refactor: small code updates

tclahr · tclahr · commit c980630c536c · 2026-01-17T13:36:32.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 
 - The output and log file names are now automatically appended to the URL provided in `--azure-storage-sas-url` ([#389](https://github.com/tclahr/uac/issues/389)). Consequently, the `--azure-storage-sas-url-log-file` option is no longer needed and has been removed.
 - Introduced the `statf` tool, which leverages the `stat` system call to produce file status information in bodyfile format for FreeBSD-based systems lacking the `stat` and `perl` tools.
+- You can now use the `find` collector to run a specified `command` once for each matched file ([#420](https://github.com/tclahr/uac/issues/420)). Please check the [documentation](https://tclahr.github.io/uac-docs/artifacts/#field-reference-and-examples) for more information. (by [halpomeranz](https://github.com/halpomeranz))
 
 ### Artifacts
 
diff --git a/artifacts/system/getcap.yaml b/artifacts/system/getcap.yaml
@@ -1,13 +1,15 @@
 version: 3.0
+condition: command_exists "getcap"
 output_directory: /system
+# abuse process capabilities
+# ref: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
 artifacts:
   -
-    description: List all files with Linux capabilities
+    description: List all files with Linux capabilities.
     supported_os: [linux]
     collector: find
     path: /
+    exclude_path_pattern: ["/proc", "/sys"]
     file_type: [f]
     command: getcap
-    exclude_file_system: [proc, procfs]
     output_file: getcap.txt
-  
diff --git a/artifacts/system/immutable_files.yaml b/artifacts/system/immutable_files.yaml
@@ -1,13 +1,13 @@
 version: 3.0
+condition: command_exists "lsattr"
 output_directory: /system
 artifacts:
   -
-    description: List all immutable files
+    description: List immutable files.
     supported_os: [linux]
     collector: find
     path: /
+    exclude_path_pattern: ["/dev", "/proc", "/run", "/sys"]
     file_type: [f]
-    command: lsattr | awk '$1 ~ /i/ && $1 !~ /^\\//'
-    exclude_file_system: [proc, procfs, squashfs]
+    command: lsattr -d | awk '$1 ~ /i/ && $1 !~ /^\\//'
     output_file: immutable_files.txt
-  
diff --git a/lib/find_based_collector.sh b/lib/find_based_collector.sh
@@ -32,8 +32,6 @@ _find_based_collector()
   __fc_collector="${1:-}"
   shift
   __fc_path="${1:-}"
-  #shift
-  #__fc_mount_point="${1:-/}"
   shift
   __fc_is_file_list="${1:-false}"
   shift
@@ -63,7 +61,7 @@ _find_based_collector()
   shift
   __fc_ignore_date_range="${1:-false}"
   shift
-  __fc_command_xargs_pipe="${1:-}"
+  __fc_command="${1:-}"
   shift
   __fc_output_directory="${1:-}"
   shift
@@ -95,7 +93,7 @@ _find_based_collector()
   if ${__fc_is_file_list}; then
     # prepend __UAC_TEMP_DATA_DIR/collected if path does not start with /
     if echo "${__fc_path}" | grep -q -v -E "^/"; then
-      __fc_path="${__UAC_TEMP_DATA_DIR}/collected/${__fc_path}"
+      __fc_path="${__UAC_ARTIFACTS_OUTPUT_DIR}/${__fc_path}"
     fi
     __fc_path=`_sanitize_path "${__fc_path}"`
     if [ ! -f "${__fc_path}" ]; then
@@ -148,12 +146,10 @@ _find_based_collector()
   fi
 
