-------------------------------------------------------------------
Mon Aug 19 20:45:30 UTC 2024 - Antonio Teixeira

- Update node modules with security fixes.
  * Fixes CVE-2024-39338 (bsc#1229424)
  * Remove CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
    as the update is included.

-------------------------------------------------------------------
Mon Aug 12 20:47:33 UTC 2024 - Antonio Teixeira

- Move system-user-velociraptor to the client flavor build in order to
  build it on all architectures.

-------------------------------------------------------------------
Wed Jul 03 17:01:54 UTC 2024 - antonio.teixeira@suse.com

- Update to version 0.7.0.4.git97.675e45f9:
  * kafka-humio-gateway: update go version and dependency list
  * kafka-humio-gateway: specific mTLS cert paths in config.yml
  * docker-compose: set kafka replication factor and min ISRs
  * kafka-humio-gateway: add http post retry mechanism
  * kafka-humio-gateway: add pprof debugging option
  * kafka-humio-gateway: format with gofmt
  * kafka-humio-gateway: fix go-staticcheck issues
  * kafka-humio-gateway: fix sendEvents() never exiting
  * Kafka.Events.Client: Update to use new artifactset type
  * docker-compose: add optional Kafka cluster
  * kafka-humio-gateway: add mTLS support
  * contrib/kafka-humio-gateway: add new debug option for noisy events
  * contrib/kafka-humio-gateway: backoff and retry for metadata
  * kafka-humio-gateway: add sample config file
  * kafka-humio-gateway: update sarama and dependencies
  * Add Kafka-Humio Gateway [Depends on PR#10] (#8)
  * vql/server/kafka: connect sarama logging to velociraptor logging
  * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
  * vql/server/kafka: set appropriate ClientID
  * Add a Kafka export plugin
- Use llvm17 when available

-------------------------------------------------------------------
Tue May 28 16:45:51 UTC 2024 - Antonio Teixeira

- Patches changes:
  * Change CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
    to update the follow-redirects package instead of patching directly.
  * Added CVE-2022-25883-npm-watch-semver-deps.patch (bsc#1212572)
- Add a package-lock.json to the package

-------------------------------------------------------------------
Sat Apr 27 16:11:14 UTC 2024 - Antonio Teixeira

- Fix group(velociraptor) dependency for SLE 15 SP3

-------------------------------------------------------------------
Tue Apr 23 10:28:10 UTC 2024 - Antonio Teixeira

- Change system-user-velociraptor to noarch

-------------------------------------------------------------------
Wed Apr 17 21:53:20 UTC 2024 - Jeff Mahoney

- Fix unresolvable Debian group-velociraptor dependency.

-------------------------------------------------------------------
Wed Apr 17 15:52:52 UTC 2024 - Jeff Mahoney

- Restore velociraptor group for client
- Add %{name}(project:%_project) Provides for SLE15 and newer
- Fixed SLE12-SP5 build

-------------------------------------------------------------------
Fri Apr 5 13:01:05 UTC 2024 - Antonio Teixeira

- Obsolete old velociraptor-kafka-humio-gateway package

-------------------------------------------------------------------
Wed Apr 03 14:21:30 UTC 2024 - Antonio Teixeira

- Update to version 0.7.0.4.git74.3426c0a:
  * Fix services artifact symbol pid not found error
  * chattrsnoop: correct read size for flags
  * chattrsnoop: fix wrong FS_IOC_SETFLAGS value for ppc
  * chattrsnoop: fix do_vfs_ioctl kprobe failure

-------------------------------------------------------------------
Wed Apr 3 13:54:19 UTC 2024 - Antonio Teixeira

- Remove nodejs sources from main spec file.

-------------------------------------------------------------------
Tue Apr 02 21:52:32 UTC 2024 - Antonio Teixeira

- Update to version 0.7.0.4.git68.ad1f4e5:
  * Fix undefined binary.NativeEndian build errors
- Add llvm16-libclang13 dependency for SLE 15 SP5 and above

-------------------------------------------------------------------
Tue Apr 2 12:02:12 UTC 2024 - Antonio Teixeira

- Disable eBPF for SLE 15 SP2

-------------------------------------------------------------------
Sun Mar 31 23:38:18 UTC 2024 - Antonio Teixeira

- Fix builds for SLE 15 SP3 and SLE 12
  * Revert to gzip compression instead of zstd for go modules

-------------------------------------------------------------------
Mon Mar 25 17:19:16 UTC 2024 - Antonio Teixeira

- Update to version 0.7.0.4.git66.eea7659:
  * dnssnoop: fix loading protocol from ip header on s390
  * dnssnoop: fix htons() so it works on s390 too
  * Fix systemd Services artifact missing events
  * chattrsnoop: replace global variables with locals
  * tcpsnoop: fix garbled results on s390
  * chattrsnoop: fix immutable attribute set on s390
  * chattrsnoop: fix bpf_probe_read for s390
  * tcpsnoop: remove unused filtering code
  * Add artifact to collect new files without owner
  * bpf plugins: set a logger callback
- Add CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
  (bsc#1221456)

-------------------------------------------------------------------
Thu Feb 29 18:48:52 UTC 2024 - Antonio Teixeira

- Reintroduce system-user-velociraptor package due to client %pre and
  %postun scripts depending on velociraptor user and group.

-------------------------------------------------------------------
Tue Feb 27 22:37:09 UTC 2024 - Antonio Teixeira

- Obsolete old system-user-velociraptor package.
- Use zst compression for go modules.

-------------------------------------------------------------------
Thu Feb 22 20:11:34 UTC 2024 - doreilly@suse.com

- Update to version 0.7.0.4.git47.0f8a4de1:
  * Rename SUSE specific artifacts to have SUSE prefix
  * Add SUSE.Linux.Events.NewZeroSizeLogFile artifact
  * Move NewFiles artifact to SUSE
  * Move ImmutableFile artifact to SUSE
  * Make ImmutableFile artifact consistent with others
  * Fix absolute path case in ExecutableFiles artifact
  * Add client monitoring artifact for RPMs
  * Add artifact to collect new hidden files
  * Add artifact to monitor ssh authorized_keys files
  * Fix split_records error on older clients
  * Add hash fields to Linux.Events.ProcessExecutions
  * Add artifact to collect systemd service events
  * Fix SystemLogins artifacts file extensions
  * Add SUSE.Linux.Events.Timers artifact
  * Fix audit filter key typo in Linux.Events.NewFiles
  * Add server artifact to delete old client data on server
  * Add SUSE.Linux.Sys.At artifact
  * chattrsnoop: include full error details in logs
  * chattrsnoop: handle os.Stat() error properly
  * chattrsnoop: don't log.Fatal() on hash error
  * Fix Linux.Events.ImmutableFile not showing hash in GUI
  * SUSE.Linux.Events.Crontab: Add task execution artifacts
  * Raise client connection log level to ERROR
  * sdjournal: Correctly seek to current tail
- Remove verbose flag from client config

-------------------------------------------------------------------
Thu Feb 22 15:56:44 UTC 2024 - doreilly@suse.com

- Update to version 0.7.0.4.git6.7b40b8b:
  * go.mod: increase go version to 1.19

-------------------------------------------------------------------
Thu Feb 22 13:19:14 UTC 2024 - Antonio Teixeira

- Use clang16 for SLE 15 SP4 and above.

-------------------------------------------------------------------
Thu Jan 18 15:36:50 UTC 2024 - Antonio Teixeira

- Fixed Debian %postun scripts being used for other distros.

-------------------------------------------------------------------
Wed Dec 20 21:08:36 UTC 2023 - Jeff Mahoney

- Added workaround for missing Maintainers tag in Debian-based packages.
  obs-service-format_spec_file strips the Packager tag from the spec
  file before committing. The build service replaces it with its own.
  debbuild expects the Packager field to be present to generate the
  Maintainers tag in the output but it only receives the "cleaned"
  spec file.

-------------------------------------------------------------------
Tue Dec 19 21:53:37 UTC 2023 - Jeff Mahoney

- Added Recommends: auditd
  - Technically not *required* but Velociraptor's audit client enables
    audit and then listens on the multicast socket. Without a listener
    on the unicast socket, the kernel will spam the system log with
    events.

-------------------------------------------------------------------
Tue Dec 19 19:29:06 UTC 2023 - Jeff Mahoney

- Fixed debian packaging:
  * /etc/sysconfig -> /etc/default
  * %postun for systemd service cleanup
  * Note: obs-service-format_spec_file strips the Packager tag that
    debbuild uses to generate the Maintainer tag

-------------------------------------------------------------------
Tue Dec 19 14:24:44 UTC 2023 - Jeff Mahoney

- Fix %SOURCE references.

-------------------------------------------------------------------
Fri Dec 15 22:35:01 UTC 2023 - Jeff Mahoney

- Temporarily use the NODE_MODULES BEGIN/END form of the node_modules
  service due to a bug in debbuild preventing Debian builds from
  succeeding.

-------------------------------------------------------------------
Fri Dec 15 19:32:04 UTC 2023 - Jeff Mahoney

- Update to version 0.7.0.4.git4.c1b68a5b:
  * hash: fix nil pointer dereference panic
  * velociraptor: add dummy main function for mage
- Removed patch:
  * velociraptor-golang-mage-vendoring.diff
- Rebased patch:
  * velociraptor-reproducible-timestamp.diff
- Switched to using go_modules and node_modules source services
  * Eliminated bespoke vendoring scripts.
- Pulled sysuser definition into the velociraptor package.

-------------------------------------------------------------------
Tue Dec 5 13:54:03 UTC 2023 - Darragh O'Reilly

- Remove PrivateTmp and PrivateDevices settings in
  velociraptor-client.service (SENS-70)

-------------------------------------------------------------------
Wed Nov 15 18:17:04 UTC 2023 - Jeff Mahoney

- Update to version 0.7.0.4.git0.e09a0df8:
  * Add additional sanitization to HTML templates on JS side. (#2) (#3077) (CVE-2023-5950)
  * vql/linux/sdjournal: Fix open/close lifetimes
  * vql/linux/audit: fix shutdown races
  * vql/linux/audit: fix goroutine lifetimes
  * vql/linux/audit: limit messageQueue to within runService
  * vql/linux/audit: add auditService.Log()
  * vql/linux/audit: pull parts of shutdown into shutdown watcher
  * vql/linux/audit: remove unnecessary error handling for reassembler
  * vql/linux/audit: remove unused waitgroup from main event loop
  * vql/linux/audit: handle top-level cancelation properly
  * vql/linux/audit: make explicit that goroutines in the main errgroup don't return errors
  * vql/linux/audit: make stats reporting separate from debug prints
  * vql/linux/audit: simplify polling in listener
  * vql/linux/audit: tests, check various rule scenarios
  * vql/linux/audit: Add more client failure test cases
  * vql/linux/audit: Fix audit client lifecycle
  * vql/linux/audit: Change listener lifecycle to enable testing
  * vql/linux/audit: Fix DeleteRule in mock client
  * vql/linux/audit: Fix typo causing double-lock in notifyMissingRule
  * vql/linux/audit: Close reassembler if NewListenerBytes fails
  * vql/linux/audit: limit messageQueue scope to within runService
  * vql/linux/audit: Make messageQueue lifetime more apparent
  * vql/linux/audit: mainEventLoop shouldn't exit on canceled context
  * vql/linux/audit: Clean up context handling in shutdown goroutine
  * vql/linux/audit: fix test suite handling
  * bpf: only build libbpf in the go generate stage
  * bpf: add libbpf/include/uapi to the include path for bpf.h

-------------------------------------------------------------------
Fri Nov 3 01:36:35 UTC 2023 - Jeff Mahoney

- Enabled builds on CentOS 7/8 (currently without eBPF, needs llvm)
- Enabled builds on Ubuntu 20.04 and 22.04 (23.* pending OBS changes)
- Enabled builds on Debian 11, 12, Unstable, Testing, and Next
- Limit server builds to x86_64 until esbuild issue is sorted

-------------------------------------------------------------------
Tue Oct 31 20:07:16 UTC 2023 - Jeff Mahoney

