Sync from SUSE:SLFO:Main velociraptor revision 54f5c0690424556a339c0d054724905d

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

_constraints

@@ -0,0 +1,7 @@
+<constraints>
+  <hardware>
+    <disk>
+      <size unit="G">10</size>
+    </disk>
+  </hardware>
+</constraints>

_multibuild

@@ -0,0 +1,4 @@
+<multibuild>
+  <package>client</package>                                                  
+</multibuild>                                                                   
+

_service

@@ -0,0 +1,21 @@
+<services>
+  <service mode="manual" name="obs_scm">
+    <param name="url">https://github.com/SUSE/linux-security-sensor</param>
+    <param name="filename">velociraptor</param>
+    <param name="versionformat">@PARENT_TAG@~git@TAG_OFFSET@.%h</param>
+    <param name="revision">sensor-base-0.6.7</param>
+    <param name="scm">git</param>
+    <param name="parent-tag">v0.6.7-5</param>
+    <param name="versionrewrite-pattern">v([0-9\.\-]*)-(.*)</param>
+    <param name="versionrewrite-replacement">\1.\2</param>
+    <param name="changesgenerate">enable</param>
+    <param name="submodules">enable</param>
+  </service>
+  <service name="set_version" mode="manual" />
+  <service mode="buildtime" name="tar"/>
+  <service mode="buildtime" name="recompress">
+    <param name="file">*.tar</param>
+    <param name="compression">xz</param>
+  </service>
+</services>
+

_servicedata

@@ -0,0 +1,6 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">https://github.com/SUSE/linux-security-sensor</param>
+              <param name="changesrevision">01be57033daf2e1505c5ac686fb7b25df7cae760</param></service><service name="tar_scm">
+                <param name="url">https://github.com/jeffmahoney/linux-security-sensor</param>
+              <param name="changesrevision">02020f9752134efd8a6a92ab83a7b55b498e1948</param></service></servicedata>

sdjournal-build-fix-for-SLE12.patch

@@ -0,0 +1,18 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: third_party/sdjournal: remove enums missing on SLE-12
+
+The version of systemd on SLE-12 is older and doesn't have these enums.  We
+don't use them, so it's safe to remove them.
+
+--- a/third_party/sdjournal/journal_linux.go
++++ b/third_party/sdjournal/journal_linux.go
+@@ -380,9 +380,6 @@ const (
+         SD_JOURNAL_RUNTIME_ONLY              = int(C.SD_JOURNAL_RUNTIME_ONLY)
+         SD_JOURNAL_SYSTEM                    = int(C.SD_JOURNAL_SYSTEM)
+         SD_JOURNAL_CURRENT_USER              = int(C.SD_JOURNAL_CURRENT_USER)
+-        SD_JOURNAL_OS_ROOT                   = int(C.SD_JOURNAL_OS_ROOT)
+-        SD_JOURNAL_ALL_NAMESPACES            = int(C.SD_JOURNAL_ALL_NAMESPACES)
+-        SD_JOURNAL_INCLUDE_DEFAULT_NAMESPACE = int(C.SD_JOURNAL_INCLUDE_DEFAULT_NAMESPACE)
+ )
+ 
+ // Journal event constants

sysconfig.velociraptor

@@ -0,0 +1,9 @@
+## Path:        Security/Monitoring
+## Description: Velociraptor server settings
+## Type:        string                                                          
+## Default:     ""
+## ServiceRestart: velociraptor
+#
+# Options for velociraptor
+#
+VELOCIRAPTOR_OPTS=""

sysconfig.velociraptor-client

@@ -0,0 +1,9 @@
+## Path:        Security/Monitoring
+## Description: Velociraptor client settings
+## Type:        string                                                          
+## Default:     ""
+## ServiceRestart: velociraptor-client
+#
+# Options for velociraptor-client
+#
+VELOCIRAPTOR_CLIENT_OPTS="-v"

sysconfig.velociraptor-kafka-humio-gateway

@@ -0,0 +1,15 @@
+## Path:        Security/Monitoring
+## Description: Velociraptor Kafka-Humio Gateway settings
+## Type:        string                                                          
+## Default:     ""
+## ServiceRestart: velociraptor
+#
+# Options for velociraptor
+#
+KAFKA_HUMIO_GATEWAY_OPTIONS="--verbose"
+
+#
+# Location of configuration file
+#
+KAFKA_HUMIO_GATEWAY_CONFIG="/etc/velociraptor-kafka-humio-gateway/transport.yml"
+

