diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..9095fe1 --- /dev/null +++ b/_multibuild @@ -0,0 +1,4 @@ + + client + + diff --git a/_service b/_service index 125f9e4..9f29119 100644 --- a/_service +++ b/_service @@ -5,8 +5,8 @@ @PARENT_TAG@~git@TAG_OFFSET@.%h sensor-base-0.6.7 git - v0.6.7-4 - v([0-9\.]*)-(.*) + v0.6.7-5 + v([0-9\.\-]*)-(.*) \1.\2 enable enable diff --git a/_servicedata b/_servicedata index 34ec171..7abade5 100644 --- a/_servicedata +++ b/_servicedata @@ -1,6 +1,6 @@ - https://github.com/jeffmahoney/linux-security-sensor - 0e858552af3d6ab57bae796cc3e50ccef36b4aff https://github.com/SUSE/linux-security-sensor - 4a1ed09d50339b902c6446686bd16deedbb23804 \ No newline at end of file + 2bef6fce8e26733a13a3bbfeaa8c4828db1a99ba + https://github.com/jeffmahoney/linux-security-sensor + 02020f9752134efd8a6a92ab83a7b55b498e1948 \ No newline at end of file diff --git a/sysconfig.velociraptor-kafka-humio-gateway b/sysconfig.velociraptor-kafka-humio-gateway new file mode 100644 index 0000000..aa3825a --- /dev/null +++ b/sysconfig.velociraptor-kafka-humio-gateway @@ -0,0 +1,15 @@ +## Path: Security/Monitoring +## Description: Velociraptor Kafka-Humio Gateway settings +## Type: string +## Default: "" +## ServiceRestart: velociraptor +# +# Options for velociraptor +# +KAFKA_HUMIO_GATEWAY_OPTIONS="--verbose" + +# +# Location of configuration file +# +KAFKA_HUMIO_GATEWAY_CONFIG="/etc/velociraptor-kafka-humio-gateway/transport.yml" + diff --git a/update-vendoring.sh b/update-vendoring.sh index 6a51842..cdc1a2e 100644 --- a/update-vendoring.sh +++ b/update-vendoring.sh 
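Review bot: In the new sysconfig.velociraptor-kafka-humio-gateway file the `## Default: ""` header disagrees with the value actually shipped on the line `KAFKA_HUMIO_GATEWAY_OPTIONS="--verbose"`; one of the two should change, and since `--verbose` presumably makes the gateway log more of what it transports, `KAFKA_HUMIO_GATEWAY_OPTIONS=""` with the header left as is looks like the safer default. The `## Type:`/`## Default:` block only describes that first variable; `KAFKA_HUMIO_GATEWAY_CONFIG` gets no such header, so a matching `## Type: string` / `## Default: "/etc/velociraptor-kafka-humio-gateway/transport.yml"` pair above it would keep the file consistent. `## ServiceRestart: velociraptor` names the main velociraptor service although the file is for the gateway; if the gateway runs as its own unit, that line should probably name that unit instead.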
@@ -21,20 +21,23 @@ version=$(rpmspec -q --queryformat="%{VERSION}\n" velociraptor.spec|head -1) dir="$(realpath "$(mktemp -d vendoring.XXXXXX)")" topdir="$(realpath "$(dirname "$0")")" -rpmspec -P velociraptor.spec --define "_sourcedir $PWD" | \ +# Pull the %prep section out of the spec file and replace the tarball with the obscpio +awk ' +BEGIN { go=1; }; +/^%build/ { go=0; }; +{ if (go) print };' < velociraptor.spec > ${dir}/velociraptor.spec + +rpmspec -P ${dir}/velociraptor.spec --define "_sourcedir $PWD" --define "_builddir ${dir}"| \ awk ' BEGIN { go=0; }; /^%build/ { go=0; }; { if (go) print }; -/^%setup/ { go=1 }' > ${dir}/setup.sh - -echo "Expanding archive..." -cpio -D "${dir}" -id < velociraptor-${version}.obscpio +/^%prep/ { go=1 }' | sed -e "/rpmuncompress.*velociraptor-.*.tar.xz/s#.*#cpio -D . -id < $PWD/velociraptor-${version}.obscpio#" > ${dir}/setup.sh echo "Running %prep" +cd ${dir} +sh -e ${dir}/setup.sh cd "${dir}/velociraptor-${version}" -tar Jxf ${topdir}/vmlinux.h-5.14.21150400.22-150400-default.tar.xz -sh ${dir}/setup.sh echo "Re-vendoring Go code..." gopathdir="$(mktemp -d /tmp/gopath.XXXXXXX)" diff --git a/velociraptor-0.6.7.4~git63.4a1ed09d.obscpio b/velociraptor-0.6.7.4~git63.4a1ed09d.obscpio deleted file mode 100644 index 1f73be8..0000000 --- a/velociraptor-0.6.7.4~git63.4a1ed09d.obscpio +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7fb845e3c71742cdfd51fd4b7eb0587c9a8ba9894874a5d6353fbf375a733f6d -size 127596558 diff --git a/velociraptor-0.6.7.5~git78.2bef6fc.obscpio b/velociraptor-0.6.7.5~git78.2bef6fc.obscpio new file mode 100644 index 0000000..ba3a10b --- /dev/null +++ b/velociraptor-0.6.7.5~git78.2bef6fc.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:638b6e6ef4d9146cd59ba9252358f1605b64af59ab902f1b919be6e6fe8c38e4 +size 130006542 diff --git a/velociraptor-client.changes b/velociraptor-client.changes deleted file mode 100644 index ae8c431..0000000 
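Review bot: The added lines expand `${dir}` unquoted in `> ${dir}/velociraptor.spec`, `cd ${dir}` and `sh -e ${dir}/setup.sh`, while the unchanged context quotes the same variable (`cd "${dir}/velociraptor-${version}"`); `dir` is the realpath of a `mktemp -d` created under the working directory, so a path containing whitespace breaks these lines. The new `sed -e "/rpmuncompress.*velociraptor-.*.tar.xz/s#.*#cpio -D . -id < $PWD/velociraptor-${version}.obscpio#"` also interpolates `$PWD` straight into the `s#…#…#` command, so a `#`, `&` or backslash in the working-directory path alters the sed expression rather than the cpio path. Quote the three lines as `> "${dir}/velociraptor.spec"`, `cd "${dir}"` and `sh -e "${dir}/setup.sh"`, and either escape `$PWD` before substituting it or have the sed replacement reference `${dir}` through a value known not to contain sed metacharacters. With the `tar Jxf ${topdir}/…` line gone, `topdir` has no remaining use inside this hunk; the script continues outside the hunk, so if nothing later reads it the assignment can be dropped as well.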
--- a/velociraptor-client.changes +++ /dev/null 
@@ -1,1097 +0,0 @@ -------------------------------------------------------------------- -Thu Jan 26 20:06:09 UTC 2023 - jeffm@suse.com - -- Update to version 0.6.7.4~git63.4a1ed09d: - * utils/time.js: fix handling of nanosecond-resolution timestamps -- Added patches: - * velociraptor-reproducible-timestamp.diff - -------------------------------------------------------------------- -Tue Jan 24 20:57:08 UTC 2023 - Jeff Mahoney - -- Use obsinfo mtime to produce stable build timestamp (bsc#1207369). - -------------------------------------------------------------------- -Tue Jan 24 15:07:09 UTC 2023 - jeffm@suse.com - -- Update to version 0.6.7.4~git60.8abed37a: - * http_comms: create ring buffer temporary file in the same directory - * cronsnoop: plumb in real scope logging - * cronsnoop: don't treat routine errors as fatal - * cronsnoop: fix typo - -------------------------------------------------------------------- -Sat Jan 21 04:07:38 UTC 2023 - Jeff Mahoney - -- Fixed release detection to include Tumblweed - -------------------------------------------------------------------- -Sat Jan 21 02:20:07 UTC 2023 - Jeff Mahoney - -- Increase required release to enable eBPF to SLE 15 SP2 and - openSUSE Leap 15.2. Earlier versions don't have a usable eBPF - and can't easily build llvm13. - -------------------------------------------------------------------- -Sat Jan 21 01:44:59 UTC 2023 - Jeff Mahoney - -- Remove dependency on bpftool. We use the vmlinux.h archive - to provide vmlinux.h. - -------------------------------------------------------------------- -Fri Jan 20 20:18:49 UTC 2023 - Jeff Mahoney - -- Restored %defattr due to SLE12 using rpm-4.11. 
-- Fix builds in vendor code on SLE12 -- Fix build in third_party/sdjournal due to older systemd on SLE12 -- Added patches: - - vendor-build-fixes-for-SLE12.patch - - sdjournal-build-fix-for-SLE12.patch - -------------------------------------------------------------------- -Fri Jan 20 16:37:17 UTC 2023 - Dirk Müller - -- add memory limit to systemd unit - ---------------------------------------------------------------------- -Thu Jan 19 15:17:22 UTC 2023 - Jeff Mahoney - -- Restore requirement to build with clang13. Newer versions - cause libbpfgo to crash immediately. - ------------------------------------------------------------------ -Thu Jan 19 14:36:42 UTC 2023 - Jeff Mahoney - -- Added support for setting command line options via sysconfig - -------------------------------------------------------------------- -Thu Jan 19 05:00:55 UTC 2023 - Jeff Mahoney - -- Update to version 0.6.7.4~git53.0e85855: - * sdjournal: work around missing _SYSTEMD_UNIT fields - -------------------------------------------------------------------- -Thu Jan 19 01:01:09 UTC 2023 - Jeff Mahoney - -- Clean up for Factory submission: - - Make bpf-enabled builds conditional - - Removed %defattr and combined service lines. - - Change clang and llvm dependencies to use >= 13 - - Newer versions of clang hit a DWARF parsing bug in go < 1.19, - so increase go version dependecy - - Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x - Neither the client or server builds on ix86. - -------------------------------------------------------------------- -Mon Jan 9 16:01:44 UTC 2023 - Jeff Mahoney - -- Added Restart=on-failure to restart the client automatically. 
- -------------------------------------------------------------------- -Mon Dec 12 20:03:03 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.7.4~git51.a588d6e4: - * magefile.go: use current architecture for Linux builds - * Update libbpfgo submodule to include non-AMD64 build fixes - * bpf: bpf expects s390 instead of s390x - -------------------------------------------------------------------- -Wed Dec 07 04:21:36 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.7.4~git46.5d88d80: - * contrib/kafka-humio-gateway: add new debug option for noisy events - * contrib/kafka-humio-gateway: backoff and retry for metadata - * vql/server/kafka: connect sarama logging to velociraptor logging - * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries - * vql/server/kafka: set appropriate ClientID - -------------------------------------------------------------------- -Wed Dec 07 02:49:56 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.7.4~git41.678ed56: - * rpm: introduce rpm vql plugin - * users: extend DeleteUser testcase to ensure org membership was dropped - * users: ensure baseline user state is correct - * github: run testcases on Linux builds in new workflow - * gui/reporting: update bluemonday dependency to latest - * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() - * SUSE: Add docker-compose environment - * SUSE: add Docker files - * clients/host-info.js: add MAC addresses to client dashboard - * linux: Add ability to interrogate system and network configuration - * Add Linux.Sys.Bash to Server.Monitor.Shell artifact - * kafka-humio-gateway: add sample config file - * Updating the NewFiles and ProcessStatuses Artifacts - * cronsnoop: rework testcases to use t.TempDir - * vql/linux/cronsnoop: Add cronsnoop() plugin - * Extend audit artifacts to use new interface - * audit: rearchitect plugin to scale better with multiple invocations - * audit: use caller-allocated buffer - * use github.com/jeffmahoney/go-libaudit/v2 for 
audit - * Kafka.Events.Client: Update to use new artifactset type - * Add artifact for chattrsnoop plugin - * bpflib: ensure it's built only on linux and when requesting bpf - * Add chattrsnoop plugin - * Add artifact to monitor user group updates (#24) - * vql/linux/dnssnoop: Add dnssnoop() plugin - * Log Sudo/root command by auditd - * Add custom artifacts for login and logout attempts recorded by auditd - * Add tcpsnoop plugin - * vql/linux/bpflib: add helper package for bpf plugins - * libbpfgo: add submodule with forked repo for fully static builds - * Add Kafka-Humio Gateway [Depends on PR#10] (#8) - * Add a Kafka export plugin - * SUSE: Add SSHLogin artifacts - * SUSE: Do build tests on every pull request - * Add systemd-dev as build dependency for github workflow - * Update the Linux.Events.SSHLogin artifact to scan the systemd journal - * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal - * Add parser to read systemd journal on Linux - * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path - * linux: add lsattr() function to enumerate file attributes - * Github: Run build workflow on each pull request - * More fixes for Windows.System.VAD (#2317) (#2318) - * Bugfix: When org is not specified this JS code raised (#2315) (#2316) - -------------------------------------------------------------------- -Tue Dec 06 21:53:43 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.7.3~git41.fa6afa7: - * rpm: introduce rpm vql plugin - * users: extend DeleteUser testcase to ensure org membership was dropped - * users: ensure baseline user state is correct - * github: run testcases on Linux builds - * gui/reporting: update bluemonday dependency to latest - * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() - * SUSE: Add docker-compose environment - * SUSE: add Docker files - * clients/host-info.js: add MAC addresses to client dashboard - * linux: Add ability to interrogate system and network configuration - * Add 
Linux.Sys.Bash to Server.Monitor.Shell artifact - * kafka-humio-gateway: add sample config file - * Updating the NewFiles and ProcessStatuses Artifacts - * cronsnoop: rework testcases to use t.TempDir - * vql/linux/cronsnoop: Add cronsnoop() plugin - * Extend audit artifacts to use new interface - * audit: rearchitect plugin to scale better with multiple invocations - * audit: use caller-allocated buffer - * use github.com/jeffmahoney/go-libaudit/v2 for audit - * Kafka.Events.Client: Update to use new artifactset type - * Add artifact for chattrsnoop plugin - * bpflib: ensure it's built only on linux and when requesting bpf - * Add chattrsnoop plugin - * Add artifact to monitor user group updates (#24) - * vql/linux/dnssnoop: Add dnssnoop() plugin - * Log Sudo/root command by auditd - * Add custom artifacts for login and logout attempts recorded by auditd - * Add tcpsnoop plugin - * vql/linux/bpflib: add helper package for bpf plugins - * libbpfgo: add submodule with forked repo for fully static builds - * Add Kafka-Humio Gateway [Depends on PR#10] (#8) - * Add a Kafka export plugin - * SUSE: Add SSHLogin artifacts - * SUSE: Do build tests on every pull request - * Add systemd-dev as build dependency for github workflow - * Update the Linux.Events.SSHLogin artifact to scan the systemd journal - * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal - * Add parser to read systemd journal on Linux - * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path - * linux: add lsattr() function to enumerate file attributes - * Github: Run build workflow on each pull request - * Bugfix: Do not materialize the VAD array in Windows.System.VAD (#2311) - * Sync to master's bugfixes (#2309) - * Prepare for 0.6.7-2 release (#2300) - * 0.6.7 sync (#2261) - * 0.6.7 sync3 (#2256) - * 0.6.7 sync (#2239) - * Prepare a 0.6.7-rc3 (#2217) - * Bugfix: sparse files were not properly detected. (#2200) (#2201) - * Propagate progress timeout for collections. 
(#2193) - * Verify client's key with or without the org id. (#2192) - * Add Windows.System.Shares (#2191) - * Allow artifacts to have aliases (#2190) - * Added a regex_array column type to allow multiple regex to be set. (#2188) - * [Snyk] Upgrade react-router-dom from 5.3.3 to 5.3.4 (#2180) - * Add 'UsedBy' column to results (#2186) - * Update flow and hunt download exports to use the container (#2185) - * Disable toolbar buttons when no options are available (#2183) - * Allow hunts to be scheduled on multiple orgs (#2182) - * Update WIndows PSList and VAD artifacts (#38) (#2181) - * Add in amcache (#2176) - * Added additional sources for UserAccessLogs (aka SUM) artifact (#2179) - * Fixed tests (#2177) - * [Snyk] Upgrade styled-components from 5.3.5 to 5.3.6 (#2174) - * Page Cell logs in notebook (#2172) - * Break client connection stats by org id (#2171) - * Added a remapping export to Windows.Registry.NTUser (#2170) - * Added tlsh hash (#2169) - * Check sparse files for large size before padding them out. (#2167) - * Linux and macOS Packet Capture Artifact Updates (#2168) - * Update deps (#2166) - * Add some suggested groks for parsing IIS logs (#2165) - * Refactor collection container (#2163) - * Implement transparent decryption for collector accessor (#2162) - * [Snyk] Upgrade ace-builds from 1.11.0 to 1.11.1 (#2161) - * Automatically decrypt collections with collector accessor (#2159) - * Fix css colors. (#2158) - * [Snyk] Upgrade ace-builds from 1.10.1 to 1.11.0 (#2156) - * Retry reads on EOF in NTFS accessor (#2157) - * Updated zip implementation to support crypto (#2155) - * Target 'Cmdline' instead of 'CommandLine' (#2154) - * Bugfix: Extra interpolation when client logs messages with % (#2152) - * Add 'Active' column to show whether or not a firewall rule is enabled. (#2150) - * Added test for encrypted offline collector. 
(#2149) - * Update parsing for Dock plist details (#2148) - * Implement filter for large artifact forms (#2147) - * Add Public Key Encryption Support to Offline Collections (#2133) - * Implemented a max memory grouper (#2146) - * Check if setgid flag is set (#2145) - * [Snyk] Upgrade react-overlays from 5.2.0 to 5.2.1 (#2144) - * Add context to yara.NTFS (#36) (#2143) - * Add `auth_redirect_template` config for handling unauthorized API calls (#2140) - * Allow the user to specify a collection as urgent (#2139) - * Fix typo, slightly improve translations (de,fr) (#2137) - * Add 'CronScripts' query/source and 'Length' option (#2138) - * Check sanity of inventory service for all orgs (#2136) - * Change 'filename' to 'file' for upload (#2135) - * Sync with latest NTFS changes. (#2134) - * [Snyk] Upgrade classnames from 2.3.1 to 2.3.2 (#2130) - * Added URLRegex to FireFox history (#2129) - * Link to collection in host shell (#2128) - * additional references (#2126) - * Sync to go-ntfs (#2125) - * Provide the option to expand sparse files in export (#2124) - * Bugfix: Process address space lockup under some conditions (#2123) - * Added URLRegex to Firefox and Chrome history (#2122) - * Add note about RecentApps key not being available after Windows 10, version 1803 (#2119) - * Expose the communicator's crypto manager (#2118) - * Further refactor of the download handler. (#2117) - * [Snyk] Upgrade ace-builds from 1.10.0 to 1.10.1 (#2114) - * Uploaded files are now shows with client paths (#2116) - * [Snyk] Upgrade recharts from 2.1.13 to 2.1.14 (#2115) - * Maintain row count per query. 
(#2113) - * Update Trackaccount.yaml (#2112) - * Clean up artifact references (#2111) - * Prevent null error when choosing to calculate hash and when providing authenticode information (#2109) - * Add Length option and re-arrange output (#2107) - * Bugfix: Merge file option should work with config show (#2108) - * Always write content to lock files (#2106) - * [Snyk] Upgrade ace-builds from 1.9.6 to 1.10.0 (#2102) - * Authentication configuration error reporting/validation (#2101) - * auth: don't return a base path with two leading slashes (#2100) - * Added org report in root org dashboard (#2098) - * [Snyk] Upgrade react-bootstrap from 1.6.5 to 1.6.6 (#2094) - * [Snyk] Upgrade humanize-duration from 3.27.2 to 3.27.3 (#2095) - * authenticode is a function and not a plug (#2092) - * Allow '+' in usernames (#2093) - * Attempt to decompress client messages if errors occur. (#2088) - * Pass org config to mutations in MemcacheFileDataStore (#2087) - * Support oauth with a different base path. (#2082) - * Allow client->server compression to be disabled (#2081) - * Keep track of collected results using collection status (#2075) - * Enforce a hard timeout for incoming processing (#2074) - * Expand API of user service to include context (#2071) - * When creating a new org pass the new org id to the acl function (#2068) - * Allow collect_client() etc to accept ArtifactSpec protobuf (#2067) - * Only create initial orgs on first run. (#2066) - * Bugfix: Do not start multiple communicators in windows service. 
(#2064) - * Added initial_orgs to the config (#2063) - * Bugfix- Server.Utils.DeleteClient over sanitized client id (#2061) - * Fixed backwards compatible bug (#2057) - * [Snyk] Upgrade ace-builds from 1.9.5 to 1.9.6 (#2055) - * Fixed CSS for column selector ui (#2053) - * Split server sanity checks into root org and other orgs (#2052) - * collect each query's status separately (#2049) - * Pass org ids in href parameters (#2047) - * Org manager maintains services lifetime (#2045) - * Added org_delete() function to remove orgs. (#2042) - * Updated themes for context menu (#2041) - * Made context menus settable in the config file (#2040) - * Added Send to CyberChef context menu on table cells. (#2039) - * [Snyk] Upgrade ace-builds from 1.9.3 to 1.9.5 (#2037) - * [Snyk] Upgrade ace-builds from 1.8.1 to 1.9.3 (#2033) - * Bugfix: watch_usn() was not flushing the mft LRU properly (#2032) - * Bugfix: Maintain field order in sysmon based tracker (#2030) - * Added regex protocols for int, float etc. (#2028) - * Refactor client monitoring API to use service (#2027) - * Bugfix: Switch GUI to first available org (#2025) - * Update Linux pslist() to use CommandLine column (#2024) - * Add embedded stager parse usecase (#34) (#2023) - * update to clean up null fields (#2020) - * Refactor code to propagate the context in more cases. (#2019) - * Bugix: Raw file accessor had different behaviour on Windows (#2018) - * Cater for unknown parents in process tracker. 
(#2015) - * Fix sense of multiple regexp in all() function (#2014) - * Added all() and any() VQL functions (#2013) - * Capitalize 'i' in config generation output (#2012) - * Fixed crash in api_client command (#2010) - * Update UserAccessLogs.yaml (#2009) - * Fixed bug in UserAccessLog artifact (#2008) - * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 (#2000) - * Collect domain role info on interrogate (#1998) - * Added new GUI column type for tree (#1997) - * Fixed CSS to make column selector more visible (#1996) - * Send a System.Upload.Completion event on server artifact upload (#1995) - * Refactor of oauth code (#1993) - * Added some helpful server artifacts (#1992) - * Bugfix: "rpm server" command did not produce minion packages (#1991) - * Add ability to delete monitoring events. (#1990) - * Allow notebook GUI to set notebooks to public. (#1989) - * Allow the user to change password in the GUI (#1988) - * Added a delay() VQL function (#1987) - * Fixed a crash when add_monitoring was called without parameters. (#1986) - * Allow hunt() to limit by OS condition (#1985) - * [Snyk] Upgrade ace-builds from 1.7.1 to 1.8.1 (#1984) - * Fix "last_visit_time" timestamp (#1983) - * Added Generic.System.ProcessSiblings (#1982) - * [Snyk] Upgrade bootstrap from 4.6.1 to 4.6.2 (#1979) - * General cleanup (#1977) - * Update BinaryRename.yaml (#1976) - * Support multi orgs in server-server communication (#1975) - * Inventory service should upload tools to global public directory (#1973) - * fixed path issue (#1972) - * Support REG_MULTI_SZ in raw registry accessor (#1969) - * fix: upgrade interactjs from 1.10.16 to 1.10.17 (#1968) - * Update prefetch library to fix bug (#1965) - * The "fs" accessor should also be org sensitive. 
(#1964) - * Added user_grant() VQL function (#1963) - * fix: upgrade interactjs from 1.10.14 to 1.10.16 (#1961) - * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1960) - * Several security related bugfixes. (#1962) - * Fixed bug in watch_evtx() (#1955) - * fix: upgrade ace-builds from 1.7.0 to 1.7.1 (#1952) - * Fixed visted_url typo (#1953) - * Added NewOrg artifact to make creating new orgs easier. (#1951) - * Fix broken deps due to snyke merge (#1950) - * build(deps): bump terser from 4.8.0 to 4.8.1 in /gui/velociraptor (#1946) - * fix: upgrade recharts from 2.1.11 to 2.1.12 (#1945) - * fix: upgrade @fortawesome/react-fontawesome from 0.1.18 to 0.2.0 (#1948) - * Added orgs() plugin and user management (#1949) - * fix: upgrade ace-builds from 1.6.1 to 1.7.0 (#1944) - * Add new embedded pe in data section parse (#1943) - * Refactor startup code (#1942) - * fix: upgrade qs from 6.10.4 to 6.11.0 (#1941) - * fix: upgrade recharts from 2.1.10 to 2.1.11 (#1939) - * fix: upgrade ace-builds from 1.6.0 to 1.6.1 (#1938) - * Added artifact Windows.Attack.IncorrectImagePath (#1927) - * Account for pid reuse in process tracker. (#1936) - * add precondition for only windows (#1935) - * Make ddclient service parameters configurable (#1933) - * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1930) - * fix: upgrade interactjs from 1.10.13 to 1.10.14 (#1918) - * replace YaraUrl type (#1922) - * Add other url yara fixes (#1921) - * Update Glob.yaml (#1920) - * Fixed bug in startup code. (#1919) - * Initial commit of multitenant support (#1917) - * Adds three Linux artifacts (#1916) - * Fixed a crash when using artifact plugin with tools (#1915) - * Added a collector accessor (#1912) - * fix: upgrade interactjs from 1.10.11 to 1.10.13 (#1909) - * fix: upgrade qs from 6.10.3 to 6.10.4 (#1910) - * Japanese translation (#1906) - * Fix spanish translations. 
(#1907) - * fix: upgrade react-overlays from 5.1.2 to 5.2.0 (#1904) - * Add Shimcache reformat (#1892) - * A couple of performance tweaks. (#1903) - * Fix Amcache artifact (#1902) - * Retry axios requests (#1901) - * Revert "fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899)" (#1900) - * fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899) - * Use the auto accessor as first level of VFS (#1898) - * Theme fixes (#1895) - * Added additional logging for windows client service (#1894) - * Theme updates (#1893) - * Prepare for release 0.6.5 (#1890) - * Bugfix: CPU limit was not properly enforced on endpoint. (#1889) - * fix: upgrade react-calendar-timeline from 0.27.0 to 0.28.0 (#1887) - * fix: upgrade ace-builds from 1.5.1 to 1.5.2 (#1888) - * Improve the Windows.Sys.StartupItems artifact (#1886) - * Fixed the --remap flag (#1883) - * Fixed bug in client_delete() (#1882) - * Added a delete_flow VQL plugin (#1880) - * Add fix for generic bin file payload (#1879) - * Bugfix: Notebook calculation did not update cell (#1878) - * fix: upgrade humanize-duration from 3.27.1 to 3.27.2 (#1877) - * Revised Portuguese translation (#1876) - * Update usn.go (#1873) - * Added French language (#1874) - * Updated german translation (#1875) - * Refactor artifact plugin to be more efficient. 
(#1871) - * Update de.js (#1870) - * fix: upgrade ace-builds from 1.5.0 to 1.5.1 (#1867) - * Refactor server artifacts service (#1868) - * Refactored notebook into a service (#1863) - * fix: upgrade react-router-dom from 5.3.2 to 5.3.3 (#1861) - * fix: upgrade recharts from 2.1.9 to 2.1.10 (#1862) - * Bugfix: raw registry accessor supports read_file() (#1859) - * Add LogHunter - a generic grep over log capability (#1853) - * Added a GUI element to easily filter log messages (#1858) - * Added an oidc-cognito authenticator (#1854) - * build(deps): bump tar from 6.0.5 to 6.1.11 in /gui/velociraptor (#1852) - * fix: upgrade react-router-dom from 5.3.1 to 5.3.2 (#1850) - * Fix ACE font handling (#1849) - * Format timestamps opportunistically. (#1848) - * Update cidr_contains() to return true if any of the ranges match. (#1847) - * Sync KapeFiles and SQLECmd artifacts (#1845) - * Prepare 0.6.5-rc1 release (#1844) - * Added a default process tracker (#1843) - * Implement log levels in VQL (#1839) - * Theme development checkpoint (#1838) - * fix: upgrade ace-builds from 1.4.14 to 1.5.0 (#1836) - * fix: upgrade react-bootstrap from 1.6.4 to 1.6.5 (#1837) - * Added an LRU VQL function (#1835) - * Bugfix: VFS viewer was unable to access files with \ in name (#1832) - * use group SID instead of name to get local admins (#1833) - * Added Portuguese and Spanish languages (#1831) - * fix: upgrade react-overlays from 5.1.1 to 5.1.2 (#1830) - * Make display timezone user selectable (#1827) - * Added Musl build target (#1826) - * Fix deadlock in hunt dispatcher (#1825) - * Theme tweaks (#1821) - * add groupname parameter to LocalAdmins artifact (#1823) - * Fix/activitescache glob expression - Timeline.yaml (#1824) - * Update TemplateInjection.yaml (#1820) - * Prevent text wrap on sidebar (#1819) - * Added some missing translations (#1817) - * Added Deutsch UI Language (#1816) - * Support UNC paths in windows accessors. 
(#1815) - * Add enrichment callback for process tracker (#1814) - * Prevent null FailureActions error (#1811) - * Make ACL manager pluggable. (#1813) - * Allow custom override for GUI artifacts by default (#1810) - * Refactored hunt related functions to use the hunt_dispatcher (#1807) - * artifactset: add ability to select named sources (#1809) - * UI enhancements (#1805) - * Refactor: Create user manager service (#1804) - * New themes and refactoring of existing CSS (#1801) - * Bugfix: Server monitoring queries were not correctly cancelled. (#1803) - * Add gunzip function (#1802) - * GUI: Artifact selector (#1790) - * Refactor and improve the way clients send query related information (#1800) - * fix: upgrade axios from 0.26.1 to 0.27.2 (#1798) - * Add Cobalt Strike carver sleep function capability (#1795) - * Bugfix: Create new buffer to accumulate VQL results (#1794) - * Make velociraptor_client executable in postint script (#1788) - * Support addition on dicts (#1785) - * fix: upgrade moment from 2.29.2 to 2.29.3 (#1782) - * fix: upgrade react-router-dom from 5.3.0 to 5.3.1 (#1783) - * Reset nanny when client connection failed. (#1780) - * Fix artifacts that use yara parameters to specify yara type (#1779) - * SysmonInstall artifact now skips install if not needed (#1777) - * Suppress warning message for offline collector (#1776) - * Bug fix (#1774) - * Avoid bash process lingering around while server is running (#1775) - * oidc: Fix typo: Genric -> Generic (#1773) - * Make MaxWait for event table settable. (#1772) - * Fixed bug in Windows.Detection.Yara.Process (#1771) - * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770) - * Initial implementation of client side process tracker. 
(#1768) - * Bugfix: Client did not update list of query columns (#1767) - * Fixed bug in ETWSessions artifact (#1766) - * build(deps): bump async from 2.6.3 to 2.6.4 in /gui/velociraptor (#1761) - * Add update to ADSHunter for better output on complete system hunts (#28) (#1765) - * Add fix for dupliate entries from flattern bug (#1760) - * build(deps): bump ejs from 3.1.6 to 3.1.7 in /gui/velociraptor (#1758) - * build(deps): bump cross-fetch from 3.1.3 to 3.1.5 in /gui/velociraptor (#1759) - * Fix undefined types in some artifact parameters (#1757) - * Update Glob.yaml (#1754) - * Bugfix: Unable to set cpu limits in hunt GUI (#1751) - * Support case insensitive notebook cell types (#1747) - * Fixed a bug in the Userassist artifact (#1746) - * Bugfix: Hunt stats were not properly incremented (#1744) - * Invalidate transformed cache when the base table changes. (#1742) - * GUI Table widgets now can apply transformations on the table. (#1740) - * Update FilenameSearch.yaml (#1741) - -------------------------------------------------------------------- -Fri Nov 11 21:12:02 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4.2~git86.b5931f7: - * cleanup: go mod tidy -- Fix vendoring of replaced modules. 
-- Only require libtsan0 on x86_64 -- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist - -------------------------------------------------------------------- -Fri Nov 11 20:13:00 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4.2~git84.1b38fda: - * Clean up libbpfgo mess - * libbpfgo: use forked repo for fully static builds - * libbpfgo: sync to v0.4.4-libbpf-1.0.1 - * contrib/kafka-humio-gateway: add new debug option for noisy events - * contrib/kafka-humio-gateway: backoff and retry for metadata - * vql/server/kafka: connect sarama logging to velociraptor logging - * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries - * vql/server/kafka: set appropriate ClientID - * libbpfgo: add selftest to build so testcases work - * cronsnoop: rework testcases to use t.TempDir - * cronsnoop: move external dependencies to end of import list - * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() - -------------------------------------------------------------------- -Fri Nov 11 20:08:20 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4.2~git67.85b608e: - * clients/host-info.js: add MAC addresses to client dashboard - * linux: Add ability to interrogate system and network configuration - * SUSE: Add docker-compose environment - * SUSE: add Docker files - * Add Linux.Sys.Bash to Server.Monitor.Shell artifact - * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 - * kafka-humio-gateway: add sample config file - * Updating the NewFiles and ProcessStatuses Artifacts - * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37) - * third_party/go-libaudit: don't directly use unix.* - * Add Linux.Remediation.Quarantine artifact - * Extend audit artifacts to use new interface - * audit: rearchitect plugin to scale better with multiple invocations - * third_party/go-libaudit: move handling of receive buffer to caller - * third_party/go-libaudit: move buffer handling from 
netlink to audit - * third_party/go-libaudit: allow audit fd to be pollable - * third_party/go-libaudit: Add support for removing individual rules - * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls - * third_party/go-libaudit: Report missing rules during deletion - * import go-libaudit as a third-party module - * quarantine: actually call the OS-specific artifact - * artifactset: add ability to select named sources - * GUI: Artifact selector (#1790) - * host-info: make quarantine UI more robust with non-Windows client hosts - * shell-viewer: default to Bash on non-Windows clients - -------------------------------------------------------------------- -Thu Nov 10 15:22:27 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4.2~git70.b7df8172: - * file_store: handle watching artifacts with named sources - -------------------------------------------------------------------- -Thu Sep 29 14:16:05 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4.2~git68.5226b23b: - * api/authenticators/basic: fix logoff endpoint - * clients/host-info.js: add MAC addresses to client dashboard - * linux: Add ability to interrogate system and network configuration - * SUSE: Add docker-compose environment - * SUSE: add Docker files - * Add Linux.Sys.Bash to Server.Monitor.Shell artifact - -------------------------------------------------------------------- -Fri Aug 19 21:07:30 UTC 2022 - Jeff Mahoney - -- Updated vendoring. -- Fixed update-vendoring script to use an independent go module cache. 
- -------------------------------------------------------------------- -Fri Aug 19 01:59:35 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4.2~git59.5ebb49db: - * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 - -------------------------------------------------------------------- -Thu Aug 11 19:40:21 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4.2~git57.fcb11adf: - * kafka-humio-gateway: add sample config file - -------------------------------------------------------------------- -Fri Jul 15 14:30:49 UTC 2022 - Jeff Mahoney - -- Updated BuildRequires to use go 1.17 after updating vendoring - -------------------------------------------------------------------- -Fri Jul 15 02:24:03 UTC 2022 - Jeff Mahoney - -- Add vmlinux.h from 5.18.9-2-default to provide type information (x86_64 only) - -------------------------------------------------------------------- -Fri Jul 15 00:00:39 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4.2~git56.47b4adb4: - * Updating the NewFiles and ProcessStatuses Artifacts - * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37) - * third_party/go-libaudit: don't directly use unix.* - * Add Linux.Remediation.Quarantine artifact - * Extend audit artifacts to use new interface - * audit: rearchitect plugin to scale better with multiple invocations - * third_party/go-libaudit: move handling of receive buffer to caller - * third_party/go-libaudit: move buffer handling from netlink to audit - * third_party/go-libaudit: allow audit fd to be pollable - * third_party/go-libaudit: Add support for removing individual rules - * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls - * third_party/go-libaudit: Report missing rules during deletion - * import go-libaudit as a third-party module - * quarantine: actually call the OS-specific artifact - * artifactset: add ability to select named sources - * GUI: Artifact selector (#1790) - * host-info: make 
quarantine UI more robust with non-Windows client hosts - * shell-viewer: default to Bash on non-Windows clients - -------------------------------------------------------------------- -Thu May 12 20:15:26 UTC 2022 - Jeff Mahoney - -- Update to upstream 0.6.4-2: - * Reset nanny when client connection failed. (#1780) - * Fix artifacts that use yara parameters to specify yara type (#1779) - * Update release for bugfixes 0.6.4-2 - * Add update to ADSHunter for better output on complete system hunts (#28) (#1765) - * SysmonInstall artifact now skips install if not needed (#1777) - * Initial implementation of client side process tracker. (#1768) - * Invalidate transformed cache when the base table changes. (#1742) - * GUI Table widgets now can apply transformations on the table. (#1740) - * Suppress warning message for offline collector (#1776) - * Bug fix (#1774) - * Avoid bash process lingering around while server is running (#1775) - * oidc: Fix typo: Genric -> Generic (#1773) - * Make MaxWait for event table settable. (#1772) - * Fixed bug in Windows.Detection.Yara.Process (#1771) - * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770) - * Bugfix: Client did not update list of query columns (#1767) - * Merge bugfixes from master branch. (#1769) -- Revendored dependencies. 
- -------------------------------------------------------------------- -Thu May 12 19:21:56 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4~git31.4298eab0: - * Add artifact for chattrsnoop plugin - * bpflib: ensure it's built only on linux and when requesting bpf - * Add chattrsnoop plugin - * tcpsnoop: Properly close module in case of attach error - * Elastic.Events.Client: Update to use new artifactset type - * Kafka.Events.Client: Update to use new artifactset type - * artifacts: add artifactset parameter type - * api: add type and description fields to v1/GetArtifacts endpoint - * Add artifacts for dns/tcp snoop plugins - * tcpsnoop: Add timestamp to generated events - * dnssnoop: Add timestamp to generated events - -------------------------------------------------------------------- -Thu May 12 17:54:31 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4~git31.4298eab0: - * Elastic.Events.Client: Update to use new artifactset type - * Kafka.Events.Client: Update to use new artifactset type - * artifacts: add artifactset parameter type - * api: add type and description fields to v1/GetArtifacts endpoint - -------------------------------------------------------------------- -Thu May 12 13:30:42 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.4~git26.4407b9b7: - * Add artifact for chattrsnoop plugin - * bpflib: ensure it's built only on linux and when requesting bpf - * Add chattrsnoop plugin - * tcpsnoop: Properly close module in case of attach error - * Add artifacts for dns/tcp snoop plugins - * tcpsnoop: Add timestamp to generated events - * dnssnoop: Add timestamp to generated events - -------------------------------------------------------------------- -Tue May 3 20:35:57 UTC 2022 - Jeff Mahoney - -- Fix error handling in tcpsnoop and dnssnoop. - * If BTF information is unavailable, there is no indication that the - query has failed. 
- -------------------------------------------------------------------- -Tue May 3 13:45:09 UTC 2022 - Jeff Mahoney - -- Rebase on 0.6.4: - * Updated dependencies - * Bugfix: startup bugs (#1680) - * bugfix: Server event notebook not correctly created (#1737) - * Bugfix: Start a dummy indexing service (#1736) - * Add bugfix which would return no rows if the user removed whitelist (#1735) - * Fixed bug in read_reg_key (#1734) - * BUGFIX: Do not include config flag when darwin installer is repacked (#1733) - * Refactored index into its own service. (#1730) - * Bugfix: Write one index item per JSONL record. (#1727) - * Bugfix: Estimating client impact should consider last active status (#1726) - * Add complete ntfs metadata option to MFT output (#1725) - * Various bugfixes. (#1724) - * Update Usn.yaml (#1723) - * Fixed a bug in hunt download preparation. (#1722) - * Add Windows.Forensics.Usn filter and presentation updates (#1720) - * Optimize writing event monitoring records (#1721) - * Add Generic.Detection.Yara.Zip (#1718) - * Fixed crash on master-pong response. (#1719) - * Remove _type option from elastic. (#1715) - * Opportunistically update directly connected client's ping times (#1713) - * Fixed a bug in hunt download preparation. (#1722) - * Add Windows.Forensics.Usn filter and presentation updates (#1720) - * Optimize writing event monitoring records (#1721) - * Add Generic.Detection.Yara.Zip (#1718) - * Fixed crash on master-pong response. (#1719) - * Remove _type option from elastic. (#1715) - * Opportunistically update directly connected client's ping times (#1713) - * Fixed bug in VQL cell splitting. 
(#1712) - * artifact for parsing macos packages (#1706) - * Bugfix: Create a cell for each collected source (#1710) - * artifact for parsing macos packages (#1706) - * Bugfix: Create a cell for each collected source (#1710) - * Added Server.Utils.CollectClient to simplify direct collections (#1708) - * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1705) - * Fix build on Go 1.18 (#1704) - * build(deps): bump minimist from 1.2.5 to 1.2.6 in /gui/velociraptor (#1703) - * Mft update - add uSecZeros (#1701) - * Server monitoring service will reload if an artifact is modified (#1702) - * Refactor client info manager (#1700) - * A number of bugfixes (#1699) - * Update Windows.NTFS.MFT (#1698) - * Actually export HumanString attribute on OSPath (#1689) - * RHEL/CentOS/Fedora dnf packages (#1684) - * Implemented Human Readable OSPath method. (#1688) - * Added lazy MFT attributes (#1685) - * Maintain OSPath in mft artifacts (#1683) - * Fix bug in deaddisk remapping of directories. (#1682) - * Bugfix: startup bugs (#1680) - * Updated SQLECmd artifacts (#1677) - * Artifact repository needs to watch for changes across nodes. (#1676) - * Update auto accessor to re-open file with ntfs if read failed (#1674) - * Fix MacOS.System.Plist artifact (#1673) - * Error collection based on VQL logs (#1672) - * Add memory limiting to offline collector (#1666) - * Allow mount overlays (#1664) - * build(deps): bump node-forge from 1.2.1 to 1.3.0 in /gui/velociraptor (#1661) - * Fixed bugs in remapping logic. (#1660) - * Fixed bug in the windows auto accessor. (#1658) - * Elastic.Events.Clients: synchronize parameters with Elastic.Flows.Upload (#1657) - * Add initial commit for Windows.NTFS.ExtendedAttributes (#1656) - * Added a shadow remapping type (#1655) - * Implemented an event notebook (#1654) - * Add Windows.System.WMIQuery (#1651) - * Fixed data race in progress throttler. 
(#1653) - * Implemented timeout and cpu limits on offline collector. (#1650) - * Added an rpm server command. (#1647) - * Artifacts can now define suggestions for notebook cells. (#1646) - * Allow multiple OIDC authenticators to be specified. (#1645) - * Added a multi authenticator. (#1644) - * Add HashHunter hash() update for performance (#1643) - * Change the DNSCache Artifact to WMI (#1640) - * Added an uploader for notebooks. (#1639) - * Added hashselect arg option to hash() (#1637) - * Add Generic.Detection.HashHunter and tests (#1638) - * Added Generic.Collectors.SQLECmd (#1635) - * Add BinaryHunter (#1634) - * String artifact parameters can now have validator regex (#1628) - * Implemented CPU rate limited for better control (#1622) - * Added a client nanny to detect deadlocks (#1621) - * Linux.Sys.Services artifact, parse services from systemctl (#1619) - * Collect MAC addresses during interrogation and index them (#1611) - * Allow parse_ntfs() to operate on an image file. (#1610) - * Fix regression in VFSGetBuffer (#1605) - * Added rekey() VQL function (#1604) - * switch to uninstall string (#1603) - * freebsd /etc/rc.d/velociraptor service script (#1602) - * Add Windows.Registry.BackupRestore (#1601) - * Optimized NTFS code for better speed and added more fields to parse_mft (#1599) - * Update BinaryRename.yaml (#1598) - * Added LinuxM1 (#1597) - * Add explicit check of sticky keys (#1592) - * Remote data store should identify retryable errors (#1590) - * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1588) - * Add test improvement clear system log (#18) (#1586) - * Modified Windows.Forensics.Prefetch to use VQL binary parser (#1585) - * add Windows.NTFS.ADSHunter first commit (#17) (#1583) - * Resolves Velocidex/velociraptor#1543 Create new VQL entropy() function (#1574) - * Remove C time and updating naming (#1546) - * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce 
vulnerabilities (#1568) - * Update OSPath protocols to support slices. (#1575) - * Implement array slice notation in VQL and Server.Import.PreviousReleases (#1573) - * add rtf TemplateInjection to Windows.Detection.TemplateInjection (#1572) - * Change accessors API to deal with OSPath objects directly. (#1570) - * Bump follow-redirects from 1.14.4 to 1.14.8 in /gui/velociraptor (#1567) - * Added a deaddisk command to generate config (#1564) - * Fix bug in Windows.System.Services (#1565) - * Fixed glob expand braces order of operations. (#1560) - * Added an offset and raw_file accessors (#1559) - * Update CertUtil.yaml (#1558) - * remove users to include the system path (#1536) - * Implement remap() VQL function and remapping config (#1555) - * Make GitHub actions more flexible on Windows (#1549) - * Bump normalize-url from 4.5.0 to 4.5.1 in /gui/velociraptor (#1548) - * Fix typo (#1547) - * Refractor of accessors and path manipulations (#1545) - * Dns etw update (#1544) - * add PowershellProfile (#1542) - * Added dynamic pubsub attributes (#1540) - * Fix Windows.Applications.Chrome.History (#1539) - * windows.application to windows.applications merge. New firefox history artefact (#1534) - * Fixed race condition in zip accessor reference counting. (#1531) - * Added Windows.Persistence.SilentProcessExit (#1530) - * Add limitations section and lastwrite timestamp (#1529) - * Offline collector FetchBinary should respect the IsExecutable flag (#1528) - * update description, order by, and hidden keypath (#1527) - * add limitations section (#1520) - * Avoid holding index lock for too long. (#1519) - * re-introduce Windows.Collectors.File with deprecation note (#1516) - * add limitations to description and key path to query (#1514) - * Retry remote datastore connections (#1513) - * Write minion log files and autocert in its own dir. 
(#1512) - * Synced KapeFiles artifacts (#1511) - * Added data retention server artifacts (#1510) - * Set an upper limit for ttl in memcache (#1508) - * Add updates to Windows.System.Services (#15) (#1509) - * Ensure collector container is properly closed when interrupted. (#1507) - * Continually rebuild the index at runtime. (#1506) - * Harder vacuum - directly move client task directories to the attic. (#1505) - * add limitation disclaimer (#1504) - * Reduce critial section to avoid deadlock in repository manager (#1503) - * Implemented a vacuum command to remove old tasks from client queues. (#1501) - * Better format profile metrics output. (#1495) - * Cap size of directories and report large directories. (#1493) - * Set ACE completers per editor to avoid global state. (#1492) - * Add HttpOnly flag to all cookies. (#1491) - * Refactor completion routine calls (#1490) - * Limit size of cached directories. (#1483) - * Add more instrumentation to memory caches. (#1482) - * Fixed chart resizing bug (#1481) - * Removed the old queries: list from artifacts. (#1480) - * [Snyk] Fix for 9 vulnerabilities (#1479) - * Remove lock around critical section. (#1478) - * Added MacOS.Forensics.AppleDoubleZip (#1476) - * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475) - * Make index snapshot frequency configurable (#1474) - * Bugfix: Setting notebook index did not escape username (#1471) - * Flush index from memory to disk (#1470) - * Fixed 2 bugs with the memcache file store (#1469) - * Update flow active time when the result set is completed (#1468) - * Tag artifacts as built ins (#1467) - * Fixed bug in the pathspec() VQL function. 
(#1465) - * fix APIConfigLoader not applying command line args (#1463) - -------------------------------------------------------------------- -Mon May 02 14:55:07 UTC 2022 - Jeff Mahoney - -- Resync with git repository: - * Add artifact to monitor user group updates (#24) - * Add dnssnoop plugin (#15) - * Log Sudo/root command by auditd - * Add custom artifacts for login and logout attempts recorded by auditd - -------------------------------------------------------------------- -Fri Mar 18 14:12:59 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.3~git19.640f7a1c: - * Add tcpsnoop plugin - -------------------------------------------------------------------- -Tue Mar 15 13:31:21 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.3~git17.741ebb59: - * kafka-humio-gateway: update README.md - * kafka-humio-gateway: Fix missing variable rename - * Add Kafka-Humio Gateway [Depends on PR#10] (#8) - -------------------------------------------------------------------- -Tue Mar 15 01:04:29 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.3~git13.af7fdb00: - * SUSE: Add SSHLogin artifacts - * Add a Kafka export plugin - * SUSE: Do build tests on every pull request - * Add systemd-dev as build dependency for github workflow - -------------------------------------------------------------------- -Fri Feb 18 00:52:01 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.3~git6.d95ed32e: - * Update the Linux.Events.SSHLogin artifact to scan the systemd journal - * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal - * Add parser to read systemd journal on Linux - * Add an artifact to enumerate immutable files under a path - * Add chattr function support for linux - * Make GitHub actions more flexible on Windows - -------------------------------------------------------------------- -Thu Feb 10 02:13:36 UTC 2022 - Jeff Mahoney - -- Add simple default config and provide /var/lib/velociraptor-client. 
- -------------------------------------------------------------------- -Wed Feb 2 18:24:32 UTC 2022 - Jeff Mahoney - -- Resolved some rpmlint warnings and added client config placeholder. - -------------------------------------------------------------------- -Wed Feb 2 04:44:49 UTC 2022 - William Brown - -- Add client service file - -------------------------------------------------------------------- -Thu Jan 27 17:33:45 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.3~git0.69e0fffa: - * Prepare for 0.6.3 release (#1515) - * add limitations to description and key path to query (#1514) - * Retry remote datastore connections (#1513) - * Write minion log files and autocert in its own dir. (#1512) - * Synced KapeFiles artifacts (#1511) - * Added data retention server artifacts (#1510) - * Set an upper limit for ttl in memcache (#1508) - * Add updates to Windows.System.Services (#15) (#1509) - * Ensure collector container is properly closed when interrupted. (#1507) - * Continually rebuild the index at runtime. (#1506) - * Harder vacuum - directly move client task directories to the attic. (#1505) - * add limitation disclaimer (#1504) - * Reduce critial section to avoid deadlock in repository manager (#1503) - * Implemented a vacuum command to remove old tasks from client queues. (#1501) - * Better format profile metrics output. (#1495) - * Cap size of directories and report large directories. (#1493) - * Set ACE completers per editor to avoid global state. (#1492) - * Add HttpOnly flag to all cookies. (#1491) - * Refactor completion routine calls (#1490) - * fix: upgrade react-bootstrap from 1.3.0 to 1.6.4 (#1486) - * fix: upgrade http-proxy-middleware from 1.0.5 to 1.3.1 (#1485) - * fix: upgrade react-ace from 9.1.3 to 9.5.0 (#1487) - * fix: upgrade recharts from 2.0.9 to 2.1.8 (#1488) - * fix: upgrade react-datetime-picker from 3.0.4 to 3.4.3 (#1489) - * Limit size of cached directories. (#1483) - * Add more instrumentation to memory caches. 
(#1482) - * Fixed chart resizing bug (#1481) - * Removed the old queries: list from artifacts. (#1480) - * [Snyk] Fix for 9 vulnerabilities (#1479) - * Remove lock around critical section. (#1478) - * Added MacOS.Forensics.AppleDoubleZip (#1476) - * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475) - * Make index snapshot frequency configurable - * fix APIConfigLoader not applying command line args (#1463) - * Flush index from memory to disk (#1470) - * Prepare RC2 (#1473) - * Bugfix: Setting notebook index did not escape username (#1471) - * Fixed 2 bugs with the memcache file store (#1469) - * Update flow active time when the result set is completed (#1468) - * Tag artifacts as built ins (#1467) - * Fixed bug in the pathspec() VQL function. (#1465) - * Update PrivateKeys.yaml (#1459) - * Added recursion_callback option to the glob plugin (#1461) - * Added config wizard for multi-frontend configuration (#1460) - * Calculate the sha256 hash of the offline container. (#1458) - * Artifact inspection GUI now allows pivot. (#1457) - * Client certs can now be specified in the config file. (#1456) - * New Upload File Form element (#1455) - * Added a sparse accessor (#1453) - * Hunt wizard estimates clients affected (#1452) - * Make the interrogation process customizable. (#1451) - * Update Info.yaml (#1427) - * Improved Lnk parser to include additional fields. (#1449) - * Added a Yara GUI element editor. (#1447) - * Added patch and merge to `config show` and `config generate` (#1445) - * Remove usage of FatalIfError from main module (#1443) - * Introduced a dedicated pathspec object (#1440) - * Bump is-svg from 4.2.2 to 4.3.0 in /gui/velociraptor (#1437) - * Only pass client config in the client VQL scope. 
(#1436) - * rework protobuf message generator (#1435) - * Update Autoruns.yaml - * Added test for filefinder (#1431) - * fix filters in filefinder artifact (#1430) - * Add Artifact to collect KapeFile targets on Linux (#1426) - * Enabled lazy quotes on csv parser (#1424) - * Fixed bug in client comms. (#1423) - * Add document filter for better usability (#1421) - * Added resource information to the output of parse_pe() (#1420) - * Low latency client connectivity discovery (#1419) - * Add RecentDocs collection (#1416) - * Update Amcache artifact for clarity (#1415) - * Added extra parameters to parse_csv() (#1413) - * Added netcat plugin to read from socket (#1412) - * Updated SRUM with Network Usage and Upload option (#1408) - * Synced darwin and freebsd file accessor with the linux one. (#1409) - * Added Windows.Forensics.SAM artifact (#1404) - * Initial artifacts can be specified in config (#1403) - * Add conhost.exe to binary rename (#1402) - * Add update Prefetch Btime execution fix (#1398) - * Update Prefetch timeline (#1397) - * Cleanup search API (#1396) - * Update protobuf dependencies. (#1394) - * More multi-frontend optimizations (#1393) - * Client info manager now keeps track of scheduled tasks. (#1392) - * add sid and lookupsid plugin (#1388) - * Add Mutant whitelist (#1387) - * Notify currently connected clients on new hunts (#1386) - * Index rebuild command loads new index service. (#1385) - * Changes to support distributed architecture. (#1384) - * Added procdump and procdump64 (#1382) - * Fixed heavy mutex contention in the labeler. (#1375) - * Add shellcode to CobaltStrike carver (#10) (#1373) - * Added an index rebuild command. (#1369) - * GUI artifact form was ignoring the friendly name attribute (#1368) - * Added a specialized form element for regex parameters. 
(#1367) - * Added a gRPC based remote datastore (#1366) - * Display all subauthorities for GUID in SRUM (#1365) - * Verify all gRPC peer certificates were signed by the Velociraptor CA (#1362) - * Implemented MemcacheFileDatastore - memory caching with file backend (#1361) - * Added new plugins to manipulate event tables easier. (#1355) - * Refactored in memory datastore to be more efficient. (#1353) - * Sync vfilter (#1351) - * Add both fqdn and hostname to the client search table (#1350) - * BUGFIX: Datastore on windows is unable to represent files with . (#1348) - * Added buffer_size parameter to parse_records_with_regex() (#1347) - * Propagate column types from artifact to flow notebook. (#1346) - * Cobalt parser update (#1345) - * Allow listener to not use file buffer. (#1344) - * Fix Deployment documentation link in README (#1343) - * Preserve uint64 types across Listener (#1341) - * Fix spelling (#1339) - * Refactored queue listener to preserve order. (#1340) - * Added a magic() VQL function (#1338) - * Fixed bug in CSS (#1337) - -------------------------------------------------------------------- -Thu Jan 27 17:27:42 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.2~git0.8dd598b2: - * Update ese parser to fix timestamp bug - * Prepare final 0.6.2 release (#1363) - * Verify all gRPC peer certificates were signed by the Velociraptor CA - * Removed search index parallelism (#1358) - * Added new plugins to manipulate event tables easier. (#1355) - * Sync vfilter (#1351) - * Add both fqdn and hostname to the client search table (#1350) - * BUGFIX: Datastore on windows is unable to represent files with . (#1348) - * Added buffer_size parameter to parse_records_with_regex() (#1347) - * Propagate column types from artifact to flow notebook. (#1346) - -------------------------------------------------------------------- -Thu Jan 6 21:50:43 UTC 2022 - Jeff Mahoney - -- Remove dependencies on nodejs since we don't use it in client mode. 
- -------------------------------------------------------------------- -Thu Jan 06 20:14:39 UTC 2022 - Jeff Mahoney - -- Update to version 0.6.2~git73.dc02b45e: - * Update PrivateKeys.yaml (#1459) - * Added recursion_callback option to the glob plugin (#1461) - * Added config wizard for multi-frontend configuration (#1460) - * Calculate the sha256 hash of the offline container. (#1458) - * Artifact inspection GUI now allows pivot. (#1457) - * Client certs can now be specified in the config file. (#1456) - * New Upload File Form element (#1455) - * Added a sparse accessor (#1453) - * Hunt wizard estimates clients affected (#1452) - * Make the interrogation process customizable. (#1451) - -------------------------------------------------------------------- -Tue Dec 21 20:25:43 UTC 2021 - Jeff Mahoney - -- Disable Windows artifacts. We don't target Windows endpoints and - the queries clutter the GUI. - -------------------------------------------------------------------- -Thu Dec 16 14:12:05 UTC 2021 - Jeff Mahoney - -- Switch to using master branch via service files. - - Added update-vendoring.sh to update the nodejs and go dependencies - after version update. - - Now building with linux_bare target that disables the GUI for - endpoint usage. - - Patch the version string to reflect the package version instead - of an indistinguishable -dev. - -------------------------------------------------------------------- -Thu Dec 2 01:46:34 UTC 2021 - Jeff Mahoney - -- Initial packaging. diff --git a/velociraptor-client.service b/velociraptor-client.service index 358b8c4..1427419 100644 --- a/velociraptor-client.service +++ b/velociraptor-client.service 
@@ -9,7 +9,8 @@
 UMask=0027
 MemoryHigh=4G
 MemoryMax=8G
 EnvironmentFile=-/etc/sysconfig/velociraptor-client
-ExecStart=/usr/bin/velociraptor client --config /etc/velociraptor/client.config $VELOCIRAPTOR_CLIENT_OPTS
+Environment=TMPDIR=/var/lib/velociraptor-client/tmp
+ExecStart=/usr/bin/velociraptor-client client --config /etc/velociraptor/client.config $VELOCIRAPTOR_CLIENT_OPTS
 PrivateTmp=true
 PrivateDevices=true
diff --git a/velociraptor-client.spec b/velociraptor-client.spec
deleted file mode 100644
index 5a3c484..0000000
--- a/velociraptor-client.spec
+++ /dev/null
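Review bot: The added `Environment=TMPDIR=/var/lib/velociraptor-client/tmp` points the client at a directory that nothing in this hunk creates, and the `PrivateTmp=true` two lines below already gives the unit an isolated /tmp, so if the directory is absent at start-up temp-file creation will fail rather than fall back (Go's os.TempDir returns $TMPDIR without checking it exists). Make sure the directory is created with the intended owner and mode before ExecStart, e.g. a tmpfiles.d line such as `d /var/lib/velociraptor-client/tmp 0700 root root -` or an `ExecStartPre=`, and keep the mode consistent with the `UMask=0027` context line. The new `ExecStart` also switches the binary to `/usr/bin/velociraptor-client`; the spec that installs that name is not in view, so double-check the install path matches. The remainder of the [Service] section lies outside this hunk.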
@@ -1,157 +0,0 @@ -# -# spec file for package velociraptor-client -# -# Copyright (c) 2023 SUSE LLC -# -# All modifications and additions to the file contributed by third parties -# remain the property of their copyright owners, unless otherwise agreed -# upon. The license for this file, and modifications and additions to the -# file, is the same license as for the pristine package itself (unless the -# license for the pristine package is not an Open Source License, in which -# case the license is the MIT License). An "Open Source License" is a -# license that conforms to the Open Source Definition (Version 1.9) -# published by the Open Source Initiative. - -# Please submit bugfixes or comments via https://bugs.opensuse.org/ -# - - -%define projname velociraptor -%define vendor_version 0.6.7.4~git41.678ed56 -%define vmlinux_h_version 5.14.21150400.22-150400-default - -# SLE 15 SP2 / Leap 15.2 or newer gets eBPF -# Earlier versions don't have a usable eBPF and the -# release doesn't easily build llvm13 -%if 0%{?suse_version} > 1500 || 0%{?sle_version} >= 150200 -%bcond_without bpf -%else -%bcond_with bpf -%endif - -#Compat macro for new _fillupdir macro introduced in Nov 2017 -%if ! 
%{defined _fillupdir} - %define _fillupdir %{_localstatedir}/adm/fillup-templates -%endif - -# SLE12 has _sharedstatedir in an odd place -%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 -%define _sharedstatedir /var/lib -%endif - -Name: velociraptor-client -Version: 0.6.7.4~git63.4a1ed09d -Release: 0 -Summary: Endpoint visibility and collection tool (endpoint only) -Group: System/Monitoring -License: AGPL-3.0-only -URL: https://github.com/Velocidex/velociraptor -Source: %{projname}-%{version}.tar.xz -Source1: vendor-golang-%{vendor_version}.tar.xz -Source2: %{name}.service -Source3: %{name}.config.placeholder -Source4: vmlinux.h-%{vmlinux_h_version}.tar.xz -Source5: update-vendoring.sh -Source6: sysconfig.%{name} -Source7: %{projname}.obsinfo -Patch1: velociraptor-golang-mage-vendoring.diff -Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch -Patch3: vendor-build-fixes-for-SLE12.patch -Patch4: sdjournal-build-fix-for-SLE12.patch -Patch5: velociraptor-reproducible-timestamp.diff -BuildRequires: fileb0x -BuildRequires: golang-packaging -BuildRequires: mage -BuildRequires: systemd-rpm-macros -BuildRequires: golang(API) >= 1.19 -BuildRequires: pkgconfig(libsystemd) -%ifarch x86_64 -BuildRequires: libtsan0 -%endif -%if %{with bpf} -# clang15 causes libbpfo to crash immediately -BuildRequires: clang13 -BuildRequires: libelf-devel -BuildRequires: llvm13 -BuildRequires: zlib-devel-static -%endif -Conflicts: velociraptor -ExclusiveArch: x86_64 ppc64le aarch64 s390x - -%description -Velociraptor is a tool for collecting host based state information -using The Velociraptor Query Language (VQL) queries. - -To learn more about Velociraptor, read the documentation on: - -https://docs.velociraptor.app/ - -This package contains only the endpoint agent. For the full console, please -install the 'velociraptor' package. 
- -%prep -%setup -q -a 1 -a 4 -n %{projname}-%{version} -%autopatch -p1 - -# Set the version to something more specific than -dev -sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go - -%if %{with bpf} -mkdir -p third_party/libbpfgo/output - -cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \ - third_party/libbpfgo/output/vmlinux.h -%endif - -# These just clutter the GUI and we don't have Windows clients -# Note: There are dependencies on these that need to be resolved before -# removing them outright. -# rm -rf artifacts/definitions/Windows - -%build - -# Reproductible builds need stable timestamps -timestamp=$(date -Iseconds --utc --date=@$(grep mtime: %{SOURCE7}|sed -e 's/mtime: //')) -git_commit=$(grep commit: %{SOURCE7}|sed -e 's/commit: //g') - -export VELOCIRAPTOR_BUILD_TIME=$timestamp -export VELOCIRAPTOR_GIT_HEAD=$git_commit - -PATH=$PATH:/usr/sbin make linux_bare BUILD_LIBBPFGO=%{with bpf} - -%install -mkdir -p %buildroot/%{_bindir} -mkdir -p %buildroot/%{_sysconfdir}/velociraptor -mkdir -p %buildroot/%{_unitdir} -mkdir -p %buildroot/%{_sharedstatedir}/velociraptor-client -install -m 0755 output/velociraptor-v%{version}-linux-* %buildroot/%{_bindir}/velociraptor -install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service -install -m 0600 %{SOURCE3} %{buildroot}%{_sysconfdir}/velociraptor/client.config -install -d -m 755 %{buildroot}%{_fillupdir} -install -m 0644 %{SOURCE6} %{buildroot}%{_fillupdir} - -%files -%defattr(-, root, root) -%license LICENSE -%doc README.md -%dir %{_sysconfdir}/velociraptor -%{_bindir}/velociraptor -%config(noreplace) %{_sysconfdir}/velociraptor/client.config -%{_unitdir}/%{name}.service -%dir %{_sharedstatedir}/velociraptor-client -%{_fillupdir}/sysconfig.%{name} - -%pre -%service_add_pre %{name}.service - -%post -%{fillup_only} -%service_add_post %{name}.service - -%preun -%service_del_preun %{name}.service - -%postun -%service_del_postun %{name}.service - -%changelog 
diff --git a/velociraptor-golang-mage-vendoring.diff b/velociraptor-golang-mage-vendoring.diff index 87cfb9b..08f86cf 100644 --- a/velociraptor-golang-mage-vendoring.diff +++ b/velociraptor-golang-mage-vendoring.diff @@ -1,22 +1,19 @@ From: Jeff Mahoney -Subject: [PATCH] velociraptor: add dummy main function for mage +Subject: [PATCH] velociraptor: remove ignore tag to allow vendoring of mage + +The ignore tag in make.go means it won't be properly vendored. -Mage won't pull in the full dependencies without there being a real -import. This isn't used in the executable, since that's in bin/, but it -will be used for 'go mod vendor' --- - dummy.go | 9 +++++++++ - 1 file changed, 9 insertions(+) + make.go | 2 -- + 1 file changed, 2 deletions(-) ---- /dev/null -+++ b/dummy.go -@@ -0,0 +1,9 @@ -+// +build useless -+package main -+ -+import ( -+ "github.com/magefile/mage" -+) -+ -+func main() { -+} +diff --git a/make.go b/make.go +index 28b3e90..8fad8b9 100644 +--- a/make.go ++++ b/make.go +@@ -1,5 +1,3 @@ +-// +build ignore +- + /* + Velociraptor - Dig Deeper + Copyright (C) 2019-2022 Rapid7 Inc. diff --git a/velociraptor-kafka-humio-gateway.service b/velociraptor-kafka-humio-gateway.service new file mode 100644 index 0000000..f4ab758 --- /dev/null +++ b/velociraptor-kafka-humio-gateway.service @@ -0,0 +1,24 @@ +[Unit] +Description=Velociraptor Kafka-Humio Gateway Service + +[Service] +Type=simple +User=velociraptor-kafka +Group=velociraptor-kafka +UMask=0027 +User=velociraptor +Group=velociraptor +EnvironmentFile=-/etc/sysconfig/velociraptor-kafka-humio-gateway +ExecStart=/usr/bin/velociraptor-kafka-humio-gateway $KAFKA_HUMIO_GATEWAY_OPTS --config $KAFKA_HUMIO_GATEWAY_CONFIG + +PrivateTmp=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true +MemoryDenyWriteExecute=true + +[Install] +WantedBy=multi-user.target 
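Review bot: In the new velociraptor-kafka-humio-gateway.service, `User=`/`Group=` are assigned twice — first `velociraptor-kafka`, then `velociraptor` — and systemd keeps the last assignment, so the gateway will run as `velociraptor` rather than the dedicated `velociraptor-kafka` account this commit creates in velociraptor-kafka.sysusers; drop the second pair (`User=velociraptor` / `Group=velociraptor`) so the privilege separation actually takes effect. `EnvironmentFile=-/etc/sysconfig/velociraptor-kafka-humio-gateway` is optional because of the `-`, so if the file is missing or spells a variable differently (e.g. an `_OPTIONS` suffix) `$KAFKA_HUMIO_GATEWAY_OPTS` and `--config $KAFKA_HUMIO_GATEWAY_CONFIG` silently expand to nothing; verify the names match the template and consider whether an empty `--config` should be a hard failure. The hardening block is a good start but lacks `NoNewPrivileges=true` and `ProtectSystem=strict`; with the latter, add `StateDirectory=velociraptor-kafka-humio-gateway` (or `ReadWritePaths=`) for the home directory named in the sysusers entry.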
diff --git a/velociraptor-kafka.sysusers b/velociraptor-kafka.sysusers new file mode 100644 index 0000000..bcb557c --- /dev/null +++ b/velociraptor-kafka.sysusers @@ -0,0 +1,2 @@ +u velociraptor-kafka - "User for velociraptor Kafka Humio Gateway" /var/lib/velociraptor-kafka-humio-gateway +g velociraptor-kafka - - diff --git a/velociraptor-skip-git-submodule-import-for-OBS-build.patch b/velociraptor-skip-git-submodule-import-for-OBS-build.patch deleted file mode 100644 index f3a1a06..0000000 --- a/velociraptor-skip-git-submodule-import-for-OBS-build.patch +++ /dev/null @@ -1,23 +0,0 @@ -From: Jeff Mahoney -Subject: skip git submodule import for OBS build - -For OBS builds, the git submodule is imported during obs_scm. - -Signed-off-by: Jeff Mahoney ---- - Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/Makefile -+++ b/Makefile -@@ -61,8 +61,8 @@ ifeq ($(BUILD_LIBBPFGO), 1) - vql/linux/chattrsnoop/chattrsnoop.bpf.o - - $(LIBBPFGO_DIR): always-check -- echo "INFO: updating submodule 'libbpfgo'" -- $(GIT) submodule update --init --recursive $@ -+# echo "INFO: updating submodule 'libbpfgo'" -+# $(GIT) submodule update --init --recursive $@ - - $(LIBBPF_LIB): $(LIBBPFGO_DIR) - make -C $(LIBBPFGO_DIR) libbpfgo-full-static diff --git a/velociraptor.changes b/velociraptor.changes index 4fb543a..4214475 100644 --- a/velociraptor.changes +++ b/velociraptor.changes 
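Review bot: The `u velociraptor-kafka` line names `/var/lib/velociraptor-kafka-humio-gateway` as the home directory, but systemd-sysusers does not create home directories, so nothing in this commit appears to create it or set its ownership to the new user; add a tmpfiles.d entry (e.g. `d /var/lib/velociraptor-kafka-humio-gateway 0750 velociraptor-kafka velociraptor-kafka -`) or `StateDirectory=` in the unit. The following `g velociraptor-kafka - -` line looks redundant, since a `u` entry already creates a same-named group; it is harmless but can be dropped to avoid confusion about which line owns the group.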
@@ -1,5 +1,65 @@ ------------------------------------------------------------------- -Thu Jan 26 20:06:09 UTC 2023 - jeffm@suse.com +Mon May 08 20:21:03 UTC 2023 - jeffm@suse.com + +- Update to version 0.6.7.5~git78.2bef6fc: + * bpf: fix path to vmlinux.h + +------------------------------------------------------------------- +Mon May 08 19:42:58 UTC 2023 - Jeff Mahoney + +- Update to version 0.6.7.5~git77.997aa73: + * file_store/test_utils/server_config.go: update test certificate + * Update bluemonday dependency. + * vql/functions/hash: cache results on Linux + * libbpfgo: update to velociraptor-branch-v0.4.8-libbpf-1.2.0 + * logscale/backport: don't use networking.GetHttpTransport + * vql/tools/logscale: add plugin to post events to LogScale ingestion endpoint + * file_store/directory: add ability to report pending size +- Change clang dependency to clang16 +- Fix velociraptor-golang-mage-vendoring.diff to account for newer + 'go mod vendor' honoring build flags. +- Fix update-vendoring.sh script to actually run the %setup part of + the spec. +- Merge client package into server spec and use _multibuild to create + client package from same spec file. +- Adjust changelog to retain changes for client package. +- Fix building in static mode on earlier releases. 
+ - Added patch: velociraptor-libbpfgo-only-build-libbpf.patch + +------------------------------------------------------------------- +Fri Mar 10 18:54:37 UTC 2023 - Marcus Rueckert + +- Tightening the security of the services a bit: + - tmp files are now moved to /var/lib/velociraptor{,-client}/tmp + from /tmp + - run velociraptor server as user velociraptor instead of root + we do not really need root permissions here + - introduce /var/lib/velociraptor/filestore to make it easier to + split out large file upload + - change permissions for the data directory and subdirectories to + /var/lib/velociraptor/ u=rwX,go= velociraptor:velociraptor + /var/lib/velociraptor-client/ u=rwX,go= root:root + - change permissions of config directory to: + /etc/velociraptor/ u=rwX,g=rX,o= root:velociraptor + /etc/velociraptor/server.config u=rw,g=r,o= root:velociraptor + /etc/velociraptor/client.config u=rw,go= root:root + +------------------------------------------------------------------- +Fri Mar 10 15:36:18 UTC 2023 - Jeff Mahoney + +- Update to version 0.6.7.5~git6.73efb2a: + * libbpfgo: update submodule to require libzstd for newer libelf + * utils/time.js: fix handling of nanosecond-resolution timestamps + * libbpfgo: switch to using regular static builds + * Create a new 0.6.7-5 release (#2385) + - Verify FILESYSTEM_WRITE permission on copy() function (#2384) (bsc#1207936, CVE-2023-0242) + - Also ensure client id is considered unsafe (bsc#1207937, CVE-2023-0290) + * github/workflows/linux: do apt-get update to refresh package lists +- Remove unnecessary dependency on libtsan0. +- Allow velociraptor and velociraptor-client packages to coexist. + +------------------------------------------------------------------- +Thu Jan 26 20:06:09 UTC 2023 - Jeff Mahoney - Update to version 0.6.7.4~git63.4a1ed09d: * utils/time.js: fix handling of nanosecond-resolution timestamps 
@@ -12,7 +72,7 @@ Tue Jan 24 20:57:08 UTC 2023 - Jeff Mahoney - Use obsinfo mtime to produce stable build timestamp (bsc#1207369). ------------------------------------------------------------------- -Tue Jan 24 15:07:09 UTC 2023 - jeffm@suse.com +Tue Jan 24 15:07:09 UTC 2023 - Jeff Mahoney - Update to version 0.6.7.4~git60.8abed37a: * http_comms: create ring buffer temporary file in the same directory @@ -48,6 +108,11 @@ Fri Jan 20 20:18:49 UTC 2023 - Jeff Mahoney - vendor-build-fixes-for-SLE12.patch - sdjournal-build-fix-for-SLE12.patch +------------------------------------------------------------------- +Fri Jan 20 16:37:17 UTC 2023 - Dirk Müller + +- client: add memory limit to systemd unit + ------------------------------------------------------------------- Thu Jan 19 15:17:22 UTC 2023 - Jeff Mahoney @@ -77,6 +142,11 @@ Thu Jan 19 01:01:09 UTC 2023 - Jeff Mahoney - Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x Neither the client or server builds on ix86. +------------------------------------------------------------------- +Mon Jan 9 16:01:44 UTC 2023 - Jeff Mahoney + +- Added Restart=on-failure to restart the client automatically. + ------------------------------------------------------------------- Mon Dec 12 20:03:23 UTC 2022 - Jeff Mahoney @@ -1030,7 +1100,12 @@ Thu Jan 27 17:27:42 UTC 2022 - Jeff Mahoney * Propagate column types from artifact to flow notebook. (#1346) ------------------------------------------------------------------- -Thu Jan 06 20:14:39 UTC 2022 - Jeff Mahoney +Thu Jan 6 21:50:43 UTC 2022 - Jeff Mahoney + +- client: Remove dependencies on nodejs since we don't use it in client mode. + +------------------------------------------------------------------- +Thu Jan 6 20:14:39 UTC 2022 - Jeff Mahoney - Update to version 0.6.2~git73.dc02b45e: * Update PrivateKeys.yaml (#1459) 
@@ -1056,6 +1131,8 @@ Thu Dec 16 14:12:05 UTC 2021 - Jeff Mahoney - Switch to using master branch via service files. - Added update-vendoring.sh to update the nodejs and go dependencies after version update. + - Now building the client with linux_bare target that disables + the GUI for endpoint usage. - Patch the version string to reflect the package version instead of an indistinguishable -dev. diff --git a/velociraptor.obsinfo b/velociraptor.obsinfo index b861665..fe9b6be 100644 --- a/velociraptor.obsinfo +++ b/velociraptor.obsinfo @@ -1,4 +1,4 @@ name: velociraptor -version: 0.6.7.4~git63.4a1ed09d -mtime: 1674763484 -commit: 4a1ed09d50339b902c6446686bd16deedbb23804 +version: 0.6.7.5~git78.2bef6fc +mtime: 1683577211 +commit: 2bef6fce8e26733a13a3bbfeaa8c4828db1a99ba diff --git a/velociraptor.service b/velociraptor.service index e5fe38a..0e11022 100644 --- a/velociraptor.service +++ b/velociraptor.service @@ -3,10 +3,11 @@ Description=Velociraptor Server Service [Service] Type=simple -User=root -Group=root UMask=0027 +User=velociraptor +Group=velociraptor EnvironmentFile=-/etc/sysconfig/velociraptor +Environment=TMPDIR=/var/lib/velociraptor/tmp ExecStart=/usr/bin/velociraptor frontend --verbose --config /etc/velociraptor/server.config $VELOCIRAPTOR_OPTS PrivateTmp=true diff --git a/velociraptor.spec b/velociraptor.spec index 3fac13b..b5034e8 100644 --- a/velociraptor.spec +++ b/velociraptor.spec @@ -1,5 +1,5 @@ # -# spec file for package velociraptor +# spec file # # Copyright (c) 2023 SUSE LLC # 
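Review bot: Replacing `User=root` with `User=velociraptor` means the frontend can no longer bind ports below 1024, so any existing deployment whose server.config puts the GUI or frontend on 443 (or another privileged port) will now fail at startup; either add `AmbientCapabilities=CAP_NET_BIND_SERVICE` to the unit or call the requirement out in the changelog next to the user change. With the process now unprivileged, `NoNewPrivileges=true` costs nothing and belongs next to `PrivateTmp=true` if it is not already set further down — the unit's hardening block continues past this hunk. `Environment=TMPDIR=/var/lib/velociraptor/tmp` depends on the spec creating that directory 0700 velociraptor:velociraptor, and because it is listed after `EnvironmentFile=` an operator cannot override TMPDIR from /etc/sysconfig/velociraptor; if that is intended, a one-line comment such as `# TMPDIR is pinned to the 0700 state dir so scratch files never land in a shared /tmp` would stop the next maintainer from "fixing" it.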
@@ -16,8 +16,28 @@ # +%define flavor @BUILD_FLAVOR@%{nil} + +%if "%{flavor}" == "client" +%define build_client 1 +%define build_server 0 +%define build_kafka_humio_gateway 0 +%define name_suffix -client +%define make_target linux_bare +%define config_perms %attr(0600, root, root) +%define state_dir_perms %attr(0700, root, root) +%else +%define build_kafka_humio_gateway 1 +%define build_server 1 +%define build_client 0 +%define name_suffix %{nil} +%define make_target linux +%define config_perms %attr(0640, root, velociraptor) +%define state_dir_perms %attr(0700, velociraptor, velociraptor) +%endif + %define projname velociraptor -%define vendor_version 0.6.7.4~git41.678ed56 +%define vendor_version 0.6.7.5~git77.997aa73 %define vmlinux_h_version 5.14.21150400.22-150400-default # SLE 15 SP2 / Leap 15.2 or newer gets eBPF @@ -39,10 +59,14 @@ %define _sharedstatedir /var/lib %endif -Name: velociraptor -Version: 0.6.7.4~git63.4a1ed09d +Name: velociraptor%{name_suffix} +Version: 0.6.7.5~git78.2bef6fc Release: 0 +%if %{build_server} Summary: Endpoint visibility and collection tool +%else +Summary: Endpoint visibility and collection tool (endpoint only) +%endif Group: System/Monitoring License: AGPL-3.0-only URL: https://github.com/Velocidex/velociraptor 
@@ -50,41 +74,50 @@ Source: %{projname}-%{version}.tar.xz Source1: vendor-golang-%{vendor_version}.tar.xz Source2: vendor-golang-kafka-humio-gateway-%{vendor_version}.tar.xz Source3: vendor-nodejs-%{vendor_version}.tar.xz -Source4: %{name}.service -Source5: %{name}-server.config.placeholder -Source6: %{name}-client.service -Source7: %{name}-client.config.placeholder -Source8: vmlinux.h-%{vmlinux_h_version}.tar.xz +Source4: vmlinux.h-%{vmlinux_h_version}.tar.xz +Source5: velociraptor.service +Source6: velociraptor-server.config.placeholder +Source7: velociraptor-client.service +Source8: velociraptor-client.config.placeholder Source9: update-vendoring.sh -Source10: sysconfig.%{name} -Source11: sysconfig.%{name}-client +Source10: sysconfig.velociraptor +Source11: sysconfig.velociraptor-client Source12: %{projname}.obsinfo +Source13: velociraptor-kafka.sysusers +Source14: velociraptor-kafka-humio-gateway.service +Source15: sysconfig.velociraptor-kafka-humio-gateway Patch1: velociraptor-golang-mage-vendoring.diff -Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch -Patch3: vendor-build-fixes-for-SLE12.patch -Patch4: sdjournal-build-fix-for-SLE12.patch -Patch5: velociraptor-reproducible-timestamp.diff +Patch2: vendor-build-fixes-for-SLE12.patch +Patch3: sdjournal-build-fix-for-SLE12.patch +Patch4: velociraptor-reproducible-timestamp.diff BuildRequires: fileb0x BuildRequires: golang-packaging BuildRequires: mage BuildRequires: systemd-rpm-macros BuildRequires: golang(API) >= 1.18 BuildRequires: pkgconfig(libsystemd) -%ifarch x86_64 -BuildRequires: libtsan0 -%endif +%if %{build_server} BuildRequires: nodejs >= 16 BuildRequires: npm >= 16 -%if %{with bpf} -# clang15 causes libbpfo to crash immediately -BuildRequires: clang13 -BuildRequires: libelf-devel -BuildRequires: llvm13 -BuildRequires: zlib-devel-static %endif -Conflicts: velociraptor-client +%if %{with bpf} +# clang15 causes libbpfgo to crash immediately +BuildRequires: clang16 +BuildRequires: 
libelf-devel +BuildRequires: libzstd-devel +BuildRequires: libzstd-devel +BuildRequires: llvm16 +BuildRequires: zlib-devel +%endif +Requires: group(velociraptor) +Requires: user(velociraptor) ExclusiveArch: x86_64 ppc64le aarch64 s390x +%if %{build_kafka_humio_gateway} +BuildRequires: sysuser-tools +%{?sysusers_requires} +%endif +%if %{build_server} %description Velociraptor is a tool for collecting host based state information using The Velociraptor Query Language (VQL) queries. @@ -93,19 +126,37 @@ To learn more about Velociraptor, read the documentation on: https://docs.velociraptor.app/ -This package contains the endpoint agent and full console GUI. +This package contains the velociraptor server and full console GUI. For just the endpoint agent, please install the 'velociraptor-client' package. +%endif +%if %{build_kafka_humio_gateway} %package kafka-humio-gateway Summary: Gateway between Kafka and Humio for Velociraptor Artifacts -Version: 0.6.7.4~git63.4a1ed09d +Version: 0.6.7.5~git78.2bef6fc +Requires: group(velociraptor-kafka) +Requires: user(velociraptor-kafka) %description kafka-humio-gateway This tool is used to consume events generated by the Kafka Velociraptor plugin and post them to a Humio cluster. +%endif + +%if %{build_client} +%description +Velociraptor is a tool for collecting host based state information +using The Velociraptor Query Language (VQL) queries. + +To learn more about Velociraptor, read the documentation on: + +https://docs.velociraptor.app/ + +This package contains only the endpoint agent. For the full server and GUI +console, please install the 'velociraptor' package. +%endif %prep -%setup -q -a 1 -a 2 -a 3 -a 8 -n %{projname}-%{version} +%setup -q -a 1 -a 2 -a 3 -a 4 -n %{projname}-%{version} %autopatch -p1 # Set the version to something more specific than -dev 
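Review bot: `%{?sysusers_requires}` is placed in the main package's preamble, but the only sysusers scriptlet in this change is `%pre kafka-humio-gateway -f user.pre`, so the `Requires(pre)` it presumably expands to lands on `velociraptor` rather than on the subpackage that actually needs the sysusers tooling present at install time; move the line under `%package kafka-humio-gateway`, since that subpackage does not visibly require the main package. `BuildRequires: libzstd-devel` is listed twice inside the `%if %{with bpf}` block. The kept comment `# clang15 causes libbpfgo to crash immediately` no longer explains the lines below it now that they pull clang16/llvm16 — something like `# clang16: clang15 makes libbpfgo crash immediately at startup` keeps the reason for the version pin readable.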
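Review bot: The kafka-humio-gateway subpackage repeats the literal `Version: 0.6.7.5~git78.2bef6fc` instead of inheriting it, so every version bump must be edited in two places and the two will drift the first time one is missed (the removed line shows the previous revision carrying the same duplicated literal). Either drop the `Version:` line entirely, since a subpackage inherits the main `Version`, or write `Version: %{version}` if an explicit line is preferred for readability.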
@@ -132,67 +183,108 @@ git_commit=$(grep commit: %{SOURCE12}|sed -e 's/commit: //g') export VELOCIRAPTOR_BUILD_TIME=$timestamp export VELOCIRAPTOR_GIT_HEAD=$git_commit +%if %{build_server} (cd gui/velociraptor ; npm run build) -PATH=$PATH:/usr/sbin make linux BUILD_LIBBPFGO=%{with bpf} +%endif +make %{make_target} BUILD_LIBBPFGO=%{with bpf} GIT=echo + +%if %{build_kafka_humio_gateway} (cd contrib/kafka-humio-gateway; go build -o %{name}-kafka-humio-gateway) +%sysusers_generate_pre %{SOURCE13} user +%endif %install -mkdir -p %buildroot/%{_bindir} -mkdir -p %buildroot/%{_sysconfdir}/velociraptor -mkdir -p %buildroot/%{_unitdir} -mkdir -p %buildroot/%{_sharedstatedir}/velociraptor/data -mkdir -p %buildroot/%{_sharedstatedir}/velociraptor/logs -mkdir -p %buildroot/%{_sharedstatedir}/velociraptor-client -mkdir -p %buildroot/%{_datadir}/%{name}-kafka-humio-gateway -install -m 0755 output/velociraptor-v%{version}-linux-* %buildroot/%{_bindir}/velociraptor -install -m 0755 contrib/kafka-humio-gateway/%{name}-kafka-humio-gateway %buildroot/%{_bindir} -install -m 0644 contrib/kafka-humio-gateway/sample-config.yml %buildroot/%{_datadir}/%{name}-kafka-humio-gateway/sample-config.yml -install -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/%{name}.service -install -m 0600 %{SOURCE5} %{buildroot}%{_sysconfdir}/velociraptor/server.config -install -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/%{name}-client.service -install -m 0600 %{SOURCE7} %{buildroot}%{_sysconfdir}/velociraptor/client.config -install -d -m 755 %{buildroot}%{_fillupdir} -install -m 0644 %{SOURCE10} %{buildroot}%{_fillupdir} -install -m 0644 %{SOURCE11} %{buildroot}%{_fillupdir} +install -D -d -m 0750 %buildroot/%{_sysconfdir}/velociraptor +install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/data +install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/logs +install -D -d -m 0700 %buildroot/%{_sharedstatedir}/%{name}/tmp + +%if %{build_server} +service_file_source=%{SOURCE5} +config_file_source=%{SOURCE6} 
+sysconfig_file_source=%{SOURCE10} +config_file=server.config +%else +service_file_source=%{SOURCE7} +config_file_source=%{SOURCE8} +sysconfig_file_source=%{SOURCE11} +config_file=client.config +%endif + +install -D -m 0644 "$service_file_source" %{buildroot}%{_unitdir}/%{name}.service +install -D -m 0644 "$sysconfig_file_source" %{buildroot}%{_fillupdir}/sysconfig.%{name} +install -D -m 0640 "$config_file_source" "%{buildroot}%{_sysconfdir}/velociraptor/$config_file" +install -D -m 0755 output/velociraptor-v%{version}-linux-* %buildroot/%{_bindir}/%{name} + +%if %{build_kafka_humio_gateway} +install -D -m 0644 %{SOURCE14} %{buildroot}%{_unitdir}/ +install -D -m 0644 %{SOURCE15} %{buildroot}%{_fillupdir}/ +install -D -m 0755 contrib/kafka-humio-gateway/velociraptor-kafka-humio-gateway %buildroot/%{_bindir} +install -D -m 0644 contrib/kafka-humio-gateway/sample-config.yml \ + %buildroot/%{_datadir}/velociraptor-kafka-humio-gateway/sample-config.yml +install -D -m 0644 %{SOURCE10} %{buildroot}%{_sysusersdir}/velociraptor-kafka.conf +install -D -d -m 0750 %{buildroot}%{_sysconfdir}/velociraptor-kafka-humio-gateway +install -D -m 0640 contrib/kafka-humio-gateway/sample-config.yml \ + %buildroot/%{_sysconfdir}/velociraptor-kafka-humio-gateway/transport.yml +%endif %files %defattr(-, root, root) %license LICENSE %doc README.md -%dir %{_sysconfdir}/velociraptor -%{_bindir}/velociraptor -%config(noreplace) %{_sysconfdir}/velociraptor/server.config -%config(noreplace) %{_sysconfdir}/velociraptor/client.config +%{_bindir}/%{name} %{_unitdir}/%{name}.service -%{_unitdir}/%{name}-client.service -%dir %{_sharedstatedir}/velociraptor -%dir %{_sharedstatedir}/velociraptor/data -%dir %{_sharedstatedir}/velociraptor/logs -%dir %{_sharedstatedir}/velociraptor-client %{_fillupdir}/sysconfig.%{name} -%{_fillupdir}/sysconfig.%{name}-client +%dir %attr(-, root, velociraptor) %{_sysconfdir}/velociraptor + +%config(noreplace) %{config_perms} %{_sysconfdir}/velociraptor/*.config +%dir 
%{state_dir_perms} %{_sharedstatedir}/%{name} +%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/data +%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/logs +%dir %{state_dir_perms} %{_sharedstatedir}/%{name}/tmp + +%pre +%service_add_pre %{name}.service + +%post +%{fillup_only} +%service_add_post %{name}.service + +%preun +%service_del_preun %{name}.service + +%postun +%service_del_postun %{name}.service + +%if %{build_kafka_humio_gateway} %files kafka-humio-gateway %defattr(-, root, root) %license LICENSE %doc contrib/kafka-humio-gateway/README.md -%{_bindir}/%{name}-kafka-humio-gateway -%dir %{_datadir}/%{name}-kafka-humio-gateway -%{_datadir}/%{name}-kafka-humio-gateway/sample-config.yml +%{_bindir}/velociraptor-kafka-humio-gateway +%dir %{_datadir}/velociraptor-kafka-humio-gateway +%{_datadir}/velociraptor-kafka-humio-gateway/sample-config.yml +%{_sysusersdir}/velociraptor-kafka.conf +%{_unitdir}/velociraptor-kafka-humio-gateway.service +%{_fillupdir}/sysconfig.velociraptor-kafka-humio-gateway +%dir %attr(750, root, velociraptor-kafka) %{_sysconfdir}/velociraptor-kafka-humio-gateway +%config(noreplace) %attr(0640, root, velociraptor-kafka) %{_sysconfdir}/velociraptor-kafka-humio-gateway/transport.yml -%pre -%service_add_pre %{name}.service %{name}-client.service +%pre kafka-humio-gateway -f user.pre +%service_add_pre velociraptor-kafka-humio-gateway.service -%post -%{fillup_only} -%{fillup_only -s client} -%service_add_post %{name}.service %{name}-client.service +%post kafka-humio-gateway +%{fillup_only -s kafka-humio-gateway} +%service_add_post velociraptor-kafka-humio-gateway.service -%preun -%service_del_preun %{name}.service %{name}-client.service +%preun kafka-humio-gateway +%service_del_preun velociraptor-kafka-humio-gateway.service -%postun -%service_del_postun %{name}.service %{name}-client.service +%postun kafka-humio-gateway +%service_del_postun velociraptor-kafka-humio-gateway.service + +%endif %changelog 
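Review bot: The sysusers.d file is installed from the wrong source: `install -D -m 0644 %{SOURCE10} %{buildroot}%{_sysusersdir}/velociraptor-kafka.conf` copies Source10, which this change defines as `sysconfig.velociraptor`, instead of Source13 (`velociraptor-kafka.sysusers`), so the shipped `/usr/lib/sysusers.d/velociraptor-kafka.conf` is a shell sysconfig fragment that systemd-sysusers will reject and the account is only created by the `%pre -f user.pre` scriptlet generated from the correct file in %build. Change the line to `install -D -m 0644 %{SOURCE13} %{buildroot}%{_sysusersdir}/velociraptor-kafka.conf`. Also, the live config is seeded from `contrib/kafka-humio-gateway/sample-config.yml` under `%config(noreplace)`; if that sample carries placeholder endpoints or tokens, a comment in the spec saying it must be edited before the service is enabled would save an operator from running the gateway against example values.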
diff --git a/vendor-golang-0.6.7.4~git41.678ed56.tar.xz b/vendor-golang-0.6.7.4~git41.678ed56.tar.xz
deleted file mode 100644
index a18aba0..0000000
--- a/vendor-golang-0.6.7.4~git41.678ed56.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d0e93278e02bdcba1d6f81dc318ae07131c1f8492dc5db7340ddd8f3841d31f4
-size 27825180
diff --git a/vendor-golang-0.6.7.5~git77.997aa73.tar.xz b/vendor-golang-0.6.7.5~git77.997aa73.tar.xz
new file mode 100644
index 0000000..ea9966e
--- /dev/null
+++ b/vendor-golang-0.6.7.5~git77.997aa73.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e16186e67b1737d138cf75a9e1b6bb80f95836dffae11e1b28b06ea435b5b019
+size 27831304
diff --git a/vendor-golang-kafka-humio-gateway-0.6.7.4~git41.678ed56.tar.xz b/vendor-golang-kafka-humio-gateway-0.6.7.4~git41.678ed56.tar.xz
deleted file mode 100644
index 6f8bdf4..0000000
--- a/vendor-golang-kafka-humio-gateway-0.6.7.4~git41.678ed56.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:73c425c59d06d58c64c5f0f45e4211f9d9f51e8e1e688e070ccf53a8eb9bbc6f
-size 454256
diff --git a/vendor-golang-kafka-humio-gateway-0.6.7.5~git77.997aa73.tar.xz b/vendor-golang-kafka-humio-gateway-0.6.7.5~git77.997aa73.tar.xz
new file mode 100644
index 0000000..cb46f78
--- /dev/null
+++ b/vendor-golang-kafka-humio-gateway-0.6.7.5~git77.997aa73.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:690564ed252212f29c47531980c0a71db117562cd82e5d65b432764af6fa0033
+size 454120
diff --git a/vendor-nodejs-0.6.7.4~git41.678ed56.tar.xz b/vendor-nodejs-0.6.7.4~git41.678ed56.tar.xz
deleted file mode 100644
index a116a4b..0000000
--- a/vendor-nodejs-0.6.7.4~git41.678ed56.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e8734e871d5df2ccfd120ab591ed195fcb2b111ee7cc41378e5c29b68c3e83cb
-size 37872364
diff --git a/vendor-nodejs-0.6.7.5~git77.997aa73.tar.xz b/vendor-nodejs-0.6.7.5~git77.997aa73.tar.xz
new file mode 100644
index 0000000..304b0e8
--- /dev/null
+++ b/vendor-nodejs-0.6.7.5~git77.997aa73.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b42eb599be65908543ead404fa6c59a90526ff1011e9ddad6258f1f1437770a4
+size 37663228