Collect /proc/*/mounts #256

Closed
wants to merge 41 commits into from

Commits on Jun 12, 2024

  1. artif: openbsd lastcomm

    on system parsing of system accounting files
    Herbert-Karl authored and Herbert Bärschneider committed Jun 12, 2024
    7ba78c9
  2. artif: console message buffer

    Herbert-Karl authored and Herbert Bärschneider committed Jun 12, 2024
    4667a41
  3. artif: security backups

    Herbert-Karl authored and Herbert Bärschneider committed Jun 12, 2024
    602fb3c
  4. artif: locate database

    Herbert-Karl authored and Herbert Bärschneider committed Jun 12, 2024
    83fabc7
  5. artif: device database

    Herbert-Karl authored and Herbert Bärschneider committed Jun 12, 2024
    e9e9292
  6. artif: system accounting files

    acct files use a custom format
    usracct and savacct are berkeley database in format 1.85/1.86
    Herbert-Karl authored and Herbert Bärschneider committed Jun 12, 2024
    8994b18
  7. artif: kernel relink log

    Herbert-Karl authored and Herbert Bärschneider committed Jun 12, 2024
    a7c24bc

Commits on Jun 13, 2024

  1. Merge pull request tclahr#240 from tclahr/release/2.9.1

    refactor: v2.9.1
    tclahr authored Jun 13, 2024
    492f740
  2. refactor: development version

    tclahr committed Jun 13, 2024
    ece2c69

Commits on Jun 25, 2024

  1. Fixed deleted.yaml

    Fixed "Find open files of (malicious) processes." in deleted.yaml
    mnrkbys committed Jun 25, 2024
    8438a4d

Commits on Jul 3, 2024

  1. Merge pull request tclahr#241 from mnrkbys/fix_deleted.yaml

    Fixed deleted.yaml
    tclahr authored Jul 3, 2024
    72bfa92
  2. Merge pull request tclahr#238 from Herbert-Karl/thesis

    BSD related artifacts
    tclahr authored Jul 3, 2024
    34834c4
  3. initial v3 code

    tclahr committed Jul 3, 2024
    ebbd3a9
  4. add repository name

    tclahr committed Jul 3, 2024
    47db590

Commits on Jul 4, 2024

  1. remove token

    tclahr committed Jul 4, 2024
    0466198
  2. Merge pull request tclahr#242 from tclahr/develop-v3

    initial v3 code
    tclahr authored Jul 4, 2024
    83bf596

Commits on Jul 7, 2024

  1. 7499efd
  2. ff63747
  3. c148a75

Commits on Jul 11, 2024

  1. refactor: comments changes

    tclahr committed Jul 11, 2024
    3956e0a

Commits on Jul 15, 2024

  1. a597b4c
  2. Merge pull request tclahr#246 from tclahr/hash_collected

    refactor: optimize hash collected code
    tclahr authored Jul 15, 2024
    2750aff

Commits on Jul 17, 2024

  1. Update zoneadm.yaml

    update version
    tclahr authored Jul 17, 2024
    a918e4a

Commits on Jul 18, 2024

  1. fix: fix btime on freebsd 14

    Birth time on FreeBSD 14 is shown as -1 in some cases, so this code fixes it to show 0 instead.
    tclahr committed Jul 18, 2024
    e97a470
  2. refactor: optimization changes

    Code optimization changes only.
    tclahr committed Jul 18, 2024
    f15dac8
  3. refactor: replace single quote

    tclahr committed Jul 18, 2024
    431fa6f
  4. Merge pull request tclahr#248 from tclahr/fix_bodyfile_btime

    Fix bodyfile btime
    tclahr authored Jul 18, 2024
    c705519
  5. 478b0af
  6. refactor: update changelog

    tclahr committed Jul 18, 2024
    2fb60a6
  7. Merge pull request tclahr#243 from Herbert-Karl/develop

    FreeBSD: information on jails (FreeBSD specific containers)
    tclahr authored Jul 18, 2024
    3c5c937

Commits on Jul 20, 2024

  1. fix: zip binary segmentation fault

    Update code to test whether zip can run in the target system before adding it to PATH.
    
    zip binary was causing either a "segmentation fault" or a "kernel too old" error on some specific systems, making the output file creation fail.
    
    Fix tclahr#245
    tclahr committed Jul 20, 2024
    75f3689
  2. Merge pull request tclahr#251 from tclahr/fix_zip_segmentation_fault

    fix: zip binary segmentation fault
    tclahr authored Jul 20, 2024
    f3ec4c3
  3. refactor: add verbose message

    Add verbose message.
    tclahr committed Jul 20, 2024
    2e95e2d
  4. Merge pull request tclahr#252 from tclahr/add_verbose_message

    refactor: add verbose message
    tclahr authored Jul 20, 2024
    776202d

Commits on Jul 22, 2024

  1. artif: new artifacts

    tclahr committed Jul 22, 2024
    430fba1
  2. d881976
  3. Merge pull request tclahr#254 from tclahr/new_artifacts

    artif: new artifacts
    tclahr authored Jul 22, 2024
    3c10215

Commits on Jul 23, 2024

  1. refactor: change gif file name

    tclahr committed Jul 23, 2024
    f80a179
  2. refactor: replace for by while

    tclahr committed Jul 23, 2024
    f3ef15f
  3. Merge pull request tclahr#255 from tclahr/replace_ifs

    refactor: replace for by while
    tclahr authored Jul 23, 2024
    86c212a
  4. artif: Collect /proc/*/mounts

    Bind mounts can be used to hide processes (see https://dfir.ch/posts/slash-proc/). One of the quickest ways to detect this behavior is to "grep /proc /proc/self/mounts". Because /proc/*/mounts are not necessarily the same across all processes, collect all of them.
    
    Signed-off-by: Hal Pomeranz <[email protected]>
    halpomeranz committed Jul 23, 2024
    6f8066b
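The bind-mount-over-/proc check described in the last commit message, as an added example that is not part of this pull request or of UAC itself; the helper names and the sample mounts lines are constructed for illustration:

```shell
#!/bin/sh
# Added example, not UAC's own code: list mounts layered over /proc, the
# pattern the commit above detects with "grep /proc /proc/self/mounts".
# Input is the /proc/<pid>/mounts format: fs_spec fs_file fs_vfstype fs_mntops ...
# (the kernel octal-escapes spaces in mount points, so field splitting is safe).

# Print the mount point of every entry mounted below /proc, skipping /proc
# itself and the kernel subtrees that are normally mounted there.
find_proc_overmounts() {
  # reads the file(s) given as arguments, or stdin when called without any
  awk '$2 ~ /^\/proc\// && $2 !~ /^\/proc\/(sys\/fs\/binfmt_misc|fs\/nfsd)$/ { print $2 }' "$@"
}

# Each process may live in its own mount namespace, so check every
# /proc/<pid>/mounts rather than only /proc/self/mounts, as the commit does.
scan_all_proc_mounts() {
  for f in /proc/[0-9]*/mounts; do
    [ -r "$f" ] || continue
    pid=${f#/proc/}; pid=${pid%/mounts}
    find_proc_overmounts "$f" 2>/dev/null | sed "s|^|pid $pid: |"
  done
}

# Constructed sample: the procfs root, the usual binfmt_misc automount, and a
# bind mount of a directory on the root filesystem over /proc/1337, which
# hides PID 1337 from tools that enumerate /proc.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct 0 0
/dev/sda1 /proc/1337 ext4 rw,relatime 0 0'

# Run the check over the constructed sample; expected output: /proc/1337
printf '%s\n' "$SAMPLE_MOUNTS" | find_proc_overmounts
```

Inside a container, runtimes routinely mask paths such as /proc/kcore or /proc/sys with tmpfs or bind mounts, so hits from a containerised process need to be compared against the runtime's masked-path list before being treated as suspicious.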