system-user-velociraptor.sysusers

@@ -0,0 +1,2 @@
+u velociraptor - "Velociraptor User" /var/lib/velociraptor
+g velociraptor - -

update-vendoring.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+cleanup() {
+	test -n "${dir}" && rm -rf "${dir}"
+	if test -n "${gopathdir}"; then
+		chmod -R u+w "${gopathdir}"
+		rm -rf "${gopathdir}"
+	fi
+}
+
+error() {
+	echo "An error occurred.  Exiting." >&2
+}
+
+trap error ERR SIGINT
+trap cleanup EXIT
+set -e
+
+version=$(rpmspec -q --queryformat="%{VERSION}\n" velociraptor.spec|head -1)
+
+dir="$(realpath "$(mktemp -d vendoring.XXXXXX)")"
+topdir="$(realpath "$(dirname "$0")")"
+
+# Pull the %prep section out of the spec file and replace the tarball with the obscpio
+awk '
+BEGIN { go=1; };
+/^%build/ { go=0; };
+{ if (go) print };' < velociraptor.spec > ${dir}/velociraptor.spec
+
+rpmspec -P ${dir}/velociraptor.spec --define "_sourcedir $PWD" --define "_builddir ${dir}"| \
+awk '
+BEGIN { go=0; };
+/^%build/ { go=0; };
+{ if (go) print };
+/^%prep/ { go=1 }' | sed -e "/rpmuncompress.*velociraptor-.*.tar.xz/s#.*#cpio -D . -id < $PWD/velociraptor-${version}.obscpio#" > ${dir}/setup.sh
+
+echo "Running %prep"
+cd ${dir}
+sh -e ${dir}/setup.sh
+cd "${dir}/velociraptor-${version}"
+
+echo "Re-vendoring Go code..."
+gopathdir="$(mktemp -d /tmp/gopath.XXXXXXX)"
+rm -rf vendor
+export GOPATH="$gopathdir"
+
+
+# Vendoring doesn't get along with replaced modules, so symlink to those
+go mod vendor
+replace_module() {
+	local mod=$1
+	local path=$2
+	rm -rf "vendor/${mod}"
+	rel="$(echo $mod|tr A-Za-z0-9_- .|sed -e 's/\.\.\.*/../g')"
+	ln -s "${rel}/${path}" "vendor/${mod}"
+	set -x
+	ls -la vendor/${mod}/
+	set +x
+}
+
+replace_module github.com/aquasecurity/libbpfgo third_party/libbpfgo
+
+tar Jcf ${dir}/vendor-golang-${version}.tar.xz vendor
+cd "${dir}"
+mv vendor-golang-*${version}.tar.xz ${topdir}
+
+cd "${dir}/velociraptor-${version}/contrib/kafka-humio-gateway"
+rm -rf vendor
+go mod vendor
+cd "${dir}/velociraptor-${version}"
+tar Jcf "${dir}/vendor-golang-kafka-humio-gateway-${version}.tar.xz" "contrib/kafka-humio-gateway/vendor"
+
+echo "Re-vendoring nodejs code..."
+cd "${dir}/velociraptor-${version}/gui/velociraptor"
+rm -rf node_modules
+npm install
+cd ../..
+tar Jcf ${dir}/vendor-nodejs-${version}.tar.xz gui/velociraptor/node_modules
+
+cd "${dir}"
+mv vendor-golang-*${version}.tar.xz vendor-nodejs-${version}.tar.xz ${topdir}
+
+for spec in ${topdir}/*.spec; do
+    sed -i "s/^%define vendor_version.*/%define vendor_version ${version}/" ${spec}
+done
+
+echo "Done"

velociraptor-client.config.placeholder

@@ -0,0 +1,20 @@
+# This configuration file can be generated by using
+# velociraptor-client config client --config /path/to/server.conf
+# The following config needs server_urls and ca_certificate defined.
+Client:
+#  server_urls:
+#  - https://velociraptor-server.local:8000/
+#  ca_certificate: |
+#    -----BEGIN CERTIFICATE-----
+#    [CERTIFICATE DATA]
+#    -----END CERTIFICATE-----
+  nonce: oLWIjJR+zJ8=
+  writeback_linux: /var/lib/velociraptor/velociraptor.writeback.yaml
+  max_poll: 60
+  pinned_server_name: VelociraptorServer
+  max_upload_size: 5242880
+  local_buffer:
+    memory_size: 52428800
+    disk_size: 1073741824
+    filename_linux: /var/lib/velociraptor/Velociraptor_Buffer.bin
+