- Update to version sensor-base-0.7.0~git0.602f673:
  * vql/linux/audit: fix staticcheck checks
  * vql/linux/audit: gofumpt -extra
  * vql/linux/audit: don't overload EAGAIN
  * vql/linux/audit: actually add test cases
  * cronsnoop: fix panic when crontab has empty line
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * SUSE: Do build tests on every pull request
  * Github: Run build workflow on each pull request
  * vql/functions/hash: cache results on Linux
  * rpm: introduce rpm vql plugin
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
  * Updating the NewFiles and ProcessStatuses Artifacts
  * vql/linux/cronsnoop: Add cronsnoop() plugin
  * Extend audit artifacts to use new interface
  * vql/linux/audit: rearchitect plugin for scalability
  * vql/linux/audit: use go-libaudit v2 for live audit message processing
  * file_store/directory/listener_bytes: Add listener to use serialized interface
  * utils/refcount: add simple refcount implementation
  * file_store/directory/buffer: add direct-serialized interface
  * Add artifact to monitor user group updates (#24)
  * Linux.Events.ProcessExecutions: catch 32-bit execve calls
  * Add custom artifacts for login and logout attempts recorded by auditd
  * vql/linux/bpflib: add sample vmlinux.h includes for test builds
  * vql/linux/bpf/chattrsnoop: Add plugin to catch changes to inode attributes
  * vql/linux/bpf/dnssnoop: Add dnssnoop() plugin
  * vql/linux/bpf/tcpsnoop: Add tcpsnoop plugin
  * vql/linux/bpf: add support to add bpf plugins for Linux
  * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
  * SUSE: Add SSHLogin artifacts
  * Update the Linux.Events.SSHLogin artifact to scan the systemd journal
  * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal
  * Add parser to read systemd journal on Linux
  * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path
  * linux: add lsattr() function to enumerate file attributes
  * github/workflows/linux: do apt-get update to refresh package lists
  * github: run testcases on Linux builds in new workflow
  * Add systemd-dev as build dependency for github workflow
  * magefile.go: use current architecture for Linux builds
  * build: update to mage 0.15
  * Update tool dependencies on each build (#2987) (#2989)
  * Various Bugfixes (#2981)
  * Fixed IPv6 formatting in Windows.Forensics.UserAccessLogs (#2980)
  * Add Yara device scanning (#44) (#2978)
  * Added a sample bash script for offline collector generation. (#2975)
  * Implemented a fix for Windows.Timeline.Prefetch (#2974)
  * Include MAC addresses in client host dashboard (#2943)
  * logscale: fix stats_interval parameter handling (#2973)
  * Update Lnk.yaml (#2972)
  * [Snyk] Upgrade: @babel/core, @babel/plugin-transform-react-jsx, @babel/runtime (#2970)
  * add suspicious field and targeted default (#2971)
  * Add filesystem type to data returned by file accessor on Unix (#2967)
  * [Snyk] Upgrade axios-retry from 3.6.1 to 3.7.0 (#2963)
  * Implemented a writeback service to manage the writeback file. (#2966)
  * [Snyk] Upgrade axios-retry from 3.6.0 to 3.6.1 (#2949)
  * Added FAT accessor for parsing FAT filesystems (#2961)
  * [Snyk] Upgrade recharts from 2.7.3 to 2.8.0 (#2950)
  * [Snyk] Upgrade axios from 1.4.0 to 1.5.0 (#2951)
  * Fix device major/minor number calculations (#2958)
  * Relay hunt creation errors to the Hunts API (#2953)
  * [Snyk] Upgrade: @babel/core, @babel/runtime (#2948)
  * Improve various bits of VQL documentation (#2945)
  * Update bluemonday dependency. (#2941)
  * Users testcases (#2942)
  * Order columns in hostname flatten output (#2939)
  * Add a generic hostsfile artifact (#2930)
  * Report process names as well as pid for errors (#2937)
  * Send hard coded labels in periodic client info updates (#2935)
  * [Snyk] Upgrade ace-builds from 1.24.0 to 1.24.1 (#2932)
  * Add Modify() method to client info manager. (#2933)
  * Remove unused parameter by Bloodhound artifact (#2924)
  * [Snyk] Upgrade ace-builds from 1.23.4 to 1.24.0 (#2928)
  * Fix AptSources deb822 parsing bug and add deb822 test (#2926)
  * Bugfixes: Artifact bugs due to FullPath->OSPath refactor (#2923)
  * [Snyk] Upgrade: @babel/core, @babel/runtime (#2917)
  * fix: upgrade recharts from 2.7.2 to 2.7.3
  * Update the config file docs.
  * Bugfix: Include tool versions from root org (#2913)
  * Fix issues in AptSources artifact and support deb822 format (#2851)
  * Disable compatibility with URL style paths (#2912)
  * [Snyk] Upgrade: @fortawesome/fontawesome-svg-core, @fortawesome/free-solid-svg-icons (#2907)
  * Added Windows.ETW.FileCreation (#2905)
  * Various documentation improvements (#2904)
  * [Snyk] Upgrade interactjs from 1.10.17 to 1.10.18 (#2902)
  * Update to latest SQLiteHunter (#2901)
  * [Snyk] Upgrade axios-retry from 3.5.1 to 3.6.0 (#2900)
  * Fix URL for VelociraptorWindowsMSI (#2868)
  * Allow embedded config to come from an external file (#2899)
  * Add OriginalFileName to Name regex search for better hunting (#2895)
  * Bugfix: Allow serve url to be set without materializing (#2894)
  * Bugfix: accessors should provide their underlying file (#2893)
  * Shuffle the list of URLs (#2888)
  * Create Mutants.yaml (#2877)
  * Added profile_memory() and profile_goroutines() VQL functions (#2887)
  * [Snyk] Upgrade ace-builds from 1.23.3 to 1.23.4 (#2883)
  * Create Notification.yaml (#2878)
  * Fix the issue of full cpus/ram when handling corrupted org (#2886)
  * [Snyk] Upgrade ace-builds from 1.23.2 to 1.23.3 (#2854)
  * Fix copy-pasted comment in Admin.Client.Uninstall artifact (#2872)
  * Create Windows.Detection.Registry.yaml (#2861)
  * [Snyk] Upgrade @babel/core from 7.22.8 to 7.22.9 (#2862)
  * fix: upgrade humanize-duration from 3.28.0 to 3.29.0
  * fix test
  * Bugfix: Hunt creation with labels
  * Bugfix: CreateCollector bug in uploading to the cloud (#2852)
  * [Snyk] Upgrade ace-builds from 1.23.1 to 1.23.2 (#2850)
  * Merge fix for ntfs library, add back KapeTriage SDS target (#2849)
  * Encode download filename in UTF8 to support better i18n (#2848)
  * [Snyk] Upgrade @babel/core from 7.22.6 to 7.22.8 (#2846)
  * [Snyk] Upgrade axios-retry from 3.5.0 to 3.5.1 (#2847)
  * Bugfix: Add Cell From Flow adapted to new flow widgets (#2844)
  * Feature/humio plugin (#2617)
  * [Snyk] Upgrade @babel/runtime from 7.22.5 to 7.22.6 (#2841)
  * Implemented memory protections for notebook cell calculations (#2842)
  * Added search term label:none for unlabeled clients. (#2840)
  * Incorporate SQLiteHunter project (#2839)
  * Add RDP cache (#43) (#2838)
  * Leave collection behind when uploading to cloud (#2834)
  * Added a VSS accessor to automatically diff files from different vss (#2833)
  * Added query debug endpoint at http://localhost:6060/debug/query (#2832)
  * Fixed bug in KapeFiles Extract (#2830)
  * Various bug fixes (#2829)
  * [Snyk] Upgrade axios-retry from 3.5.0 to 3.5.1 (#2827)
  * [Snyk] Upgrade ace-builds from 1.23.0 to 1.23.1 (#2826)
  * Implement src IP filtering for the GUI (#2825)
  * Refactor code to wrap gopsutils (#2824)
  * Extended Client Event GUI to allow specifying max_wait (#2821)
  * Bump word-wrap from 1.2.3 to 1.2.4 in /gui/velociraptor (#2820)
  * Bugfix: Max Wait deadline was reset when a query returned a row (#2819)
  * Implemented better uploads UI for notebooks (#2816)
  * [Snyk] Upgrade ace-builds from 1.22.1 to 1.23.0 (#2812)
  * Modified glob() to return the globs that hit the result. (#2813)
  * [Snyk] Upgrade ace-builds from 1.22.0 to 1.22.1 (#2786)
  * Update ServiceCreationComspec.yaml (#2806)
  * [Snyk] Upgrade recharts from 2.7.1 to 2.7.2 (#2809)
  * [Snyk] Security upgrade @babel/core from 7.22.5 to 7.22.6 (#2787)
  * [Snyk] Upgrade recharts from 2.6.2 to 2.7.1 (#2794)
  * Bump semver from 5.7.1 to 5.7.2 in /gui/velociraptor (#2803)
  * Bugfix: Update GUI shell interface to use the new GetClientFlows API. (#2802)
  * RPM packaging: architecture autodetection & spec compliance (#2797)
  * Debian packaging: architecture autodetection & spec compliance (#2796)
  * Added Linux.Forensics.Journal artifact (#2799)
  * Bring back highlight for urgent collections. (#2795)
  * Update flow list view to use paged table (#2791)
  * Add lnk and test refresh (#2790)
  * Report total number of matching clients in search (#2789)
  * Rebuild the index from the client info snapshot (#2781)
  * [Snyk] Upgrade: @babel/core, @babel/plugin-syntax-flow, @babel/plugin-transform-react-jsx, @babel/runtime (#2783)
  * Update Favicons.yaml (#2780)
  * Write client info database to a snapshot (#2776)
  * Added an S3 accessor (#2774)
  * Removed unknown parameter 'Separator' from options in call of Artifac… (#2773)
  * Trimmed Spaces around labels in labels.go (#2771)
  * Bugfix: Allow `user_grant` to set roles through the policy (#2769)
  * [Snyk] Upgrade @popperjs/core from 2.11.7 to 2.11.8 (#2758)
  * Introduces the `really_do_it` argument to `org_delete` (#2767)
  * Audit user creation and user role modifications. (#2766)
  * Update Bam.yaml due to a dead link. Previous link is dead due to a website restructuring. (#2763)
  * [Snyk] Upgrade styled-components from 5.3.10 to 5.3.11 (#2759)
  * [Snyk] Upgrade: @babel/core, @babel/plugin-transform-react-jsx, @babel/runtime (#2757)
  * Update and rename Kerbroasting.yaml to Kerberoasting.yaml (#2754)
  * Bugfix: Org admin should see all orgs (#2753)
  * [Snyk] Upgrade ace-builds from 1.21.1 to 1.22.0 (#2750)
  * Correct UI typo and update translations (#2748)
  * Correct `scope` plugin reference typo (#2747)
  * [Snyk] Upgrade axios-retry from 3.4.0 to 3.5.0 (#2743)
  * Log error messages during rekeying (#2745)
  * [Snyk] Upgrade ace-builds from 1.21.0 to 1.21.1 (#2738)
  * Bump fast-xml-parser from 4.1.3 to 4.2.4 in /gui/velociraptor (#2739)
  * Bugfix: Sort flows before fetching them into the GUI (#2740)
  * Bump vite from 4.1.4 to 4.1.5 in /gui/velociraptor (#2736)
  * [Snyk] Upgrade ace-builds from 1.20.0 to 1.21.0 (#2733)
  * [Snyk] Upgrade qs from 6.11.1 to 6.11.2 (#2734)
  * Allow in place updating of simple result sets (#2732)
  * [Snyk] Upgrade recharts from 2.6.0 to 2.6.2 (#2727)
  * [Snyk] Upgrade ace-builds from 1.19.0 to 1.20.0 (#2728)
  * Update NetstatEnriched.yaml (#2724)
  * Update NetstatEnriched (#2723)
  * Added a leveldb plugin and parser for Chrome Session Storage. (#2722)
  * [Snyk] Upgrade recharts from 2.5.0 to 2.6.0 (#2720)
  * Allow SQLite files to be copied always. (#2719)
  * Add Linux.SuSE.Packages artifact (#2712)
  * Enhancement: Add Source field to Windows.Applicaiton.History to show sync status (#2716)
  * Revert "Add SyncStatus to History.yaml" (#2715)
  * Add SyncStatus to History.yaml (#2714)
  * Propagate default hunt expiry from the config to the GUI (#2713)
  * [Snyk] Upgrade ace-builds from 1.18.0 to 1.19.0 (#2709)
  * [Snyk] Upgrade react-bootstrap from 1.6.6 to 1.6.7 (#2710)
  * Updated the SQLECmd artifact to support MacOS and Linux (#2708)
  * Bugfix: http_client parameters did not handle url().Query objects (#2706)
  * [Snyk] Upgrade @babel/core from 7.21.5 to 7.21.8 (#2704)
  * Linux.RHEL.Packages: Silence dnf output (#2703)
  * Allow the inventory service to disable external fetching (#2701)
  * S3_Upload: Adding KMS and Prefix arguments (#2699)
  * [Snyk] Upgrade: @babel/core, @babel/plugin-transform-react-jsx, @babel/runtime (#2693)
  * http_client(): Don't drop responses with empty Content (#2696)
  * Treat Tool name+version as a unique tool. (#2697)
  * Updated Windows.KapeFiles.Targets to support multiple drives (#2692)
  * Added tgz support to the unzip() plugin. (#2691)
  * Bugfix: SkipVerify did not remove custom verification function. (#2690)
  * [Snyk] Upgrade axios from 1.3.6 to 1.4.0 (#2686)
  * Fix typo in vi.jsx (#2684)
  * Update Vietnamese language (#2681)
  * Copy scope responder when calling a VQL function. (#2682)
  * Added Vietnamese translation (#2680)
  * Bugfix: Miscounting total rows (#2679)
  * [Snyk] Upgrade axios from 1.3.5 to 1.3.6 (#2672)
  * Added a Certs authenticator (#2678)
  * [Snyk] Upgrade ace-builds from 1.17.0 to 1.18.0 (#2674)
  * [Snyk] Upgrade styled-components from 5.3.9 to 5.3.10 (#2677)
  * Block collections in locked down servers (#2667)
  * Allow additional event artifacts to be specified in client config. (#2664)
  * add fixed decoded data output as preview_upload method (#2663)
  * [Snyk] Upgrade ace-builds from 1.16.0 to 1.17.0 (#2662)
  * Added context menu for downloading VFS files. (#2659)
  * Bugfix: Total row count was inaccurate (#2658)
  * Refactored vfs widget (#2657)
  * Refactored VFS download GUI (#2656)
  * Add filters for hunting to Windows.System.Powershell.ModuleAnalysisCache (#2655)
  * Improved the artifact import GUI (#2654)
  * Modify Windows.EventLogs.ScheduledTasks (#2652)
  * [Snyk] Upgrade axios from 1.3.4 to 1.3.5 (#2650)
  * Fix typo - "filesyste" to "filesystem" (#2649)
  * Added binary parser for appcompatcache (#2645)
  * Improved eslint score (#2642)
  * Added a more complete text viewer implementation (#2641)
  * [Snyk] Upgrade react-datetime-picker from 4.2.0 to 4.2.1 (#2640)
  * [Snyk] Upgrade: @babel/core, @babel/plugin-syntax-flow (#2637)
  * [Snyk] Upgrade moment-timezone from 0.5.42 to 0.5.43 (#2638)
  * Added a filter to the artifact search screen (#2639)
  * Add network usage transfer summary suggestion (#2636)
  * Extend http_client() to support SMB urls. (#2635)
  * Handle client crashes by reporting to the server (#2634)
  * [Snyk] Upgrade: @fortawesome/fontawesome-svg-core, @fortawesome/free-solid-svg-icons (#2633)
  * [Snyk] Upgrade @popperjs/core from 2.11.6 to 2.11.7 (#2626)
  * [Snyk] Upgrade moment-timezone from 0.5.41 to 0.5.42 (#2627)
  * Initial implementation of alerting framework. (#2631)
  * Update tool definitions to support expected_hash and version (#2629)
  * Update test certs (#2625)
  * Refactored repository service. (#2624)
  * Forward audit events to a server artifact (#2623)
  * Document vql plugin and function permissions (#2620)
  * Added a lockdown mode to the server config. (#2619)
  * Added a VQL function upload_smb() (#2618)
  * Added upload_azure() function (#2616)
  * Added the EXPLAIN keyword (#2614)
  * [Snyk] Upgrade ace-builds from 1.15.3 to 1.16.0 (#2612)
  * [Snyk] Upgrade recharts from 2.4.3 to 2.5.0 (#2613)
