- Update to version 0.7.0.4.git97.675e45f9:
* kafka-humio-gateway: update go version and dependency list
* kafka-humio-gateway: specific mTLS cert paths in config.yml
* docker-compose: set kafka replication factor and min ISRs
* kafka-humio-gateway: add http post retry mechanism
* kafka-humio-gateway: add pprof debugging option
* kafka-humio-gateway: format with gofmt
* kafka-humio-gateway: fix go-staticcheck issues
* kafka-humio-gateway: fix sendEvents() never exiting
* Kafka.Events.Client: Update to use new artifactset type
* docker-compose: add optional Kafka cluser
* kafka-humio-gateway: add mTLS support
* contrib/kafka-humio-gateway: add new debug option for noisy events
* contrib/kafka-humio-gateway: backoff and retry for metadata
* kafka-humio-gateway: add sample config file
* kafka-humio-gateway: update sarama and dependencies
* Add Kafka-Humio Gateway [Depends on PR#10] (#8)
* vql/server/kafka: connect sarama logging to velociraptor logging
* vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
* vql/server/kafka: set appropriate ClientID
* Add a Kafka export plugin
- Use llvm17 when available
OBS-URL: https://build.opensuse.org/request/show/1185208
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=78
- Update to version 0.7.0.4.git74.3426c0a:
* Fix services artifact symbol pid not found error
* chattrsnoop: correct read size for flags
* chattrsnoop: fix wrong FS_IOC_SETFLAGS value for ppc
* chattrsnoop: fix do_vfs_ioctl kprobe failure
- Remove nodejs sources from main spec file.
- Update to version 0.7.0.4.git68.ad1f4e5:
* Fix undefined binary.NativeEndian build errors
- Add llvm16-libclang13 dependency for SLE 15 SP5 and above
- Disable eBPF for SLE 15 SP2
- Fix builds for SLE 15 SP3 and SLE 12
* Revert to gzip compression instead of zstd for go modules
OBS-URL: https://build.opensuse.org/request/show/1164383
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=66
- Update to version 0.7.0.4.git66.eea7659:
* dnssnoop: fix loading protocol from ip header on s390
* dnssnoop: fix htons() so it works on s390 too
* Fix systemd Services artifact missing events
* chattrsnoop: replace global variables with locals
* tcpsnoop: fix garbled results on s390
* chattrsnoop: fix immutable attribute set on s390
* chattrsnoop: fix bpf_probe_read for s390
* tcpsnoop: remove unused filtering code
* Add artifact to collect new files without owner
* bpf plugins: set a logger callback
- Add CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
(bsc#1221456)
OBS-URL: https://build.opensuse.org/request/show/1161552
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=65
- Update to version 0.7.0.4.git47.0f8a4de1:
* Rename SUSE specific artifacts to have SUSE prefix
* Add SUSE.Linux.Events.NewZeroSizeLogFile artifact
* Move NewFiles artifact to SUSE
* Move ImmutableFile artifact to SUSE
* Make ImmutableFile artifact consistent with others
* Fix absolute path case in ExecutableFiles artifact
* Add client monitoring artifact for RPMs
* Add artifact to collect new hidden files
* Add artifact to monitor ssh authorized_keys files
* Fix split_records error on older clients
* Add hash fields to Linux.Events.ProcessExecutions
* Add artifact to collect systemd service events
* Fix SystemLogins artifacts file extensions
* Add SUSE.Linux.Events.Timers artifact
* Fix audit filter key typo in Linux.Events.NewFiles
* Add server artifact to delete old client data on server
* Add SUSE.Linux.Sys.At artifact
* chattrsnoop: include full error details in logs
* chattrsnoop: handle os.Stat() error properly
* chattrsnoop: don't log.Fatal() on hash error
* Fix Linux.Events.ImmutableFile not showing hash in GUI
* SUSE.Linux.Events.Crontab: Add task execution artifacts
* Raise client connection log level to ERROR
* sdjournal: Correctly seek to current tail
- Remove verbose flag from client config
- Update to version 0.7.0.4.git6.7b40b8b:
* go.mod: increase go version to 1.19
OBS-URL: https://build.opensuse.org/request/show/1149917
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=62
- Added workaround for missing Maintainers tag in Debian-based packages.
obs-service-format_spec_file strips the Packager tag from the spec file
before committing. The build service replaces it with its own. debbuild
expects the Packager field to be present to generate the Maintainers tag
in the output but it only receives the "cleaned" spec file.
- Added Recommends: auditd
- Technically not *required* but Velociraptor's audit client enables
audit and then listens on the multicast socket. Without a listener
on the unicast socket, the kernel will spam the system log with events.
- Fixed debian packaging:
* /etc/sysconfig -> /etc/default
* %postun for systemd service cleanup
* Note: obs-service-format_spec_file strips the Packager tag that
debbuild uses to generate the Maintainer tag
OBS-URL: https://build.opensuse.org/request/show/1134354
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=59
- Temporarily use the NODE_MODULES BEGIN/END form of the node_modules
service due to a bug in debbuild preventing Debian builds from succeeding.
- Update to version 0.7.0.4.git4.c1b68a5b:
* hash: fix nil pointer dereference panic
* velociraptor: add dummy main function for mage
- Removed patch:
* velociraptor-golang-mage-vendoring.diff
- Switched to using go_modules and node_modules source services
- Eliminated bespoke vendoring scripts.