velociraptor-client.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Velociraptor Client Service
+
+[Service]
+Type=simple
+User=root
+Group=root
+UMask=0027
+MemoryHigh=4G
+MemoryMax=8G
+EnvironmentFile=-/etc/sysconfig/velociraptor-client
+Environment=TMPDIR=/var/lib/velociraptor-client/tmp
+ExecStart=/usr/bin/velociraptor-client client --config /etc/velociraptor/client.config $VELOCIRAPTOR_CLIENT_OPTS
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

velociraptor-golang-mage-vendoring.diff

@@ -0,0 +1,19 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: [PATCH] velociraptor: remove ignore tag to allow vendoring of mage
+
+The ignore tag in make.go means it won't be properly vendored.
+
+---
+ make.go |    2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/make.go b/make.go
+index 28b3e90..8fad8b9 100644
+--- a/make.go
++++ b/make.go
+@@ -1,5 +1,3 @@
+-// +build ignore
+-
+ /*
+    Velociraptor - Dig Deeper
+    Copyright (C) 2019-2022 Rapid7 Inc.

velociraptor-kafka-humio-gateway.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Velociraptor Kafka-Humio Gateway Service
+
+[Service]
+Type=simple
+User=velociraptor-kafka
+Group=velociraptor-kafka
+UMask=0027
+User=velociraptor
+Group=velociraptor
+EnvironmentFile=-/etc/sysconfig/velociraptor-kafka-humio-gateway
+ExecStart=/usr/bin/velociraptor-kafka-humio-gateway $KAFKA_HUMIO_GATEWAY_OPTS --config $KAFKA_HUMIO_GATEWAY_CONFIG
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target

velociraptor-kafka.sysusers

@@ -0,0 +1,2 @@
+u velociraptor-kafka - "User for velociraptor Kafka Humio Gateway" /var/lib/velociraptor-kafka-humio-gateway
+g velociraptor-kafka - -

velociraptor-reproducible-timestamp.diff

@@ -0,0 +1,30 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: magefile: use stable timestamps for build
+
+In order to create reprodicible builds, we can't have timestamps that vary
+without anything else changing.
+diff --git a/magefile.go b/magefile.go
+index 16badc2b..76011657 100644
+--- a/magefile.go
++++ b/magefile.go
+@@ -428,10 +428,18 @@ func build_gui_files() error {
+ }
+ 
+ func flags() string {
+-	timestamp := time.Now().Format(time.RFC3339)
++	timestamp := os.Getenv("VELOCIRAPTOR_BUILD_TIME")
++	if timestamp == "" {
++		timestamp = time.Now().Format(time.RFC3339)
++	}
+ 	flags := fmt.Sprintf(` -X "www.velocidex.com/golang/velociraptor/config.build_time=%s"`, timestamp)
+ 
+-	flags += fmt.Sprintf(` -X "www.velocidex.com/golang/velociraptor/config.commit_hash=%s"`, hash())
++	head := os.Getenv("VELOCIRAPTOR_GIT_HEAD")
++	if head == "" {
++		head = hash()
++	}
++
++	flags += fmt.Sprintf(` -X "www.velocidex.com/golang/velociraptor/config.commit_hash=%s"`, head)
+ 
+ 	// If we are running on the CI pipeline we need to know the run
+ 	// number and URL so we can report them.

