refactor: change command line option
Change command line option from --enable-mods to --enable-modifiers

It also identifies modifiers when artifacts are listed.
tclahr committed Aug 29, 2024
1 parent cc2810a commit ca22062
Showing 7 changed files with 24 additions and 9 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,7 @@

### Features

- New '--enable-modifiers' command line option. Enabling this option will case UAC to run artifacts that change the current system state ([#272](https://github.com/tclahr/uac/issues/272)).
- UAC now completely skips an artifact file (YAML) that has no artifacts to be collected for the target operating system. You can use '--artifacts list [OPERATING_SYSTEM]' to display artifacts for a specific operating system only.
- New output file formats:
- none: Collected data will not be archived or compressed. Instead, it will be copied directly to an output directory ([#188](https://github.com/tclahr/uac/issues/188)).
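Review bot: typo in the new '--enable-modifiers' entry: "will case UAC to run" should read "will cause UAC to run". It would also help to state here that modifier artifacts are dropped from the collection entirely when the option is absent, which is what lib/build_artifact_list.sh enforces in this commit, so the reader knows they are skipped rather than run with a warning.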
Expand Down Expand Up @@ -42,6 +43,7 @@
- hash_executables/hash_executables.yaml: Updated to remove max_depth and max_file_size properties.
- live_response/containers/jls.yaml: Added collection of jails used on FreeBSD systems [freebsd] ([Herbert-Karl](https://github.com/Herbert-Karl)).
- live_response/hardware/dmesg.yaml: Updated collection of console message bufffer [esxi, freebsd, netscaler, openbsd, solaris] ([Herbert-Karl](https://github.com/Herbert-Karl)).
- live_response/modifiers/revel_hidden_processes.yaml: Added command to umount filesystems mounted onto a directory that tipically corresponds to a process ID (PID) [linux] ([halpomeranz](https://github.com/halpomeranz)).
- live_response/network/procfs_information.yaml: Added collection of TCP and UDP network details from /proc/net [linux].
- live_response/process/deleted.yaml: Collection of deleted processes will no longer use dd conv=swab. The binary file will be collected in its raw format now [linux].
- live_response/process/deleted.yaml: Updated to fix the collection of open files of (malicious) processes [linux] ([mnrkbys](https://github.com/mnrkbys)).
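Review bot: spelling in the new revel_hidden_processes.yaml entry: "tipically" should be "typically", and the neighbouring dmesg.yaml line has "bufffer" for "buffer". Since this artifact unmounts filesystems on the live system, the entry should say it is a modifier and therefore only runs with '--enable-modifiers', so the link to the option introduced above is visible in the changelog.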
Expand Down Expand Up @@ -77,6 +79,7 @@

### Artifacts Properties Changes

- Introduced a new global 'modifier' property that ensures the artifact runs only if '--enable-modifiers' command line option is used.
- Introduced a new 'condition' property that ensures the collection runs only if the specified condition returns true.
- The 'output_directory' property is now mandatory for the following collectors: command, find, hash and stat.
- The 'file_type' property is now an array.
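Review bot: the 'modifier' property description should say what happens when '--enable-modifiers' is absent: per lib/build_artifact_list.sh the artifact is removed from the list, not executed. It should also mention the "(modifier)" suffix that '--artifacts list' now prints, since the commit message says listing identifies modifiers but the changelog does not.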
Original file line number Diff line number Diff line change
Expand Up @@ -46,4 +46,6 @@ artifacts:
foreach: mount | awk 'BEGIN { FS=" on "; } { print $2; }' | grep "/proc/[0-9]" | awk '{print $1}'
command: umount "%line%"
output_file: umount_%line%.txt


# References:
# https://dfir.ch/posts/slash-proc/
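Review bot: the filter in the foreach pipeline is unanchored: grep "/proc/[0-9]" matches any mount line whose target merely contains /proc/<digit> anywhere, and the trailing awk '{print $1}' assumes the mount point contains no spaces. Anchoring at the start of the awk output (grep "^/proc/[0-9]"), or applying the filter after the final awk so an exact match such as "^/proc/[0-9][0-9]*$" can be used, limits the unmount to the per-PID directories the reference describes. Also check how output_file: umount_%line%.txt behaves when %line% is a path like /proc/1234: unless %line% is sanitised elsewhere, the output name contains slashes. Because this modifier alters the live system, capturing the original mount line (source and filesystem type) before unmounting would preserve the evidence of what was covering the process.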
2 changes: 1 addition & 1 deletion lib/build_artifact_list.sh
Expand Up @@ -21,7 +21,7 @@ _build_artifact_list()
if [ -f "${__ba_item}" ] \
&& { grep -q -E "supported_os:.*all|${__ba_operating_system}" "${__ba_item}" 2>/dev/null || [ "${__UAC_IGNORE_OPERATING_SYSTEM:-false}" = true ]; }; then
if grep -q -E "modifier:.*true" "${__ba_item}" 2>/dev/null; then
${__UAC_ENABLE_MODS} && echo "${__ba_item}"
${__UAC_ENABLE_MODIFIERS} && echo "${__ba_item}"
else
echo "${__ba_item}"
fi
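Review bot: `${__UAC_ENABLE_MODIFIERS} && echo "${__ba_item}"` executes the variable's value as a command, so an empty or unset value collapses to a null command, which succeeds, and the modifier artifact is emitted. The variable is initialised to false in uac, but testing it the way the line above tests __UAC_IGNORE_OPERATING_SYSTEM is safer: `[ "${__UAC_ENABLE_MODIFIERS:-false}" = true ] && echo "${__ba_item}"`. The grep "modifier:.*true" also matches any line that contains both strings (a comment, or a differently named key ending in modifier); if the property is always top-level, "^modifier:[[:space:]]*true" matches only that.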
14 changes: 12 additions & 2 deletions lib/list_artifacts.sh
Expand Up @@ -38,13 +38,23 @@ _list_artifacts()

if [ "${__oa_os}" = "all" ]; then
find "${__oa_artifacts_dir}"/* -name "*.yaml" -print 2>/dev/null \
| sed -e "s|^${__oa_artifacts_dir}/||" 2>/dev/null
| while read __oa_item || [ -n "${__oa_item}" ]; do
if grep -q -E "modifier:.*true" "${__oa_item}" 2>/dev/null; then
echo "${__oa_item} (modifier)" | sed -e "s|^${__oa_artifacts_dir}/||" 2>/dev/null
else
echo "${__oa_item}" | sed -e "s|^${__oa_artifacts_dir}/||" 2>/dev/null
fi
done
else
# shellcheck disable=SC2162
find "${__oa_artifacts_dir}"/* -name "*.yaml" -print 2>/dev/null \
| while read __oa_item || [ -n "${__oa_item}" ]; do
if grep -q -E "supported_os:.*all|${__oa_os}" "${__oa_item}" 2>/dev/null; then
echo "${__oa_item}" | sed -e "s|^${__oa_artifacts_dir}/||" 2>/dev/null
if grep -q -E "modifier:.*true" "${__oa_item}" 2>/dev/null; then
echo "${__oa_item} (modifier)" | sed -e "s|^${__oa_artifacts_dir}/||" 2>/dev/null
else
echo "${__oa_item}" | sed -e "s|^${__oa_artifacts_dir}/||" 2>/dev/null
fi
fi
done
fi
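Review bot: the new `while read __oa_item` loop in the "all" branch lacks the `# shellcheck disable=SC2162` directive the else branch carries (or a `read -r`), so shellcheck will flag it. The modifier test and both echo | sed forms are now duplicated verbatim across the two branches; computing the stripped name once per iteration and moving the `grep -q -E "modifier:.*true"` check plus the "(modifier)" suffix into one helper would keep the tag format in a single place and cut the four sed invocations to one.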
4 changes: 2 additions & 2 deletions lib/parse_command_line_arguments.sh
Expand Up @@ -134,8 +134,8 @@ _parse_command_line_arguments()
"-u"|"--run-as-non-root")
__UAC_RUN_AS_NON_ROOT=true
;;
"--enable-mods")
__UAC_ENABLE_MODS=true
"--enable-modifiers")
__UAC_ENABLE_MODIFIERS=true
;;
"--hostname")
if [ -n "${2:-}" ]; then
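Review bot: the rename drops "--enable-mods" with no alias, so any invocation still using the old spelling will no longer be recognised. That is acceptable if the option has never shipped (the CHANGELOG lists '--enable-modifiers' under Features as new), but a grep of docs and test scripts for the old name before merging would confirm nothing else still references it.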
2 changes: 1 addition & 1 deletion lib/usage.sh
Expand Up @@ -65,7 +65,7 @@ Collection Arguments:
-u, --run-as-non-root
Disable root user check.
Note that data collection may be limited.
--enable-mods
--enable-modifiers
Enable artifacts that change the system state.
--hostname HOSTNAME
Specify the target system hostname.
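Review bot: the help text "Enable artifacts that change the system state." could add that such artifacts (those with 'modifier: true') are otherwise skipped, and that '--artifacts list' shows them with a "(modifier)" suffix, so an operator can review exactly what will run on the live system before enabling the option.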
4 changes: 2 additions & 2 deletions uac
Expand Up @@ -61,7 +61,7 @@ __UAC_HASH_COLLECTED=false
__UAC_CONFIG_FILE="${__UAC_DIR}/config/uac.conf"
__UAC_MOUNT_POINT="/"
__UAC_OPERATING_SYSTEM=""
__UAC_ENABLE_MODS=false
__UAC_ENABLE_MODIFIERS=false
__UAC_RUN_AS_NON_ROOT=false
__UAC_PROCESSING_UNITS=""
__UAC_HOSTNAME=""
Expand Down Expand Up @@ -409,7 +409,7 @@ _log_msg INF "Exclude mount points: ${__UAC_EXCLUDE_MOUNT_POINTS}"

_verbose_msg "Building artifact list..."
_log_msg INF "Building artifact list"
_log_msg INF "Enable modifiers: ${__UAC_ENABLE_MODS}"
_log_msg INF "Enable modifiers: ${__UAC_ENABLE_MODIFIERS}"

# build artifact list based on the operating system
# skip artifacts that are not applicable to the target operating system