z;3La9gKyLyxbiRHbE_}m6Z17ZvVL}S>%$H{QGeju@3_7l;Pb)G+hhFxR9Cvy760B=
z43BL61g?EE_{R2~!Kb!w0pI?w%TvO&?;5UsYxv6cZQv8zw}X%DdIz}nJ;1eZ_*lPh
zbK7?eAKAV!d>^JNVZ29pKZW
z+`i%5@0<1=!?kY=AKAVMd}I4&@Z9=bz_srJu6;}R-sZT5uWa8Mp4xft;M#Ww*S-UM
zYx^GHbK5t3oZrvh`W(ZxZvxl88GK{=&frtqw}7{Hu1dJ}UBk6+4PV*54SZtzcJSq|
zxN|kY(`!0E!1vd(bNG0_Z}V$AAH$=O^BA6A-FX7vnrHN5T>T8bF)!eiEKT@-@{*RK7NAVhuS=aZ_F$BnGbZo|F(lG&mOKk<8%FepR0Z0%2~jba|Kt<
z0Y1Nh>;D0s-pG0QL_g0eaz2KSuJ1gCude4jf$z;T`1U%keg@x|7x1m+U%*?dui%qE
zvGV{wG8g!fx%|1`2lYRNtN#`J$iDC+`@)ax`~UoXkDLd%@)U68>EO!~T%ULF)$z^;
zcx3elcwqJ6!q2%q&aE?sZ*J;5gSWQ+46Zx{TzM97F<-%7Z2w+x1Ao=c-1EPO>)#g+pXBHN
z+SA;=6L|9w_q>|Hd-EmyN~gK{8h(uV7Jh>H0j}R)oj=*nsr(&$bsxK5;OXt`et}1)
zI6uHw_jMjV#ou>+qVq94y}k1ozO?!TzA`W1)$h4=7I5V+;mW^;D}N1F{syl69bEZ$
zaODr5>i1{$`_>=0^2c!HPvFX*!IggoSN;O7{0q49SMVo1$({f1m-rs8^Ev)2zYj+}
z$E}mX&wsGp*YG3vHT*TTyN??9(a(14^zet;?}1O3ejZ&{@k@LK*L5{;T~`m+b%js!
z_tkYx;IDY1%fE!{z8>JgL)^JKz@tYx51;Pu+n!|o>uTV-t`5FB)8*X3bIUWp1FJv4bzR{z{66ctBKS|9?&h1p
zulWq;bGXjc8m@B~oagWRnb)~>Vz|~R;qBS34{P}79OpHBYTm#DTc?AkkG4L;mxc2I
zK6#Y$1AK1v;WPc~U71I4-A5T*_uU+>`*aOo{fFyk3s*k}xc&HHJ1dg=T8pT
zd`tKvbNAfaz|S$?!JqYL_nwnJ%g>|dNe!Pq*7d)E=YQ$EgGc5&cxCGh@aSBdFMR(P
z=V9sR%;(O>@W9rO;Un`Du6`D9&1(hMd1&B&W$&5Mv;CavX9;hg?DDVS{dvx7c>WaU
z4Lr4VI{4en*c0Pu0tUiXf<|$nL
zFW~C`3a-ik~jelMDw$GgyK62M9
zWBr6zHpdb^db_J%!#7r6!&~zfuCKQYaP@igBEJuMPfOsMV-D9GOSs;zHgMgKJNS=n
zj_Hg2JepSx@89S8)4=nOIq%?`*7*(|z2Er&-&_3wK7Eg?4`1TvjNa>f49~4ThR@A2
zxUOpk*L4+eUDpDx>nh>F2VKrJT-Q~@bzKcy*VVywT|HdqCw!^jH=UmeT<3NMKl1($