velociraptor-server.config.placeholder

@@ -0,0 +1,19 @@
+# This configuration file can be generated by using
+# velociraptor config generate
+
+Datastore:
+  implementation: FileBaseDataStore
+  location: /var/lib/velociraptor/data
+Writeback: {}
+Logging:
+  output_directory: /var/lib/velociraptor/logs
+  separate_logs_per_component: true
+  debug:
+    disabled: true
+  info:
+    rotation_time: 604800
+    max_age: 31536000
+  error:
+    rotation_time: 604800
+    max_age: 31536000
+

velociraptor.obsinfo

@@ -0,0 +1,4 @@
+name: velociraptor
+version: 0.6.7.5~git81.01be570
+mtime: 1683679734
+commit: 01be57033daf2e1505c5ac686fb7b25df7cae760

velociraptor.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=Velociraptor Server Service
+
+[Service]
+Type=simple
+UMask=0027
+User=velociraptor
+Group=velociraptor
+EnvironmentFile=-/etc/sysconfig/velociraptor
+Environment=TMPDIR=/var/lib/velociraptor/tmp
+ExecStart=/usr/bin/velociraptor frontend --verbose --config /etc/velociraptor/server.config $VELOCIRAPTOR_OPTS
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target

velociraptor.spec

@@ -0,0 +1,314 @@
+#
+# spec file
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define flavor @BUILD_FLAVOR@%{nil}
+
+%if "%{flavor}" == "client"
+%define build_client 1
+%define build_server 0
+%define build_kafka_humio_gateway 0
+%define name_suffix -client
+%define make_target linux_bare
+%define config_perms %attr(0600, root, root)
+%define state_dir_perms %attr(0700, root, root)
+%else
+%define build_kafka_humio_gateway 1
+%define build_server 1
+%define build_client 0
+%define name_suffix %{nil}
+%define make_target linux
+%define config_perms %attr(0640, root, velociraptor)
+%define state_dir_perms %attr(0700, velociraptor, velociraptor)
+%endif
+
+%define projname velociraptor
+%define vendor_version 0.6.7.5~git77.997aa73
+%define vmlinux_h_version 5.14.21150400.22-150400-default
+
+# SLE 15 SP2 / Leap 15.2 or newer gets eBPF
+# Earlier versions don't have a usable eBPF and the
+# release doesn't easily build llvm13
+%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150200
+%bcond_without bpf
+%else
+%bcond_with bpf
+%endif
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+
+# SLE12 has _sharedstatedir in an odd place
+%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
+%define _sharedstatedir /var/lib
+%endif
+
+Name:           velociraptor%{name_suffix}
+Version:        0.6.7.5~git81.01be570
+Release:        0
+%if %{build_server}
+Summary:        Endpoint visibility and collection tool
+%else
+Summary:        Endpoint visibility and collection tool (endpoint only)
+%endif
+Group:          System/Monitoring
+License:        AGPL-3.0-only
+URL:            https://github.com/Velocidex/velociraptor
+Source:         %{projname}-%{version}.tar.xz
+Source1:        vendor-golang-%{vendor_version}.tar.xz
+Source2:        vendor-golang-kafka-humio-gateway-%{vendor_version}.tar.xz
+Source3:        vendor-nodejs-%{vendor_version}.tar.xz
+Source4:        vmlinux.h-%{vmlinux_h_version}.tar.xz
+Source5:        velociraptor.service
+Source6:        velociraptor-server.config.placeholder
+Source7:        velociraptor-client.service
+Source8:        velociraptor-client.config.placeholder
+Source9:        update-vendoring.sh
+Source10:       sysconfig.velociraptor
+Source11:       sysconfig.velociraptor-client
+Source12:       %{projname}.obsinfo
+Source13:       system-user-velociraptor.sysusers
+Source14:       velociraptor-kafka.sysusers
+Source15:       velociraptor-kafka-humio-gateway.service
+Source16:       sysconfig.velociraptor-kafka-humio-gateway
+Patch1:         velociraptor-golang-mage-vendoring.diff
+Patch2:         vendor-build-fixes-for-SLE12.patch