  * Create monitoring_logs.go (#2611)
  * [Snyk] Upgrade @babel/core from 7.21.0 to 7.21.3 (#2609)
  * Add UserAccessLogs and formatting fix (#2607)
  * Bugfix: Preparing flow export from server artifact flows (#2606)
  * [Snyk] Upgrade styled-components from 5.3.8 to 5.3.9 (#2605)
  * Refactor launcher to split writing record and queuing message (#2604)
  * Added an SMB accessor (#2601)
  * Uplift client id validation to the client info manager (#2598)
  * Refactor launcher service to use a storage dependency (#2597)
  * Update Amcache.yaml (#2596)
  * Rework table filtering UI (#2595)
  * Splunk Configuration Details (#2594)
  * Implement TLS certificate pinning and Fallback Address (#2585)
  * [Snyk] Upgrade qs from 6.11.0 to 6.11.1 (#2593)
  * Fixed bug in grok library (#2592)
  * Add functionality to get efi variables (#2583)
  * Bugfix: Flow Deletion did not remove uploaded bulk files. (#2589)
  * Added hunt_update() VQL function to allow stopping/starting hunt (#2587)
  * Protect CryptCATAdmin functions behind dangerous api flag (#2586)
  * Close the WinVerifyTrust structure regardless of error. (#2584)
  * Added DISABLE_DANGEROUS_API_CALLS parameter (#2582)
  * [Snyk] Upgrade ace-builds from 1.15.2 to 1.15.3 (#2580)
  * [Snyk] Upgrade styled-components from 5.3.7 to 5.3.8 (#2581)
  * Bugfix: Trace file generator regression (#2579)
  * Restrict VerifyFileSignature to only run on a single thread. (#2578)
  * Deduplicate labels in GUI (#2577)
  * Build(deps): Bump github.com/crewjam/saml from 0.4.12 to 0.4.13 (#2575)
  * Suppress logging to files for admin commands (#2571)
  * Add client id to client monitoring events (#2569)
  * Added START_HUNT permission to control who can start a hunt (#2566)
  * Added automated translations for missing terms (#2565)
  * More work on pedump vql function (#2557)
  * Add a hunt reconstruct command to recover hunt objects from logs. (#2556)
  * Bugfix: When exporting a sparse file also export the idx file. (#2555)
  * [Snyk] Upgrade moment-timezone from 0.5.40 to 0.5.41 (#2553)
  * Added pe_dump VQL function (#2554)
  * Bugfix: Race condition in minions (#2552)
  * Bugfix: Fixed bug in fifo plugin. (#2550)
  * Support reading raw devices with the file accessor. (#2549)
  * Bugfix: Lstat of device using NTFS accessor (#2547)
  * Refactored path handling in auth handlers (#2546)
  * Fixed base path bug (#2545)
  * Bugfix: Do not require repack to load a valid config (#2543)
  * Fixed incorrect usage of HTTP transport that broke in go1.19.6 (#2536)
  * Disabled http2 client. (#2535)
  * Build With go 1.19 (#2534)
  * Fix bug in template (#2533)
  * Prepare for 0.6.8-rc2 (#2529)
  * Bugfix: Parsing OSPath from list of components (#2528)
  * Bugfix: notebook export did not include uploads (#2527)
  * Bugfix: Client delete in non-root org did not invalidate cache (#2525)
  * Add 'Headers' to output
  * Sync KapeFiles.Targets artifact (#2522)
  * Allow http_client() to handle cookies. (#2520)
  * [Snyk] Upgrade ace-builds from 1.15.1 to 1.15.2 (#2519)
  * Added some Linux artifacts (#2514)
  * Refactoring side panel navigation as "main menu" navigation, tweaked the hamburger button (#2497)
  * Add Windows.Registry.PuttyHostKeys (#2516)
  * [Snyk] Security upgrade styled-components from 5.3.6 to 5.3.7 (#2491)
  * [Snyk] Upgrade ace-builds from 1.15.0 to 1.15.1 (#2504)
  * Update ModuleAnalysisCache.yaml (#2512)
  * Update description formatting (#2509)
  * Add first round of yara context updates (#2505)
  * Trigger client and server monitoring table rebuild (#2501)
  * Added more uploader tests (#2500)
  * Bugfix: Notebook Uploader so it reports filestore components. (#2499)
  * Added a max_row_buffer_size parameter (#2498)
  * Revamped the Metadata UI (#2496)
  * Added new artifact parameter type: server_metadata (#2494)
  * Bugfix: Server artifact running should use parent context for save (#2493)
  * Deduplicate glob hits (#2490)
  * Hex column types did not require hex encoding (#2488)
  * Pass collection_context to server artifact runner directly. (#2487)
  * [Snyk] Security upgrade is-svg from 4.3.2 to 4.4.0 (#2485)
  * Additional button labels, alt text for screen readers (#2486)
  * Reload inventory service from an event artifact (#2484)
  * Client summary react call should be ignored if call was cancelled. (#2483)
  * Record the client's install time in the writeback file. (#2482)
  * Fix bug in uploading of sparse files. (#2481)
  * Adding eslint support (#2480)
  * Explicitly set the data length in FileBuffer messages (#2479)
  * Adding label names to various buttons for accessibility (#2474)
  * Fixed x86 autoruns tool definition (#2477)
  * Use a more compact flow_id for hunts. (#2472)
  * Reuse the same session id for all flows in the same hunt. (#2471)
  * Implemented file_nocase for Linux and Darwin (#2468)
  * Bugfix: Timestamp detection assumed entire cell is a timestamp (#2467)
  * Implemented utf8 preserving Zip encoding. (#2464)
  * Bump golang.org/x/net from 0.5.0 to 0.7.0 (#2462)
  * Refactored repack functionality into a VQL function (#2461)
  * [Snyk] Upgrade axios from 1.2.5 to 1.2.6 (#2460)
  * [Snyk] Upgrade ace-builds from 1.14.0 to 1.15.0 (#2455)
  * [Snyk] Upgrade axios from 1.2.4 to 1.2.5 (#2456)
  * Fix crashes when parsing malformed PE and OLE files. (#2457)
  * Allow redirect when changing org selection (#2453)
  * [Snyk] Upgrade axios from 1.2.3 to 1.2.4 (#2448)
  * Store client path components in the uploads metadata (#2451)
  * Bugfix: syslog and csv watchers did not initialize scope (#2450)
  * Bugfix: missing rows in VFS ListDirectory (#2449)
  * Updated mail plugin to support skip_verify (#2447)
  * Fixed some race conditions (#2446)
  * [Snyk] Upgrade axios-retry from 3.3.1 to 3.4.0 (#2445)
  * Refactor and reimplement the pool client. (#2444)
  * Update ClientInfo message for pool client (#2442)
  * [Snyk] Upgrade: @babel/plugin-transform-react-jsx, @babel/runtime (#2440)
  * Track tool definitions by defining artifact (#2439)
  * [Snyk] Upgrade axios-retry from 3.3.1 to 3.4.0 (#2438)
  * Refactored event monitoring to not use globals (#2437)
  * Update WDigest.yaml (#2434)
  * Refactor and add tests for Linux.Remediation.Quarantine (#2433)
  * Reworked split_records() and parse_records_with_regex() (#2431)
  * [Snyk] Upgrade axios from 1.2.2 to 1.2.3 (#2429)
  * [Snyk] Upgrade react-datetime-picker from 4.1.1 to 4.2.0 (#2430)
  * minor changes to PSlist and DllList (#2428)
  * Fixed GUI to handle tables with varying columns per row. (#2425)
  * Split Windows.Sys.Users into two different artifacts (#2424)
  * Added progress reporting to offline collector (#2423)
  * Allow client side collections to be traced. (#2422)
  * [Snyk] Upgrade humanize-duration from 3.27.3 to 3.28.0 (#2421)
  * Added a tempfile based materializer to have safe queries (#2420)
  * Update Process.yaml (#2419)
  * Brought back the pool client (#2418)
  * Update Process.yaml (#2417)
  * [Snyk] Upgrade recharts from 2.3.1 to 2.3.2 (#2416)
  * Uploads are now deduplicated on store_as_name. (#2415)
  * Enrich SRUM artifact with the Username as well as SID (#2413)
  * Implemented a preview Column renderer (#2412)
  * [Snyk] Upgrade recharts from 2.3.0 to 2.3.1 (#2411)
  * Add PSList filters (#2407)
  * Put back the extra ForemanCheckin message on each post (#2410)
  * Send ClientInfo messages all the time (#2409)
  * Implement limits on server artifacts (#2406)
  * Support backwards compatibility comms with older clients. (#2405)
  * Implement collection limits on client (#2403)
  * Update go.yml (#2401)
  * Read flow object from storage for System.Flow.Completion (#2400)
  * Refactor client flow context manager (#2399)
  * [Snyk] Upgrade @babel/core from 7.20.7 to 7.20.12 (#2396)
  * Bump ua-parser-js from 0.7.32 to 0.7.33 in /gui/velociraptor (#2398)
  * utils/time.jsx: fix handling of nanosecond-resolution timestamps (#2397)
  * Memory uplift (#39) (#2394)
  * http_comms: create ring buffer temporary file in the same directory (#2393)
  * Update server artifact runner to use FlowRequests (#2392)
  * Added new client message type FlowRequest (#2391)
  * Allow default timezone to be specified on commandline (#2388)
  * [Snyk] Upgrade axios from 1.2.1 to 1.2.2 (#2387)
  * Verify FILESYSTEM_WRITE permission on copy() function (#2384)
  * Apply Minimum TLS version to the API server (#2383)
  * [Snyk] Upgrade: @babel/core, @babel/plugin-transform-react-jsx, @babel/runtime (#2382)
  * [Snyk] Security upgrade recharts from 2.2.0 to 2.3.0 (#2381)
  * Update and rename Server.Alerts.ProcessCreation.yaml to ProcessCreati… (#2380)
  * Update collection artifacts_with_results during execution (#2379)
  * Process monitoring messages with the new comms protocol. (#2378)
  * Create Windows.Detection.ProcessCreation (#2362)
  * Create Server.Alerts.ProcessCreation.yaml (#2363)
  * Fix time factor in FlowStat (#2377)
  * Refactored comms between client and server (#2375)
  * Update Splunk Artifact and notebook cells (#2374)
  * Allow for dynamic base_path (#2365)
  * Update ParentProcess.yaml (#2369)
  * Refactor: TLS config is now consistent for all TLS servers (#2367)
  * Bump json5 from 1.0.1 to 1.0.2 in /gui/velociraptor (#2366)
  * [Snyk] Upgrade ace-builds from 1.13.2 to 1.14.0 (#2361)
  * Add rate limits for client connections. (#2360)
  * Batch client log messages into JSONL groups (#2359)
  * Added client manager to keep track of all queries in the same flow. (#2358)
  * [Snyk] Upgrade ace-builds from 1.13.1 to 1.13.2 (#2356)
  * Added a client plugin vfs_ls (#2355)
  * Correct uninstall args for RPM based agents (#2354)
  * Fix download link colors in themes (#2349)
  * Theme fixes (#2346)
  * Refactored hunt and collection export code (#2347)
  * Use pageable tables for the VFS (#2343)
  * Compress all assets with brotli and serve them already compressed.
(#2342) * Add BinaryRename update (#2341) * Vite improvements (#2340) * Update History.yaml (#2339) * Migrate GUI from create-react-app (CRA) to Vite (#2332) * Fix Linux.Sys.LastUserLogin (#2333) * Use 'auto' accessor to prevent issues with uploads (#2331) * Refactored audit logging (#2328) * Fix typo - 'Passowrd' to 'Password' (#2327) * Disable escape to close artifact editor (#2324) * Add starlark,yaml,xml, and float params (#2323) * Bump express from 4.17.2 to 4.18.2 in /gui/velociraptor (#2321) * [Snyk] Upgrade moment-timezone from 0.5.38 to 0.5.39 (#2319) * More fixes for Windows.System.VAD (#2317) * Bugfix: When org is not specified this JS code raised (#2315) * Fixed typo in VAD PR (#2313) * Add VAD protection message, status and type for completeness (#2312) * Bugfix: Do not materialize the VAD array in Windows.System.VAD (#2310) * Bugfix: Reset crypto cache when client is deleted (#2308) * Fixed Windows.Sys.Users artifact. (#2306) * Theme fixes and improvements (#2305) * Added an --msi flag to the config repack command (#2304) * Fix golden tests (#2302) * [Snyk] Upgrade ace-builds from 1.12.5 to 1.13.0 (#2301) * Bump decode-uri-component from 0.2.0 to 0.2.2 in /gui/velociraptor (#2299) * Fix freebsd build (#2298) * Bugfix: Collector timeout was set in ns (#2297) * Added write_jsonl plugin. (#2296) * Bugfix: Export notebook to zip broken (#2295) * Theme fixes (#2291) * User admin management screeb (#2212) * Use 'HuntDescription' value for hunt() 'description' value (#2289) * Add shaded container around artifact description content (#2287) * ACE editor font corrections (#2285) * Ensure reserved user names can not be used (#2284) * Theme fixes and improvements (#2283) * Fix example for dummy proxy in documentation (#2281) * Bugfix: uploads.json in the flow download refered to filestore paths (#2282) * Bugfix: Downloading CSV from table breaks with error. 
(#2280) * Theme fixes and improvements (#2278) * Upgrade Velociraptor's yara plugin to support yara 4.2.3 (#2277) * Fixed the Windows.KapeFiles.Extract artifact (#2275) * [Snyk] Upgrade ace-builds from 1.12.4 to 1.12.5 (#2269) * Added code to automatically reformat VQL in notebook. (#2271) * Bugfix: http_client was unable to open unix domain sockets (#2270) * [Snyk] Upgrade ace-builds from 1.12.3 to 1.12.4 (#2264) * Bugfix: Minions should not start the ServerMonitoringService (#2260) * Made threshold for sparse file expansions configurable. (#2259) * Bugfix: Export download supports expanding sparse files (#2258) * Bugfix: Do not expand sparse files when importing (#2257) * Bugfix: Store client specific dashboard in client space. (#2255) * Bugfix: Dashboard refresh button did not refresh it (#2254) * Return EOF from timed result set when reading past the end (#2253) * Fix context management in event table updates. (#2252) * Bugfix: Dashboard refresh button did not refresh it (#2251) * Theme fixes (#2250) * Bump loader-utils from 1.4.1 to 1.4.2 in /gui/velociraptor (#2249) * Fixed bug in line splitting in execve() plugin (#2248) * Fixed bug in VQL Drilldown view (#2246) * Update Server.Import.PreviousReleases (#2245) * Update colors in tree widget to match theme (#2243) * Font adjustments in themes (#2242) * Refactor the Windows.NTFS.MFT artifact for back compatibility (#2241) * Theme improvements and alignment (#2240) * Update user delete VQL and grant (#2238) * Refactored Org to OrgRecord protobuf (#2237) * Update parse_mft() and parse_usn() to allow drive prefix. (#2236) * Add choice to config wizard for allow list (#2234) * Bugfix: Allow client metadata with , (#2233) * [Snyk] Upgrade ace-builds from 1.12.0 to 1.12.3 (#2230) * Propagate user's prefered timezone for export tables (#2232) * MappingNameRegex fix (#2231) * More documentation of the config file. 