z*Exw_=C8l~M|Zsme0quV3_dcS!Kb!P0Uvd4odtaPapxtxH($e7<~6)BZ{h0a09QXp
zYrhZbX9CxAActRI-$yIqZ$HESyaR8{ckqkNgO~exzGNQ5zhgdyZ_O8QeV?v}>pWzy
z@b`^AY!A8GQ0}=QDWv73T&0Th15o$nsS1zkj`ZAL!uqneKeX
zukx>V{{y#v0}M^J9uQigYU28)*0Y|)gRz<
z%OAeR@59LIBe?pugzJ5>hJWHe-8tOCZ)g9m^a1{k_qcz*IC`z0=e_0`T+j14T+jbC
z{L7cP^;@_;HwXAPt$tMbdA@I+!_|ipu0Cww>cbAMJ_N7x_x+Idp@8qN=H|YD&*i
zgttdKU&FW8abCkmR^Pzq$GG~Aer@MF_{7#3;JK}HpkK?a6TaT>LvQ!d7(TLfV))+b
z6ZrO;Zv70tyoU1`JpXm)1$=*X=L`78_ATKPt6#&HHm@2UssHe$`U#)g91rl^)(_v{
z_fzL#44+)jT~`bbY~KW~^N`W)Jj~!a4+UK3VL`X^P{MT{)^MGN8m{xuz;zxvxX!~4
zuJbU!bsi3Iormy^e*bkI#&Dg7m~Q<~;YW4u`BuU2a*_Mo@8G}qxU1j8kGpunj#`gWw75wN=yY(CRgP-DZ_HaG7!#DYP^n9Mc^?aVe^}Joe_582ldTwvw
zy6>M-YHz?VFA~97~s{7-1GbZPfv6nUVuC|a6X3jx3JFz
z_})HW68Pu@SD(RG$2*_F1KYQNZ*J)77x3kA&P#Z2dDig#O8xSr>0`1S2M-@=dFNAM%}(cAr;NA4r|
zk^2aK0-h&TN0V`aFlL&uh5)+``r80j@re>^iis`kcVk=L)X;9bEbMaOEGr%b%C>r*P#j
z;L5*(D}Mu5{vNJ*h41$BXkIz|$6s@Qo}I%VQMmV(C46pP(-V8nz(@DA=L|eI-@*Ia
zxcULUx~202d~$E+;d}h+-QUCc7{1D!$MAOIJb|ZobDqKHmS+a<@9ydg_|obZ@QwAY
zgr_IFb=L6Ucb(VpD0SYzr}uK+!Grra-@zlRAK(-9A6}Wq@Adn?xr19jf%oPaT<2j1
z*Lf)5Iu8r@-sW4_|*EagX=sD@Lc_b>pX<-^ZTjuFow@<
z?lHW#>q_7{4;ftNVFuTEDBywRU%+)9D!Bff6};cSE`9FDaDDDi;riTP!1cLb!L@G(
zPw!`cPK4{dblmtkqqFS$(eT^aItBbe<}0{9UmEypzwg%X;cqq%Kj7yn2UkCVzsbHn
zIfK93)>*>!Ia0&bpDkRUF9-OG>~kUdpr7-l<{4a{M-}{K_jYsX;F{weuDOgq_W
zdcQlLQ}~Yy
z3}61e^9ek-*m(j^?Z5SZm0$BJP_Of_g6qC+;JUASxbExlV=kBW)qOpI>%N}Bbzd*x
zy02@v?&~dF_w@m;`#So#pHugB2G@N(hwGfL;X3D)`aFfJ&kMNvT*1}n
z4z51$;p+4F6Mi4m=M=6!7jX4?1y`RNxcc0~)#uR8yZWO(PvGja?hn=LoY$yVpSN)J