   case "${__fc_collector}" in
-    "file"|"find")
+    "file")
       if ${__fc_is_file_list}; then
         __fc_find_command="cat \"${__fc_path}\""
       else
-	[ -n "${__fc_command_xargs_pipe}" ] && __fc_print0="true" || __fc_print0="false"
-	      
         __fc_find_command=`_build_find_command \
           "${__fc_path}" \
           "${__fc_path_pattern}" \
@@ -167,20 +163,93 @@ _find_based_collector()
           "${__fc_permissions}" \
           "${__fc_no_group}" \
           "${__fc_no_user}" \
-          "${__fc_print0}" \
+          "" \
           "${__fc_start_date_days}" \
           "${__fc_end_date_days}"`
       fi
-      if [ "${__fc_collector}" = "find" ] && [ -n "${__fc_command_xargs_pipe}" ]; then
-	if ${__UAC_TOOL_FIND_PRINT0_SUPPORT} && ${__UAC_TOOL_XARGS_NULL_DELIMITER_SUPPORT}; then
-          __fc_find_command="${__fc_find_command} | xargs -0 ${__fc_command_xargs_pipe}"
-	else
-	  __fc_find_command="${__fc_find_command} | xargs ${__fc_command_xargs_pipe}"
-	fi
-      fi
       _verbose_msg "${__UAC_VERBOSE_CMD_PREFIX}${__fc_find_command}"
       _run_command "${__fc_find_command}" \
-	>>"${__fc_output_directory}/${__fc_output_file}"
+        >>"${__fc_output_directory}/${__fc_output_file}"
+      ;;
+    "find")
+      if [ -n "${__fc_command}" ]; then
+        if ${__fc_is_file_list}; then
+            __fc_command="sed 's|.|\\\\&|g' \"${__fc_path}\" | xargs ${__fc_command}"
+        elif ${__UAC_TOOL_FIND_PRINT0_SUPPORT} && ${__UAC_TOOL_XARGS_NULL_DELIMITER_SUPPORT}; then
+          __fc_find_command=`_build_find_command \
+            "${__fc_path}" \
+            "${__fc_path_pattern}" \
+            "${__fc_name_pattern}" \
+            "${__fc_exclude_path_pattern}" \
+            "${__fc_exclude_name_pattern}" \
+            "${__fc_max_depth}" \
+            "${__fc_file_type}" \
+            "${__fc_min_file_size}" \
+            "${__fc_max_file_size}" \
+            "${__fc_permissions}" \
+            "${__fc_no_group}" \
+            "${__fc_no_user}" \
+            "true" \
+            "${__fc_start_date_days}" \
+            "${__fc_end_date_days}"`
+          if echo "${__fc_find_command}" | grep -q -E "; $"; then
+            __fc_find_command="{ ${__fc_find_command} }"
+          fi
+          __fc_command="${__fc_find_command} | xargs -0 ${__fc_command}"
+        else
+          __fc_find_command=`_build_find_command \
+            "${__fc_path}" \
+            "${__fc_path_pattern}" \
+            "${__fc_name_pattern}" \
+            "${__fc_exclude_path_pattern}" \
+            "${__fc_exclude_name_pattern}" \
+            "${__fc_max_depth}" \
+            "${__fc_file_type}" \
+            "${__fc_min_file_size}" \
+            "${__fc_max_file_size}" \
+            "${__fc_permissions}" \
+            "${__fc_no_group}" \
+            "${__fc_no_user}" \
+            "" \
+            "${__fc_start_date_days}" \
+            "${__fc_end_date_days}"`
+          if echo "${__fc_find_command}" | grep -q -E "; $"; then
+            __fc_find_command="{ ${__fc_find_command} }"
+          fi
+          __fc_command="${__fc_find_command} | sed 's|.|\\\\&|g' | xargs ${__fc_command}"
+        fi
+        _verbose_msg "${__UAC_VERBOSE_CMD_PREFIX}${__fc_command}"
+        _run_command "${__fc_command}" \
+          >>"${__fc_output_directory}/${__fc_output_file}"
+        if [ ! -s "${__fc_output_directory}/${__fc_output_file}" ]; then
+          rm -f "${__fc_output_directory}/${__fc_output_file}" >/dev/null
+          _log_msg DBG "Empty output file: '${__fc_output_file}'"
+        fi
+      else
+        if ${__fc_is_file_list}; then
+          __fc_find_command="cat \"${__fc_path}\""
+        else
+          __fc_find_command=`_build_find_command \
+            "${__fc_path}" \
+            "${__fc_path_pattern}" \
+            "${__fc_name_pattern}" \
+            "${__fc_exclude_path_pattern}" \
+            "${__fc_exclude_name_pattern}" \
+            "${__fc_max_depth}" \
+            "${__fc_file_type}" \
+            "${__fc_min_file_size}" \
+            "${__fc_max_file_size}" \
+            "${__fc_permissions}" \
+            "${__fc_no_group}" \
+            "${__fc_no_user}" \
+            "" \
+            "${__fc_start_date_days}" \
+            "${__fc_end_date_days}"`
+        fi
+        _verbose_msg "${__UAC_VERBOSE_CMD_PREFIX}${__fc_find_command}"
+        _run_command "${__fc_find_command}" \
+          >>"${__fc_output_directory}/${__fc_output_file}"
+      fi
       ;;
     "hash")
       for __fc_algorithm in `echo "${__UAC_CONF_HASH_ALGORITHM}" | sed -e 's:|: :g'`; do
@@ -247,6 +316,9 @@ _find_based_collector()
             rm -f "${__fc_output_directory}/${__fc_output_file}.${__fc_algorithm}" >/dev/null
             _log_msg DBG "Empty output file: '${__fc_output_file}.${__fc_algorithm}'"
           fi
+        else
+          _log_msg ERR "_find_based_collector: Cannot run hash collector. Target system does not have any hashing tool available"
+          return 1
         fi
       done
       ;;
diff --git a/lib/parse_artifact.sh b/lib/parse_artifact.sh
@@ -49,27 +49,6 @@ _parse_artifact()
 