(#2228) * Bump loader-utils from 1.4.0 to 1.4.1 in /gui/velociraptor (#2225) * users: AddUserToOrg needs GetUserWithHashes or it will remove passwor… (#2227) * Refactored user management code into a separate module. (#2224) * [Snyk] Upgrade ace-builds from 1.11.1 to 1.12.0 (#2221) * [Snyk] Upgrade moment-timezone from 0.5.37 to 0.5.38 (#2222) * Added an LRU for ACL manager (#2223) * Enforce an allow list on plugins, functions and accessors (#2214) * tests: fix binary copying in CollectorSetupTest (#2210) * Update protobuf generation script (#2213) * Linux quarantine (#2211) * Bugfix: Flush server artifact logs into storage frequently (#2207) * Fix HTTP Params/Add HTTP Method Validation (#2203) * Bugfix: Sync NTFS (#2206) * file_store: handle watching artifacts with named sources (#2204) * Add Provider and ProviderRegex (#2198) * Bugfix: sparse files were not properly detected. (#2200) * Add timestamp_field, hostname_field, and hostname param to splunk_upload (#2187) - Removed velociraptor-kafka-humio-gateway package. * kafka-humio-gateway was dropped in favor of the new upstream LogScale plugin ------------------------------------------------------------------- Tue Jul 18 09:31:19 UTC 2023 - Marcus Meissner - require the group / user only in the server build ------------------------------------------------------------------- Wed May 10 00:49:09 UTC 2023 - jeffm@suse.com - Update to version 0.6.7.5~git81.01be570: * libbpfgo: pull fix for double-free * logscale: add documentation for plugin ------------------------------------------------------------------- Tue May 9 14:10:31 UTC 2023 - Marcus Rueckert - bump minimum nodejs to 18: building against 16 causes errors ------------------------------------------------------------------- Tue May 9 01:25:01 UTC 2023 - Jeff Mahoney - Provide sysuser template for velociraptor user and group. 
------------------------------------------------------------------- Mon May 08 20:21:03 UTC 2023 - Jeff Mahoney - Update to version 0.6.7.5~git78.2bef6fc: * bpf: fix path to vmlinux.h ------------------------------------------------------------------- Mon May 08 19:42:58 UTC 2023 - Jeff Mahoney - Update to version 0.6.7.5~git77.997aa73: * file_store/test_utils/server_config.go: update test certificate * Update bluemonday dependency. * vql/functions/hash: cache results on Linux * libbpfgo: update to velociraptor-branch-v0.4.8-libbpf-1.2.0 * logscale/backport: don't use networking.GetHttpTransport * vql/tools/logscale: add plugin to post events to LogScale ingestion endpoint * file_store/directory: add ability to report pending size - Change clang dependency to clang16 - Fix velociraptor-golang-mage-vendoring.diff to account for newer 'go mod vendor' honoring build flags. - Fix update-vendoring.sh script to actually run the %setup part of the spec. - Merge client package into server spec and use _multibuild to create client package from same spec file. - Adjust changelog to retain changes for client package. - Fix building in static mode on earlier releases. 
- Added patch: velociraptor-libbpfgo-only-build-libbpf.patch - Removed patch: velociraptor-skip-git-submodule-import-for-OBS-build.patch ------------------------------------------------------------------- Fri Mar 10 18:54:37 UTC 2023 - Marcus Rueckert - Tightening the security of the services a bit: - tmp files are now moved to /var/lib/velociraptor{,-client}/tmp from /tmp - run velociraptor server as user velociraptor instead of root we do not really need root permissions here - introduce /var/lib/velociraptor/filestore to make it easier to split out large file upload - change permissions for the data directory and subdirectories to /var/lib/velociraptor/ u=rwX,go= velociraptor:velociraptor /var/lib/velociraptor-client/ u=rwX,go= root:root - change permissions of config directory to: /etc/velociraptor/ u=rwX,g=rX,o= root:velociraptor /etc/velociraptor/server.config u=rw,g=r,o= root:velociraptor /etc/velociraptor/client.config u=rw,go= root:root ------------------------------------------------------------------- Fri Mar 10 15:36:18 UTC 2023 - Jeff Mahoney - Update to version 0.6.7.5~git6.73efb2a: * libbpfgo: update submodule to require libzstd for newer libelf * utils/time.js: fix handling of nanosecond-resolution timestamps * libbpfgo: switch to using regular static builds * Create a new 0.6.7-5 release (#2385) - Verify FILESYSTEM_WRITE permission on copy() function (#2384) (bsc#1207936, CVE-2023-0242) - Also ensure client id is considered unsafe (bsc#1207937, CVE-2023-0290) * github/workflows/linux: do apt-get update to refresh package lists - Remove unnecessary dependency on libtsan0. - Allow velociraptor and velociraptor-client packages to coexist. 
------------------------------------------------------------------- Thu Jan 26 20:06:09 UTC 2023 - Jeff Mahoney - Update to version 0.6.7.4~git63.4a1ed09d: * utils/time.js: fix handling of nanosecond-resolution timestamps - Added patches: * velociraptor-reproducible-timestamp.diff ------------------------------------------------------------------- Tue Jan 24 20:57:08 UTC 2023 - Jeff Mahoney - Use obsinfo mtime to produce stable build timestamp (bsc#1207369). ------------------------------------------------------------------- Tue Jan 24 15:07:09 UTC 2023 - Jeff Mahoney - Update to version 0.6.7.4~git60.8abed37a: * http_comms: create ring buffer temporary file in the same directory * cronsnoop: plumb in real scope logging * cronsnoop: don't treat routine errors as fatal * cronsnoop: fix typo ------------------------------------------------------------------- Sat Jan 21 04:07:38 UTC 2023 - Jeff Mahoney - Fixed release detection to include Tumblweed ------------------------------------------------------------------- Sat Jan 21 02:20:07 UTC 2023 - Jeff Mahoney - Increase required release to enable eBPF to SLE 15 SP2 and openSUSE Leap 15.2. Earlier versions don't have a usable eBPF and can't easily build llvm13. ------------------------------------------------------------------- Sat Jan 21 01:44:59 UTC 2023 - Jeff Mahoney - Remove dependency on bpftool. We use the vmlinux.h archive to provide vmlinux.h. ------------------------------------------------------------------- Fri Jan 20 20:18:49 UTC 2023 - Jeff Mahoney - Restored %defattr due to SLE12 using rpm-4.11. 
- Fix builds in vendor code on SLE12 - Fix build in third_party/sdjournal due to older systemd on SLE12 - Added patches: - vendor-build-fixes-for-SLE12.patch - sdjournal-build-fix-for-SLE12.patch ------------------------------------------------------------------- Fri Jan 20 16:37:17 UTC 2023 - Dirk Müller - client: add memory limit to systemd unit ------------------------------------------------------------------- Thu Jan 19 15:17:22 UTC 2023 - Jeff Mahoney - Restore requirement to build with clang13. Newer versions cause libbpfgo to crash immediately. ------------------------------------------------------------------- Thu Jan 19 14:36:42 UTC 2023 - Jeff Mahoney - Added support for setting command line options via sysconfig ------------------------------------------------------------------- Thu Jan 19 05:00:55 UTC 2023 - Jeff Mahoney - Update to version 0.6.7.4~git53.0e85855: * sdjournal: work around missing _SYSTEMD_UNIT fields ------------------------------------------------------------------- Thu Jan 19 01:01:09 UTC 2023 - Jeff Mahoney - Clean up for Factory submission: - Make bpf-enabled builds conditional - Removed %defattr and combined service lines. - Change clang and llvm dependencies to use >= 13 - Newer versions of clang hit a DWARF parsing bug in go < 1.19, so increase go version dependecy - Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x Neither the client or server builds on ix86. ------------------------------------------------------------------- Mon Jan 9 16:01:44 UTC 2023 - Jeff Mahoney - Added Restart=on-failure to restart the client automatically. 
------------------------------------------------------------------- Mon Dec 12 20:03:23 UTC 2022 - Jeff Mahoney - Update to version 0.6.7.4~git51.a588d6e4: * magefile.go: use current architecture for Linux builds * Update libbpfgo submodule to include non-AMD64 build fixes * bpf: bpf expects s390 instead of s390x ------------------------------------------------------------------- Wed Dec 07 04:21:36 UTC 2022 - Jeff Mahoney - Update to version 0.6.7.4~git46.5d88d80: * contrib/kafka-humio-gateway: add new debug option for noisy events * contrib/kafka-humio-gateway: backoff and retry for metadata * vql/server/kafka: connect sarama logging to velociraptor logging * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries * vql/server/kafka: set appropriate ClientID ------------------------------------------------------------------- Wed Dec 07 02:49:56 UTC 2022 - Jeff Mahoney - Update to version 0.6.7.4~git41.678ed56: * rpm: introduce rpm vql plugin * users: extend DeleteUser testcase to ensure org membership was dropped * users: ensure baseline user state is correct * github: run testcases on Linux builds in new workflow * gui/reporting: update bluemonday dependency to latest * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() * SUSE: Add docker-compose environment * SUSE: add Docker files * clients/host-info.js: add MAC addresses to client dashboard * linux: Add ability to interrogate system and network configuration * Add Linux.Sys.Bash to Server.Monitor.Shell artifact * kafka-humio-gateway: add sample config file * Updating the NewFiles and ProcessStatuses Artifacts * cronsnoop: rework testcases to use t.TempDir * vql/linux/cronsnoop: Add cronsnoop() plugin * Extend audit artifacts to use new interface * audit: rearchitect plugin to scale better with multiple invocations * audit: use caller-allocated buffer * use github.com/jeffmahoney/go-libaudit/v2 for audit * Kafka.Events.Client: Update to use new artifactset type * Add artifact 
for chattrsnoop plugin * bpflib: ensure it's built only on linux and when requesting bpf * Add chattrsnoop plugin * Add artifact to monitor user group updates (#24) * vql/linux/dnssnoop: Add dnssnoop() plugin * Log Sudo/root command by auditd * Add custom artifacts for login and logout attempts recorded by auditd * Add tcpsnoop plugin * vql/linux/bpflib: add helper package for bpf plugins * libbpfgo: add submodule with forked repo for fully static builds * Add Kafka-Humio Gateway [Depends on PR#10] (#8) * Add a Kafka export plugin * SUSE: Add SSHLogin artifacts * SUSE: Do build tests on every pull request * Add systemd-dev as build dependency for github workflow * Update the Linux.Events.SSHLogin artifact to scan the systemd journal * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal * Add parser to read systemd journal on Linux * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path * linux: add lsattr() function to enumerate file attributes * Github: Run build workflow on each pull request * More fixes for Windows.System.VAD (#2317) (#2318) * Bugfix: When org is not specified this JS code raised (#2315) (#2316) ------------------------------------------------------------------- Tue Dec 06 21:53:43 UTC 2022 - Jeff Mahoney - Update to version 0.6.7.3~git41.fa6afa7: * rpm: introduce rpm vql plugin * users: extend DeleteUser testcase to ensure org membership was dropped * users: ensure baseline user state is correct * github: run testcases on Linux builds * gui/reporting: update bluemonday dependency to latest * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() * SUSE: Add docker-compose environment * SUSE: add Docker files * clients/host-info.js: add MAC addresses to client dashboard * linux: Add ability to interrogate system and network configuration * Add Linux.Sys.Bash to Server.Monitor.Shell artifact * kafka-humio-gateway: add sample config file * Updating the NewFiles and ProcessStatuses Artifacts * cronsnoop: 
rework testcases to use t.TempDir * vql/linux/cronsnoop: Add cronsnoop() plugin * Extend audit artifacts to use new interface * audit: rearchitect plugin to scale better with multiple invocations * audit: use caller-allocated buffer * use github.com/jeffmahoney/go-libaudit/v2 for audit * Kafka.Events.Client: Update to use new artifactset type * Add artifact for chattrsnoop plugin * bpflib: ensure it's built only on linux and when requesting bpf * Add chattrsnoop plugin * Add artifact to monitor user group updates (#24) * vql/linux/dnssnoop: Add dnssnoop() plugin * Log Sudo/root command by auditd * Add custom artifacts for login and logout attempts recorded by auditd * Add tcpsnoop plugin * vql/linux/bpflib: add helper package for bpf plugins * libbpfgo: add submodule with forked repo for fully static builds * Add Kafka-Humio Gateway [Depends on PR#10] (#8) * Add a Kafka export plugin * SUSE: Add SSHLogin artifacts * SUSE: Do build tests on every pull request * Add systemd-dev as build dependency for github workflow * Update the Linux.Events.SSHLogin artifact to scan the systemd journal * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal * Add parser to read systemd journal on Linux * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path * linux: add lsattr() function to enumerate file attributes * Github: Run build workflow on each pull request * Bugfix: Do not materialize the VAD array in Windows.System.VAD (#2311) * Sync to master's bugfixes (#2309) * Prepare for 0.6.7-2 release (#2300) * 0.6.7 sync (#2261) * 0.6.7 sync3 (#2256) * 0.6.7 sync (#2239) * Prepare a 0.6.7-rc3 (#2217) * Bugfix: sparse files were not properly detected. (#2200) (#2201) * Propagate progress timeout for collections. (#2193) * Verify client's key with or without the org id. (#2192) * Add Windows.System.Shares (#2191) * Allow artifacts to have aliases (#2190) * Added a regex_array column type to allow multiple regex to be set. 
(#2188) * [Snyk] Upgrade react-router-dom from 5.3.3 to 5.3.4 (#2180) * Add 'UsedBy' column to results (#2186) * Update flow and hunt download exports to use the container (#2185) * Disable toolbar buttons when no options are available (#2183) * Allow hunts to be scheduled on multiple orgs (#2182) * Update WIndows PSList and VAD artifacts (#38) (#2181) * Add in amcache (#2176) * Added additional sources for UserAccessLogs (aka SUM) artifact (#2179) * Fixed tests (#2177) * [Snyk] Upgrade styled-components from 5.3.5 to 5.3.6 (#2174) * Page Cell logs in notebook (#2172) * Break client connection stats by org id (#2171) * Added a remapping export to Windows.Registry.NTUser (#2170) * Added tlsh hash (#2169) * Check sparse files for large size before padding them out. (#2167) * Linux and macOS Packet Capture Artifact Updates (#2168) * Update deps (#2166) * Add some suggested groks for parsing IIS logs (#2165) * Refactor collection container (#2163) * Implement transparent decryption for collector accessor (#2162) * [Snyk] Upgrade ace-builds from 1.11.0 to 1.11.1 (#2161) * Automatically decrypt collections with collector accessor (#2159) * Fix css colors. (#2158) * [Snyk] Upgrade ace-builds from 1.10.1 to 1.11.0 (#2156) * Retry reads on EOF in NTFS accessor (#2157) * Updated zip implementation to support crypto (#2155) * Target 'Cmdline' instead of 'CommandLine' (#2154) * Bugfix: Extra interpolation when client logs messages with % (#2152) * Add 'Active' column to show whether or not a firewall rule is enabled. (#2150) * Added test for encrypted offline collector. 