z`2bg+qkr)GqdsSF^?43gpVx5pxrM9G16+L`b$%Z8If1LsIb3}%;p+1Su0HGeq&};k
zu|2os>gN=$elFnZX9ZV3JGlC}hpV6CPx<{(KU28+S-{oL69bA3e
z!_~L3y$`An>RSp|-}L^ddY%6c_3GOmuD*@`$?uQ)mcrGy059-eZuKvv6>dz9c{?u^wXA4(<4si7+`WHW^
z`jf%cpE+FpS;N&I{W(Vc(YcE4&o^@2r~2~{y+^&)Nq2sJ{kgt?>*u>#xW3LX!1Z;8
z(PjSn`Z_}bSNXF0Fob6dZG@2&qGeED#<&JM2n0bZTy>JRXd
zdH5B-pHsW8F?>?Ebz*pK^%>pfGJ|U_1zdAkz(?vcTyt5&HJ2K$xioOirGslOJNVY-
zGQc&L16=jtSN%Tk?L3U(xy?6*r`CrAuDN7z%_WEH{wm?RPd9Mgr#rZw&uQ;pm)0-f
zs_)?W+|Dz6|L4vJ`V;Lu!$*JSJp7uUCwPqWF?{<3=P`VBuJZ)GKgW3n&mZl42H)HB
zr+}xn?*cx3yj!P)w~uqard!`?_}2Dq;7jXI2Ort>?%)Qa=91n2KG5m(#
zf6Z|W*Su1=-e(H9-e*>Dy+<{0eZQuM>+ctb-}G~yU%2lJOyJKd-TS}{evQ`EFX1;d
zui>{a-@4*zT@w!^Pj-^Vno&POd=l=lL`7i#%&pBGS
z_m%~`{eSkJ17AMb-gDsXlbqM^%GPP%bF1&*Bdg!RC*}h@GC#nlwtn=V{`DUD`?hfX
z{o*ayn|0|ogI8-
z^#i=M`5xfCdH7%c^={3_@VTv@!qxu*uKus!>VE@Q|DzxHd9;28SO05xdY<(Y9z4_f
z316D;=zs0%2l&L+Kfqh_@W1{1z0G$FZ*AWgzPI`W9z4V4$>I9*V+q%v`!;aRCAi$r
zsXoVW^|^$Pp6l|g;al?>zA|s%%kyn6@J;D_2d|#xe1NCs2Y7BC{?NbPsreYbf3{mc
zg{#j6Tzy`_)#nC&>bKnccJw1ZkNRK2SAXO3tl{$)Ij`Y?c>|xn(A9VF&GVh_;K9oI
z0G~e3`2il;I^mD~>&mTu4By!LDO`W=xPTw&GyF)O;cqzG{=OUho#x@e&-sTJxxaUo
z!;j1buKS{gEB_w;@3wFH6MtXTPvJka`Wha+()GWAr!RNj!TYuI9lUyt^8vnniSq+|
z`BLZMPyPH8s~^Ls<}o}qPvF6;-TDQ5WY@cZ>v~JLu6GUB_117*Zv)r$c5q$q4zBAR
z;JV%eT-O`@%HC&&w!O#8mwN4Dzc`o768{Ayh@a^lJ*YJ&b
z0}tNl>O1({>UZ#o`2gR(&aHER@6E&i@vpZxAH#FIt`x3*R&ez#_=Uf|Jce)1anGMA
z`~&6{ThXcGf
z4};>0pA6CWH@D_v_{#F6aD84BaD9%i;D7&q_w|ql{uT2c{vYP)ulPB&egW6|EBM79
zckcrY{44tX)$n&c#+|G1O8&kNGM~WDGM~ZEHDAJ?W?sXeZ@z`U!u$Zgw|R7BKj)jw
