commit d25d0d5ffe917ce10ebac65e8c68e9ba0d973de7172d10a1dd4b8ebb9cd9009b
Author: Adrian Schröter
Date: Sat May 4 01:44:14 2024 +0200

Sync from SUSE:SLFO:Main velociraptor revision 54f5c0690424556a339c0d054724905d

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/_constraints b/_constraints
new file mode 100644
index 0000000..4988ecd
--- /dev/null
+++ b/_constraints
@@ -0,0 +1,7 @@
+
+
+
+ 10
+
+
+
diff --git a/_multibuild b/_multibuild
new file mode 100644
index 0000000..9095fe1
--- /dev/null
+++ b/_multibuild
@@ -0,0 +1,4 @@
+
+ client
+
+
diff --git a/_service b/_service
new file mode 100644
index 0000000..9f29119
--- /dev/null
+++ b/_service
@@ -0,0 +1,21 @@
+
+
+ https://github.com/SUSE/linux-security-sensor
+ velociraptor
+ @PARENT_TAG@~git@TAG_OFFSET@.%h
+ sensor-base-0.6.7
+ git
+ v0.6.7-5
+ v([0-9\.\-]*)-(.*)
+ \1.\2
+ enable
+ enable
+
+
+
+
+ *.tar
+ xz
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..25d2e55
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,6 @@
+
+
+ https://github.com/SUSE/linux-security-sensor
+ 01be57033daf2e1505c5ac686fb7b25df7cae760
+ https://github.com/jeffmahoney/linux-security-sensor
+ 02020f9752134efd8a6a92ab83a7b55b498e1948
\ No newline at end of file
diff --git a/sdjournal-build-fix-for-SLE12.patch b/sdjournal-build-fix-for-SLE12.patch
new file mode 100644
index 0000000..c9e12a9
--- /dev/null
+++ b/sdjournal-build-fix-for-SLE12.patch
@@ -0,0 +1,18 @@
+From: Jeff Mahoney
+Subject: third_party/sdjournal: remove enums missing on SLE-12
+
+The version of systemd on SLE-12 is older and doesn't have these enums. We
+don't use them, so it's safe to remove them.
+
+--- a/third_party/sdjournal/journal_linux.go
++++ b/third_party/sdjournal/journal_linux.go
+@@ -380,9 +380,6 @@ const (
+ SD_JOURNAL_RUNTIME_ONLY = int(C.SD_JOURNAL_RUNTIME_ONLY)
+ SD_JOURNAL_SYSTEM = int(C.SD_JOURNAL_SYSTEM)
+ SD_JOURNAL_CURRENT_USER = int(C.SD_JOURNAL_CURRENT_USER)
+- SD_JOURNAL_OS_ROOT = int(C.SD_JOURNAL_OS_ROOT)
+- SD_JOURNAL_ALL_NAMESPACES = int(C.SD_JOURNAL_ALL_NAMESPACES)
+- SD_JOURNAL_INCLUDE_DEFAULT_NAMESPACE = int(C.SD_JOURNAL_INCLUDE_DEFAULT_NAMESPACE)
+ )
+
+ // Journal event constants
diff --git a/sysconfig.velociraptor b/sysconfig.velociraptor
new file mode 100644
index 0000000..76988ce
--- /dev/null
+++ b/sysconfig.velociraptor
@@ -0,0 +1,9 @@
+## Path: Security/Monitoring
+## Description: Velociraptor server settings
+## Type: string
+## Default: ""
+## ServiceRestart: velociraptor
+#
+# Options for velociraptor
+#
+VELOCIRAPTOR_OPTS=""
diff --git a/sysconfig.velociraptor-client b/sysconfig.velociraptor-client
new file mode 100644
index 0000000..e4cc6e3
--- /dev/null
+++ b/sysconfig.velociraptor-client
@@ -0,0 +1,9 @@
+## Path: Security/Monitoring
+## Description: Velociraptor client settings
+## Type: string
+## Default: ""
+## ServiceRestart: velociraptor-client
+#
+# Options for velociraptor-client
+#
+VELOCIRAPTOR_CLIENT_OPTS="-v"
diff --git a/sysconfig.velociraptor-kafka-humio-gateway b/sysconfig.velociraptor-kafka-humio-gateway
new file mode 100644
index 0000000..aa3825a
--- /dev/null
+++ b/sysconfig.velociraptor-kafka-humio-gateway
@@ -0,0 +1,15 @@
+## Path: Security/Monitoring
+## Description: Velociraptor Kafka-Humio Gateway settings
+## Type: string
+## Default: ""
+## ServiceRestart: velociraptor
+#
+# Options for velociraptor
+#
+KAFKA_HUMIO_GATEWAY_OPTIONS="--verbose"
+
+#
+# Location of configuration file
+#
+KAFKA_HUMIO_GATEWAY_CONFIG="/etc/velociraptor-kafka-humio-gateway/transport.yml"
+
diff --git a/system-user-velociraptor.sysusers b/system-user-velociraptor.sysusers
new file mode 100644
index 0000000..21934fc
--- /dev/null
+++ b/system-user-velociraptor.sysusers
@@ -0,0 +1,2 @@
+u velociraptor - "Velociraptor User" /var/lib/velociraptor
+g velociraptor - -
diff --git a/update-vendoring.sh b/update-vendoring.sh
new file mode 100644
index 0000000..cdc1a2e
--- /dev/null
+++ b/update-vendoring.sh
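Review bot: The variable defined here is `KAFKA_HUMIO_GATEWAY_OPTIONS`, but velociraptor-kafka-humio-gateway.service later in this commit expands `$KAFKA_HUMIO_GATEWAY_OPTS` in its ExecStart, so the default `--verbose` is never passed and anything an administrator puts in this file is silently ignored. Rename one side so they agree, e.g. `KAFKA_HUMIO_GATEWAY_OPTS="--verbose"` here. The header lines `## ServiceRestart: velociraptor` and `# Options for velociraptor` look copied from sysconfig.velociraptor; the client file follows the pattern of naming its own unit, so these should read `velociraptor-kafka-humio-gateway`, otherwise the sysconfig metadata presumably points tooling at the wrong service.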
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+cleanup() {
+ test -n "${dir}" && rm -rf "${dir}"
+ if test -n "${gopathdir}"; then
+ chmod -R u+w "${gopathdir}"
+ rm -rf "${gopathdir}"
+ fi
+}
+
+error() {
+ echo "An error occurred. Exiting." >&2
+}
+
+trap error ERR SIGINT
+trap cleanup EXIT
+set -e
+
+version=$(rpmspec -q --queryformat="%{VERSION}\n" velociraptor.spec|head -1)
+
+dir="$(realpath "$(mktemp -d vendoring.XXXXXX)")"
+topdir="$(realpath "$(dirname "$0")")"
+
+# Pull the %prep section out of the spec file and replace the tarball with the obscpio
+awk '
+BEGIN { go=1; };
+/^%build/ { go=0; };
+{ if (go) print };' < velociraptor.spec > ${dir}/velociraptor.spec
+
+rpmspec -P ${dir}/velociraptor.spec --define "_sourcedir $PWD" --define "_builddir ${dir}"| \
+awk '
+BEGIN { go=0; };
+/^%build/ { go=0; };
+{ if (go) print };
+/^%prep/ { go=1 }' | sed -e "/rpmuncompress.*velociraptor-.*.tar.xz/s#.*#cpio -D . -id < $PWD/velociraptor-${version}.obscpio#" > ${dir}/setup.sh
+
+echo "Running %prep"
+cd ${dir}
+sh -e ${dir}/setup.sh
+cd "${dir}/velociraptor-${version}"
+
+echo "Re-vendoring Go code..."
+gopathdir="$(mktemp -d /tmp/gopath.XXXXXXX)"
+rm -rf vendor
+export GOPATH="$gopathdir"
+
+
+# Vendoring doesn't get along with replaced modules, so symlink to those
+go mod vendor
+replace_module() {
+ local mod=$1
+ local path=$2
+ rm -rf "vendor/${mod}"
+ rel="$(echo $mod|tr A-Za-z0-9_- .|sed -e 's/\.\.\.*/../g')"
+ ln -s "${rel}/${path}" "vendor/${mod}"
+ set -x
+ ls -la vendor/${mod}/
+ set +x
+}
+
+replace_module github.com/aquasecurity/libbpfgo third_party/libbpfgo
+
+tar Jcf ${dir}/vendor-golang-${version}.tar.xz vendor
+cd "${dir}"
+mv vendor-golang-*${version}.tar.xz ${topdir}
+
+cd "${dir}/velociraptor-${version}/contrib/kafka-humio-gateway"
+rm -rf vendor
+go mod vendor
+cd "${dir}/velociraptor-${version}"
+tar Jcf "${dir}/vendor-golang-kafka-humio-gateway-${version}.tar.xz" "contrib/kafka-humio-gateway/vendor"
+
+echo "Re-vendoring nodejs code..."
+cd "${dir}/velociraptor-${version}/gui/velociraptor" +rm -rf node_modules +npm install +cd ../.. +tar Jcf ${dir}/vendor-nodejs-${version}.tar.xz gui/velociraptor/node_modules + +cd "${dir}" +mv vendor-golang-*${version}.tar.xz vendor-nodejs-${version}.tar.xz ${topdir} + +for spec in ${topdir}/*.spec; do + sed -i "s/^%define vendor_version.*/%define vendor_version ${version}/" ${spec} +done + +echo "Done" diff --git a/velociraptor-0.6.7.5~git81.01be570.obscpio b/velociraptor-0.6.7.5~git81.01be570.obscpio new file mode 100644 index 0000000..7caa4b7 --- /dev/null +++ b/velociraptor-0.6.7.5~git81.01be570.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dd0b0d893ced36f98f9b5abb374794f0a6c5d7cdf73e9f8b4527a6ba391ee8c6 +size 130008078 diff --git a/velociraptor-client.config.placeholder b/velociraptor-client.config.placeholder new file mode 100644 index 0000000..9bad5ab --- /dev/null +++ b/velociraptor-client.config.placeholder @@ -0,0 +1,20 @@ +# This configuration file can be generated by using +# velociraptor-client config client --config /path/to/server.conf +# The following config needs server_urls and ca_certificate defined. +Client: +# server_urls: +# - https://velociraptor-server.local:8000/ +# ca_certificate: | +# -----BEGIN CERTIFICATE----- +# [CERTIFICATE DATA] +# -----END CERTIFICATE----- + nonce: oLWIjJR+zJ8= + writeback_linux: /var/lib/velociraptor/velociraptor.writeback.yaml + max_poll: 60 + pinned_server_name: VelociraptorServer + max_upload_size: 5242880 + local_buffer: + memory_size: 52428800 + disk_size: 1073741824 + filename_linux: /var/lib/velociraptor/Velociraptor_Buffer.bin + diff --git a/velociraptor-client.service b/velociraptor-client.service new file mode 100644 index 0000000..1427419 --- /dev/null +++ b/velociraptor-client.service 
@@ -0,0 +1,26 @@
+[Unit]
+Description=Velociraptor Client Service
+
+[Service]
+Type=simple
+User=root
+Group=root
+UMask=0027
+MemoryHigh=4G
+MemoryMax=8G
+EnvironmentFile=-/etc/sysconfig/velociraptor-client
+Environment=TMPDIR=/var/lib/velociraptor-client/tmp
+ExecStart=/usr/bin/velociraptor-client client --config /etc/velociraptor/client.config $VELOCIRAPTOR_CLIENT_OPTS
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/velociraptor-golang-mage-vendoring.diff b/velociraptor-golang-mage-vendoring.diff
new file mode 100644
index 0000000..08f86cf
--- /dev/null
+++ b/velociraptor-golang-mage-vendoring.diff
@@ -0,0 +1,19 @@
+From: Jeff Mahoney
+Subject: [PATCH] velociraptor: remove ignore tag to allow vendoring of mage
+
+The ignore tag in make.go means it won't be properly vendored.
+
+---
+ make.go | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/make.go b/make.go
+index 28b3e90..8fad8b9 100644
+--- a/make.go
++++ b/make.go
+@@ -1,5 +1,3 @@
+-// +build ignore
+-
+ /*
+ Velociraptor - Dig Deeper
+ Copyright (C) 2019-2022 Rapid7 Inc.
diff --git a/velociraptor-kafka-humio-gateway.service b/velociraptor-kafka-humio-gateway.service
new file mode 100644
index 0000000..f4ab758
--- /dev/null
+++ b/velociraptor-kafka-humio-gateway.service
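Review bot: The unit runs as root with a sensible set of sandboxing directives but no `ProtectSystem=`, so the service keeps write access to the whole filesystem; a forensic client legitimately reads everything, but its writes should be confined to its state paths, so if the packaged config only writes under /var/lib/velociraptor-client (and the writeback/buffer paths it is configured with), `ProtectSystem=strict` plus `ReadWritePaths=/var/lib/velociraptor-client` would enforce that — confirm against the client config before enabling it. `Environment=TMPDIR=/var/lib/velociraptor-client/tmp` assumes that directory exists; nothing in this unit creates it, so unless the spec ships it (%dir or a tmpfiles.d entry, not visible here) temp-file creation in the client will fail at runtime. A one-line comment above the TMPDIR line naming where the directory is created, e.g. `# created by the package; see the %files/tmpfiles entry for /var/lib/velociraptor-client/tmp`, would make that dependency explicit.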
@@ -0,0 +1,24 @@
+[Unit]
+Description=Velociraptor Kafka-Humio Gateway Service
+
+[Service]
+Type=simple
+User=velociraptor-kafka
+Group=velociraptor-kafka
+UMask=0027
+User=velociraptor
+Group=velociraptor
+EnvironmentFile=-/etc/sysconfig/velociraptor-kafka-humio-gateway
+ExecStart=/usr/bin/velociraptor-kafka-humio-gateway $KAFKA_HUMIO_GATEWAY_OPTS --config $KAFKA_HUMIO_GATEWAY_CONFIG
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/velociraptor-kafka.sysusers b/velociraptor-kafka.sysusers
new file mode 100644
index 0000000..bcb557c
--- /dev/null
+++ b/velociraptor-kafka.sysusers
@@ -0,0 +1,2 @@
+u velociraptor-kafka - "User for velociraptor Kafka Humio Gateway" /var/lib/velociraptor-kafka-humio-gateway
+g velociraptor-kafka - -
diff --git a/velociraptor-reproducible-timestamp.diff b/velociraptor-reproducible-timestamp.diff
new file mode 100644
index 0000000..479a45c
--- /dev/null
+++ b/velociraptor-reproducible-timestamp.diff
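Review bot: `User=` and `Group=` are assigned twice in [Service]; systemd honours the last assignment, so the gateway actually runs as `velociraptor`, and the dedicated `velociraptor-kafka` account that velociraptor-kafka.sysusers creates in this same commit is never used. Running under the server's account gives the gateway read/write access to everything the changelog places under /var/lib/velociraptor (datastore, logs), which is exactly what the separate account was presumably introduced to avoid; drop the second `User=velociraptor` / `Group=velociraptor` pair so `velociraptor-kafka` stands, and make sure /var/lib/velociraptor-kafka-humio-gateway and the transport.yml referenced from the sysconfig file are readable by that account. Unlike the client unit there is also no `Restart=` line, so a crashed gateway stays down until someone notices; `Restart=on-failure` would match the client's behaviour.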
@@ -0,0 +1,30 @@
+From: Jeff Mahoney
+Subject: magefile: use stable timestamps for build
+
+In order to create reprodicible builds, we can't have timestamps that vary
+without anything else changing.
+diff --git a/magefile.go b/magefile.go
+index 16badc2b..76011657 100644
+--- a/magefile.go
++++ b/magefile.go
+@@ -428,10 +428,18 @@ func build_gui_files() error {
+ }
+
+ func flags() string {
+- timestamp := time.Now().Format(time.RFC3339)
++ timestamp := os.Getenv("VELOCIRAPTOR_BUILD_TIME")
++ if timestamp == "" {
++ timestamp = time.Now().Format(time.RFC3339)
++ }
+ flags := fmt.Sprintf(` -X "www.velocidex.com/golang/velociraptor/config.build_time=%s"`, timestamp)
+
+- flags += fmt.Sprintf(` -X "www.velocidex.com/golang/velociraptor/config.commit_hash=%s"`, hash())
++ head := os.Getenv("VELOCIRAPTOR_GIT_HEAD")
++ if head == "" {
++ head = hash()
++ }
++
++ flags += fmt.Sprintf(` -X "www.velocidex.com/golang/velociraptor/config.commit_hash=%s"`, head)
+
+ // If we are running on the CI pipeline we need to know the run
+ // number and URL so we can report them.
diff --git a/velociraptor-server.config.placeholder b/velociraptor-server.config.placeholder
new file mode 100644
index 0000000..423ce25
--- /dev/null
+++ b/velociraptor-server.config.placeholder
@@ -0,0 +1,19 @@
+# This configuration file can be generated by using
+# velociraptor config generate
+
+Datastore:
+ implementation: FileBaseDataStore
+ location: /var/lib/velociraptor/data
+Writeback: {}
+Logging:
+ output_directory: /var/lib/velociraptor/logs
+ separate_logs_per_component: true
+ debug:
+ disabled: true
+ info:
+ rotation_time: 604800
+ max_age: 31536000
+ error:
+ rotation_time: 604800
+ max_age: 31536000
+
diff --git a/velociraptor.changes b/velociraptor.changes
new file mode 100644
index 0000000..bedab10
--- /dev/null
+++ b/velociraptor.changes
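Review bot: The `Datastore` block sets only `location: /var/lib/velociraptor/data`, yet the changelog in this commit says a separate /var/lib/velociraptor/filestore directory was introduced to make it easier to split out large file uploads; with this placeholder as written, uploaded files land under `data` and the new directory goes unused. If the split is intended, add `filestore_directory: /var/lib/velociraptor/filestore` under `Datastore` (the FileBaseDataStore supports a separate filestore path, as far as I know), or drop the directory from the packaging so the two do not drift. A comment above the block stating which of the two layouts the package expects would help the administrator who regenerates this file with `velociraptor config generate`.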
@@ -0,0 +1,1161 @@ +------------------------------------------------------------------- +Wed May 10 00:49:09 UTC 2023 - jeffm@suse.com + +- Update to version 0.6.7.5~git81.01be570: + * libbpfgo: pull fix for double-free + * logscale: add documentation for plugin + +------------------------------------------------------------------- +Tue May 9 14:10:31 UTC 2023 - Marcus Rueckert + +- bump minimum nodejs to 18: + building against 16 causes errors + +------------------------------------------------------------------- +Tue May 9 01:25:01 UTC 2023 - Jeff Mahoney + +- Provide sysuser template for velociraptor user and group. + +------------------------------------------------------------------- +Mon May 08 20:21:03 UTC 2023 - jeffm@suse.com + +- Update to version 0.6.7.5~git78.2bef6fc: + * bpf: fix path to vmlinux.h + +------------------------------------------------------------------- +Mon May 08 19:42:58 UTC 2023 - Jeff Mahoney + +- Update to version 0.6.7.5~git77.997aa73: + * file_store/test_utils/server_config.go: update test certificate + * Update bluemonday dependency. + * vql/functions/hash: cache results on Linux + * libbpfgo: update to velociraptor-branch-v0.4.8-libbpf-1.2.0 + * logscale/backport: don't use networking.GetHttpTransport + * vql/tools/logscale: add plugin to post events to LogScale ingestion endpoint + * file_store/directory: add ability to report pending size +- Change clang dependency to clang16 +- Fix velociraptor-golang-mage-vendoring.diff to account for newer + 'go mod vendor' honoring build flags. +- Fix update-vendoring.sh script to actually run the %setup part of + the spec. +- Merge client package into server spec and use _multibuild to create + client package from same spec file. +- Adjust changelog to retain changes for client package. +- Fix building in static mode on earlier releases. 
+ - Added patch: velociraptor-libbpfgo-only-build-libbpf.patch +- Removed patch: velociraptor-skip-git-submodule-import-for-OBS-build.patch + +------------------------------------------------------------------- +Fri Mar 10 18:54:37 UTC 2023 - Marcus Rueckert + +- Tightening the security of the services a bit: + - tmp files are now moved to /var/lib/velociraptor{,-client}/tmp + from /tmp + - run velociraptor server as user velociraptor instead of root + we do not really need root permissions here + - introduce /var/lib/velociraptor/filestore to make it easier to + split out large file upload + - change permissions for the data directory and subdirectories to + /var/lib/velociraptor/ u=rwX,go= velociraptor:velociraptor + /var/lib/velociraptor-client/ u=rwX,go= root:root + - change permissions of config directory to: + /etc/velociraptor/ u=rwX,g=rX,o= root:velociraptor + /etc/velociraptor/server.config u=rw,g=r,o= root:velociraptor + /etc/velociraptor/client.config u=rw,go= root:root + +------------------------------------------------------------------- +Fri Mar 10 15:36:18 UTC 2023 - Jeff Mahoney + +- Update to version 0.6.7.5~git6.73efb2a: + * libbpfgo: update submodule to require libzstd for newer libelf + * utils/time.js: fix handling of nanosecond-resolution timestamps + * libbpfgo: switch to using regular static builds + * Create a new 0.6.7-5 release (#2385) + - Verify FILESYSTEM_WRITE permission on copy() function (#2384) (bsc#1207936, CVE-2023-0242) + - Also ensure client id is considered unsafe (bsc#1207937, CVE-2023-0290) + * github/workflows/linux: do apt-get update to refresh package lists +- Remove unnecessary dependency on libtsan0. +- Allow velociraptor and velociraptor-client packages to coexist. 
+ +------------------------------------------------------------------- +Thu Jan 26 20:06:09 UTC 2023 - Jeff Mahoney + +- Update to version 0.6.7.4~git63.4a1ed09d: + * utils/time.js: fix handling of nanosecond-resolution timestamps +- Added patches: + * velociraptor-reproducible-timestamp.diff + +------------------------------------------------------------------- +Tue Jan 24 20:57:08 UTC 2023 - Jeff Mahoney + +- Use obsinfo mtime to produce stable build timestamp (bsc#1207369). + +------------------------------------------------------------------- +Tue Jan 24 15:07:09 UTC 2023 - Jeff Mahoney + +- Update to version 0.6.7.4~git60.8abed37a: + * http_comms: create ring buffer temporary file in the same directory + * cronsnoop: plumb in real scope logging + * cronsnoop: don't treat routine errors as fatal + * cronsnoop: fix typo + +------------------------------------------------------------------- +Sat Jan 21 04:07:38 UTC 2023 - Jeff Mahoney + +- Fixed release detection to include Tumblweed + +------------------------------------------------------------------- +Sat Jan 21 02:20:07 UTC 2023 - Jeff Mahoney + +- Increase required release to enable eBPF to SLE 15 SP2 and + openSUSE Leap 15.2. Earlier versions don't have a usable eBPF + and can't easily build llvm13. + +------------------------------------------------------------------- +Sat Jan 21 01:44:59 UTC 2023 - Jeff Mahoney + +- Remove dependency on bpftool. We use the vmlinux.h archive + to provide vmlinux.h. + +------------------------------------------------------------------- +Fri Jan 20 20:18:49 UTC 2023 - Jeff Mahoney + +- Restored %defattr due to SLE12 using rpm-4.11. 
+- Fix builds in vendor code on SLE12 +- Fix build in third_party/sdjournal due to older systemd on SLE12 +- Added patches: + - vendor-build-fixes-for-SLE12.patch + - sdjournal-build-fix-for-SLE12.patch + +------------------------------------------------------------------- +Fri Jan 20 16:37:17 UTC 2023 - Dirk Müller + +- client: add memory limit to systemd unit + +------------------------------------------------------------------- +Thu Jan 19 15:17:22 UTC 2023 - Jeff Mahoney + +- Restore requirement to build with clang13. Newer versions + cause libbpfgo to crash immediately. + +------------------------------------------------------------------- +Thu Jan 19 14:36:42 UTC 2023 - Jeff Mahoney + +- Added support for setting command line options via sysconfig + +------------------------------------------------------------------- +Thu Jan 19 05:00:55 UTC 2023 - Jeff Mahoney + +- Update to version 0.6.7.4~git53.0e85855: + * sdjournal: work around missing _SYSTEMD_UNIT fields + +------------------------------------------------------------------- +Thu Jan 19 01:01:09 UTC 2023 - Jeff Mahoney + +- Clean up for Factory submission: + - Make bpf-enabled builds conditional + - Removed %defattr and combined service lines. + - Change clang and llvm dependencies to use >= 13 + - Newer versions of clang hit a DWARF parsing bug in go < 1.19, + so increase go version dependecy + - Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x + Neither the client or server builds on ix86. + +------------------------------------------------------------------- +Mon Jan 9 16:01:44 UTC 2023 - Jeff Mahoney + +- Added Restart=on-failure to restart the client automatically. 
+ +------------------------------------------------------------------- +Mon Dec 12 20:03:23 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.7.4~git51.a588d6e4: + * magefile.go: use current architecture for Linux builds + * Update libbpfgo submodule to include non-AMD64 build fixes + * bpf: bpf expects s390 instead of s390x + +------------------------------------------------------------------- +Wed Dec 07 04:21:36 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.7.4~git46.5d88d80: + * contrib/kafka-humio-gateway: add new debug option for noisy events + * contrib/kafka-humio-gateway: backoff and retry for metadata + * vql/server/kafka: connect sarama logging to velociraptor logging + * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries + * vql/server/kafka: set appropriate ClientID + +------------------------------------------------------------------- +Wed Dec 07 02:49:56 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.7.4~git41.678ed56: + * rpm: introduce rpm vql plugin + * users: extend DeleteUser testcase to ensure org membership was dropped + * users: ensure baseline user state is correct + * github: run testcases on Linux builds in new workflow + * gui/reporting: update bluemonday dependency to latest + * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() + * SUSE: Add docker-compose environment + * SUSE: add Docker files + * clients/host-info.js: add MAC addresses to client dashboard + * linux: Add ability to interrogate system and network configuration + * Add Linux.Sys.Bash to Server.Monitor.Shell artifact + * kafka-humio-gateway: add sample config file + * Updating the NewFiles and ProcessStatuses Artifacts + * cronsnoop: rework testcases to use t.TempDir + * vql/linux/cronsnoop: Add cronsnoop() plugin + * Extend audit artifacts to use new interface + * audit: rearchitect plugin to scale better with multiple invocations + * audit: use caller-allocated buffer + * use github.com/jeffmahoney/go-libaudit/v2 for 
audit + * Kafka.Events.Client: Update to use new artifactset type + * Add artifact for chattrsnoop plugin + * bpflib: ensure it's built only on linux and when requesting bpf + * Add chattrsnoop plugin + * Add artifact to monitor user group updates (#24) + * vql/linux/dnssnoop: Add dnssnoop() plugin + * Log Sudo/root command by auditd + * Add custom artifacts for login and logout attempts recorded by auditd + * Add tcpsnoop plugin + * vql/linux/bpflib: add helper package for bpf plugins + * libbpfgo: add submodule with forked repo for fully static builds + * Add Kafka-Humio Gateway [Depends on PR#10] (#8) + * Add a Kafka export plugin + * SUSE: Add SSHLogin artifacts + * SUSE: Do build tests on every pull request + * Add systemd-dev as build dependency for github workflow + * Update the Linux.Events.SSHLogin artifact to scan the systemd journal + * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal + * Add parser to read systemd journal on Linux + * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path + * linux: add lsattr() function to enumerate file attributes + * Github: Run build workflow on each pull request + * More fixes for Windows.System.VAD (#2317) (#2318) + * Bugfix: When org is not specified this JS code raised (#2315) (#2316) + +------------------------------------------------------------------- +Tue Dec 06 21:53:43 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.7.3~git41.fa6afa7: + * rpm: introduce rpm vql plugin + * users: extend DeleteUser testcase to ensure org membership was dropped + * users: ensure baseline user state is correct + * github: run testcases on Linux builds + * gui/reporting: update bluemonday dependency to latest + * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() + * SUSE: Add docker-compose environment + * SUSE: add Docker files + * clients/host-info.js: add MAC addresses to client dashboard + * linux: Add ability to interrogate system and network configuration + * Add 
Linux.Sys.Bash to Server.Monitor.Shell artifact + * kafka-humio-gateway: add sample config file + * Updating the NewFiles and ProcessStatuses Artifacts + * cronsnoop: rework testcases to use t.TempDir + * vql/linux/cronsnoop: Add cronsnoop() plugin + * Extend audit artifacts to use new interface + * audit: rearchitect plugin to scale better with multiple invocations + * audit: use caller-allocated buffer + * use github.com/jeffmahoney/go-libaudit/v2 for audit + * Kafka.Events.Client: Update to use new artifactset type + * Add artifact for chattrsnoop plugin + * bpflib: ensure it's built only on linux and when requesting bpf + * Add chattrsnoop plugin + * Add artifact to monitor user group updates (#24) + * vql/linux/dnssnoop: Add dnssnoop() plugin + * Log Sudo/root command by auditd + * Add custom artifacts for login and logout attempts recorded by auditd + * Add tcpsnoop plugin + * vql/linux/bpflib: add helper package for bpf plugins + * libbpfgo: add submodule with forked repo for fully static builds + * Add Kafka-Humio Gateway [Depends on PR#10] (#8) + * Add a Kafka export plugin + * SUSE: Add SSHLogin artifacts + * SUSE: Do build tests on every pull request + * Add systemd-dev as build dependency for github workflow + * Update the Linux.Events.SSHLogin artifact to scan the systemd journal + * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal + * Add parser to read systemd journal on Linux + * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path + * linux: add lsattr() function to enumerate file attributes + * Github: Run build workflow on each pull request + * Bugfix: Do not materialize the VAD array in Windows.System.VAD (#2311) + * Sync to master's bugfixes (#2309) + * Prepare for 0.6.7-2 release (#2300) + * 0.6.7 sync (#2261) + * 0.6.7 sync3 (#2256) + * 0.6.7 sync (#2239) + * Prepare a 0.6.7-rc3 (#2217) + * Bugfix: sparse files were not properly detected. (#2200) (#2201) + * Propagate progress timeout for collections. 
(#2193) + * Verify client's key with or without the org id. (#2192) + * Add Windows.System.Shares (#2191) + * Allow artifacts to have aliases (#2190) + * Added a regex_array column type to allow multiple regex to be set. (#2188) + * [Snyk] Upgrade react-router-dom from 5.3.3 to 5.3.4 (#2180) + * Add 'UsedBy' column to results (#2186) + * Update flow and hunt download exports to use the container (#2185) + * Disable toolbar buttons when no options are available (#2183) + * Allow hunts to be scheduled on multiple orgs (#2182) + * Update WIndows PSList and VAD artifacts (#38) (#2181) + * Add in amcache (#2176) + * Added additional sources for UserAccessLogs (aka SUM) artifact (#2179) + * Fixed tests (#2177) + * [Snyk] Upgrade styled-components from 5.3.5 to 5.3.6 (#2174) + * Page Cell logs in notebook (#2172) + * Break client connection stats by org id (#2171) + * Added a remapping export to Windows.Registry.NTUser (#2170) + * Added tlsh hash (#2169) + * Check sparse files for large size before padding them out. (#2167) + * Linux and macOS Packet Capture Artifact Updates (#2168) + * Update deps (#2166) + * Add some suggested groks for parsing IIS logs (#2165) + * Refactor collection container (#2163) + * Implement transparent decryption for collector accessor (#2162) + * [Snyk] Upgrade ace-builds from 1.11.0 to 1.11.1 (#2161) + * Automatically decrypt collections with collector accessor (#2159) + * Fix css colors. (#2158) + * [Snyk] Upgrade ace-builds from 1.10.1 to 1.11.0 (#2156) + * Retry reads on EOF in NTFS accessor (#2157) + * Updated zip implementation to support crypto (#2155) + * Target 'Cmdline' instead of 'CommandLine' (#2154) + * Bugfix: Extra interpolation when client logs messages with % (#2152) + * Add 'Active' column to show whether or not a firewall rule is enabled. (#2150) + * Added test for encrypted offline collector. 
(#2149) + * Update parsing for Dock plist details (#2148) + * Implement filter for large artifact forms (#2147) + * Add Public Key Encryption Support to Offline Collections (#2133) + * Implemented a max memory grouper (#2146) + * Check if setgid flag is set (#2145) + * [Snyk] Upgrade react-overlays from 5.2.0 to 5.2.1 (#2144) + * Add context to yara.NTFS (#36) (#2143) + * Add `auth_redirect_template` config for handling unauthorized API calls (#2140) + * Allow the user to specify a collection as urgent (#2139) + * Fix typo, slightly improve translations (de,fr) (#2137) + * Add 'CronScripts' query/source and 'Length' option (#2138) + * Check sanity of inventory service for all orgs (#2136) + * Change 'filename' to 'file' for upload (#2135) + * Sync with latest NTFS changes. (#2134) + * [Snyk] Upgrade classnames from 2.3.1 to 2.3.2 (#2130) + * Added URLRegex to FireFox history (#2129) + * Link to collection in host shell (#2128) + * additional references (#2126) + * Sync to go-ntfs (#2125) + * Provide the option to expand sparse files in export (#2124) + * Bugfix: Process address space lockup under some conditions (#2123) + * Added URLRegex to Firefox and Chrome history (#2122) + * Add note about RecentApps key not being available after Windows 10, version 1803 (#2119) + * Expose the communicator's crypto manager (#2118) + * Further refactor of the download handler. (#2117) + * [Snyk] Upgrade ace-builds from 1.10.0 to 1.10.1 (#2114) + * Uploaded files are now shows with client paths (#2116) + * [Snyk] Upgrade recharts from 2.1.13 to 2.1.14 (#2115) + * Maintain row count per query. 
(#2113) + * Update Trackaccount.yaml (#2112) + * Clean up artifact references (#2111) + * Prevent null error when choosing to calculate hash and when providing authenticode information (#2109) + * Add Length option and re-arrange output (#2107) + * Bugfix: Merge file option should work with config show (#2108) + * Always write content to lock files (#2106) + * [Snyk] Upgrade ace-builds from 1.9.6 to 1.10.0 (#2102) + * Authentication configuration error reporting/validation (#2101) + * auth: don't return a base path with two leading slashes (#2100) + * Added org report in root org dashboard (#2098) + * [Snyk] Upgrade react-bootstrap from 1.6.5 to 1.6.6 (#2094) + * [Snyk] Upgrade humanize-duration from 3.27.2 to 3.27.3 (#2095) + * authenticode is a function and not a plug (#2092) + * Allow '+' in usernames (#2093) + * Attempt to decompress client messages if errors occur. (#2088) + * Pass org config to mutations in MemcacheFileDataStore (#2087) + * Support oauth with a different base path. (#2082) + * Allow client->server compression to be disabled (#2081) + * Keep track of collected results using collection status (#2075) + * Enforce a hard timeout for incoming processing (#2074) + * Expand API of user service to include context (#2071) + * When creating a new org pass the new org id to the acl function (#2068) + * Allow collect_client() etc to accept ArtifactSpec protobuf (#2067) + * Only create initial orgs on first run. (#2066) + * Bugfix: Do not start multiple communicators in windows service. 
(#2064) + * Added initial_orgs to the config (#2063) + * Bugfix- Server.Utils.DeleteClient over sanitized client id (#2061) + * Fixed backwards compatible bug (#2057) + * [Snyk] Upgrade ace-builds from 1.9.5 to 1.9.6 (#2055) + * Fixed CSS for column selector ui (#2053) + * Split server sanity checks into root org and other orgs (#2052) + * collect each query's status separately (#2049) + * Pass org ids in href parameters (#2047) + * Org manager maintains services lifetime (#2045) + * Added org_delete() function to remove orgs. (#2042) + * Updated themes for context menu (#2041) + * Made context menus settable in the config file (#2040) + * Added Send to CyberChef context menu on table cells. (#2039) + * [Snyk] Upgrade ace-builds from 1.9.3 to 1.9.5 (#2037) + * [Snyk] Upgrade ace-builds from 1.8.1 to 1.9.3 (#2033) + * Bugfix: watch_usn() was not flushing the mft LRU properly (#2032) + * Bugfix: Maintain field order in sysmon based tracker (#2030) + * Added regex protocols for int, float etc. (#2028) + * Refactor client monitoring API to use service (#2027) + * Bugfix: Switch GUI to first available org (#2025) + * Update Linux pslist() to use CommandLine column (#2024) + * Add embedded stager parse usecase (#34) (#2023) + * update to clean up null fields (#2020) + * Refactor code to propagate the context in more cases. (#2019) + * Bugix: Raw file accessor had different behaviour on Windows (#2018) + * Cater for unknown parents in process tracker. 
(#2015) + * Fix sense of multiple regexp in all() function (#2014) + * Added all() and any() VQL functions (#2013) + * Capitalize 'i' in config generation output (#2012) + * Fixed crash in api_client command (#2010) + * Update UserAccessLogs.yaml (#2009) + * Fixed bug in UserAccessLog artifact (#2008) + * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 (#2000) + * Collect domain role info on interrogate (#1998) + * Added new GUI column type for tree (#1997) + * Fixed CSS to make column selector more visible (#1996) + * Send a System.Upload.Completion event on server artifact upload (#1995) + * Refactor of oauth code (#1993) + * Added some helpful server artifacts (#1992) + * Bugfix: "rpm server" command did not produce minion packages (#1991) + * Add ability to delete monitoring events. (#1990) + * Allow notebook GUI to set notebooks to public. (#1989) + * Allow the user to change password in the GUI (#1988) + * Added a delay() VQL function (#1987) + * Fixed a crash when add_monitoring was called without parameters. (#1986) + * Allow hunt() to limit by OS condition (#1985) + * [Snyk] Upgrade ace-builds from 1.7.1 to 1.8.1 (#1984) + * Fix "last_visit_time" timestamp (#1983) + * Added Generic.System.ProcessSiblings (#1982) + * [Snyk] Upgrade bootstrap from 4.6.1 to 4.6.2 (#1979) + * General cleanup (#1977) + * Update BinaryRename.yaml (#1976) + * Support multi orgs in server-server communication (#1975) + * Inventory service should upload tools to global public directory (#1973) + * fixed path issue (#1972) + * Support REG_MULTI_SZ in raw registry accessor (#1969) + * fix: upgrade interactjs from 1.10.16 to 1.10.17 (#1968) + * Update prefetch library to fix bug (#1965) + * The "fs" accessor should also be org sensitive. 
(#1964) + * Added user_grant() VQL function (#1963) + * fix: upgrade interactjs from 1.10.14 to 1.10.16 (#1961) + * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1960) + * Several security related bugfixes. (#1962) + * Fixed bug in watch_evtx() (#1955) + * fix: upgrade ace-builds from 1.7.0 to 1.7.1 (#1952) + * Fixed visted_url typo (#1953) + * Added NewOrg artifact to make creating new orgs easier. (#1951) + * Fix broken deps due to snyke merge (#1950) + * build(deps): bump terser from 4.8.0 to 4.8.1 in /gui/velociraptor (#1946) + * fix: upgrade recharts from 2.1.11 to 2.1.12 (#1945) + * fix: upgrade @fortawesome/react-fontawesome from 0.1.18 to 0.2.0 (#1948) + * Added orgs() plugin and user management (#1949) + * fix: upgrade ace-builds from 1.6.1 to 1.7.0 (#1944) + * Add new embedded pe in data section parse (#1943) + * Refactor startup code (#1942) + * fix: upgrade qs from 6.10.4 to 6.11.0 (#1941) + * fix: upgrade recharts from 2.1.10 to 2.1.11 (#1939) + * fix: upgrade ace-builds from 1.6.0 to 1.6.1 (#1938) + * Added artifact Windows.Attack.IncorrectImagePath (#1927) + * Account for pid reuse in process tracker. (#1936) + * add precondition for only windows (#1935) + * Make ddclient service parameters configurable (#1933) + * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1930) + * fix: upgrade interactjs from 1.10.13 to 1.10.14 (#1918) + * replace YaraUrl type (#1922) + * Add other url yara fixes (#1921) + * Update Glob.yaml (#1920) + * Fixed bug in startup code. (#1919) + * Initial commit of multitenant support (#1917) + * Adds three Linux artifacts (#1916) + * Fixed a crash when using artifact plugin with tools (#1915) + * Added a collector accessor (#1912) + * fix: upgrade interactjs from 1.10.11 to 1.10.13 (#1909) + * fix: upgrade qs from 6.10.3 to 6.10.4 (#1910) + * Japanese translation (#1906) + * Fix spanish translations. 
(#1907) + * fix: upgrade react-overlays from 5.1.2 to 5.2.0 (#1904) + * Add Shimcache reformat (#1892) + * A couple of performance tweaks. (#1903) + * Fix Amcache artifact (#1902) + * Retry axios requests (#1901) + * Revert "fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899)" (#1900) + * fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899) + * Use the auto accessor as first level of VFS (#1898) + * Theme fixes (#1895) + * Added additional logging for windows client service (#1894) + * Theme updates (#1893) + * Prepare for release 0.6.5 (#1890) + * Bugfix: CPU limit was not properly enforced on endpoint. (#1889) + * fix: upgrade react-calendar-timeline from 0.27.0 to 0.28.0 (#1887) + * fix: upgrade ace-builds from 1.5.1 to 1.5.2 (#1888) + * Improve the Windows.Sys.StartupItems artifact (#1886) + * Fixed the --remap flag (#1883) + * Fixed bug in client_delete() (#1882) + * Added a delete_flow VQL plugin (#1880) + * Add fix for generic bin file payload (#1879) + * Bugfix: Notebook calculation did not update cell (#1878) + * fix: upgrade humanize-duration from 3.27.1 to 3.27.2 (#1877) + * Revised Portuguese translation (#1876) + * Update usn.go (#1873) + * Added French language (#1874) + * Updated german translation (#1875) + * Refactor artifact plugin to be more efficient. 
(#1871) + * Update de.js (#1870) + * fix: upgrade ace-builds from 1.5.0 to 1.5.1 (#1867) + * Refactor server artifacts service (#1868) + * Refactored notebook into a service (#1863) + * fix: upgrade react-router-dom from 5.3.2 to 5.3.3 (#1861) + * fix: upgrade recharts from 2.1.9 to 2.1.10 (#1862) + * Bugfix: raw registry accessor supports read_file() (#1859) + * Add LogHunter - a generic grep over log capability (#1853) + * Added a GUI element to easily filter log messages (#1858) + * Added an oidc-cognito authenticator (#1854) + * build(deps): bump tar from 6.0.5 to 6.1.11 in /gui/velociraptor (#1852) + * fix: upgrade react-router-dom from 5.3.1 to 5.3.2 (#1850) + * Fix ACE font handling (#1849) + * Format timestamps opportunistically. (#1848) + * Update cidr_contains() to return true if any of the ranges match. (#1847) + * Sync KapeFiles and SQLECmd artifacts (#1845) + * Prepare 0.6.5-rc1 release (#1844) + * Added a default process tracker (#1843) + * Implement log levels in VQL (#1839) + * Theme development checkpoint (#1838) + * fix: upgrade ace-builds from 1.4.14 to 1.5.0 (#1836) + * fix: upgrade react-bootstrap from 1.6.4 to 1.6.5 (#1837) + * Added an LRU VQL function (#1835) + * Bugfix: VFS viewer was unable to access files with \ in name (#1832) + * use group SID instead of name to get local admins (#1833) + * Added Portuguese and Spanish languages (#1831) + * fix: upgrade react-overlays from 5.1.1 to 5.1.2 (#1830) + * Make display timezone user selectable (#1827) + * Added Musl build target (#1826) + * Fix deadlock in hunt dispatcher (#1825) + * Theme tweaks (#1821) + * add groupname parameter to LocalAdmins artifact (#1823) + * Fix/activitescache glob expression - Timeline.yaml (#1824) + * Update TemplateInjection.yaml (#1820) + * Prevent text wrap on sidebar (#1819) + * Added some missing translations (#1817) + * Added Deutsch UI Language (#1816) + * Support UNC paths in windows accessors. 
(#1815) + * Add enrichment callback for process tracker (#1814) + * Prevent null FailureActions error (#1811) + * Make ACL manager pluggable. (#1813) + * Allow custom override for GUI artifacts by default (#1810) + * Refactored hunt related functions to use the hunt_dispatcher (#1807) + * artifactset: add ability to select named sources (#1809) + * UI enhancements (#1805) + * Refactor: Create user manager service (#1804) + * New themes and refactoring of existing CSS (#1801) + * Bugfix: Server monitoring queries were not correctly cancelled. (#1803) + * Add gunzip function (#1802) + * GUI: Artifact selector (#1790) + * Refactor and improve the way clients send query related information (#1800) + * fix: upgrade axios from 0.26.1 to 0.27.2 (#1798) + * Add Cobalt Strike carver sleep function capability (#1795) + * Bugfix: Create new buffer to accumulate VQL results (#1794) + * Make velociraptor_client executable in postint script (#1788) + * Support addition on dicts (#1785) + * fix: upgrade moment from 2.29.2 to 2.29.3 (#1782) + * fix: upgrade react-router-dom from 5.3.0 to 5.3.1 (#1783) + * Reset nanny when client connection failed. (#1780) + * Fix artifacts that use yara parameters to specify yara type (#1779) + * SysmonInstall artifact now skips install if not needed (#1777) + * Suppress warning message for offline collector (#1776) + * Bug fix (#1774) + * Avoid bash process lingering around while server is running (#1775) + * oidc: Fix typo: Genric -> Generic (#1773) + * Make MaxWait for event table settable. (#1772) + * Fixed bug in Windows.Detection.Yara.Process (#1771) + * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770) + * Initial implementation of client side process tracker. 
(#1768) + * Bugfix: Client did not update list of query columns (#1767) + * Fixed bug in ETWSessions artifact (#1766) + * build(deps): bump async from 2.6.3 to 2.6.4 in /gui/velociraptor (#1761) + * Add update to ADSHunter for better output on complete system hunts (#28) (#1765) + * Add fix for dupliate entries from flattern bug (#1760) + * build(deps): bump ejs from 3.1.6 to 3.1.7 in /gui/velociraptor (#1758) + * build(deps): bump cross-fetch from 3.1.3 to 3.1.5 in /gui/velociraptor (#1759) + * Fix undefined types in some artifact parameters (#1757) + * Update Glob.yaml (#1754) + * Bugfix: Unable to set cpu limits in hunt GUI (#1751) + * Support case insensitive notebook cell types (#1747) + * Fixed a bug in the Userassist artifact (#1746) + * Bugfix: Hunt stats were not properly incremented (#1744) + * Invalidate transformed cache when the base table changes. (#1742) + * GUI Table widgets now can apply transformations on the table. (#1740) + * Update FilenameSearch.yaml (#1741) + +------------------------------------------------------------------- +Fri Nov 11 21:12:02 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.4.2~git86.b5931f7: + * cleanup: go mod tidy +- Fix vendoring of replaced modules. 
+- Only require libtsan0 on x86_64 +- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist + +------------------------------------------------------------------- +Fri Nov 11 20:13:00 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.4.2~git84.1b38fda: + * Clean up libbpfgo mess + * libbpfgo: use forked repo for fully static builds + * libbpfgo: sync to v0.4.4-libbpf-1.0.1 + * contrib/kafka-humio-gateway: add new debug option for noisy events + * contrib/kafka-humio-gateway: backoff and retry for metadata + * vql/server/kafka: connect sarama logging to velociraptor logging + * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries + * vql/server/kafka: set appropriate ClientID + * libbpfgo: add selftest to build so testcases work + * cronsnoop: rework testcases to use t.TempDir + * cronsnoop: move external dependencies to end of import list + * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() + +------------------------------------------------------------------- +Fri Nov 11 20:08:20 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.4.2~git67.85b608e: + * clients/host-info.js: add MAC addresses to client dashboard + * linux: Add ability to interrogate system and network configuration + * SUSE: Add docker-compose environment + * SUSE: add Docker files + * Add Linux.Sys.Bash to Server.Monitor.Shell artifact + * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 + * kafka-humio-gateway: add sample config file + * Updating the NewFiles and ProcessStatuses Artifacts + * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37) + * third_party/go-libaudit: don't directly use unix.* + * Add Linux.Remediation.Quarantine artifact + * Extend audit artifacts to use new interface + * audit: rearchitect plugin to scale better with multiple invocations + * third_party/go-libaudit: move handling of receive buffer to caller + * third_party/go-libaudit: move buffer handling from 
netlink to audit + * third_party/go-libaudit: allow audit fd to be pollable + * third_party/go-libaudit: Add support for removing individual rules + * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls + * third_party/go-libaudit: Report missing rules during deletion + * import go-libaudit as a third-party module + * quarantine: actually call the OS-specific artifact + * artifactset: add ability to select named sources + * GUI: Artifact selector (#1790) + * host-info: make quarantine UI more robust with non-Windows client hosts + * shell-viewer: default to Bash on non-Windows clients + +------------------------------------------------------------------- +Thu Nov 10 15:22:27 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.4.2~git70.b7df8172: + * file_store: handle watching artifacts with named sources + +------------------------------------------------------------------- +Thu Sep 29 14:16:05 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.4.2~git68.5226b23b: + * api/authenticators/basic: fix logoff endpoint + * clients/host-info.js: add MAC addresses to client dashboard + * linux: Add ability to interrogate system and network configuration + * SUSE: Add docker-compose environment + * SUSE: add Docker files + * Add Linux.Sys.Bash to Server.Monitor.Shell artifact + +------------------------------------------------------------------- +Fri Aug 19 21:07:15 UTC 2022 - Jeff Mahoney + +- Updated vendoring. +- Fixed update-vendoring script to use an independent go module cache. 
+ +------------------------------------------------------------------- +Fri Aug 19 01:59:35 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.4.2~git59.5ebb49db: + * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 + +------------------------------------------------------------------- +Thu Aug 11 19:40:21 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.4.2~git57.fcb11adf: + * kafka-humio-gateway: add sample config file + +------------------------------------------------------------------- +Fri Jul 15 14:30:49 UTC 2022 - Jeff Mahoney + +- Updated BuildRequires to use go 1.17 after updating vendoring + +------------------------------------------------------------------- +Fri Jul 15 02:24:03 UTC 2022 - Jeff Mahoney + +- Add vmlinux.h from 5.18.9-2-default to provide type information (x86_64 only) + +------------------------------------------------------------------- +Fri Jul 15 00:00:39 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.4.2~git56.47b4adb4: + * Updating the NewFiles and ProcessStatuses Artifacts + * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37) + * third_party/go-libaudit: don't directly use unix.* + * Add Linux.Remediation.Quarantine artifact + * Extend audit artifacts to use new interface + * audit: rearchitect plugin to scale better with multiple invocations + * third_party/go-libaudit: move handling of receive buffer to caller + * third_party/go-libaudit: move buffer handling from netlink to audit + * third_party/go-libaudit: allow audit fd to be pollable + * third_party/go-libaudit: Add support for removing individual rules + * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls + * third_party/go-libaudit: Report missing rules during deletion + * import go-libaudit as a third-party module + * quarantine: actually call the OS-specific artifact + * artifactset: add ability to select named sources + * GUI: Artifact selector (#1790) + * host-info: make 
quarantine UI more robust with non-Windows client hosts + * shell-viewer: default to Bash on non-Windows clients + +------------------------------------------------------------------- +Thu May 12 20:15:26 UTC 2022 - Jeff Mahoney + +- Update to upstream 0.6.4-2: + * Reset nanny when client connection failed. (#1780) + * Fix artifacts that use yara parameters to specify yara type (#1779) + * Update release for bugfixes 0.6.4-2 + * Add update to ADSHunter for better output on complete system hunts (#28) (#1765) + * SysmonInstall artifact now skips install if not needed (#1777) + * Initial implementation of client side process tracker. (#1768) + * Invalidate transformed cache when the base table changes. (#1742) + * GUI Table widgets now can apply transformations on the table. (#1740) + * Suppress warning message for offline collector (#1776) + * Bug fix (#1774) + * Avoid bash process lingering around while server is running (#1775) + * oidc: Fix typo: Genric -> Generic (#1773) + * Make MaxWait for event table settable. (#1772) + * Fixed bug in Windows.Detection.Yara.Process (#1771) + * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770) + * Bugfix: Client did not update list of query columns (#1767) + * Merge bugfixes from master branch. (#1769) +- Revendored dependencies. 
+ +------------------------------------------------------------------- +Thu May 12 17:54:31 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.4~git31.4298eab0: + * Elastic.Events.Client: Update to use new artifactset type + * Kafka.Events.Client: Update to use new artifactset type + * artifacts: add artifactset parameter type + * api: add type and description fields to v1/GetArtifacts endpoint + +------------------------------------------------------------------- +Thu May 12 13:30:42 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.4~git26.4407b9b7: + * Add artifact for chattrsnoop plugin + * bpflib: ensure it's built only on linux and when requesting bpf + * Add chattrsnoop plugin + * tcpsnoop: Properly close module in case of attach error + * Add artifacts for dns/tcp snoop plugins + * tcpsnoop: Add timestamp to generated events + * dnssnoop: Add timestamp to generated events + +------------------------------------------------------------------- +Tue May 3 20:35:57 UTC 2022 - Jeff Mahoney + +- Fix error handling in tcpsnoop and dnssnoop. + * If BTF information is unavailable, there is no indication that the + query has failed. + +------------------------------------------------------------------- +Tue May 3 13:45:09 UTC 2022 - Jeff Mahoney + +- Rebase on 0.6.4: + * Updated dependencies + * Bugfix: startup bugs (#1680) + * bugfix: Server event notebook not correctly created (#1737) + * Bugfix: Start a dummy indexing service (#1736) + * Add bugfix which would return no rows if the user removed whitelist (#1735) + * Fixed bug in read_reg_key (#1734) + * BUGFIX: Do not include config flag when darwin installer is repacked (#1733) + * Refactored index into its own service. (#1730) + * Bugfix: Write one index item per JSONL record. (#1727) + * Bugfix: Estimating client impact should consider last active status (#1726) + * Add complete ntfs metadata option to MFT output (#1725) + * Various bugfixes. 
(#1724) + * Update Usn.yaml (#1723) + * Fixed a bug in hunt download preparation. (#1722) + * Add Windows.Forensics.Usn filter and presentation updates (#1720) + * Optimize writing event monitoring records (#1721) + * Add Generic.Detection.Yara.Zip (#1718) + * Fixed crash on master-pong response. (#1719) + * Remove _type option from elastic. (#1715) + * Opportunistically update directly connected client's ping times (#1713) + * Fixed a bug in hunt download preparation. (#1722) + * Add Windows.Forensics.Usn filter and presentation updates (#1720) + * Optimize writing event monitoring records (#1721) + * Add Generic.Detection.Yara.Zip (#1718) + * Fixed crash on master-pong response. (#1719) + * Remove _type option from elastic. (#1715) + * Opportunistically update directly connected client's ping times (#1713) + * Fixed bug in VQL cell splitting. (#1712) + * artifact for parsing macos packages (#1706) + * Bugfix: Create a cell for each collected source (#1710) + * artifact for parsing macos packages (#1706) + * Bugfix: Create a cell for each collected source (#1710) + * Added Server.Utils.CollectClient to simplify direct collections (#1708) + * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1705) + * Fix build on Go 1.18 (#1704) + * build(deps): bump minimist from 1.2.5 to 1.2.6 in /gui/velociraptor (#1703) + * Mft update - add uSecZeros (#1701) + * Server monitoring service will reload if an artifact is modified (#1702) + * Refactor client info manager (#1700) + * A number of bugfixes (#1699) + * Update Windows.NTFS.MFT (#1698) + * Actually export HumanString attribute on OSPath (#1689) + * RHEL/CentOS/Fedora dnf packages (#1684) + * Implemented Human Readable OSPath method. (#1688) + * Added lazy MFT attributes (#1685) + * Maintain OSPath in mft artifacts (#1683) + * Fix bug in deaddisk remapping of directories. 
(#1682) + * Bugfix: startup bugs (#1680) + * Updated SQLECmd artifacts (#1677) + * Artifact repository needs to watch for changes across nodes. (#1676) + * Update auto accessor to re-open file with ntfs if read failed (#1674) + * Fix MacOS.System.Plist artifact (#1673) + * Error collection based on VQL logs (#1672) + * Add memory limiting to offline collector (#1666) + * Allow mount overlays (#1664) + * build(deps): bump node-forge from 1.2.1 to 1.3.0 in /gui/velociraptor (#1661) + * Fixed bugs in remapping logic. (#1660) + * Fixed bug in the windows auto accessor. (#1658) + * Elastic.Events.Clients: synchronize parameters with Elastic.Flows.Upload (#1657) + * Add initial commit for Windows.NTFS.ExtendedAttributes (#1656) + * Added a shadow remapping type (#1655) + * Implemented an event notebook (#1654) + * Add Windows.System.WMIQuery (#1651) + * Fixed data race in progress throttler. (#1653) + * Implemented timeout and cpu limits on offline collector. (#1650) + * Added an rpm server command. (#1647) + * Artifacts can now define suggestions for notebook cells. (#1646) + * Allow multiple OIDC authenticators to be specified. (#1645) + * Added a multi authenticator. (#1644) + * Add HashHunter hash() update for performance (#1643) + * Change the DNSCache Artifact to WMI (#1640) + * Added an uploader for notebooks. (#1639) + * Added hashselect arg option to hash() (#1637) + * Add Generic.Detection.HashHunter and tests (#1638) + * Added Generic.Collectors.SQLECmd (#1635) + * Add BinaryHunter (#1634) + * String artifact parameters can now have validator regex (#1628) + * Implemented CPU rate limited for better control (#1622) + * Added a client nanny to detect deadlocks (#1621) + * Linux.Sys.Services artifact, parse services from systemctl (#1619) + * Collect MAC addresses during interrogation and index them (#1611) + * Allow parse_ntfs() to operate on an image file. 
(#1610) + * Fix regression in VFSGetBuffer (#1605) + * Added rekey() VQL function (#1604) + * switch to uninstall string (#1603) + * freebsd /etc/rc.d/velociraptor service script (#1602) + * Add Windows.Registry.BackupRestore (#1601) + * Optimized NTFS code for better speed and added more fields to parse_mft (#1599) + * Update BinaryRename.yaml (#1598) + * Added LinuxM1 (#1597) + * Add explicit check of sticky keys (#1592) + * Remote data store should identify retryable errors (#1590) + * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1588) + * Add test improvement clear system log (#18) (#1586) + * Modified Windows.Forensics.Prefetch to use VQL binary parser (#1585) + * add Windows.NTFS.ADSHunter first commit (#17) (#1583) + * Resolves Velocidex/velociraptor#1543 Create new VQL entropy() function (#1574) + * Remove C time and updating naming (#1546) + * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1568) + * Update OSPath protocols to support slices. (#1575) + * Implement array slice notation in VQL and Server.Import.PreviousReleases (#1573) + * add rtf TemplateInjection to Windows.Detection.TemplateInjection (#1572) + * Change accessors API to deal with OSPath objects directly. (#1570) + * Bump follow-redirects from 1.14.4 to 1.14.8 in /gui/velociraptor (#1567) + * Added a deaddisk command to generate config (#1564) + * Fix bug in Windows.System.Services (#1565) + * Fixed glob expand braces order of operations. 
(#1560) + * Added an offset and raw_file accessors (#1559) + * Update CertUtil.yaml (#1558) + * remove users to include the system path (#1536) + * Implement remap() VQL function and remapping config (#1555) + * Make GitHub actions more flexible on Windows (#1549) + * Bump normalize-url from 4.5.0 to 4.5.1 in /gui/velociraptor (#1548) + * Fix typo (#1547) + * Refractor of accessors and path manipulations (#1545) + * Dns etw update (#1544) + * add PowershellProfile (#1542) + * Added dynamic pubsub attributes (#1540) + * Fix Windows.Applications.Chrome.History (#1539) + * windows.application to windows.applications merge. New firefox history artefact (#1534) + * Fixed race condition in zip accessor reference counting. (#1531) + * Added Windows.Persistence.SilentProcessExit (#1530) + * Add limitations section and lastwrite timestamp (#1529) + * Offline collector FetchBinary should respect the IsExecutable flag (#1528) + * update description, order by, and hidden keypath (#1527) + * add limitations section (#1520) + * Avoid holding index lock for too long. (#1519) + * re-introduce Windows.Collectors.File with deprecation note (#1516) + * add limitations to description and key path to query (#1514) + * Retry remote datastore connections (#1513) + * Write minion log files and autocert in its own dir. (#1512) + * Synced KapeFiles artifacts (#1511) + * Added data retention server artifacts (#1510) + * Set an upper limit for ttl in memcache (#1508) + * Add updates to Windows.System.Services (#15) (#1509) + * Ensure collector container is properly closed when interrupted. (#1507) + * Continually rebuild the index at runtime. (#1506) + * Harder vacuum - directly move client task directories to the attic. (#1505) + * add limitation disclaimer (#1504) + * Reduce critial section to avoid deadlock in repository manager (#1503) + * Implemented a vacuum command to remove old tasks from client queues. (#1501) + * Better format profile metrics output. 
(#1495) + * Cap size of directories and report large directories. (#1493) + * Set ACE completers per editor to avoid global state. (#1492) + * Add HttpOnly flag to all cookies. (#1491) + * Refactor completion routine calls (#1490) + * Limit size of cached directories. (#1483) + * Add more instrumentation to memory caches. (#1482) + * Fixed chart resizing bug (#1481) + * Removed the old queries: list from artifacts. (#1480) + * [Snyk] Fix for 9 vulnerabilities (#1479) + * Remove lock around critical section. (#1478) + * Added MacOS.Forensics.AppleDoubleZip (#1476) + * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475) + * Make index snapshot frequency configurable (#1474) + * Bugfix: Setting notebook index did not escape username (#1471) + * Flush index from memory to disk (#1470) + * Fixed 2 bugs with the memcache file store (#1469) + * Update flow active time when the result set is completed (#1468) + * Tag artifacts as built ins (#1467) + * Fixed bug in the pathspec() VQL function. 
(#1465) + * fix APIConfigLoader not applying command line args (#1463) + +------------------------------------------------------------------- +Mon May 02 14:55:07 UTC 2022 - Jeff Mahoney + +- Resync with git repository: + * Add artifact to monitor user group updates (#24) + * Add dnssnoop plugin (#15) + * Log Sudo/root command by auditd + * Add custom artifacts for login and logout attempts recorded by auditd + +------------------------------------------------------------------- +Fri Mar 18 14:12:59 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.3~git19.640f7a1c: + * Add tcpsnoop plugin + +------------------------------------------------------------------- +Tue Mar 15 13:31:21 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.3~git17.741ebb59: + * kafka-humio-gateway: update README.md + * kafka-humio-gateway: Fix missing variable rename + * Add Kafka-Humio Gateway [Depends on PR#10] (#8) + +------------------------------------------------------------------- +Tue Mar 15 01:04:29 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.3~git13.af7fdb00: + * SUSE: Add SSHLogin artifacts + * Add a Kafka export plugin + * SUSE: Do build tests on every pull request + * Add systemd-dev as build dependency for github workflow + +------------------------------------------------------------------- +Fri Feb 18 00:52:01 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.3~git6.d95ed32e: + * Update the Linux.Events.SSHLogin artifact to scan the systemd journal + * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal + * Add parser to read systemd journal on Linux + * Add an artifact to enumerate immutable files under a path + * Add chattr function support for linux + * Make GitHub actions more flexible on Windows + +------------------------------------------------------------------- +Thu Feb 10 02:12:54 UTC 2022 - Jeff Mahoney + +- Add simple default configs and provide dirs in /var/lib for client + and server. 
+ +------------------------------------------------------------------- +Mon Feb 7 14:40:47 UTC 2022 - Jeff Mahoney + +- Temporarily re-enable Windows artifacts (LSS#4). + +------------------------------------------------------------------- +Wed Feb 2 18:10:19 UTC 2022 - Jeff Mahoney + +- Added systemd unit file and placeholder config file. + +------------------------------------------------------------------- +Thu Jan 27 17:33:45 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.3~git0.69e0fffa: + * Prepare for 0.6.3 release (#1515) + * add limitations to description and key path to query (#1514) + * Retry remote datastore connections (#1513) + * Write minion log files and autocert in its own dir. (#1512) + * Synced KapeFiles artifacts (#1511) + * Added data retention server artifacts (#1510) + * Set an upper limit for ttl in memcache (#1508) + * Add updates to Windows.System.Services (#15) (#1509) + * Ensure collector container is properly closed when interrupted. (#1507) + * Continually rebuild the index at runtime. (#1506) + * Harder vacuum - directly move client task directories to the attic. (#1505) + * add limitation disclaimer (#1504) + * Reduce critial section to avoid deadlock in repository manager (#1503) + * Implemented a vacuum command to remove old tasks from client queues. (#1501) + * Better format profile metrics output. (#1495) + * Cap size of directories and report large directories. (#1493) + * Set ACE completers per editor to avoid global state. (#1492) + * Add HttpOnly flag to all cookies. (#1491) + * Refactor completion routine calls (#1490) + * fix: upgrade react-bootstrap from 1.3.0 to 1.6.4 (#1486) + * fix: upgrade http-proxy-middleware from 1.0.5 to 1.3.1 (#1485) + * fix: upgrade react-ace from 9.1.3 to 9.5.0 (#1487) + * fix: upgrade recharts from 2.0.9 to 2.1.8 (#1488) + * fix: upgrade react-datetime-picker from 3.0.4 to 3.4.3 (#1489) + * Limit size of cached directories. (#1483) + * Add more instrumentation to memory caches. 
(#1482) + * Fixed chart resizing bug (#1481) + * Removed the old queries: list from artifacts. (#1480) + * [Snyk] Fix for 9 vulnerabilities (#1479) + * Remove lock around critical section. (#1478) + * Added MacOS.Forensics.AppleDoubleZip (#1476) + * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475) + * Make index snapshot frequency configurable + * fix APIConfigLoader not applying command line args (#1463) + * Flush index from memory to disk (#1470) + * Prepare RC2 (#1473) + * Bugfix: Setting notebook index did not escape username (#1471) + * Fixed 2 bugs with the memcache file store (#1469) + * Update flow active time when the result set is completed (#1468) + * Tag artifacts as built ins (#1467) + * Fixed bug in the pathspec() VQL function. (#1465) + * Update PrivateKeys.yaml (#1459) + * Added recursion_callback option to the glob plugin (#1461) + * Added config wizard for multi-frontend configuration (#1460) + * Calculate the sha256 hash of the offline container. (#1458) + * Artifact inspection GUI now allows pivot. (#1457) + * Client certs can now be specified in the config file. (#1456) + * New Upload File Form element (#1455) + * Added a sparse accessor (#1453) + * Hunt wizard estimates clients affected (#1452) + * Make the interrogation process customizable. (#1451) + * Update Info.yaml (#1427) + * Improved Lnk parser to include additional fields. (#1449) + * Added a Yara GUI element editor. (#1447) + * Added patch and merge to `config show` and `config generate` (#1445) + * Remove usage of FatalIfError from main module (#1443) + * Introduced a dedicated pathspec object (#1440) + * Bump is-svg from 4.2.2 to 4.3.0 in /gui/velociraptor (#1437) + * Only pass client config in the client VQL scope. 
(#1436) + * rework protobuf message generator (#1435) + * Update Autoruns.yaml + * Added test for filefinder (#1431) + * fix filters in filefinder artifact (#1430) + * Add Artifact to collect KapeFile targets on Linux (#1426) + * Enabled lazy quotes on csv parser (#1424) + * Fixed bug in client comms. (#1423) + * Add document filter for better usability (#1421) + * Added resource information to the output of parse_pe() (#1420) + * Low latency client connectivity discovery (#1419) + * Add RecentDocs collection (#1416) + * Update Amcache artifact for clarity (#1415) + * Added extra parameters to parse_csv() (#1413) + * Added netcat plugin to read from socket (#1412) + * Updated SRUM with Network Usage and Upload option (#1408) + * Synced darwin and freebsd file accessor with the linux one. (#1409) + * Added Windows.Forensics.SAM artifact (#1404) + * Initial artifacts can be specified in config (#1403) + * Add conhost.exe to binary rename (#1402) + * Add update Prefetch Btime execution fix (#1398) + * Update Prefetch timeline (#1397) + * Cleanup search API (#1396) + * Update protobuf dependencies. (#1394) + * More multi-frontend optimizations (#1393) + * Client info manager now keeps track of scheduled tasks. (#1392) + * add sid and lookupsid plugin (#1388) + * Add Mutant whitelist (#1387) + * Notify currently connected clients on new hunts (#1386) + * Index rebuild command loads new index service. (#1385) + * Changes to support distributed architecture. (#1384) + * Added procdump and procdump64 (#1382) + * Fixed heavy mutex contention in the labeler. (#1375) + * Add shellcode to CobaltStrike carver (#10) (#1373) + * Added an index rebuild command. (#1369) + * GUI artifact form was ignoring the friendly name attribute (#1368) + * Added a specialized form element for regex parameters. 
(#1367) + * Added a gRPC based remote datastore (#1366) + * Display all subauthorities for GUID in SRUM (#1365) + * Verify all gRPC peer certificates were signed by the Velociraptor CA (#1362) + * Implemented MemcacheFileDatastore - memory caching with file backend (#1361) + * Added new plugins to manipulate event tables easier. (#1355) + * Refactored in memory datastore to be more efficient. (#1353) + * Sync vfilter (#1351) + * Add both fqdn and hostname to the client search table (#1350) + * BUGFIX: Datastore on windows is unable to represent files with . (#1348) + * Added buffer_size parameter to parse_records_with_regex() (#1347) + * Propagate column types from artifact to flow notebook. (#1346) + * Cobalt parser update (#1345) + * Allow listener to not use file buffer. (#1344) + * Fix Deployment documentation link in README (#1343) + * Preserve uint64 types across Listener (#1341) + * Fix spelling (#1339) + * Refactored queue listener to preserve order. (#1340) + * Added a magic() VQL function (#1338) + * Fixed bug in CSS (#1337) + +------------------------------------------------------------------- +Thu Jan 27 17:27:42 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.2~git0.8dd598b2: + * Update ese parser to fix timestamp bug + * Prepare final 0.6.2 release (#1363) + * Verify all gRPC peer certificates were signed by the Velociraptor CA + * Removed search index parallelism (#1358) + * Added new plugins to manipulate event tables easier. (#1355) + * Sync vfilter (#1351) + * Add both fqdn and hostname to the client search table (#1350) + * BUGFIX: Datastore on windows is unable to represent files with . (#1348) + * Added buffer_size parameter to parse_records_with_regex() (#1347) + * Propagate column types from artifact to flow notebook. (#1346) + +------------------------------------------------------------------- +Thu Jan 6 21:50:43 UTC 2022 - Jeff Mahoney + +- client: Remove dependencies on nodejs since we don't use it in client mode. 
+ +------------------------------------------------------------------- +Thu Jan 6 20:14:39 UTC 2022 - Jeff Mahoney + +- Update to version 0.6.2~git73.dc02b45e: + * Update PrivateKeys.yaml (#1459) + * Added recursion_callback option to the glob plugin (#1461) + * Added config wizard for multi-frontend configuration (#1460) + * Calculate the sha256 hash of the offline container. (#1458) + * Artifact inspection GUI now allows pivot. (#1457) + * Client certs can now be specified in the config file. (#1456) + * New Upload File Form element (#1455) + * Added a sparse accessor (#1453) + * Hunt wizard estimates clients affected (#1452) + * Make the interrogation process customizable. (#1451) + +------------------------------------------------------------------- +Tue Dec 21 20:25:43 UTC 2021 - Jeff Mahoney + +- Disable Windows artifacts. We don't target Windows endpoints and + the queries clutter the GUI. + +------------------------------------------------------------------- +Thu Dec 16 14:12:05 UTC 2021 - Jeff Mahoney + +- Switch to using master branch via service files. + - Added update-vendoring.sh to update the nodejs and go dependencies + after version update. + - Now building the client with linux_bare target that disables + the GUI for endpoint usage. + - Patch the version string to reflect the package version instead + of an indistinguishable -dev. + +------------------------------------------------------------------- +Thu Dec 2 01:46:34 UTC 2021 - Jeff Mahoney + +- Initial packaging. diff --git a/velociraptor.obsinfo b/velociraptor.obsinfo new file mode 100644 index 0000000..57d1894 --- /dev/null +++ b/velociraptor.obsinfo @@ -0,0 +1,4 @@ +name: velociraptor +version: 0.6.7.5~git81.01be570 +mtime: 1683679734 +commit: 01be57033daf2e1505c5ac686fb7b25df7cae760 diff --git a/velociraptor.service b/velociraptor.service new file mode 100644 index 0000000..0e11022 --- /dev/null +++ b/velociraptor.service 
@@ -0,0 +1,23 @@
+[Unit]
+Description=Velociraptor Server Service
+
+[Service]
+Type=simple
+UMask=0027
+User=velociraptor
+Group=velociraptor
+EnvironmentFile=-/etc/sysconfig/velociraptor
+Environment=TMPDIR=/var/lib/velociraptor/tmp
+ExecStart=/usr/bin/velociraptor frontend --verbose --config /etc/velociraptor/server.config $VELOCIRAPTOR_OPTS
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/velociraptor.spec b/velociraptor.spec
new file mode 100644
index 0000000..a79c607
--- /dev/null
+++ b/velociraptor.spec
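Review bot: The hardening block after ExecStart stops short of the two directives that matter most for a network-facing daemon running as its own user: nothing stops the process gaining privileges through setuid binaries, and the whole filesystem outside /var/lib/velociraptor stays writable to it. Adding `NoNewPrivileges=true`, `ProtectSystem=strict` with `ReadWritePaths=/var/lib/velociraptor` (the unit already points TMPDIR there and the spec creates data/logs/tmp under the same directory, so that appears to be the only tree the frontend writes), and `ProtectHome=true` closes this without changing what the server can reach; `RestrictNamespaces=true` and `LockPersonality=true` are cheap additions in the same spirit. If the frontend config binds a port below 1024 (the placeholder config is not visible here), the unit will additionally need `AmbientCapabilities=CAP_NET_BIND_SERVICE` now that it no longer runs as root. Finally, `--verbose` is hard-coded on the ExecStart line rather than left to `$VELOCIRAPTOR_OPTS`, so an operator cannot quiet the journal without editing the unit.
```ini
# … unchanged: [Unit] and the existing [Service] settings through MemoryDenyWriteExecute=true …
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/velociraptor
RestrictNamespaces=true
LockPersonality=true
# … unchanged: [Install] …
```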
@@ -0,0 +1,314 @@ +# +# spec file +# +# Copyright (c) 2023 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define flavor @BUILD_FLAVOR@%{nil} + +%if "%{flavor}" == "client" +%define build_client 1 +%define build_server 0 +%define build_kafka_humio_gateway 0 +%define name_suffix -client +%define make_target linux_bare +%define config_perms %attr(0600, root, root) +%define state_dir_perms %attr(0700, root, root) +%else +%define build_kafka_humio_gateway 1 +%define build_server 1 +%define build_client 0 +%define name_suffix %{nil} +%define make_target linux +%define config_perms %attr(0640, root, velociraptor) +%define state_dir_perms %attr(0700, velociraptor, velociraptor) +%endif + +%define projname velociraptor +%define vendor_version 0.6.7.5~git77.997aa73 +%define vmlinux_h_version 5.14.21150400.22-150400-default + +# SLE 15 SP2 / Leap 15.2 or newer gets eBPF +# Earlier versions don't have a usable eBPF and the +# release doesn't easily build llvm13 +%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150200 +%bcond_without bpf +%else +%bcond_with bpf +%endif + +#Compat macro for new _fillupdir macro introduced in Nov 2017 +%if ! 
%{defined _fillupdir} + %define _fillupdir %{_localstatedir}/adm/fillup-templates +%endif + +# SLE12 has _sharedstatedir in an odd place +%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 +%define _sharedstatedir /var/lib +%endif + +Name: velociraptor%{name_suffix} +Version: 0.6.7.5~git81.01be570 +Release: 0 +%if %{build_server} +Summary: Endpoint visibility and collection tool +%else +Summary: Endpoint visibility and collection tool (endpoint only) +%endif +Group: System/Monitoring +License: AGPL-3.0-only +URL: https://github.com/Velocidex/velociraptor +Source: %{projname}-%{version}.tar.xz +Source1: vendor-golang-%{vendor_version}.tar.xz +Source2: vendor-golang-kafka-humio-gateway-%{vendor_version}.tar.xz +Source3: vendor-nodejs-%{vendor_version}.tar.xz +Source4: vmlinux.h-%{vmlinux_h_version}.tar.xz +Source5: velociraptor.service +Source6: velociraptor-server.config.placeholder +Source7: velociraptor-client.service +Source8: velociraptor-client.config.placeholder +Source9: update-vendoring.sh +Source10: sysconfig.velociraptor +Source11: sysconfig.velociraptor-client +Source12: %{projname}.obsinfo +Source13: system-user-velociraptor.sysusers +Source14: velociraptor-kafka.sysusers +Source15: velociraptor-kafka-humio-gateway.service +Source16: sysconfig.velociraptor-kafka-humio-gateway +Patch1: velociraptor-golang-mage-vendoring.diff +Patch2: vendor-build-fixes-for-SLE12.patch +Patch3: sdjournal-build-fix-for-SLE12.patch +Patch4: velociraptor-reproducible-timestamp.diff +BuildRequires: fileb0x +BuildRequires: golang-packaging +BuildRequires: mage +BuildRequires: systemd-rpm-macros +BuildRequires: golang(API) >= 1.18 +BuildRequires: pkgconfig(libsystemd) +%if %{build_server} +BuildRequires: nodejs >= 18 +BuildRequires: npm >= 18 +%endif +%if %{with bpf} +# clang15 causes libbpfgo to crash immediately +BuildRequires: clang16 +BuildRequires: libelf-devel +BuildRequires: libzstd-devel +BuildRequires: libzstd-devel +BuildRequires: llvm16 +BuildRequires: 
zlib-devel +%endif +Requires: group(velociraptor) +Requires: user(velociraptor) +ExclusiveArch: x86_64 ppc64le aarch64 s390x +%if %{build_server} +BuildRequires: sysuser-tools +%{?sysusers_requires} +%endif + +%if %{build_server} +%description +Velociraptor is a tool for collecting host based state information +using The Velociraptor Query Language (VQL) queries. + +To learn more about Velociraptor, read the documentation on: + +https://docs.velociraptor.app/ + +This package contains the velociraptor server and full console GUI. +For just the endpoint agent, please install the 'velociraptor-client' package. + +%package -n system-user-velociraptor +Summary: System user and group 'velociraptor' +Version: 1.0.0 +License: Apache-2.0 +Group: System/Monitoring +Provides: group(velociraptor) +Provides: user(velociraptor) + +%description -n system-user-velociraptor +This package provides a shared system user for all velociraptor components + +%endif + +%if %{build_kafka_humio_gateway} +%package kafka-humio-gateway +Summary: Gateway between Kafka and Humio for Velociraptor Artifacts +Version: 0.6.7.5~git81.01be570 +Requires: group(velociraptor-kafka) +Requires: user(velociraptor-kafka) + +%description kafka-humio-gateway +This tool is used to consume events generated by the Kafka Velociraptor plugin +and post them to a Humio cluster. +%endif + +%if %{build_client} +%description +Velociraptor is a tool for collecting host based state information +using The Velociraptor Query Language (VQL) queries. + +To learn more about Velociraptor, read the documentation on: + +https://docs.velociraptor.app/ + +This package contains only the endpoint agent. For the full server and GUI +console, please install the 'velociraptor' package. 
+%endif + +%prep +%setup -q -a 1 -a 2 -a 3 -a 4 -n %{projname}-%{version} +%autopatch -p1 + +# Set the version to something more specific than -dev +sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go + +%if %{with bpf} +mkdir -p third_party/libbpfgo/output + +cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \ + third_party/libbpfgo/output/vmlinux.h +%endif + +# These just clutter the GUI and we don't have Windows clients +# Note: There are dependencies on these that need to be resolved before +# removing them outright. +# rm -rf artifacts/definitions/Windows + +%build + +# Reproductible builds need stable timestamps +timestamp=$(date -Iseconds --utc --date=@$(grep mtime: %{SOURCE12}|sed -e 's/mtime: //')) +git_commit=$(grep commit: %{SOURCE12}|sed -e 's/commit: //g') + +export VELOCIRAPTOR_BUILD_TIME=$timestamp +export VELOCIRAPTOR_GIT_HEAD=$git_commit + +%if %{build_server} +(cd gui/velociraptor ; npm run build) +%sysusers_generate_pre %{SOURCE13} velociraptor-user +%endif + +make %{make_target} BUILD_LIBBPFGO=%{with bpf} GIT=echo + +%if %{build_kafka_humio_gateway} +(cd contrib/kafka-humio-gateway; go build -o %{name}-kafka-humio-gateway) +%sysusers_generate_pre %{SOURCE16} kafka-user +%endif + +%install +install -D -d -m 0750 %buildroot/%{_sysconfdir}/velociraptor +install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/data +install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/logs +install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/tmp + +%if %{build_server} +service_file_source=%{SOURCE5} +config_file_source=%{SOURCE6} +sysconfig_file_source=%{SOURCE10} +config_file=server.config + +install -D -m 0644 %{SOURCE13} %{buildroot}%{_sysusersdir}/system-user-velociraptor.conf +%else +service_file_source=%{SOURCE7} +config_file_source=%{SOURCE8} +sysconfig_file_source=%{SOURCE11} +config_file=client.config +%endif + +install -D -m 0644 "$service_file_source" %{buildroot}%{_unitdir}/%{name}.service +install -D -m 0644 
"$sysconfig_file_source" %{buildroot}%{_fillupdir}/sysconfig.%{name} +install -D -m 0640 "$config_file_source" "%{buildroot}%{_sysconfdir}/velociraptor/$config_file" +install -D -m 0755 output/velociraptor-v%{version}-linux-* %buildroot/%{_bindir}/%{name} + +%if %{build_kafka_humio_gateway} +install -D -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/ +install -D -m 0644 %{SOURCE16} %{buildroot}%{_fillupdir}/ +install -D -m 0755 contrib/kafka-humio-gateway/velociraptor-kafka-humio-gateway %buildroot/%{_bindir} +install -D -m 0644 contrib/kafka-humio-gateway/sample-config.yml \ + %buildroot/%{_datadir}/velociraptor-kafka-humio-gateway/sample-config.yml +install -D -m 0644 %{SOURCE14} %{buildroot}%{_sysusersdir}/velociraptor-kafka.conf +install -D -d -m 0750 %{buildroot}%{_sysconfdir}/velociraptor-kafka-humio-gateway +install -D -m 0640 contrib/kafka-humio-gateway/sample-config.yml \ + %buildroot/%{_sysconfdir}/velociraptor-kafka-humio-gateway/transport.yml +%endif + +%files +%defattr(-, root, root) +%license LICENSE +%doc README.md +%{_bindir}/%{name} +%{_unitdir}/%{name}.service +%{_fillupdir}/sysconfig.%{name} + +%dir %attr(-, root, velociraptor) %{_sysconfdir}/velociraptor + +%config(noreplace) %{config_perms} %{_sysconfdir}/velociraptor/*.config +%dir %{state_dir_perms} %{_sharedstatedir}/%{name} +%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/data +%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/logs +%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/tmp + +%pre +%service_add_pre %{name}.service + +%post +%{fillup_only} +%service_add_post %{name}.service + +%preun +%service_del_preun %{name}.service + +%postun +%service_del_postun %{name}.service + +%if %{build_server} +%pre -n system-user-velociraptor -f velociraptor-user.pre + +%files -n system-user-velociraptor +%defattr(-, root, root) +%{_sysusersdir}/system-user-velociraptor.conf +%endif + +%if %{build_kafka_humio_gateway} +%files kafka-humio-gateway +%defattr(-, root, root) +%license LICENSE +%doc 
contrib/kafka-humio-gateway/README.md +%{_bindir}/velociraptor-kafka-humio-gateway +%dir %{_datadir}/velociraptor-kafka-humio-gateway +%{_datadir}/velociraptor-kafka-humio-gateway/sample-config.yml +%{_sysusersdir}/velociraptor-kafka.conf +%{_unitdir}/velociraptor-kafka-humio-gateway.service +%{_fillupdir}/sysconfig.velociraptor-kafka-humio-gateway +%dir %attr(750, root, velociraptor-kafka) %{_sysconfdir}/velociraptor-kafka-humio-gateway +%config(noreplace) %attr(0640, root, velociraptor-kafka) %{_sysconfdir}/velociraptor-kafka-humio-gateway/transport.yml + +%pre kafka-humio-gateway -f kafka-user.pre +%service_add_pre velociraptor-kafka-humio-gateway.service + +%post kafka-humio-gateway +%{fillup_only -s kafka-humio-gateway} +%service_add_post velociraptor-kafka-humio-gateway.service + +%preun kafka-humio-gateway +%service_del_preun velociraptor-kafka-humio-gateway.service + +%postun kafka-humio-gateway +%service_del_postun velociraptor-kafka-humio-gateway.service + +%endif + +%changelog diff --git a/vendor-build-fixes-for-SLE12.patch b/vendor-build-fixes-for-SLE12.patch new file mode 100644 index 0000000..9c35c1c --- /dev/null +++ b/vendor-build-fixes-for-SLE12.patch 
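Review bot: The `sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go` line in %prep passes `e` as the `-i` backup suffix instead of as the `-e` flag, so it leaves a stray `constants/constants.goe` in the tree, and it fails silently if upstream ever changes the pattern, in which case the packaged binary would still report the indistinguishable `-dev` version string the changelog says this substitution is meant to replace. Use `sed -i -e "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go` and follow it with `grep -q 'VERSION *= *"%{version}"' constants/constants.go` so the build aborts rather than shipping a mislabelled binary. Separately, `BuildRequires: libzstd-devel` is listed twice inside the bpf block, and `%dir %attr(750, root, velociraptor-kafka)` is the only mode in the file written without a leading zero; both are harmless but worth normalising to the rest of the spec.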
@@ -0,0 +1,137 @@ +From: Jeff Mahoney +Subject: vendor: build fixes for SLE-12 + +SLE-12 uses gcc 4.8 and as a result requires definition +of _GNU_SOURCE and -std=c99 to build properly. + +--- a/vendor/github.com/Velocidex/go-magic/magic/magic.go ++++ b/vendor/github.com/Velocidex/go-magic/magic/magic.go +@@ -1,7 +1,7 @@ + package magic + + /* +- #cgo CFLAGS: -DHAVE_CONFIG_H ++ #cgo CFLAGS: -DHAVE_CONFIG_H -std=c99 -D_GNU_SOURCE -DHAVE_STRNDUP + #include + #include + */ +--- a/vendor/github.com/Velocidex/go-magic/magic/regex.c ++++ b/vendor/github.com/Velocidex/go-magic/magic/regex.c +@@ -24,8 +24,6 @@ + #pragma alloca + #endif + +-#define _GNU_SOURCE +- + /* We need this for `regex.h', and perhaps for the Emacs include files. */ + #include + +--- a/vendor/github.com/Velocidex/go-yara/cgo.go ++++ b/vendor/github.com/Velocidex/go-yara/cgo.go +@@ -6,6 +6,6 @@ + + package yara + +-// #cgo CFLAGS: -D_FILE_OFFSET_BITS=64 ++// #cgo CFLAGS: -D_FILE_OFFSET_BITS=64 -std=c99 -D_GNU_SOURCE + // #cgo LDFLAGS: + import "C" +--- a/vendor/github.com/Velocidex/go-yara/endian.h ++++ /dev/null +@@ -1,96 +0,0 @@ +-/* +-Copyright (c) 2016. The YARA Authors. All Rights Reserved. +- +-Redistribution and use in source and binary forms, with or without modification, +-are permitted provided that the following conditions are met: +- +-1. Redistributions of source code must retain the above copyright notice, this +-list of conditions and the following disclaimer. +- +-2. Redistributions in binary form must reproduce the above copyright notice, +-this list of conditions and the following disclaimer in the documentation and/or +-other materials provided with the distribution. +- +-3. Neither the name of the copyright holder nor the names of its contributors +-may be used to endorse or promote products derived from this software without +-specific prior written permission. 
+- +-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR +-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON +-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +-*/ +- +-#ifndef YR_ENDIAN_H +-#define YR_ENDIAN_H +- +-#include +- +-#if defined(__has_builtin) +-#if __has_builtin(__builtin_bswap16) +-#define yr_bswap16(x) __builtin_bswap16(x) +-#endif +-#endif +- +-#if !defined(yr_bswap16) && defined(_MSC_VER) +-#define yr_bswap16(x) _byteswap_ushort(x) +-#endif +- +-#if !defined(yr_bswap16) +-uint16_t _yr_bswap16(uint16_t x); +-#define yr_bswap16(x) _yr_bswap16(x) +-#endif +- +-#if defined(__has_builtin) +-#if __has_builtin(__builtin_bswap32) +-#define yr_bswap32(x) __builtin_bswap32(x) +-#endif +-#endif +- +-#if !defined(yr_bswap32) && defined(_MSC_VER) +-#define yr_bswap32(x) _byteswap_ulong(x) +-#endif +- +-#if !defined(yr_bswap32) +-uint32_t _yr_bswap32(uint32_t x); +-#define yr_bswap32(x) _yr_bswap32(x) +-#endif +- +-#if defined(__has_builtin) +-#if __has_builtin(__builtin_bswap64) +-#define yr_bswap64(x) __builtin_bswap64(x) +-#endif +-#endif +- +-#if !defined(yr_bswap64) && defined(_MSC_VER) +-#define yr_bswap64(x) _byteswap_uint64(x) +-#endif +- +-#if !defined(yr_bswap64) +-uint64_t _yr_bswap64(uint64_t x); +-#define yr_bswap64(x) _yr_bswap64(x) +-#endif +- +-#if defined(WORDS_BIGENDIAN) +-#define yr_le16toh(x) yr_bswap16(x) +-#define yr_le32toh(x) 
yr_bswap32(x) +-#define yr_le64toh(x) yr_bswap64(x) +-#define yr_be16toh(x) (x) +-#define yr_be32toh(x) (x) +-#define yr_be64toh(x) (x) +-#else +-#define yr_le16toh(x) (x) +-#define yr_le32toh(x) (x) +-#define yr_le64toh(x) (x) +-#define yr_be16toh(x) yr_bswap16(x) +-#define yr_be32toh(x) yr_bswap32(x) +-#define yr_be64toh(x) yr_bswap64(x) +-#endif +- +-#endif diff --git a/vendor-golang-0.6.7.5~git77.997aa73.tar.xz b/vendor-golang-0.6.7.5~git77.997aa73.tar.xz new file mode 100644 index 0000000..ea9966e --- /dev/null +++ b/vendor-golang-0.6.7.5~git77.997aa73.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e16186e67b1737d138cf75a9e1b6bb80f95836dffae11e1b28b06ea435b5b019 +size 27831304 diff --git a/vendor-golang-kafka-humio-gateway-0.6.7.5~git77.997aa73.tar.xz b/vendor-golang-kafka-humio-gateway-0.6.7.5~git77.997aa73.tar.xz new file mode 100644 index 0000000..cb46f78 --- /dev/null +++ b/vendor-golang-kafka-humio-gateway-0.6.7.5~git77.997aa73.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:690564ed252212f29c47531980c0a71db117562cd82e5d65b432764af6fa0033 +size 454120 diff --git a/vendor-nodejs-0.6.7.5~git77.997aa73.tar.xz b/vendor-nodejs-0.6.7.5~git77.997aa73.tar.xz new file mode 100644 index 0000000..304b0e8 --- /dev/null +++ b/vendor-nodejs-0.6.7.5~git77.997aa73.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b42eb599be65908543ead404fa6c59a90526ff1011e9ddad6258f1f1437770a4 +size 37663228 diff --git a/vmlinux.h-5.14.21150400.22-150400-default.tar.xz b/vmlinux.h-5.14.21150400.22-150400-default.tar.xz new file mode 100644 index 0000000..0e89d73 --- /dev/null +++ b/vmlinux.h-5.14.21150400.22-150400-default.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3437ed2f82883d508c385951d3d146f37f7c954fa0da6021494aa15ff19dc9a0 +size 590616
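Review bot: The patch description only accounts for `-std=c99` and `_GNU_SOURCE`, yet the hunk also adds `-DHAVE_STRNDUP` to go-magic's CFLAGS and deletes `vendor/github.com/Velocidex/go-yara/endian.h` in its entirety, and neither change is justified in the header. Because this edits vendored third-party code that the next `update-vendoring.sh` run will regenerate, the reason needs to be recorded where the next packager will find it; add a sentence to the description for each, for example `go-yara/endian.h is dropped because it clashes with the header that the bundled yara sources provide on SLE-12 (confirm against the build log)` and `HAVE_STRNDUP is defined so go-magic does not fall back to its own strndup under -std=c99`. Deleting the header presumably works because the yr_bswap/yr_le*toh macros it defines come from another header on the build, but that cannot be checked from the patch alone and is exactly what the description should state.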