+Patch3:         sdjournal-build-fix-for-SLE12.patch
+Patch4:         velociraptor-reproducible-timestamp.diff
+BuildRequires:  fileb0x
+BuildRequires:  golang-packaging
+BuildRequires:  mage
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  golang(API) >= 1.18
+BuildRequires:  pkgconfig(libsystemd)
+%if %{build_server}
+BuildRequires:  nodejs >= 18
+BuildRequires:  npm >= 18
+%endif
+%if %{with bpf}
+# clang15 causes libbpfgo to crash immediately
+BuildRequires:  clang16
+BuildRequires:  libelf-devel
+BuildRequires:  libzstd-devel
+BuildRequires:  libzstd-devel
+BuildRequires:  llvm16
+BuildRequires:  zlib-devel
+%endif
+Requires:       group(velociraptor)
+Requires:       user(velociraptor)
+ExclusiveArch:  x86_64 ppc64le aarch64 s390x
+%if %{build_server}
+BuildRequires:  sysuser-tools
+%{?sysusers_requires}
+%endif
+
+%if %{build_server}
+%description
+Velociraptor is a tool for collecting host based state information
+using The Velociraptor Query Language (VQL) queries.
+
+To learn more about Velociraptor, read the documentation on:
+
+https://docs.velociraptor.app/
+
+This package contains the velociraptor server and full console GUI.
+For just the endpoint agent, please install the 'velociraptor-client' package.
+
+%package -n system-user-velociraptor
+Summary:        System user and group 'velociraptor'
+Version:        1.0.0
+License:        Apache-2.0
+Group:          System/Monitoring
+Provides:       group(velociraptor)
+Provides:       user(velociraptor)
+
+%description -n system-user-velociraptor
+This package provides a shared system user for all velociraptor components
+
+%endif
+
+%if %{build_kafka_humio_gateway}
+%package kafka-humio-gateway
+Summary:        Gateway between Kafka and Humio for Velociraptor Artifacts
+Version:        0.6.7.5~git81.01be570
+Requires:       group(velociraptor-kafka)
+Requires:       user(velociraptor-kafka)
+
+%description kafka-humio-gateway
+This tool is used to consume events generated by the Kafka Velociraptor plugin
+and post them to a Humio cluster.
+%endif
+
+%if %{build_client}
+%description
+Velociraptor is a tool for collecting host based state information
+using The Velociraptor Query Language (VQL) queries.
+
+To learn more about Velociraptor, read the documentation on:
+
+https://docs.velociraptor.app/
+
+This package contains only the endpoint agent.  For the full server and GUI
+console, please install the 'velociraptor' package.
+%endif
+
+%prep
+%setup -q -a 1 -a 2 -a 3 -a 4 -n %{projname}-%{version}
+%autopatch -p1
+
+# Set the version to something more specific than <next-tag>-dev
+sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go
+
+%if %{with bpf}
+mkdir -p third_party/libbpfgo/output
+
+cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \
+   third_party/libbpfgo/output/vmlinux.h
+%endif
+
+# These just clutter the GUI and we don't have Windows clients
+# Note: There are dependencies on these that need to be resolved before
+# removing them outright.
+# rm -rf artifacts/definitions/Windows
+
+%build
+
+# Reproductible builds need stable timestamps
+timestamp=$(date -Iseconds --utc --date=@$(grep mtime: %{SOURCE12}|sed -e 's/mtime: //'))
+git_commit=$(grep commit: %{SOURCE12}|sed -e 's/commit: //g')
+
+export VELOCIRAPTOR_BUILD_TIME=$timestamp
+export VELOCIRAPTOR_GIT_HEAD=$git_commit
+
+%if %{build_server}
+(cd gui/velociraptor ; npm run build)
+%sysusers_generate_pre %{SOURCE13} velociraptor-user
+%endif
+
+make %{make_target} BUILD_LIBBPFGO=%{with bpf} GIT=echo
+
+%if %{build_kafka_humio_gateway}
+(cd contrib/kafka-humio-gateway; go build -o %{name}-kafka-humio-gateway)
+%sysusers_generate_pre %{SOURCE16} kafka-user
+%endif
+