zGr0OZhpW#mT=N~^`aB&SYpEX?l46fqut9iw6^?3@{@9|r}wQmJKvTx|`t94@d
zk$vHs?*gv*R&dR?gKNHfxaK=P+Rv%^rf|)-fNQ=hxaQlyHQyet`G&{%dDQ0#Tzy``
z)wde1zHQ;^TYOc2-^owh=S2dqe(XGhPk-oq2A`W3@aW*`7x32BFX0=@vxZmZHGE_H
zHt>~s2M=uD9lWyo0p6P*;H`Odtl!V~KhAw#Wblj4=Wxwy4cEL{_}gur=xYAHIu99K
z>(Aj@e+}3A;nn^1^Z#*k9K+N9bsobvKX;zMTbpAB-~7VW&)~h)7x0PIFW{BsEa4OL
zH9Rn{=|6RO8v4(icksRC+`&^@XMm5)5Aeu5`gOnm$3Nbks~A2upTK|1Jb~ZYJcCzP
zKlzIHzZrb;8_o-Of2{Kbd};M1e18pBzlKLvU&A-Hegp5X=GN)pBU@(&*E$1yc}=&@
z0Y18_^Kj(%e`P*~Pwcv4czzYPP67|CK7-G#eg@y07x1n50=_XX;VbhBuFvHTuJ?yM
z{4;ib(rftrdDw^C`+Nb{`YX8B8Q`n2%>_P+Y%bUI_nqIw`4}EpeN4Cd1irWW44zw_
z8N9lw+qZ!Cw$1{sbxQhiZk;uJc^&69Ji4y)20pow^A5h%eE}ccz|{}%-s%tV-13Ci
z^825fkKvJd3=hmx`1_yWo^KUg=cj`&tbPyIxgB5ICoOxXxh(*Lm*XNA`s)=lD1L
zeYJiG-`w2we+`dr?YxH1Z|S^&tGNB|dFoWy53V3yb%d>#1zJxDr-!)u)sNw2E16Ln9xcabzs}BQQeF(1W_j7OO
zIffs9uDdUmaGlQ@u64F>trL&^eS=e6KNI-KJcDm;40^VEx1zh<{xbm;z%3s6P
z{|2u79bEZ$@ZS0#{-)obt>quXl|P0ne*#zj46gh$xbhcpXKcpU}^A^%;C+>&)O3v;&4d2|sc>@pb>b!%uR=bTe#Mb
zZtCx=`#OWa{z>jRGl#eKb1ZB4o2@=P&R>7|MAy$TJX$)B;nm}uC-AL#24DS!tDnI~
zwr>G%&vo@n_#fNvNiN|JF<-%#$GhvS;994KpJnT8;HjGUeqOGGpMR2jE^Xj>>+%FQ_xDZT;_`>^
z{2k6m@aoOZBe>Ry;oG;l`Uza?q;Rd1!TSr`I#amT$>Cb3fLCvI>&)qPT}!yuDdBVL
z+X}8c6)@KtN)3alD}`Tbva}B
z{!`8qcyIM7eEUgPKZW<7b3TJ_%$M+A{FQrt_HexihPU$b>%DOT*S~){gX`z{mvH@i
zvOQcs|CZg_-*|_!rS@#s{a$Xa?aq&xrA#jHC%Jq!cVuqM-biK&+~*Qx%b-)uKaVj@~`0!
zv7Zlb;UD;zTYrFO_I@(DgP-R`_IsEU`2DRuho5HN!j)%$>-jTE{C)NF?Fsx*c3m5I
zb==uk{0VjoKjYc<`2~OVtL)zog8$QVT>a>dexC2V+SSMK?^=Bdzs!6F|1a}7{A=bV
z{5$3qd~e>uzjX)q^}{V(`FptX@8QZH{I=f**3@MoE4@K>7W@VA&R;2$(!