   __pa_global_output_directory=""
 
-  _replace_exposed_variables()
-  {
-    __re_value="${1:-}"
-
-    if [ -n "${__UAC_START_DATE}" ]; then
-      __re_value=`printf "%s" "${__re_value}" \
-        | sed -e "s|%start_date%|${__UAC_START_DATE}|g" \
-              -e "s|%start_date_epoch%|${__UAC_START_DATE_EPOCH}|g" 2>/dev/null`
-    fi
-    if [ -n "${__UAC_END_DATE}" ]; then
-      __re_value=`printf "%s" "${__re_value}" \
-        | sed -e "s|%end_date%|${__UAC_END_DATE}|g" \
-              -e "s|%end_date_epoch%|${__UAC_END_DATE_EPOCH}|g" 2>/dev/null`
-    fi
-    printf "%s" "${__re_value}" \
-      | sed -e "s|%uac_directory%|${__UAC_DIR}|g" \
-            -e "s|%mount_point%|${__UAC_MOUNT_POINT}|g" \
-            -e "s:%non_local_mount_points%:${__UAC_EXCLUDE_MOUNT_POINTS}:g" \
-            -e "s|%temp_directory%|${__UAC_TEMP_DATA_DIR}/tmp|g" 2>/dev/null
-  }
-
   # remove lines starting with # (comments) and any inline comments
   # remove leading and trailing space characters
   # remove blank lines
@@ -125,7 +104,10 @@ _parse_artifact()
 "
               done
             fi
-            __pa_command=`_replace_exposed_variables "${__pa_value}"`
+            __pa_command="${__pa_value}"
+            if printf "%s" "${__pa_command}" | grep -q -E "%[a-zA-Z_]"; then
+              __pa_command=`_replace_runtime_user_defined_variables "${__pa_command}"`
+            fi
             ;;
           "compress_output_file:")
             __pa_compress_output_file="${__pa_value}"
@@ -138,7 +120,10 @@ _parse_artifact()
 "
               done
             fi
-            __pa_condition=`_replace_exposed_variables "${__pa_value}"`
+            __pa_condition="${__pa_value}"
+            if printf "%s" "${__pa_condition}" | grep -q -E "%[a-zA-Z_]"; then
+              __pa_condition=`_replace_runtime_user_defined_variables "${__pa_condition}"`
+            fi
             ;;
           "description:")
             __pa_description="${__pa_value}"
@@ -166,7 +151,10 @@ _parse_artifact()
 "
               done
             fi
-            __pa_foreach=`_replace_exposed_variables "${__pa_value}"`
+            __pa_foreach="${__pa_value}"
+            if printf "%s" "${__pa_foreach}" | grep -q -E "%[a-zA-Z_]"; then
+              __pa_foreach=`_replace_runtime_user_defined_variables "${__pa_foreach}"`
+            fi
             ;;
           "ignore_date_range:")
             __pa_ignore_date_range="${__pa_value}"
@@ -196,14 +184,20 @@ _parse_artifact()
             if echo "${__pa_value}" | grep -q -E "%temp_directory%"; then
               __pa_output_directory=`echo "${__pa_value}" | sed -e "s|%temp_directory%|${__UAC_TEMP_DATA_DIR}/tmp|g" 2>/dev/null`
             else
-              __pa_output_directory="${__UAC_TEMP_DATA_DIR}/collected/${__pa_value}"
+              __pa_output_directory="${__UAC_ARTIFACTS_OUTPUT_DIR}/${__pa_value}"
             fi
             ;;
           "output_file:")
             __pa_output_file="${__pa_value}"
+            if printf "%s" "${__pa_output_file}" | grep -q -E "%[a-zA-Z_]"; then
+              __pa_output_file=`_replace_runtime_user_defined_variables "${__pa_output_file}"`
+            fi
             ;;
           "path:")
-              __pa_path=`_replace_exposed_variables "${__pa_value}"`
+            __pa_path="${__pa_value}"
+            if printf "%s" "${__pa_path}" | grep -q -E "%[a-zA-Z_]"; then