(#2149) * Update parsing for Dock plist details (#2148) * Implement filter for large artifact forms (#2147) * Add Public Key Encryption Support to Offline Collections (#2133) * Implemented a max memory grouper (#2146) * Check if setgid flag is set (#2145) * [Snyk] Upgrade react-overlays from 5.2.0 to 5.2.1 (#2144) * Add context to yara.NTFS (#36) (#2143) * Add `auth_redirect_template` config for handling unauthorized API calls (#2140) * Allow the user to specify a collection as urgent (#2139) * Fix typo, slightly improve translations (de,fr) (#2137) * Add 'CronScripts' query/source and 'Length' option (#2138) * Check sanity of inventory service for all orgs (#2136) * Change 'filename' to 'file' for upload (#2135) * Sync with latest NTFS changes. (#2134) * [Snyk] Upgrade classnames from 2.3.1 to 2.3.2 (#2130) * Added URLRegex to FireFox history (#2129) * Link to collection in host shell (#2128) * additional references (#2126) * Sync to go-ntfs (#2125) * Provide the option to expand sparse files in export (#2124) * Bugfix: Process address space lockup under some conditions (#2123) * Added URLRegex to Firefox and Chrome history (#2122) * Add note about RecentApps key not being available after Windows 10, version 1803 (#2119) * Expose the communicator's crypto manager (#2118) * Further refactor of the download handler. (#2117) * [Snyk] Upgrade ace-builds from 1.10.0 to 1.10.1 (#2114) * Uploaded files are now shows with client paths (#2116) * [Snyk] Upgrade recharts from 2.1.13 to 2.1.14 (#2115) * Maintain row count per query. 
(#2113) * Update Trackaccount.yaml (#2112) * Clean up artifact references (#2111) * Prevent null error when choosing to calculate hash and when providing authenticode information (#2109) * Add Length option and re-arrange output (#2107) * Bugfix: Merge file option should work with config show (#2108) * Always write content to lock files (#2106) * [Snyk] Upgrade ace-builds from 1.9.6 to 1.10.0 (#2102) * Authentication configuration error reporting/validation (#2101) * auth: don't return a base path with two leading slashes (#2100) * Added org report in root org dashboard (#2098) * [Snyk] Upgrade react-bootstrap from 1.6.5 to 1.6.6 (#2094) * [Snyk] Upgrade humanize-duration from 3.27.2 to 3.27.3 (#2095) * authenticode is a function and not a plug (#2092) * Allow '+' in usernames (#2093) * Attempt to decompress client messages if errors occur. (#2088) * Pass org config to mutations in MemcacheFileDataStore (#2087) * Support oauth with a different base path. (#2082) * Allow client->server compression to be disabled (#2081) * Keep track of collected results using collection status (#2075) * Enforce a hard timeout for incoming processing (#2074) * Expand API of user service to include context (#2071) * When creating a new org pass the new org id to the acl function (#2068) * Allow collect_client() etc to accept ArtifactSpec protobuf (#2067) * Only create initial orgs on first run. (#2066) * Bugfix: Do not start multiple communicators in windows service. (#2064) * Added initial_orgs to the config (#2063) * Bugfix- Server.Utils.DeleteClient over sanitized client id (#2061) * Fixed backwards compatible bug (#2057) * [Snyk] Upgrade ace-builds from 1.9.5 to 1.9.6 (#2055) * Fixed CSS for column selector ui (#2053) * Split server sanity checks into root org and other orgs (#2052) * collect each query's status separately (#2049) * Pass org ids in href parameters (#2047) * Org manager maintains services lifetime (#2045) * Added org_delete() function to remove orgs. 
(#2042) * Updated themes for context menu (#2041) * Made context menus settable in the config file (#2040) * Added Send to CyberChef context menu on table cells. (#2039) * [Snyk] Upgrade ace-builds from 1.9.3 to 1.9.5 (#2037) * [Snyk] Upgrade ace-builds from 1.8.1 to 1.9.3 (#2033) * Bugfix: watch_usn() was not flushing the mft LRU properly (#2032) * Bugfix: Maintain field order in sysmon based tracker (#2030) * Added regex protocols for int, float etc. (#2028) * Refactor client monitoring API to use service (#2027) * Bugfix: Switch GUI to first available org (#2025) * Update Linux pslist() to use CommandLine column (#2024) * Add embedded stager parse usecase (#34) (#2023) * update to clean up null fields (#2020) * Refactor code to propagate the context in more cases. (#2019) * Bugix: Raw file accessor had different behaviour on Windows (#2018) * Cater for unknown parents in process tracker. (#2015) * Fix sense of multiple regexp in all() function (#2014) * Added all() and any() VQL functions (#2013) * Capitalize 'i' in config generation output (#2012) * Fixed crash in api_client command (#2010) * Update UserAccessLogs.yaml (#2009) * Fixed bug in UserAccessLog artifact (#2008) * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 (#2000) * Collect domain role info on interrogate (#1998) * Added new GUI column type for tree (#1997) * Fixed CSS to make column selector more visible (#1996) * Send a System.Upload.Completion event on server artifact upload (#1995) * Refactor of oauth code (#1993) * Added some helpful server artifacts (#1992) * Bugfix: "rpm server" command did not produce minion packages (#1991) * Add ability to delete monitoring events. (#1990) * Allow notebook GUI to set notebooks to public. (#1989) * Allow the user to change password in the GUI (#1988) * Added a delay() VQL function (#1987) * Fixed a crash when add_monitoring was called without parameters. 
(#1986) * Allow hunt() to limit by OS condition (#1985) * [Snyk] Upgrade ace-builds from 1.7.1 to 1.8.1 (#1984) * Fix "last_visit_time" timestamp (#1983) * Added Generic.System.ProcessSiblings (#1982) * [Snyk] Upgrade bootstrap from 4.6.1 to 4.6.2 (#1979) * General cleanup (#1977) * Update BinaryRename.yaml (#1976) * Support multi orgs in server-server communication (#1975) * Inventory service should upload tools to global public directory (#1973) * fixed path issue (#1972) * Support REG_MULTI_SZ in raw registry accessor (#1969) * fix: upgrade interactjs from 1.10.16 to 1.10.17 (#1968) * Update prefetch library to fix bug (#1965) * The "fs" accessor should also be org sensitive. (#1964) * Added user_grant() VQL function (#1963) * fix: upgrade interactjs from 1.10.14 to 1.10.16 (#1961) * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1960) * Several security related bugfixes. (#1962) * Fixed bug in watch_evtx() (#1955) * fix: upgrade ace-builds from 1.7.0 to 1.7.1 (#1952) * Fixed visted_url typo (#1953) * Added NewOrg artifact to make creating new orgs easier. (#1951) * Fix broken deps due to snyke merge (#1950) * build(deps): bump terser from 4.8.0 to 4.8.1 in /gui/velociraptor (#1946) * fix: upgrade recharts from 2.1.11 to 2.1.12 (#1945) * fix: upgrade @fortawesome/react-fontawesome from 0.1.18 to 0.2.0 (#1948) * Added orgs() plugin and user management (#1949) * fix: upgrade ace-builds from 1.6.1 to 1.7.0 (#1944) * Add new embedded pe in data section parse (#1943) * Refactor startup code (#1942) * fix: upgrade qs from 6.10.4 to 6.11.0 (#1941) * fix: upgrade recharts from 2.1.10 to 2.1.11 (#1939) * fix: upgrade ace-builds from 1.6.0 to 1.6.1 (#1938) * Added artifact Windows.Attack.IncorrectImagePath (#1927) * Account for pid reuse in process tracker. 
    (#1936)
  * add precondition for only windows (#1935)
  * Make ddclient service parameters configurable (#1933)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1930)
  * fix: upgrade interactjs from 1.10.13 to 1.10.14 (#1918)
  * replace YaraUrl type (#1922)
  * Add other url yara fixes (#1921)
  * Update Glob.yaml (#1920)
  * Fixed bug in startup code. (#1919)
  * Initial commit of multitenant support (#1917)
  * Adds three Linux artifacts (#1916)
  * Fixed a crash when using artifact plugin with tools (#1915)
  * Added a collector accessor (#1912)
  * fix: upgrade interactjs from 1.10.11 to 1.10.13 (#1909)
  * fix: upgrade qs from 6.10.3 to 6.10.4 (#1910)
  * Japanese translation (#1906)
  * Fix spanish translations. (#1907)
  * fix: upgrade react-overlays from 5.1.2 to 5.2.0 (#1904)
  * Add Shimcache reformat (#1892)
  * A couple of performance tweaks. (#1903)
  * Fix Amcache artifact (#1902)
  * Retry axios requests (#1901)
  * Revert "fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899)" (#1900)
  * fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899)
  * Use the auto accessor as first level of VFS (#1898)
  * Theme fixes (#1895)
  * Added additional logging for windows client service (#1894)
  * Theme updates (#1893)
  * Prepare for release 0.6.5 (#1890)
  * Bugfix: CPU limit was not properly enforced on endpoint. (#1889)
  * fix: upgrade react-calendar-timeline from 0.27.0 to 0.28.0 (#1887)
  * fix: upgrade ace-builds from 1.5.1 to 1.5.2 (#1888)
  * Improve the Windows.Sys.StartupItems artifact (#1886)
  * Fixed the --remap flag (#1883)
  * Fixed bug in client_delete() (#1882)
  * Added a delete_flow VQL plugin (#1880)
  * Add fix for generic bin file payload (#1879)
  * Bugfix: Notebook calculation did not update cell (#1878)
  * fix: upgrade humanize-duration from 3.27.1 to 3.27.2 (#1877)
  * Revised Portuguese translation (#1876)
  * Update usn.go (#1873)
  * Added French language (#1874)
  * Updated german translation (#1875)
  * Refactor artifact plugin to be more efficient. (#1871)
  * Update de.js (#1870)
  * fix: upgrade ace-builds from 1.5.0 to 1.5.1 (#1867)
  * Refactor server artifacts service (#1868)
  * Refactored notebook into a service (#1863)
  * fix: upgrade react-router-dom from 5.3.2 to 5.3.3 (#1861)
  * fix: upgrade recharts from 2.1.9 to 2.1.10 (#1862)
  * Bugfix: raw registry accessor supports read_file() (#1859)
  * Add LogHunter - a generic grep over log capability (#1853)
  * Added a GUI element to easily filter log messages (#1858)
  * Added an oidc-cognito authenticator (#1854)
  * build(deps): bump tar from 6.0.5 to 6.1.11 in /gui/velociraptor (#1852)
  * fix: upgrade react-router-dom from 5.3.1 to 5.3.2 (#1850)
  * Fix ACE font handling (#1849)
  * Format timestamps opportunistically. (#1848)
  * Update cidr_contains() to return true if any of the ranges match. (#1847)
  * Sync KapeFiles and SQLECmd artifacts (#1845)
  * Prepare 0.6.5-rc1 release (#1844)
  * Added a default process tracker (#1843)
  * Implement log levels in VQL (#1839)
  * Theme development checkpoint (#1838)
  * fix: upgrade ace-builds from 1.4.14 to 1.5.0 (#1836)
  * fix: upgrade react-bootstrap from 1.6.4 to 1.6.5 (#1837)
  * Added an LRU VQL function (#1835)
  * Bugfix: VFS viewer was unable to access files with \ in name (#1832)
  * use group SID instead of name to get local admins (#1833)
  * Added Portuguese and Spanish languages (#1831)
  * fix: upgrade react-overlays from 5.1.1 to 5.1.2 (#1830)
  * Make display timezone user selectable (#1827)
  * Added Musl build target (#1826)
  * Fix deadlock in hunt dispatcher (#1825)
  * Theme tweaks (#1821)
  * add groupname parameter to LocalAdmins artifact (#1823)
  * Fix/activitescache glob expression - Timeline.yaml (#1824)
  * Update TemplateInjection.yaml (#1820)
  * Prevent text wrap on sidebar (#1819)
  * Added some missing translations (#1817)
  * Added Deutsch UI Language (#1816)
  * Support UNC paths in windows accessors. (#1815)
  * Add enrichment callback for process tracker (#1814)
  * Prevent null FailureActions error (#1811)
  * Make ACL manager pluggable. (#1813)
  * Allow custom override for GUI artifacts by default (#1810)
  * Refactored hunt related functions to use the hunt_dispatcher (#1807)
  * artifactset: add ability to select named sources (#1809)
  * UI enhancements (#1805)
  * Refactor: Create user manager service (#1804)
  * New themes and refactoring of existing CSS (#1801)
  * Bugfix: Server monitoring queries were not correctly cancelled. (#1803)
  * Add gunzip function (#1802)
  * GUI: Artifact selector (#1790)
  * Refactor and improve the way clients send query related information (#1800)
  * fix: upgrade axios from 0.26.1 to 0.27.2 (#1798)
  * Add Cobalt Strike carver sleep function capability (#1795)
  * Bugfix: Create new buffer to accumulate VQL results (#1794)
  * Make velociraptor_client executable in postinst script (#1788)
  * Support addition on dicts (#1785)
  * fix: upgrade moment from 2.29.2 to 2.29.3 (#1782)
  * fix: upgrade react-router-dom from 5.3.0 to 5.3.1 (#1783)
  * Reset nanny when client connection failed. (#1780)
  * Fix artifacts that use yara parameters to specify yara type (#1779)
  * SysmonInstall artifact now skips install if not needed (#1777)
  * Suppress warning message for offline collector (#1776)
  * Bug fix (#1774)
  * Avoid bash process lingering around while server is running (#1775)
  * oidc: Fix typo: Genric -> Generic (#1773)
  * Make MaxWait for event table settable. (#1772)
  * Fixed bug in Windows.Detection.Yara.Process (#1771)
  * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770)
  * Initial implementation of client side process tracker. (#1768)
  * Bugfix: Client did not update list of query columns (#1767)
  * Fixed bug in ETWSessions artifact (#1766)
  * build(deps): bump async from 2.6.3 to 2.6.4 in /gui/velociraptor (#1761)
  * Add update to ADSHunter for better output on complete system hunts (#28) (#1765)
  * Add fix for duplicate entries from flatten bug (#1760)
  * build(deps): bump ejs from 3.1.6 to 3.1.7 in /gui/velociraptor (#1758)
  * build(deps): bump cross-fetch from 3.1.3 to 3.1.5 in /gui/velociraptor (#1759)
  * Fix undefined types in some artifact parameters (#1757)
  * Update Glob.yaml (#1754)
  * Bugfix: Unable to set cpu limits in hunt GUI (#1751)
  * Support case insensitive notebook cell types (#1747)
  * Fixed a bug in the Userassist artifact (#1746)
  * Bugfix: Hunt stats were not properly incremented (#1744)
  * Invalidate transformed cache when the base table changes. (#1742)
  * GUI Table widgets now can apply transformations on the table. (#1740)
  * Update FilenameSearch.yaml (#1741)