z!8`LBewld-|Bm?%e!2M`ezf&DytChjYnVsy>zF6-o0(7HcQY^GGxH_OZ{fdbzK7q;d~`QI|HOO(zmxeCJ~f}iSLQ4D
zS>_w~pPO&t&oke{-()^Y{rvAYpTIwRt~;Mo_$RG?4!_KN1^*ZG4g6c?Tln|Pd-(E^
zlPf-F2l!8{eh+lrC%EKYRlik
zw^rZ5FR=P8yfN?Lt*tY_FShzUd}|)u!=HO)>xA$xS^Wt99rFmjv~^
zxuo#i*2&-_tDnMeXr9AUTc?1ZX!Ub=V!nh|4|Ve`;rFuo75r553O+CFoWLJ$^(}mA
z`*!fhT73_1ZT$iM6sr&J>CZi|^+Wh`tbPQ4xp@R1>2m>ITYU;2o$mUO!B4VtGKIg-
z*2&?U)7&}*{35HL!!I#k!l$-Q3IA8CU%|g^Uc>hz`tPL!M|s|g9op2eIDS~G(W&^Y98Lp@BhSn48NOs41e?mZr=ocf2+^nr<>2<
zk2Npg=bJC!FETITZ!}-S-(z0GFE(%BmzsC*Z-eAE%@c~4*Yg`1bwv*Jb+&y
z58=1UTkyZgJMe$VBl!EfZhd3;D)Iq*^UGa+1fSLVCU9SMrtnbt;%3?YZ>oG5zKh(0
ze^2hiPn6f-=gaHxKga|4gYppG(fC{NMEMSU!E;^TB6weQVt7UQ0sJfS5qv9o0uSU<
z_>uDB|7H7ss=N%pMDD?Fk^AsR|6iAv;UD^q>yHQjnB0f2Bd@_Xm)GHY%LDjf@(_Ni
zyam5R-htmLkKm8WWB9A`0sO!65q#P6U4IhzXXI0ORbJd8+yCw4W%&Mb4?foZ>%(ui
z^B=fp#~*l0^#k}XX7#58!{7kKmq`o50^vehOde
z0yoa$mf8M)R$hj0BKP3mlKb#OwRI&msIp
zkKUn!P{5ZJ>KUwa>
zFO%2cx5(@8hvfmhaJrjsA^cV4Tkv<}9r%YMS0{q6B9Gx;kq_V%jb{X}$`kmk>P+Fg
z$%|WM`+ums3_nKh!5dnx4?jiu8vFuz9UjXAc*pt=zf<`Z{3&?{{x5k1Uqqi%F?>b&
z0KSHN1m8rSz;}{Q;op@Px6bzeD0vxvn%sk5Ecf9z%WLq5<#qV;@&LZzC7S>673D4X
z+VT#33wZ?JMIOVyBOk!~Hvi#?&42jOsxyWEQeNC9+y5)&Wq9cf*9Q;&2jzYEWAYl@
zSDiZib>##2obn;OC2zrd@(z3`kKjw_JSv7yl^?)YSAGQFK%T(AC7;48XS#kCx6Ssy
zCNIMqau42-`|!TJ1|Q4o@FO+O0AA>5{=+?a3x1aBbl}&@BlxW9#PA1|AHZLbkKhaG
zK5zmr%ctz%Z=c-$Yb~u@&Wu!`3Sz)m2UhAd?oo5
zzJ|P5&-VZ8@-n8Q!&jCM
z;2mw>5qwSM6L??wDSRX4i#ulfKPNB450QKDpUQps1@apF_wqXYK6wCtN*==hEpNdW
z{jKX~2fmyWdZLbP^xaH^OpX>ABZTSqm
zu#wCA@HyqH@ZlydUxSxaXBIxYnakJV)h(RQ!Mio*0lc8)HsBR4H-yirP7~hKa$E2j
z)oH^U>O%)!RX&2xseTVWt9%TfllS3GEq4HKZ0!0ogpXBc1aHX4@L8J=J7?$BC;sX7