+%install
+install -D -d -m 0750 %buildroot/%{_sysconfdir}/velociraptor
+install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/data
+install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/logs
+install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/tmp
+
+%if %{build_server}
+service_file_source=%{SOURCE5}
+config_file_source=%{SOURCE6}
+sysconfig_file_source=%{SOURCE10}
+config_file=server.config
+
+install -D -m 0644 %{SOURCE13} %{buildroot}%{_sysusersdir}/system-user-velociraptor.conf
+%else
+service_file_source=%{SOURCE7}
+config_file_source=%{SOURCE8}
+sysconfig_file_source=%{SOURCE11}
+config_file=client.config
+%endif
+
+install -D -m 0644 "$service_file_source" %{buildroot}%{_unitdir}/%{name}.service
+install -D -m 0644 "$sysconfig_file_source" %{buildroot}%{_fillupdir}/sysconfig.%{name}
+install -D -m 0640 "$config_file_source" "%{buildroot}%{_sysconfdir}/velociraptor/$config_file"
+install -D -m 0755 output/velociraptor-v%{version}-linux-* %buildroot/%{_bindir}/%{name}
+
+%if %{build_kafka_humio_gateway}
+install -D -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/
+install -D -m 0644 %{SOURCE16} %{buildroot}%{_fillupdir}/
+install -D -m 0755 contrib/kafka-humio-gateway/velociraptor-kafka-humio-gateway %buildroot/%{_bindir}
+install -D -m 0644 contrib/kafka-humio-gateway/sample-config.yml \
+		   %buildroot/%{_datadir}/velociraptor-kafka-humio-gateway/sample-config.yml
+install -D -m 0644 %{SOURCE14} %{buildroot}%{_sysusersdir}/velociraptor-kafka.conf
+install -D -d -m 0750 %{buildroot}%{_sysconfdir}/velociraptor-kafka-humio-gateway
+install -D -m 0640 contrib/kafka-humio-gateway/sample-config.yml \
+		   %buildroot/%{_sysconfdir}/velociraptor-kafka-humio-gateway/transport.yml
+%endif
+
+%files
+%defattr(-, root, root)
+%license LICENSE
+%doc README.md
+%{_bindir}/%{name}
+%{_unitdir}/%{name}.service
+%{_fillupdir}/sysconfig.%{name}
+
+%dir %attr(-, root, velociraptor) %{_sysconfdir}/velociraptor
+
+%config(noreplace) %{config_perms} %{_sysconfdir}/velociraptor/*.config
+%dir %{state_dir_perms} %{_sharedstatedir}/%{name}
+%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/data
+%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/logs
+%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/tmp
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+%{fillup_only}
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%if %{build_server}
+%pre -n system-user-velociraptor -f velociraptor-user.pre
+
+%files -n system-user-velociraptor
+%defattr(-, root, root)
+%{_sysusersdir}/system-user-velociraptor.conf
+%endif
+
+%if %{build_kafka_humio_gateway}
+%files kafka-humio-gateway
+%defattr(-, root, root)
+%license LICENSE
+%doc contrib/kafka-humio-gateway/README.md
+%{_bindir}/velociraptor-kafka-humio-gateway
+%dir %{_datadir}/velociraptor-kafka-humio-gateway
+%{_datadir}/velociraptor-kafka-humio-gateway/sample-config.yml
+%{_sysusersdir}/velociraptor-kafka.conf
+%{_unitdir}/velociraptor-kafka-humio-gateway.service
+%{_fillupdir}/sysconfig.velociraptor-kafka-humio-gateway
+%dir %attr(750, root, velociraptor-kafka) %{_sysconfdir}/velociraptor-kafka-humio-gateway
+%config(noreplace) %attr(0640, root, velociraptor-kafka) %{_sysconfdir}/velociraptor-kafka-humio-gateway/transport.yml
+
+%pre kafka-humio-gateway -f kafka-user.pre
+%service_add_pre velociraptor-kafka-humio-gateway.service
+
+%post kafka-humio-gateway
+%{fillup_only -s kafka-humio-gateway}
+%service_add_post velociraptor-kafka-humio-gateway.service
+
+%preun kafka-humio-gateway
+%service_del_preun velociraptor-kafka-humio-gateway.service
+
+%postun kafka-humio-gateway
+%service_del_postun velociraptor-kafka-humio-gateway.service
+
+%endif
+
+%changelog