-------------------------------------------------------------------
Fri Nov 11 21:12:02 UTC 2022 - Jeff Mahoney

- Update to version 0.6.4.2~git86.b5931f7:
  * cleanup: go mod tidy
- Fix vendoring of replaced modules.
- Only require libtsan0 on x86_64
- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist

-------------------------------------------------------------------
Fri Nov 11 20:13:00 UTC 2022 - Jeff Mahoney

- Update to version 0.6.4.2~git84.1b38fda:
  * Clean up libbpfgo mess
  * libbpfgo: use forked repo for fully static builds
  * libbpfgo: sync to v0.4.4-libbpf-1.0.1
  * contrib/kafka-humio-gateway: add new debug option for noisy events
  * contrib/kafka-humio-gateway: backoff and retry for metadata
  * vql/server/kafka: connect sarama logging to velociraptor logging
  * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
  * vql/server/kafka: set appropriate ClientID
  * libbpfgo: add selftest to build so testcases work
  * cronsnoop: rework testcases to use t.TempDir
  * cronsnoop: move external dependencies to end of import list
  * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()

-------------------------------------------------------------------
Fri Nov 11 20:08:20 UTC 2022 - Jeff Mahoney

- Update to version 0.6.4.2~git67.85b608e:
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
  * kafka-humio-gateway: add sample config file
  * Updating the NewFiles and ProcessStatuses Artifacts
  * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
  * third_party/go-libaudit: don't directly use unix.*
  * Add Linux.Remediation.Quarantine artifact
  * Extend audit artifacts to use new interface
  * audit: rearchitect plugin to scale better with multiple invocations
  * third_party/go-libaudit: move handling of receive buffer to caller
  * third_party/go-libaudit: move buffer handling from netlink to audit
  * third_party/go-libaudit: allow audit fd to be pollable
  * third_party/go-libaudit: Add support for removing individual rules
  * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
  * third_party/go-libaudit: Report missing rules during deletion
  * import go-libaudit as a third-party module
  * quarantine: actually call the OS-specific artifact
  * artifactset: add ability to select named sources
  * GUI: Artifact selector (#1790)
  * host-info: make quarantine UI more robust with non-Windows client hosts
  * shell-viewer: default to Bash on non-Windows clients

-------------------------------------------------------------------
Thu Nov 10 15:22:27 UTC 2022 - Jeff Mahoney

- Update to version 0.6.4.2~git70.b7df8172:
  * file_store: handle watching artifacts with named sources

-------------------------------------------------------------------
Thu Sep 29 14:16:05 UTC 2022 - Jeff Mahoney

- Update to version 0.6.4.2~git68.5226b23b:
  * api/authenticators/basic: fix logoff endpoint
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact

-------------------------------------------------------------------
Fri Aug 19 21:07:15 UTC 2022 - Jeff Mahoney

- Updated vendoring.
- Fixed update-vendoring script to use an independent go module cache.