ziz@uce>tCp@A7ZwbMQ0XcE7V|!0))qeQ(}`AF4WS_%T{;m#%ydKD&b(PanRO@e@EVcFZ8;bpH28d8h;zUl=5BpikrCSQG4(YE8mB&ARoe4k&of4$tUm`
zd12RV|9yE0UX@qiHTevDR$hf~C!d3#uKhZI+i|G@x8qC*|Ap!_;pfX+a67)W;dY$q
zz<;YcUHBj65&Rx`4}Oe1hCd+h!@sV1K7c>2{1E<}d<1_@K8D-8P2e^^CvcnpQ+T>x
z@0Oicwx1T^Z)!XxxE;sJa68Ud;C4Ls;KeuGemVoUg3rl&@RB@+kDqpR68M^n
z)aS=Pg?~+6+#}o19pz>CL2?g%wA_b(by2t68vJL<*WupcE+4?pQ9gwC1GqhRF@pbF`2@a@`Y?rmL|)u8+yAxYW%#W6#(@E^%r@H6Ed_=WNae!V<~-zy)$pOcT^Z^{$+l8b5n!&i|P_saJFOY$;&
zBe@5+`*J>fXXR_~{pEG|G4cR@hCGB{C2zs+ly~3{$s_ng9>W*ayc)o5o{Zs@C0(Bj
z-_G{4`*G(Lcp|UDC-OP?RNjOaR&n*a^wpgA>8m>*)7Nlb*gHG^=4YH&=%007g;&>f
z9>B+!tu=ofZor#YIuGG<7dvmktCu_Pz)PxM4zlC#t4;-8xyaS=;Byx^58&ze;pzC{
z>G%6GEs
zJ9n*f4?cU1^8h|~>Dq2y!MpMhKGSvi7QA<{^A3FO66X=T8##~RGxGAj+4UM;=<*eK
zSL5;EbLY5x0N-_EcYiE|A0ltTPn37y=gK4a4e}U1ln>yq%17{pH_`iN;GVp=U$#Fx
zT)qALb}YjW-qBrO)Zmt{!#}sLtJ8wpdz(9Odv9|D|Fz!R9K(MpAHeNB&m*|K=ef9l
zc75%=US;^_4sq-2!EdnlOT+Km)#dB(zsdvntMUkb`)h7{#qh~*zdXNP68O67Z#VB#
zctLsZyV><^J?8Eo`tb1;u6_XjdEnM7gtsqu`3Qc7@-f`<34D`R-TF@9GksUzJ0Ls$
zh3|Fi>%+TOYy9w!{lwJ|;T7d0_)ng6^EQSzZ*}z(_=$nbPvHgSy+(HY$G6;geE96I
zG=BJ!eOEt(H~--B5&Wad$MAyk3H(#aPvO0rTz&7r?D*GG-iOaBAHdhM@xv!KYW(mm
zZ2a)H@(FxL8$WzTdGCAK@$Y5hhYxR1|KSJP_~8xZBlr(({P2?U3H;bwG=JdDKdS!+
zWygQ2@;UQl#k&J!f{A3piLtDnGMxADW<%6o@o$G@P>ANY*&0sN(#wg18kx2gZ|ca)Fez3Vl8_~JHx
z_^k5Yq1o}Tq`VKGT&MoS*Hk`)x0R3JRpn#&jPeP5D;qz2c&!_ccUX4(yW9BT4dny)
zK{kGPN%;s~-NJpo#PGSZ-FQZDd;k9!p6KraByh`@!|ZyQSKwC1gIhkx@ep3p_#^nf
zIt%T#ZutQIE7gy3Jb_2bdxvM2YaYOR%7^sJ-1sB9
z@-bcc5&SoMyX)=*zTY?9dDIj>xzsJUd_;EqYpIS0zw#P4KkM-Al@H){KG}i)pYjph
z@-e)iagN~W`oh!og{SNLgPiq+r|Sz(*B5T%58>5IT%SAev=4Br6T{O!zz??V4!=p;
ztNg?4`u@bWFZ^2DzVK^o`@;9!&V9ag;GYZJJdEJh&k=kBm=