vendor-build-fixes-for-SLE12.patch

@@ -0,0 +1,137 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: vendor: build fixes for SLE-12
+
+SLE-12 uses gcc 4.8 and as a result requires definition
+of _GNU_SOURCE and -std=c99 to build properly.
+
+--- a/vendor/github.com/Velocidex/go-magic/magic/magic.go
++++ b/vendor/github.com/Velocidex/go-magic/magic/magic.go
+@@ -1,7 +1,7 @@
+ package magic
+ 
+ /*
+- #cgo CFLAGS: -DHAVE_CONFIG_H
++ #cgo CFLAGS: -DHAVE_CONFIG_H -std=c99 -D_GNU_SOURCE -DHAVE_STRNDUP
+  #include <magic.h>
+  #include <stdlib.h>
+ */
+--- a/vendor/github.com/Velocidex/go-magic/magic/regex.c
++++ b/vendor/github.com/Velocidex/go-magic/magic/regex.c
+@@ -24,8 +24,6 @@
+   #pragma alloca
+ #endif
+ 
+-#define _GNU_SOURCE
+-
+ /* We need this for `regex.h', and perhaps for the Emacs include files.  */
+ #include <sys/types.h>
+ 
+--- a/vendor/github.com/Velocidex/go-yara/cgo.go
++++ b/vendor/github.com/Velocidex/go-yara/cgo.go
+@@ -6,6 +6,6 @@
+ 
+ package yara
+ 
+-// #cgo CFLAGS: -D_FILE_OFFSET_BITS=64
++// #cgo CFLAGS: -D_FILE_OFFSET_BITS=64 -std=c99 -D_GNU_SOURCE
+ // #cgo LDFLAGS:
+ import "C"
+--- a/vendor/github.com/Velocidex/go-yara/endian.h
++++ /dev/null
+@@ -1,96 +0,0 @@
+-/*
+-Copyright (c) 2016. The YARA Authors. All Rights Reserved.
+-
+-Redistribution and use in source and binary forms, with or without modification,
+-are permitted provided that the following conditions are met:
+-
+-1. Redistributions of source code must retain the above copyright notice, this
+-list of conditions and the following disclaimer.
+-
+-2. Redistributions in binary form must reproduce the above copyright notice,
+-this list of conditions and the following disclaimer in the documentation and/or
+-other materials provided with the distribution.
+-
+-3. Neither the name of the copyright holder nor the names of its contributors
+-may be used to endorse or promote products derived from this software without
+-specific prior written permission.
+-
+-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-*/
+-
+-#ifndef YR_ENDIAN_H
+-#define YR_ENDIAN_H
+-
+-#include <yara_integers.h>
+-
+-#if defined(__has_builtin)
+-#if __has_builtin(__builtin_bswap16)
+-#define yr_bswap16(x) __builtin_bswap16(x)
+-#endif
+-#endif
+-
+-#if !defined(yr_bswap16) && defined(_MSC_VER)
+-#define yr_bswap16(x) _byteswap_ushort(x)
+-#endif
+-
+-#if !defined(yr_bswap16)
+-uint16_t _yr_bswap16(uint16_t x);
+-#define yr_bswap16(x) _yr_bswap16(x)
+-#endif
+-
+-#if defined(__has_builtin)
+-#if __has_builtin(__builtin_bswap32)
+-#define yr_bswap32(x) __builtin_bswap32(x)
+-#endif
+-#endif
+-
+-#if !defined(yr_bswap32) && defined(_MSC_VER)
+-#define yr_bswap32(x) _byteswap_ulong(x)
+-#endif
+-
+-#if !defined(yr_bswap32)
+-uint32_t _yr_bswap32(uint32_t x);
+-#define yr_bswap32(x) _yr_bswap32(x)
+-#endif
+-
+-#if defined(__has_builtin)
+-#if __has_builtin(__builtin_bswap64)
+-#define yr_bswap64(x) __builtin_bswap64(x)
+-#endif
+-#endif
+-
+-#if !defined(yr_bswap64) && defined(_MSC_VER)
+-#define yr_bswap64(x) _byteswap_uint64(x)
+-#endif
+-
+-#if !defined(yr_bswap64)
+-uint64_t _yr_bswap64(uint64_t x);
+-#define yr_bswap64(x) _yr_bswap64(x)
+-#endif
+-
+-#if defined(WORDS_BIGENDIAN)
+-#define yr_le16toh(x) yr_bswap16(x)
+-#define yr_le32toh(x) yr_bswap32(x)
+-#define yr_le64toh(x) yr_bswap64(x)
+-#define yr_be16toh(x) (x)
+-#define yr_be32toh(x) (x)
+-#define yr_be64toh(x) (x)
+-#else
+-#define yr_le16toh(x) (x)
+-#define yr_le32toh(x) (x)
+-#define yr_le64toh(x) (x)
+-#define yr_be16toh(x) yr_bswap16(x)
+-#define yr_be32toh(x) yr_bswap32(x)
+-#define yr_be64toh(x) yr_bswap64(x)
+-#endif
+-
+-#endif