+              __pa_path=`_replace_runtime_user_defined_variables "${__pa_path}"`
+            fi
             ;;
           "path_pattern:")
             __pa_path_pattern=`echo "${__pa_value}" | _array_to_psv 2>/dev/null`
@@ -362,7 +356,7 @@ _parse_artifact()
                         "${__pa_no_group}" \
                         "${__pa_no_user}" \
                         "${__pa_ignore_date_range}" \
-			"" \
+                        "" \
                         "${__UAC_TEMP_DATA_DIR}" \
                         "file_collector.tmp"
                     elif [ "${__pa_collector}" = "find" ]; then
@@ -383,7 +377,7 @@ _parse_artifact()
                         "${__pa_no_group}" \
                         "${__pa_no_user}" \
                         "${__pa_ignore_date_range}" \
-			"${__pa_command}" \
+                        "${__pa_new_command}" \
                         "${__pa_new_output_directory}" \
                         "${__pa_new_output_file}"
                     elif [ "${__pa_collector}" = "hash" ]; then
@@ -404,7 +398,7 @@ _parse_artifact()
                         "${__pa_no_group}" \
                         "${__pa_no_user}" \
                         "${__pa_ignore_date_range}" \
-			"" \
+                        "" \
                         "${__pa_new_output_directory}" \
                         "${__pa_new_output_file}"
                     elif [ "${__pa_collector}" = "stat" ]; then
@@ -425,7 +419,7 @@ _parse_artifact()
                         "${__pa_no_group}" \
                         "${__pa_no_user}" \
                         "${__pa_ignore_date_range}" \
-			"" \
+                        "" \
                         "${__pa_new_output_directory}" \
                         "${__pa_new_output_file}"
                     fi
@@ -457,7 +451,7 @@ _parse_artifact()
                   "${__pa_no_group}" \
                   "${__pa_no_user}" \
                   "${__pa_ignore_date_range}" \
-		  "" \
+                  "" \
                   "${__UAC_TEMP_DATA_DIR}" \
                   "file_collector.tmp"
               elif [ "${__pa_collector}" = "find" ]; then
@@ -478,7 +472,7 @@ _parse_artifact()
                   "${__pa_no_group}" \
                   "${__pa_no_user}" \
                   "${__pa_ignore_date_range}" \
-		  "${__pa_command}" \
+                  "${__pa_command}" \
                   "${__pa_output_directory}" \
                   "${__pa_output_file}"
               elif [ "${__pa_collector}" = "hash" ]; then
@@ -499,7 +493,7 @@ _parse_artifact()
                   "${__pa_no_group}" \
                   "${__pa_no_user}" \
                   "${__pa_ignore_date_range}" \
-		  "" \
+                  "" \
                   "${__pa_output_directory}" \
                   "${__pa_output_file}"
               elif [ "${__pa_collector}" = "stat" ]; then
@@ -520,7 +514,7 @@ _parse_artifact()
                   "${__pa_no_group}" \
                   "${__pa_no_user}" \
                   "${__pa_ignore_date_range}" \
-		  "" \
+                  "" \
                   "${__pa_output_directory}" \
                   "${__pa_output_file}"
               fi
@@ -531,4 +525,4 @@ _parse_artifact()
         esac
       done
 
-}
+}
diff --git a/lib/validate_artifact.sh b/lib/validate_artifact.sh
@@ -566,4 +566,4 @@ _validate_artifact()
         esac
 
       done
-}
+}

-Original file line number
+Diff line change
         esac
       done
 -}
 +}