zhui*Mhu{769p|rK0(fOF=OKLNLTyL*`KlAa)9nbaUhL|O;LoZ~0-xDQ`!9U*OIOD`
zD%&4BuKMtvj;nR}$oc@c<7WuBenxQ1$8gIha68_5&FuKi1GpVmqZ}W>ZTlv0+rCq{
zZQt^bvg5Js>%ndN`f%I6b+~Qc0B+kigxmIw;I@5ZxNYAN+_rB5x9v5B+xGH~&i29b
zKHTyF+_qzs;|bihuXjv#x#o5FvAQ1;!0qpUh49IFZhwj3mXG0ko%62hAoX?@|AkKvXd!PotxJI*I?JKj#=Hh%B8?D|^X
zhg*IQzL}OAzz4r~|gE!TsmY$>+pANd%lMRoy+&~R
z`wnCHkv7lamM@=>?T@`rvI76H^#^YGI{cT1xIWLpe`@`KTfPIg_u)r59>bfu?i<1F
z?_!MMr(1vEmM{M#+aK#&1#W%z;Fhn$_t0}_0o?BQcHqbB`->>YM{v83o#c4=#O!*N
zc6Y}CFUJG8y>B*zSJnRx+~!FaZu2UF+xG|w-1dtp-1ZCar0jZG-iKR0fZO?72%kMs
zpPO*Y$8gIhaLZ5OmiK;|9lzy$xaF&G%g@4FiS|eMxApx<1KyB#;iUz>GXJ?5!N+gA
z{`BBI`4C=s%jLU2%dYRt`&1vE)`zF{;c5Mov-Q*Q!_)fkv_3qo-_F)g#}7~I!_)fk
zwEijC`sw)LX?=KFAD-4fHCsO&KRm4uPwT_e`ajRsFZ@UQ5xg|jd^jy94^Q)_=j7pO
z{*0VFJk6h(lZU7IPEH=4=6{jR_g+_j;LVBiA-wX6`u59go$L~8UuEm0XY#!2z|%VLw9dKNI%69TJgoyy>ztRZla2?T)`6#Wev_@!Pqbd}_EXM#@EQ3K
zUKy!x=V$9TUsQc~S|6U)ho|)~$ktEC4^QjE)B5nV{)O54>G%-IfQMP_Met23Rp4Nw_^)JrWZ{Mfw3$Hw?`EW@#UwJ@zy5%p;=F|G{#v`hK
zSvH^6ho||=v-z|>y!nvoUy;qH_2Fs$%4|NZ4a$_2KFKygi#w
z>%-Ie`KN3?txvc4c}F&%)`zF_ZII2U_2Fs$&TKxd4^QXYUDn09&ciu%;AtIrTIUhe*;?xbFU&gc!5f=u
zec?TM_tBjC@U%WWtq)J@k80e<~*rZ*QXYeL5!(Z(4qwlZQ7f|JR&6yt=W*^S5li8EAXKXZBJ4nQXp$
zwDR!6iON5llZQ7?aQPv8?q{m=TuvQ$siivbw9fN6b>Oqds}4M^^Y@%O^y5?qp4Lfn
z>cD%)s17`>^FmG?_{@(~2cFh>Fb=L2~AWNjDtobuh*a+V8EmkUpq3s08|PnSE%
zSuT8dn${PdE*G9I7oINnA34i~H-4_=!qer#)8)d`<^D5gx$vg8dmo-I7oIK`o-X%a
zIm?Bo+ZUcL7oIK`o-X(G>~iPMbp4Fr6?ymHIeB=ReOUebEC-p=M5JM1|BJz58ToIHY`C6D1($OrHn^C!pHLBJK6ESB`?EEbywemuPXQ9Uy;|~TgmJ2z2yP?Xn6?#sk{X*?56(1EAj~b
z+)XYY!_QOw0sMFJ5qv05;LpjY@VDi~|7QEY#$~*8E#1|zO}r#V7C7U$jk8ZoEwh^KT3HYe!9E{KTlqV$MOLFfINi1Ebqf-