-------------------------------------------------------------------
Fri Aug 19 01:59:35 UTC 2022 - Jeff Mahoney

- Update to version 0.6.4.2~git59.5ebb49db:
  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2

-------------------------------------------------------------------
Thu Aug 11 19:40:21 UTC 2022 - Jeff Mahoney

- Update to version 0.6.4.2~git57.fcb11adf:
  * kafka-humio-gateway: add sample config file

-------------------------------------------------------------------
Fri Jul 15 14:30:49 UTC 2022 - Jeff Mahoney

- Updated BuildRequires to use go 1.17 after updating vendoring

-------------------------------------------------------------------
Fri Jul 15 02:24:03 UTC 2022 - Jeff Mahoney

- Add vmlinux.h from 5.18.9-2-default to provide type information (x86_64 only)

-------------------------------------------------------------------
Fri Jul 15 00:00:39 UTC 2022 - Jeff Mahoney

- Update to version 0.6.4.2~git56.47b4adb4:
  * Updating the NewFiles and ProcessStatuses Artifacts
  * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
  * third_party/go-libaudit: don't directly use unix.*
  * Add Linux.Remediation.Quarantine artifact
  * Extend audit artifacts to use new interface
  * audit: rearchitect plugin to scale better with multiple invocations
  * third_party/go-libaudit: move handling of receive buffer to caller
  * third_party/go-libaudit: move buffer handling from netlink to audit
  * third_party/go-libaudit: allow audit fd to be pollable
  * third_party/go-libaudit: Add support for removing individual rules
  * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
  * third_party/go-libaudit: Report missing rules during deletion
  * import go-libaudit as a third-party module
  * quarantine: actually call the OS-specific artifact
  * artifactset: add ability to select named sources
  * GUI: Artifact selector (#1790)
  * host-info: make quarantine UI more robust with non-Windows client hosts
  * shell-viewer: default to Bash on non-Windows clients

-------------------------------------------------------------------
Thu May 12 20:15:26 UTC 2022 - Jeff Mahoney

- Update to upstream 0.6.4.2~git16.e1b7fc0:
  * Rebase on 0.6.4-2
  * Reset nanny when client connection failed. (#1780)
  * Fix artifacts that use yara parameters to specify yara type (#1779)
  * Update release for bugfixes 0.6.4-2
  * Add update to ADSHunter for better output on complete system hunts (#28) (#1765)
  * SysmonInstall artifact now skips install if not needed (#1777)
  * Initial implementation of client side process tracker. (#1768)
  * Invalidate transformed cache when the base table changes. (#1742)
  * GUI Table widgets now can apply transformations on the table. (#1740)
  * Suppress warning message for offline collector (#1776)
  * Bug fix (#1774)
  * Avoid bash process lingering around while server is running (#1775)
  * oidc: Fix typo: Genric -> Generic (#1773)
  * Make MaxWait for event table settable. (#1772)
  * Fixed bug in Windows.Detection.Yara.Process (#1771)
  * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770)
  * Bugfix: Client did not update list of query columns (#1767)
  * Merge bugfixes from master branch. (#1769)
- Revendored dependencies.

-------------------------------------------------------------------
Thu May 12 17:54:31 UTC 2022 - Jeff Mahoney

- Update to version 0.6.4~git31.4298eab0:
  * Elastic.Events.Client: Update to use new artifactset type
  * Kafka.Events.Client: Update to use new artifactset type
  * artifacts: add artifactset parameter type
  * api: add type and description fields to v1/GetArtifacts endpoint

-------------------------------------------------------------------
Thu May 12 13:30:42 UTC 2022 - Jeff Mahoney

- Update to version 0.6.4~git26.4407b9b7:
  * Add artifact for chattrsnoop plugin
  * bpflib: ensure it's built only on linux and when requesting bpf
  * Add chattrsnoop plugin
  * tcpsnoop: Properly close module in case of attach error
  * Add artifacts for dns/tcp snoop plugins
  * tcpsnoop: Add timestamp to generated events
  * dnssnoop: Add timestamp to generated events

-------------------------------------------------------------------
Tue May 3 20:35:57 UTC 2022 - Jeff Mahoney

- Fix error handling in tcpsnoop and dnssnoop.
  * If BTF information is unavailable, there is no indication that the query has failed.

-------------------------------------------------------------------
Tue May 3 13:45:09 UTC 2022 - Jeff Mahoney

- Rebase on 0.6.4:
  * Updated dependencies
  * Bugfix: startup bugs (#1680)
  * bugfix: Server event notebook not correctly created (#1737)
  * Bugfix: Start a dummy indexing service (#1736)
  * Add bugfix which would return no rows if the user removed whitelist (#1735)
  * Fixed bug in read_reg_key (#1734)
  * BUGFIX: Do not include config flag when darwin installer is repacked (#1733)
  * Refactored index into its own service. (#1730)
  * Bugfix: Write one index item per JSONL record. (#1727)
  * Bugfix: Estimating client impact should consider last active status (#1726)
  * Add complete ntfs metadata option to MFT output (#1725)
  * Various bugfixes. (#1724)
  * Update Usn.yaml (#1723)
  * Fixed a bug in hunt download preparation. (#1722)
  * Add Windows.Forensics.Usn filter and presentation updates (#1720)
  * Optimize writing event monitoring records (#1721)
  * Add Generic.Detection.Yara.Zip (#1718)
  * Fixed crash on master-pong response. (#1719)
  * Remove _type option from elastic. (#1715)
  * Opportunistically update directly connected client's ping times (#1713)
  * Fixed bug in VQL cell splitting. (#1712)
  * artifact for parsing macos packages (#1706)
  * Bugfix: Create a cell for each collected source (#1710)
  * Added Server.Utils.CollectClient to simplify direct collections (#1708)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1705)
  * Fix build on Go 1.18 (#1704)
  * build(deps): bump minimist from 1.2.5 to 1.2.6 in /gui/velociraptor (#1703)
  * Mft update - add uSecZeros (#1701)
  * Server monitoring service will reload if an artifact is modified (#1702)
  * Refactor client info manager (#1700)
  * A number of bugfixes (#1699)
  * Update Windows.NTFS.MFT (#1698)
  * Actually export HumanString attribute on OSPath (#1689)
  * RHEL/CentOS/Fedora dnf packages (#1684)
  * Implemented Human Readable OSPath method. (#1688)
  * Added lazy MFT attributes (#1685)
  * Maintain OSPath in mft artifacts (#1683)
  * Fix bug in deaddisk remapping of directories. (#1682)
  * Bugfix: startup bugs (#1680)
  * Updated SQLECmd artifacts (#1677)
  * Artifact repository needs to watch for changes across nodes. (#1676)
  * Update auto accessor to re-open file with ntfs if read failed (#1674)
  * Fix MacOS.System.Plist artifact (#1673)
  * Error collection based on VQL logs (#1672)
  * Add memory limiting to offline collector (#1666)
  * Allow mount overlays (#1664)
  * build(deps): bump node-forge from 1.2.1 to 1.3.0 in /gui/velociraptor (#1661)
  * Fixed bugs in remapping logic. (#1660)
  * Fixed bug in the windows auto accessor. (#1658)
  * Elastic.Events.Clients: synchronize parameters with Elastic.Flows.Upload (#1657)
  * Add initial commit for Windows.NTFS.ExtendedAttributes (#1656)
  * Added a shadow remapping type (#1655)
  * Implemented an event notebook (#1654)
  * Add Windows.System.WMIQuery (#1651)
  * Fixed data race in progress throttler. (#1653)
  * Implemented timeout and cpu limits on offline collector. (#1650)
  * Added an rpm server command. (#1647)
  * Artifacts can now define suggestions for notebook cells. (#1646)
  * Allow multiple OIDC authenticators to be specified. (#1645)
  * Added a multi authenticator. (#1644)
  * Add HashHunter hash() update for performance (#1643)
  * Change the DNSCache Artifact to WMI (#1640)
  * Added an uploader for notebooks. (#1639)
  * Added hashselect arg option to hash() (#1637)
  * Add Generic.Detection.HashHunter and tests (#1638)
  * Added Generic.Collectors.SQLECmd (#1635)
  * Add BinaryHunter (#1634)
  * String artifact parameters can now have validator regex (#1628)
  * Implemented CPU rate limited for better control (#1622)
  * Added a client nanny to detect deadlocks (#1621)
  * Linux.Sys.Services artifact, parse services from systemctl (#1619)
  * Collect MAC addresses during interrogation and index them (#1611)
  * Allow parse_ntfs() to operate on an image file. (#1610)
  * Fix regression in VFSGetBuffer (#1605)
  * Added rekey() VQL function (#1604)
  * switch to uninstall string (#1603)
  * freebsd /etc/rc.d/velociraptor service script (#1602)
  * Add Windows.Registry.BackupRestore (#1601)
  * Optimized NTFS code for better speed and added more fields to parse_mft (#1599)
  * Update BinaryRename.yaml (#1598)
  * Added LinuxM1 (#1597)
  * Add explicit check of sticky keys (#1592)
  * Remote data store should identify retryable errors (#1590)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1588)
  * Add test improvement clear system log (#18) (#1586)
  * Modified Windows.Forensics.Prefetch to use VQL binary parser (#1585)
  * add Windows.NTFS.ADSHunter first commit (#17) (#1583)
  * Resolves Velocidex/velociraptor#1543 Create new VQL entropy() function (#1574)
  * Remove C time and updating naming (#1546)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1568)
  * Update OSPath protocols to support slices. (#1575)
  * Implement array slice notation in VQL and Server.Import.PreviousReleases (#1573)
  * add rtf TemplateInjection to Windows.Detection.TemplateInjection (#1572)
  * Change accessors API to deal with OSPath objects directly. (#1570)
  * Bump follow-redirects from 1.14.4 to 1.14.8 in /gui/velociraptor (#1567)
  * Added a deaddisk command to generate config (#1564)
  * Fix bug in Windows.System.Services (#1565)
  * Fixed glob expand braces order of operations. (#1560)
  * Added an offset and raw_file accessors (#1559)
  * Update CertUtil.yaml (#1558)
  * remove users to include the system path (#1536)
  * Implement remap() VQL function and remapping config (#1555)
  * Make GitHub actions more flexible on Windows (#1549)
  * Bump normalize-url from 4.5.0 to 4.5.1 in /gui/velociraptor (#1548)
  * Fix typo (#1547)
  * Refactor of accessors and path manipulations (#1545)
  * Dns etw update (#1544)
  * add PowershellProfile (#1542)
  * Added dynamic pubsub attributes (#1540)
  * Fix Windows.Applications.Chrome.History (#1539)
  * windows.application to windows.applications merge. New firefox history artefact (#1534)
  * Fixed race condition in zip accessor reference counting. (#1531)
  * Added Windows.Persistence.SilentProcessExit (#1530)
  * Add limitations section and lastwrite timestamp (#1529)
  * Offline collector FetchBinary should respect the IsExecutable flag (#1528)
  * update description, order by, and hidden keypath (#1527)
  * add limitations section (#1520)
  * Avoid holding index lock for too long. (#1519)
  * re-introduce Windows.Collectors.File with deprecation note (#1516)
  * add limitations to description and key path to query (#1514)
  * Retry remote datastore connections (#1513)
  * Write minion log files and autocert in its own dir. (#1512)
  * Synced KapeFiles artifacts (#1511)
  * Added data retention server artifacts (#1510)
  * Set an upper limit for ttl in memcache (#1508)
  * Add updates to Windows.System.Services (#15) (#1509)
  * Ensure collector container is properly closed when interrupted. (#1507)
  * Continually rebuild the index at runtime. (#1506)
  * Harder vacuum - directly move client task directories to the attic. (#1505)
  * add limitation disclaimer (#1504)
  * Reduce critical section to avoid deadlock in repository manager (#1503)
  * Implemented a vacuum command to remove old tasks from client queues. (#1501)
  * Better format profile metrics output. (#1495)
  * Cap size of directories and report large directories. (#1493)
  * Set ACE completers per editor to avoid global state. (#1492)
  * Add HttpOnly flag to all cookies. (#1491)
  * Refactor completion routine calls (#1490)
  * Limit size of cached directories. (#1483)
  * Add more instrumentation to memory caches. (#1482)
  * Fixed chart resizing bug (#1481)
  * Removed the old queries: list from artifacts. (#1480)
  * [Snyk] Fix for 9 vulnerabilities (#1479)
  * Remove lock around critical section. (#1478)
  * Added MacOS.Forensics.AppleDoubleZip (#1476)
  * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475)
  * Make index snapshot frequency configurable (#1474)
  * Bugfix: Setting notebook index did not escape username (#1471)
  * Flush index from memory to disk (#1470)
  * Fixed 2 bugs with the memcache file store (#1469)
  * Update flow active time when the result set is completed (#1468)
  * Tag artifacts as built ins (#1467)
  * Fixed bug in the pathspec() VQL function. (#1465)
  * fix APIConfigLoader not applying command line args (#1463)