- Pulled sysuser definition into the velociraptor package.
- Remove PrivateTmp and PrivateDevices settings in velociraptor-client.service (SENS-70)
- Update to version 0.7.0.4.git0.e09a0df8:
* Add additional sanitization to HTML templates on JS side. (#2) (#3077) (CVE-2023-5950)
* vql/linux/sdjournal: Fix open/close lifetimes
* vql/linux/audit: fix shutdown races
* vql/linux/audit: fix goroutine lifetimes
* vql/linux/audit: limit messageQueue to within runService
* vql/linux/audit: add auditService.Log()
* vql/linux/audit: pull parts of shutdown into shutdown watcher
* vql/linux/audit: remove unnecessary error handling for reassembler
* vql/linux/audit: remove unused waitgroup from main event loop
* vql/linux/audit: handle top-level cancelation properly
* vql/linux/audit: make explicit that goroutines in the main errgroup don't return errors
* vql/linux/audit: make stats reporting separate from debug prints
* vql/linux/audit: simplify polling in listener
* vql/linux/audit: tests, check various rule scenarios
* vql/linux/audit: Add more client failure test cases
* vql/linux/audit: Fix audit client lifecycle
OBS-URL: https://build.opensuse.org/request/show/1133905
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=55
- Update to version 0.6.7.5~git78.2bef6fc:
* bpf: fix path to vmlinux.h
- Update to version 0.6.7.5~git77.997aa73:
* file_store/test_utils/server_config.go: update test certificate
* Update bluemonday dependency.
* vql/functions/hash: cache results on Linux
* libbpfgo: update to velociraptor-branch-v0.4.8-libbpf-1.2.0
* logscale/backport: don't use networking.GetHttpTransport
* vql/tools/logscale: add plugin to post events to LogScale ingestion endpoint
* file_store/directory: add ability to report pending size
- Change clang dependency to clang16
- Fix velociraptor-golang-mage-vendoring.diff to account for newer
'go mod vendor' honoring build flags.
- Fix update-vendoring.sh script to actually run the %setup part of
the spec.
- Merge client package into server spec and use _multibuild to create
client package from same spec file.
- Adjust changelog to retain changes for client package.
- Fix building in static mode on earlier releases.
- Added patch: velociraptor-libbpfgo-only-build-libbpf.patch
- Tightening the security of the services a bit:
- tmp files are now moved to /var/lib/velociraptor{,-client}/tmp
from /tmp
- run velociraptor server as user velociraptor instead of root
we do not really need root permissions here
- introduce /var/lib/velociraptor/filestore to make it easier to
split out large file upload
- change permissions for the data directory and subdirectories to
OBS-URL: https://build.opensuse.org/request/show/1085591
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=46
- Update to version 0.6.7.4~git63.4a1ed09d:
* utils/time.js: fix handling of nanosecond-resolution timestamps
- Added patches:
* velociraptor-reproducible-timestamp.diff
- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).
- Update to version 0.6.7.4~git60.8abed37a:
* http_comms: create ring buffer temporary file in the same directory
* cronsnoop: plumb in real scope logging
* cronsnoop: don't treat routine errors as fatal
* cronsnoop: fix typo
- Update to version 0.6.7.4~git63.4a1ed09d:
* utils/time.js: fix handling of nanosecond-resolution timestamps
- Added patches:
* velociraptor-reproducible-timestamp.diff
- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).
- Update to version 0.6.7.4~git60.8abed37a:
* http_comms: create ring buffer temporary file in the same directory
* cronsnoop: plumb in real scope logging
* cronsnoop: don't treat routine errors as fatal
* cronsnoop: fix typo
OBS-URL: https://build.opensuse.org/request/show/1064242
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/velociraptor?expand=0&rev=3
- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).
- Update to version 0.6.7.4~git60.8abed37a:
* http_comms: create ring buffer temporary file in the same directory
* cronsnoop: plumb in real scope logging
* cronsnoop: don't treat routine errors as fatal
* cronsnoop: fix typo
- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).
- Update to version 0.6.7.4~git60.8abed37a:
* http_comms: create ring buffer temporary file in the same directory
* cronsnoop: plumb in real scope logging
* cronsnoop: don't treat routine errors as fatal
* cronsnoop: fix typo
OBS-URL: https://build.opensuse.org/request/show/1060929
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=41
- Remove dependency on bpftool. We use the vmlinux.h archive
to provide vmlinux.h.
- Restored %defattr due to SLE12 using rpm-4.11.
- Fix builds in vendor code on SLE12
- Fix build in third_party/sdjournal due to older systemd on SLE12
- Added patches:
- vendor-go-magic-build-fix-for-SLE12.patch
- sdjournal-build-fix-for-SLE12.patch
- Remove dependency on bpftool. We use the vmlinux.h archive
to provide vmlinux.h.
- Restored %defattr due to SLE12 using rpm-4.11.
- Fix builds in vendor code on SLE12
- Fix build in third_party/sdjournal due to older systemd on SLE12
- Added patches:
- vendor-go-magic-build-fix-for-SLE12.patch
- sdjournal-build-fix-for-SLE12.patch
OBS-URL: https://build.opensuse.org/request/show/1060070
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=35