z?{Vk719(L~gcs!f_htLgy<2tQ4fzm0EAKCqty8&Ib>I^l4}56jd4IM}*XqC<@*#Xy
z-v2x-%B3C50kgx$ICnL
z)8!F-S3U0?!!K5T0KZ*6fE`$$MA`K0DqsxIfAb!PvD=HPvPsyy(O~!xBC@7
z{3zvX@KfY<_=WNS9?L`cP~L*q1Gil|@I?6t{-!*Jm-cpb2JltoBlx=V1iqDg3O_(z
z{7|-^p~hc^AFI3vKTGbzyQ))zkK}cDVIR$B_;sou!tax};LpiB@VDd@5v+hhrZ{=
z8N)v%AHX+|kKnt=6ZqlsDg3AM;*#0ET_`WZua|r9JLEn*ILNJ64gRq5b$DC(0G=ox
z!Z-e_`~6@G{*Lk;`0}bB!995lUq?QGZ!RCfZC)ktSozXY**?!)u<`trc^O`nSKza9
z4?aHM)tQACE^^+2uX(WBE*-etmyY1;DIdePln>xL%SZ72Z@-b3
z;aAB$`2BJp{=B>fUqI(Yb@+<%0RDM-2wz{`f^RSHzz>v1@MGjL{8ae>{%iRNez`n>
z-z1;H@01sp$@c#lc^UqO+=DN4sE)(%#pN~l3i3MK?k5EBHIxtG8^~MmUFAJ^^Ba1P
zI{b;l-1sN(zVfAIv;BERc^}@Kb@glT?pDql@PhJf_OS3ZK<_dW^y;orMD
zQ~0r}Q(P|FhwuoOFT?G8(u1F>IzIdgc@2J(ybd481NbBI5dK$r3;u?@1OI^5D}t{m
zkKu<6)PMMAl^?-3ktgsud8wT3b7fmMuV&!4DL)IJQ@#OzNclFru$`;lga1|eA$(5x
z3H&u1|MJ=KH@DaL;qUu_>)R~6u!GCb(N}bJ8}MaSrw#9_P7l7S@kIGh=$6}n@1}eQUf9{?BY5ST&WG^sPR_^hrp7sef9M)_-dNVZ
z+xH`t*WLM29X>1Xz?=Va`2pOn7e??-)6ItjzVngJr||E|iyz5umlNe>_;>X8G(Gqk
z%KPvOP>
z^W+`)wekplr#y!5_^g|61NigGkKlH{C4v7-`Qpd2ef!|iu6`N5vfP8OE%)J@%WLpm
z+r+>;Km=oPf|XF|61OH&sqQBJ>?_#-SQaTwEn}p
z@)7)5)k)y5%ct;#k9F%?TshnSkIBpMugE?4CUPHMm)GD2$?NcwL>8(@vd)E_%`z5$Fu$1O`2fDQd<5TE
zp1^mNPvM8ki=W8$|Htw&{4BW#ze?`I|0J)$?RmdC{1N2?_}}Fr{6F#*d{NEM4t!;K
z1pksehHoYxz;}_4;D^W)_zChUe583>{A9NOQ+XMFmg;!$OXNQM_wpLN{8KkS>+naF
z58yA$L%2P6*Mb*L)cl7pE05rxmdEg~%Lnl7X+ds
z$vyZ5avy%Hyao@f|L{kZ58(D(TnK+v`4)UZ&7Tf@Ie7&Cf;@(AE+4@6mXF{^%MHPOiE%^8%=WTdj9(dX1cF%S7L%4mv(}G{G
zd6p1`Z}DSS(LagA*M_mG$22gp76F>)Wi_ut(-slm@yz7D@c9>DE>
zS_?i=z61aKg_`H^_2n^qYxw}ahkOJ-Sf0R-lTYDi$cvxJ_W2@t86L|$_#JW|{C@1pz!
zUig;Fmu9l#++X<_cvJaV_y(70{P4mau6`Tdyj5@`JJr)~W3rt+mPWXJ!a@-y)MKI%U_zDn~4-v5rvx8Zjy--8$S)%f9k