-------------------------------------------------------------------
Mon May 02 14:55:07 UTC 2022 - Jeff Mahoney

- Resync with git repository:
  * Add artifact to monitor user group updates (#24)
  * Add dnssnoop plugin (#15)
  * Log Sudo/root command by auditd
  * Add custom artifacts for login and logout attempts recorded by auditd

-------------------------------------------------------------------
Fri Mar 18 14:12:59 UTC 2022 - Jeff Mahoney

- Update to version 0.6.3~git19.640f7a1c:
  * Add tcpsnoop plugin

-------------------------------------------------------------------
Tue Mar 15 13:31:21 UTC 2022 - Jeff Mahoney

- Update to version 0.6.3~git17.741ebb59:
  * kafka-humio-gateway: update README.md
  * kafka-humio-gateway: Fix missing variable rename
  * Add Kafka-Humio Gateway [Depends on PR#10] (#8)

-------------------------------------------------------------------
Tue Mar 15 01:04:29 UTC 2022 - Jeff Mahoney

- Update to version 0.6.3~git13.af7fdb00:
  * SUSE: Add SSHLogin artifacts
  * Add a Kafka export plugin
  * SUSE: Do build tests on every pull request
  * Add systemd-dev as build dependency for github workflow

-------------------------------------------------------------------
Fri Feb 18 00:52:01 UTC 2022 - Jeff Mahoney

- Update to version 0.6.3~git6.d95ed32e:
  * Update the Linux.Events.SSHLogin artifact to scan the systemd journal
  * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal
  * Add parser to read systemd journal on Linux
  * Add an artifact to enumerate immutable files under a path
  * Add chattr function support for linux
  * Make GitHub actions more flexible on Windows

-------------------------------------------------------------------
Thu Feb 10 02:12:54 UTC 2022 - Jeff Mahoney

- Add simple default configs and provide dirs in /var/lib for client and server.

-------------------------------------------------------------------
Mon Feb 7 14:40:47 UTC 2022 - Jeff Mahoney

- Temporarily re-enable Windows artifacts (LSS#4).

-------------------------------------------------------------------
Wed Feb 2 18:10:19 UTC 2022 - Jeff Mahoney

- Added systemd unit file and placeholder config file.

-------------------------------------------------------------------
Thu Jan 27 17:33:45 UTC 2022 - Jeff Mahoney

- Update to version 0.6.3~git0.69e0fffa:
  * Prepare for 0.6.3 release (#1515)
  * add limitations to description and key path to query (#1514)
  * Retry remote datastore connections (#1513)
  * Write minion log files and autocert in its own dir. (#1512)
  * Synced KapeFiles artifacts (#1511)
  * Added data retention server artifacts (#1510)
  * Set an upper limit for ttl in memcache (#1508)
  * Add updates to Windows.System.Services (#15) (#1509)
  * Ensure collector container is properly closed when interrupted. (#1507)
  * Continually rebuild the index at runtime. (#1506)
  * Harder vacuum - directly move client task directories to the attic. (#1505)
  * add limitation disclaimer (#1504)
  * Reduce critical section to avoid deadlock in repository manager (#1503)
  * Implemented a vacuum command to remove old tasks from client queues. (#1501)
  * Better format profile metrics output. (#1495)
  * Cap size of directories and report large directories. (#1493)
  * Set ACE completers per editor to avoid global state. (#1492)
  * Add HttpOnly flag to all cookies. (#1491)
  * Refactor completion routine calls (#1490)
  * fix: upgrade react-bootstrap from 1.3.0 to 1.6.4 (#1486)
  * fix: upgrade http-proxy-middleware from 1.0.5 to 1.3.1 (#1485)
  * fix: upgrade react-ace from 9.1.3 to 9.5.0 (#1487)
  * fix: upgrade recharts from 2.0.9 to 2.1.8 (#1488)
  * fix: upgrade react-datetime-picker from 3.0.4 to 3.4.3 (#1489)
  * Limit size of cached directories. (#1483)
  * Add more instrumentation to memory caches. (#1482)
  * Fixed chart resizing bug (#1481)
  * Removed the old queries: list from artifacts. (#1480)
  * [Snyk] Fix for 9 vulnerabilities (#1479)
  * Remove lock around critical section. (#1478)
  * Added MacOS.Forensics.AppleDoubleZip (#1476)
  * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475)
  * Make index snapshot frequency configurable
  * fix APIConfigLoader not applying command line args (#1463)
  * Flush index from memory to disk (#1470)
  * Prepare RC2 (#1473)
  * Bugfix: Setting notebook index did not escape username (#1471)
  * Fixed 2 bugs with the memcache file store (#1469)
  * Update flow active time when the result set is completed (#1468)
  * Tag artifacts as built ins (#1467)
  * Fixed bug in the pathspec() VQL function. (#1465)
  * Update PrivateKeys.yaml (#1459)
  * Added recursion_callback option to the glob plugin (#1461)
  * Added config wizard for multi-frontend configuration (#1460)
  * Calculate the sha256 hash of the offline container. (#1458)
  * Artifact inspection GUI now allows pivot. (#1457)
  * Client certs can now be specified in the config file. (#1456)
  * New Upload File Form element (#1455)
  * Added a sparse accessor (#1453)
  * Hunt wizard estimates clients affected (#1452)
  * Make the interrogation process customizable. (#1451)
  * Update Info.yaml (#1427)
  * Improved Lnk parser to include additional fields. (#1449)
  * Added a Yara GUI element editor. (#1447)
  * Added patch and merge to `config show` and `config generate` (#1445)
  * Remove usage of FatalIfError from main module (#1443)
  * Introduced a dedicated pathspec object (#1440)
  * Bump is-svg from 4.2.2 to 4.3.0 in /gui/velociraptor (#1437)
  * Only pass client config in the client VQL scope. (#1436)
  * rework protobuf message generator (#1435)
  * Update Autoruns.yaml
  * Added test for filefinder (#1431)
  * fix filters in filefinder artifact (#1430)
  * Add Artifact to collect KapeFile targets on Linux (#1426)
  * Enabled lazy quotes on csv parser (#1424)
  * Fixed bug in client comms. (#1423)
  * Add document filter for better usability (#1421)
  * Added resource information to the output of parse_pe() (#1420)
  * Low latency client connectivity discovery (#1419)
  * Add RecentDocs collection (#1416)
  * Update Amcache artifact for clarity (#1415)
  * Added extra parameters to parse_csv() (#1413)
  * Added netcat plugin to read from socket (#1412)
  * Updated SRUM with Network Usage and Upload option (#1408)
  * Synced darwin and freebsd file accessor with the linux one. (#1409)
  * Added Windows.Forensics.SAM artifact (#1404)
  * Initial artifacts can be specified in config (#1403)
  * Add conhost.exe to binary rename (#1402)
  * Add update Prefetch Btime execution fix (#1398)
  * Update Prefetch timeline (#1397)
  * Cleanup search API (#1396)
  * Update protobuf dependencies. (#1394)
  * More multi-frontend optimizations (#1393)
  * Client info manager now keeps track of scheduled tasks. (#1392)
  * add sid and lookupsid plugin (#1388)
  * Add Mutant whitelist (#1387)
  * Notify currently connected clients on new hunts (#1386)
  * Index rebuild command loads new index service. (#1385)
  * Changes to support distributed architecture. (#1384)
  * Added procdump and procdump64 (#1382)
  * Fixed heavy mutex contention in the labeler. (#1375)
  * Add shellcode to CobaltStrike carver (#10) (#1373)
  * Added an index rebuild command. (#1369)
  * GUI artifact form was ignoring the friendly name attribute (#1368)
  * Added a specialized form element for regex parameters. (#1367)
  * Added a gRPC based remote datastore (#1366)
  * Display all subauthorities for GUID in SRUM (#1365)
  * Verify all gRPC peer certificates were signed by the Velociraptor CA (#1362)
  * Implemented MemcacheFileDatastore - memory caching with file backend (#1361)
  * Added new plugins to manipulate event tables easier. (#1355)
  * Refactored in memory datastore to be more efficient. (#1353)
  * Sync vfilter (#1351)
  * Add both fqdn and hostname to the client search table (#1350)
  * BUGFIX: Datastore on windows is unable to represent files with . (#1348)
  * Added buffer_size parameter to parse_records_with_regex() (#1347)
  * Propagate column types from artifact to flow notebook. (#1346)
  * Cobalt parser update (#1345)
  * Allow listener to not use file buffer. (#1344)
  * Fix Deployment documentation link in README (#1343)
  * Preserve uint64 types across Listener (#1341)
  * Fix spelling (#1339)
  * Refactored queue listener to preserve order. (#1340)
  * Added a magic() VQL function (#1338)
  * Fixed bug in CSS (#1337)

-------------------------------------------------------------------
Thu Jan 27 17:27:42 UTC 2022 - Jeff Mahoney

- Update to version 0.6.2~git0.8dd598b2:
  * Update ese parser to fix timestamp bug
  * Prepare final 0.6.2 release (#1363)
  * Verify all gRPC peer certificates were signed by the Velociraptor CA
  * Removed search index parallelism (#1358)
  * Added new plugins to manipulate event tables easier. (#1355)
  * Sync vfilter (#1351)
  * Add both fqdn and hostname to the client search table (#1350)
  * BUGFIX: Datastore on windows is unable to represent files with . (#1348)
  * Added buffer_size parameter to parse_records_with_regex() (#1347)
  * Propagate column types from artifact to flow notebook. (#1346)

-------------------------------------------------------------------
Thu Jan 6 21:50:43 UTC 2022 - Jeff Mahoney

- client: Remove dependencies on nodejs since we don't use it in client mode.

-------------------------------------------------------------------
Thu Jan 6 20:14:39 UTC 2022 - Jeff Mahoney

- Update to version 0.6.2~git73.dc02b45e:
  * Update PrivateKeys.yaml (#1459)
  * Added recursion_callback option to the glob plugin (#1461)
  * Added config wizard for multi-frontend configuration (#1460)
  * Calculate the sha256 hash of the offline container. (#1458)
  * Artifact inspection GUI now allows pivot. (#1457)
  * Client certs can now be specified in the config file. (#1456)
  * New Upload File Form element (#1455)
  * Added a sparse accessor (#1453)
  * Hunt wizard estimates clients affected (#1452)
  * Make the interrogation process customizable. (#1451)

-------------------------------------------------------------------
Tue Dec 21 20:25:43 UTC 2021 - Jeff Mahoney

- Disable Windows artifacts. We don't target Windows endpoints and the queries clutter the GUI.

-------------------------------------------------------------------
Thu Dec 16 14:12:05 UTC 2021 - Jeff Mahoney

- Switch to using master branch via service files.
- Added update-vendoring.sh to update the nodejs and go dependencies after version update.
- Now building the client with linux_bare target that disables the GUI for endpoint usage.
- Patch the version string to reflect the package version instead of an indistinguishable -dev.

-------------------------------------------------------------------
Thu Dec 2 01:46:34 UTC 2021 - Jeff Mahoney

- Initial packaging.