fix: fix docker and podman collectors

Fix docker and podman collectors. Fixes issue #237

CHANGELOG.md

@@ -1,35 +1,13 @@
 # Changelog
 
-## 2.9.0 (2024-05-28)
+## DEVELOPMENT VERSION
 
-### Features
+### Fixes
 
-- uac.log and uac.log.stderr files were moved to the front of the output archive file (by [rbcrwd](https://github.com/rbcrwd)).
+- live_response/containers/docker.yaml: Fixed docker stats command that was running in a loop and therefore the program was not terminating [linux] (by [0xtter](https://github.com/0xtter)).
+- live_response/containers/podman.yaml: Fixed docker stats command that was running in a loop and therefore the program was not terminating [linux].
 
 ### Artifacts
 
-- files/logs/macos.yaml: Updated collection support for auditd logs [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
-- files/logs/solaris.yaml: Added collection support for lastlog, wtmpx, utmpx, svc and webui logs that are stored outside /var/log directory [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
-- files/logs/var_log.yaml: Updated collection to support new system [esxi] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
-- files/packages/pkg_contents.yaml: Updated collection support for NetBSD 10 [netbsd] (by [Herbert-Karl](https://github.com/Herbert-Karl)).
-- files/packages/pkg_contents.yaml: Updated collection support for package table of contents files [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
-- files/system/svc.yaml: Added collection support for svc manifest and method (service start) files [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
-- files/system/systemd.yaml: Updated collection to support artifacts related to transient and per-user systemd timers [linux] (by [halpomeranz](https://github.com/halpomeranz)).
-- files/system/var_ld.yaml: Added collection support for ld config files [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
-- live_response/containers/docker.yaml: Added collection support for resource usage statistics of each container [linux].
-- live_response/containers/podman.yaml: Added collection support for resource usage statistics of each container [linux].
-- live_response/packages/brew.yaml: Added collection support for packages installed through brew package manager [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
-- live_response/packages/equo.yaml: Added collection support for packages installed through Entropy package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
-- live_response/packages/nix.yaml: Added collection support for packages installed through Nix package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
-- live_response/packages/pip.yaml: Added collection support for Python packages installed through pip [linux] (by [sanderu](https://github.com/sanderu)).
-- live_response/packages/pisi.yaml: Added collection support for packages installed through pisi package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
-- live_response/packages/pkg.yaml: Updated collection support for information about installed packages [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
-- live_response/packages/xbps.yaml: Added collection support for packages installed through XBPS package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
-- live_response/packages/yay.yaml: Added collection support for packages installed through Yay [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
-- live_response/process/procfs_information.yaml: Added collection support for entries corresponding to memory-mapped files [linux].
-- live_response/process/procfs_information.yaml: Added collection support for listing the contents of /proc/modules [linux].
-- live_response/process/procfs_information.yaml: Added collection support for listing Unix sockets [linux].
-- live_response/system/ebpf.yaml: Added collection support for listing pinned eBPF progs [linux].
-- live_response/system/kernel_modules.yaml: Added collection support for listing available parameters per kernel module [linux].
-- live_response/system/kernel_modules.yaml: Added collection support for listing loaded kernel modules to compare with /proc/modules [linux].
-- live_response/system/modinfo.yaml: Added collection support for information about loaded kernel modules [linux, solaris] (by [sanderu](https://github.com/sanderu)).
+- files/shell/history.yaml: Added collection support for *.historynew files [all].
+- files/shell/sessions.yaml: Added collection support for *.session files [all] [randomaccess3](https://github.com/randomaccess3))

artifacts/files/shell/history.yaml

@@ -1,10 +1,13 @@
-version: 2.0
+version: 2.1
 artifacts:
   -
     description: Collect shell history files.
     supported_os: [all]
     collector: file
     path: /%user_home%
     # lesshst: less command history file
-    name_pattern: [".*_history", ".*history", ".lesshst", ".zhistory", "fish_history"]
+    name_pattern: [".*_history", ".*history", "*.historynew", ".lesshst", ".zhistory", "fish_history"]
     max_depth: 4
+
+# References:
+# https://dfir.ch/posts/today_i_learned_zsh_sessions/

artifacts/files/shell/sessions.yaml

@@ -5,6 +5,8 @@ artifacts:
     supported_os: [all]
     collector: file
     path: /%user_home%
-    name_pattern: ["*.sessions", ".*_sessions","*.session"]
+    name_pattern: ["*.session", "*.sessions", ".*_sessions"]
     max_depth: 2
 
+# References:
+# https://dfir.ch/posts/today_i_learned_zsh_sessions/

artifacts/live_response/containers/docker.yaml

@@ -1,4 +1,4 @@
-version: 2.0
+version: 2.1
 artifacts:
   -
     description: List all containers.
@@ -96,5 +96,6 @@ artifacts:
     supported_os: [linux]
     collector: command
     foreach: docker container ps --all | sed 1d | awk '{print $1}'
-    command: docker stats --all --no-stream --no-trunc %line%
-    output_file: docker_stats_%line%.txt
+    command: docker stats --no-stream --no-trunc %line%
+    output_file: docker_stats_%line%.txt
+

artifacts/live_response/containers/podman.yaml

@@ -96,5 +96,5 @@ artifacts:
     supported_os: [linux]
     collector: command
     foreach: podman container ps --all | sed 1d | awk '{print $1}'
-    command: podman stats %line%
-    output_file: podman_stats_%line%.txt
+    command: podman stats --no-stream %line%
+    output_file: podman_stats_%line%.txt

uac

@@ -41,7 +41,7 @@ export PATH
 . "${UAC_DIR}/lib/load_lib_files.sh"
 
 # global vars
-UAC_VERSION="2.9.0"
+UAC_VERSION="DEVELOPMENT VERSION"
 MOUNT_POINT="/"
 OPERATING_SYSTEM=""
 SYSTEM_ARCH=""