diff --git a/_servicedata b/_servicedata index 3407f05..e54f562 100644 --- a/_servicedata +++ b/_servicedata @@ -3,4 +3,4 @@ https://github.com/jeffmahoney/linux-security-sensor 45393b11957049ed841f559cf9f3b88dc5a588d9 https://github.com/SUSE/linux-security-sensor - 45393b11957049ed841f559cf9f3b88dc5a588d9 \ No newline at end of file + 87123d4614a0479dd645dccacddffbdd2eab6c19 \ No newline at end of file diff --git a/velociraptor-0.6.4.2~git31.e1b7fc0e.obscpio b/velociraptor-0.6.4.2~git31.e1b7fc0e.obscpio deleted file mode 100644 index dc0f1c2..0000000 --- a/velociraptor-0.6.4.2~git31.e1b7fc0e.obscpio +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:02c13973d8a025778b51c537e62cc669fc71c35c2ee019435e5e4d3c31b8b9b4 -size 35173389 diff --git a/velociraptor-0.6.4.2~git59.5ebb49db.obscpio b/velociraptor-0.6.4.2~git59.5ebb49db.obscpio new file mode 100644 index 0000000..60c3326 --- /dev/null +++ b/velociraptor-0.6.4.2~git59.5ebb49db.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:81dc5205be0d262528fb8ba2a1b60e5ca8d58565eb1e90bc809eed3409ce32c5 +size 36168205 diff --git a/velociraptor-client.changes b/velociraptor-client.changes index afed0c3..c86e2ea 100644 --- a/velociraptor-client.changes +++ b/velociraptor-client.changes 
@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Fri Aug 19 01:59:35 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git59.5ebb49db:
+ * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
+
+-------------------------------------------------------------------
+Thu Aug 11 19:40:21 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git57.fcb11adf:
+ * kafka-humio-gateway: add sample config file
+
+-------------------------------------------------------------------
+Fri Jul 15 14:30:49 UTC 2022 - Jeff Mahoney
+
+- Updated BuildRequires to use go 1.17 after updating vendoring
+
+-------------------------------------------------------------------
+Fri Jul 15 02:24:03 UTC 2022 - Jeff Mahoney
+
+- Add vmlinux.h from 5.18.9-2-default to provide type information (x86_64 only)
+
+-------------------------------------------------------------------
+Fri Jul 15 00:00:39 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git56.47b4adb4:
+ * Updating the NewFiles and ProcessStatuses Artifacts
+ * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
+ * third_party/go-libaudit: don't directly use unix.*
+ * Add Linux.Remediation.Quarantine artifact
+ * Extend audit artifacts to use new interface
+ * audit: rearchitect plugin to scale better with multiple invocations
+ * third_party/go-libaudit: move handling of receive buffer to caller
+ * third_party/go-libaudit: move buffer handling from netlink to audit
+ * third_party/go-libaudit: allow audit fd to be pollable
+ * third_party/go-libaudit: Add support for removing individual rules
+ * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
+ * third_party/go-libaudit: Report missing rules during deletion
+ * import go-libaudit as a third-party module
+ * quarantine: actually call the OS-specific artifact
+ * artifactset: add ability to select named sources
+ * GUI: Artifact selector (#1790)
+ * host-info: make quarantine UI more robust with non-Windows client hosts + * shell-viewer: default to Bash on non-Windows clients + ------------------------------------------------------------------- Thu May 12 20:15:26 UTC 2022 - jeffm@suse.com diff --git a/velociraptor-client.spec b/velociraptor-client.spec index cd3673e..a42eb0a 100644 --- a/velociraptor-client.spec +++ b/velociraptor-client.spec @@ -16,20 +16,21 @@ # %define projname velociraptor -%define vendor_version 0.6.4.2~git31.e1b7fc0e +%define vendor_version 0.6.4.2~git56.47b4adb4 +%define vmlinux_h_version 5.18.9-2-default Name: velociraptor-client -Version: 0.6.4.2~git31.e1b7fc0e +Version: 0.6.4.2~git59.5ebb49db Release: 0 Summary: Endpoint visibility and collection tool (endpoint only) - -# FIXME: Select a correct license from https://github.com/openSUSE/spec-cleaner#spdx-licenses +Group: System/Monitoring License: AGPL-3.0-only URL: https://github.com/Velocidex/velociraptor Source: %{projname}-%{version}.tar.xz Source1: vendor-golang-%{vendor_version}.tar.xz Source2: %{name}.service Source3: %{name}.config.placeholder +Source4: vmlinux.h-%{vmlinux_h_version}.tar.xz Patch1: velociraptor-golang-mage-vendoring.diff Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch Patch3: velociraptor-makefile-add-bpf-rules-to-linux_bare.patch @@ -37,7 +38,8 @@ Patch4: make-libbpfgo-vendorable.patch BuildRequires: golang-packaging BuildRequires: systemd-rpm-macros BuildRequires: systemd-devel -BuildRequires: golang(API) >= 1.14 +# We actually only require >= 1.17 +BuildRequires: golang(API) = 1.17 BuildRequires: fileb0x BuildRequires: mage BuildRequires: libtsan0 @@ -60,7 +62,7 @@ install the 'velociraptor' package. %prep -%setup -q -a 1 -n %{projname}-%{version} +%setup -q -a 1 -a 4 -n %{projname}-%{version} %autopatch -p1 # Without this, the libbpfgo tests want to vendor the external version 
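Review bot: `%define vendor_version 0.6.4.2~git56.47b4adb4` leaves Source1 three commits behind the `Version: 0.6.4.2~git59.5ebb49db` being built, and nothing in the spec says the skew is deliberate. The changelog entries for git57 and git59 do not mention dependency changes, so this is probably intended, but the next person to bump Version has no cue for when the vendor tarball must be regenerated. A comment above the define would record it, for example `# vendor tarball is regenerated only when go.mod/go.sum change; last regenerated at git56`. The first hunk of velociraptor.spec has the same pair of lines; the preamble continues outside this hunk.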
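Review bot: The new `BuildRequires: golang(API) = 1.17` pins the build to exactly one Go release, which contradicts the comment added directly above it and keeps the package from building with a later toolchain. Because Go binaries link the standard library statically, the compiler release decides which net/http and crypto/tls fixes end up in the shipped agent, so an exact pin should state its reason. Either relax it to `BuildRequires: golang(API) >= 1.17`, or replace the comment with the actual cause of the pin. The same two lines are added in velociraptor.spec at `@@ -41,7 +42,8 @@`.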
@@ -69,6 +71,10 @@ rm -rf third_party/libbpfgo/selftest third_party/libbpfgo/helpers/example_tracel # Set the version to something more specific than -dev sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go +mkdir -p third_party/libbpfgo/output +cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \ + third_party/libbpfgo/output/vmlinux.h + # These just clutter the GUI and we don't have Windows clients # Note: There are dependencies on these that need to be resolved before # removing them outright. diff --git a/velociraptor.changes b/velociraptor.changes index 9ef9b56..2548456 100644 --- a/velociraptor.changes +++ b/velociraptor.changes 
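Review bot: The added `cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h` assumes the tarball holds a header for every build architecture, but the changelog entry for this change says the header is x86_64 only. On any other architecture %prep would stop at this cp unless the package is restricted elsewhere in the spec, which is not visible in the hunk. An `ExclusiveArch: x86_64` in the preamble, or wrapping the two commands in `%ifarch x86_64` and `%endif`, would make the limitation explicit. A short comment naming how the header was generated from kernel 5.18.9-2-default would also let a reviewer reproduce the tarball. velociraptor.spec gets the same lines at `@@ -82,6 +84,10 @@`.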
@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Fri Aug 19 01:59:35 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git59.5ebb49db:
+ * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
+
+-------------------------------------------------------------------
+Thu Aug 11 19:40:21 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git57.fcb11adf:
+ * kafka-humio-gateway: add sample config file
+
+-------------------------------------------------------------------
+Fri Jul 15 14:30:49 UTC 2022 - Jeff Mahoney
+
+- Updated BuildRequires to use go 1.17 after updating vendoring
+
+-------------------------------------------------------------------
+Fri Jul 15 02:24:03 UTC 2022 - Jeff Mahoney
+
+- Add vmlinux.h from 5.18.9-2-default to provide type information (x86_64 only)
+
+-------------------------------------------------------------------
+Fri Jul 15 00:00:39 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git56.47b4adb4:
+ * Updating the NewFiles and ProcessStatuses Artifacts
+ * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
+ * third_party/go-libaudit: don't directly use unix.*
+ * Add Linux.Remediation.Quarantine artifact
+ * Extend audit artifacts to use new interface
+ * audit: rearchitect plugin to scale better with multiple invocations
+ * third_party/go-libaudit: move handling of receive buffer to caller
+ * third_party/go-libaudit: move buffer handling from netlink to audit
+ * third_party/go-libaudit: allow audit fd to be pollable
+ * third_party/go-libaudit: Add support for removing individual rules
+ * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
+ * third_party/go-libaudit: Report missing rules during deletion
+ * import go-libaudit as a third-party module
+ * quarantine: actually call the OS-specific artifact
+ * artifactset: add ability to select named sources
+ * GUI: Artifact selector (#1790)
+ * host-info: make quarantine UI more robust with non-Windows client hosts + * shell-viewer: default to Bash on non-Windows clients + ------------------------------------------------------------------- Thu May 12 20:15:26 UTC 2022 - jeffm@suse.com diff --git a/velociraptor.obsinfo b/velociraptor.obsinfo index 3596f90..95b19cb 100644 --- a/velociraptor.obsinfo +++ b/velociraptor.obsinfo @@ -1,4 +1,4 @@ name: velociraptor -version: 0.6.4.2~git31.e1b7fc0e -mtime: 1652386495 -commit: e1b7fc0e393db0f2f098ee8a181831df333c88e6 +version: 0.6.4.2~git59.5ebb49db +mtime: 1660874322 +commit: 5ebb49db07717905c8dd9774dc0ab3f38b71c1ba diff --git a/velociraptor.spec b/velociraptor.spec index af71847..7352de9 100644 --- a/velociraptor.spec +++ b/velociraptor.spec @@ -16,14 +16,14 @@ # %define projname velociraptor -%define vendor_version 0.6.4.2~git31.e1b7fc0e +%define vendor_version 0.6.4.2~git56.47b4adb4 +%define vmlinux_h_version 5.18.9-2-default Name: velociraptor -Version: 0.6.4.2~git31.e1b7fc0e +Version: 0.6.4.2~git59.5ebb49db Release: 0 Summary: Endpoint visibility and collection tool - -# FIXME: Select a correct license from https://github.com/openSUSE/spec-cleaner#spdx-licenses +Group: System/Monitoring License: AGPL-3.0-only URL: https://github.com/Velocidex/velociraptor Source: %{projname}-%{version}.tar.xz @@ -34,6 +34,7 @@ Source4: %{name}.service Source5: %{name}-server.config.placeholder Source6: %{name}-client.service Source7: %{name}-client.config.placeholder +Source8: vmlinux.h-%{vmlinux_h_version}.tar.xz Patch1: velociraptor-golang-mage-vendoring.diff Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch Patch3: velociraptor-makefile-add-bpf-rules-to-linux_bare.patch 
@@ -41,7 +42,8 @@ Patch4: make-libbpfgo-vendorable.patch BuildRequires: golang-packaging BuildRequires: systemd-rpm-macros BuildRequires: systemd-devel -BuildRequires: golang(API) >= 1.14 +# We actually only require >= 1.17 +BuildRequires: golang(API) = 1.17 BuildRequires: fileb0x BuildRequires: mage BuildRequires: libtsan0 @@ -66,14 +68,14 @@ For just the endpoint agent, please install the 'velociraptor-client' package. %package kafka-humio-gateway Summary: Gateway between Kafka and Humio for Velociraptor Artifacts -Version: 0.6.4.2~git31.e1b7fc0e +Version: 0.6.4.2~git59.5ebb49db %description kafka-humio-gateway This tool is used to consume events generated by the Kafka Velociraptor plugin and post them to a Humio cluster. %prep -%setup -q -a 1 -a 2 -a 3 -n %{projname}-%{version} +%setup -q -a 1 -a 2 -a 3 -a 8 -n %{projname}-%{version} %autopatch -p1 # Without this, the libbpfgo tests want to vendor the external version @@ -82,6 +84,10 @@ rm -rf third_party/libbpfgo/selftest third_party/libbpfgo/helpers/example_tracel # Set the version to something more specific than -dev sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go +mkdir -p third_party/libbpfgo/output +cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \ + third_party/libbpfgo/output/vmlinux.h + # These just clutter the GUI and we don't have Windows clients # Note: There are dependencies on these that need to be resolved before # removing them outright. @@ -91,7 +97,7 @@ sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go (cd gui/velociraptor ; npm run build) PATH=$PATH:/usr/sbin make linux -(cd contrib/kafka-humio-gateway; go build -o velociraptor-kafka-humio-gateway) +(cd contrib/kafka-humio-gateway; go build -o %{name}-kafka-humio-gateway) %install mkdir -p %buildroot/%{_bindir} 
@@ -100,14 +106,17 @@ mkdir -p %buildroot/%{_unitdir} mkdir -p %buildroot/%{_sharedstatedir}/velociraptor/data mkdir -p %buildroot/%{_sharedstatedir}/velociraptor/logs mkdir -p %buildroot/%{_sharedstatedir}/velociraptor-client -install -m 755 output/velociraptor-v%{version}-linux-* %buildroot/%{_bindir}/velociraptor -install -m 755 contrib/kafka-humio-gateway/velociraptor-kafka-humio-gateway %buildroot/%{_bindir} +mkdir -p %buildroot/%{_datadir}/%{name}-kafka-humio-gateway +install -m 0755 output/velociraptor-v%{version}-linux-* %buildroot/%{_bindir}/velociraptor +install -m 0755 contrib/kafka-humio-gateway/%{name}-kafka-humio-gateway %buildroot/%{_bindir} +install -m 0644 contrib/kafka-humio-gateway/sample-config.yml %buildroot/%{_datadir}/%{name}-kafka-humio-gateway/sample-config.yml install -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/%{name}.service install -m 0600 %{SOURCE5} %{buildroot}%{_sysconfdir}/velociraptor/server.config install -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/%{name}-client.service install -m 0600 %{SOURCE7} %{buildroot}%{_sysconfdir}/velociraptor/client.config %files +%defattr(-, root, root) %license LICENSE %doc README.md %dir %{_sysconfdir}/velociraptor @@ -122,9 +131,12 @@ install -m 0600 %{SOURCE7} %{buildroot}%{_sysconfdir}/velociraptor/client.config %dir %{_sharedstatedir}/velociraptor-client %files kafka-humio-gateway +%defattr(-, root, root) %license LICENSE %doc contrib/kafka-humio-gateway/README.md -%{_bindir}/velociraptor-kafka-humio-gateway +%{_bindir}/%{name}-kafka-humio-gateway +%dir %{_datadir}/%{name}-kafka-humio-gateway +%{_datadir}/%{name}-kafka-humio-gateway/sample-config.yml %pre %service_add_pre %{name}.service diff --git a/vendor-golang-0.6.4.2~git31.e1b7fc0e.tar.xz b/vendor-golang-0.6.4.2~git31.e1b7fc0e.tar.xz deleted file mode 100644 index a010242..0000000 --- a/vendor-golang-0.6.4.2~git31.e1b7fc0e.tar.xz +++ /dev/null 
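Review bot: The install step ships `sample-config.yml` as 0644 under %{_datadir}, which is fine for a template, but the package gives the gateway no 0600 location for its live configuration the way server.config and client.config get one a few lines below. A gateway that posts to Humio presumably needs an ingest token in its configuration, so an administrator who copies the sample in place inherits a world-readable file. Consider a comment at the top of the sample, or a line in the gateway README, such as `# copy to a root-owned file with mode 0600 before adding credentials`. The contents of sample-config.yml are not part of this diff, so this is inferred from the file name and the package description.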
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5dad594f42ddcbebd18fe553ef5068081701561a72e229bd39ad99811a2fe39b
-size 7817752
diff --git a/vendor-golang-0.6.4.2~git56.47b4adb4.tar.xz b/vendor-golang-0.6.4.2~git56.47b4adb4.tar.xz
new file mode 100644
index 0000000..502a838
--- /dev/null
+++ b/vendor-golang-0.6.4.2~git56.47b4adb4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a7d38ad45be8b27e563fadac89059951f60d1d231f2d8fec3df1b827447a5901
+size 7868504
diff --git a/vendor-golang-kafka-humio-gateway-0.6.4.2~git31.e1b7fc0e.tar.xz b/vendor-golang-kafka-humio-gateway-0.6.4.2~git31.e1b7fc0e.tar.xz
deleted file mode 100644
index 002951f..0000000
--- a/vendor-golang-kafka-humio-gateway-0.6.4.2~git31.e1b7fc0e.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:43bc2686bdf5fb270650c77cbff22e7728188a0e9d7eb010dfb84d8c5f484f14
-size 454376
diff --git a/vendor-golang-kafka-humio-gateway-0.6.4.2~git56.47b4adb4.tar.xz b/vendor-golang-kafka-humio-gateway-0.6.4.2~git56.47b4adb4.tar.xz
new file mode 100644
index 0000000..b0fc52d
--- /dev/null
+++ b/vendor-golang-kafka-humio-gateway-0.6.4.2~git56.47b4adb4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:886a5eeed9e6c9188a634e2cd19735f9260b0916ebb1a024f6b0de848219b652
+size 454252
diff --git a/vendor-nodejs-0.6.4.2~git31.e1b7fc0e.tar.xz b/vendor-nodejs-0.6.4.2~git31.e1b7fc0e.tar.xz
deleted file mode 100644
index c4fecbb..0000000
--- a/vendor-nodejs-0.6.4.2~git31.e1b7fc0e.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:554186cd098a64de8979b4f4c7ecb09ed1a2e2ffb4db09cfd58da5b14b4e9d6b
-size 37044384
diff --git a/vendor-nodejs-0.6.4.2~git56.47b4adb4.tar.xz b/vendor-nodejs-0.6.4.2~git56.47b4adb4.tar.xz
new file mode 100644
index 0000000..a916f16
--- /dev/null
+++ b/vendor-nodejs-0.6.4.2~git56.47b4adb4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c2c6afab53fa7d9860738ee4c3e0a720594fdc17e3414c0ba812dec7d21f3d41
+size 36978488
diff --git a/vmlinux.h-5.18.9-2-default.tar.xz b/vmlinux.h-5.18.9-2-default.tar.xz
new file mode 100644
index 0000000..5552aa4
--- /dev/null
+++ b/vmlinux.h-5.18.9-2-default.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:75a6a812bbed4f1e7abd5a3c02d1658a96b43d3c4fc99a155739c256a8da8245
+size 457380