Accepting request 975255 from home:jeff_mahoney:security:sensor:devel

- Fix error handling in tcpsnoop and dnssnoop. * If BTF information is unavailable, there is no indication that the query has failed. - Rebase on 0.6.4: * Updated dependencies * Bugfix: startup bugs (#1680) * bugfix: Server event notebook not correctly created (#1737) * Bugfix: Start a dummy indexing service (#1736) * Add bugfix which would return no rows if the user removed whitelist (#1735) * Fixed bug in read_reg_key (#1734) * BUGFIX: Do not include config flag when darwin installer is repacked (#1733) * Refactored index into its own service. (#1730) * Bugfix: Write one index item per JSONL record. (#1727) * Bugfix: Estimating client impact should consider last active status (#1726) * Add complete ntfs metadata option to MFT output (#1725) * Various bugfixes. (#1724) * Update Usn.yaml (#1723) * Fixed a bug in hunt download preparation. (#1722) * Add Windows.Forensics.Usn filter and presentation updates (#1720) * Optimize writing event monitoring records (#1721) * Add Generic.Detection.Yara.Zip (#1718) * Fixed crash on master-pong response. (#1719) * Remove _type option from elastic. (#1715) * Opportunistically update directly connected client's ping times (#1713) * Fixed a bug in hunt download preparation. (#1722) * Add Windows.Forensics.Usn filter and presentation updates (#1720) * Optimize writing event monitoring records (#1721) * Add Generic.Detection.Yara.Zip (#1718) * Fixed crash on master-pong response. (#1719) OBS-URL: https://build.opensuse.org/request/show/975255 OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=14
2022-05-05 18:38:36 +00:00 · 2022-05-05 18:38:36 +00:00 · 2d6a29d947
commit 2d6a29d947
parent ae02f616a5
18 changed files with 457 additions and 29 deletions
--- a/29
+++ b/29
@ -0,0 +1,29 @@
+FROM opensuse/tumbleweed
+
+# Need to build on SLE first -- it's mostly static but depends on glibc
+#FROM registry.suse.com/suse/sle15:latest
+
+VOLUME /data
+VOLUME /logs
+VOLUME /config
+
+# API
+EXPOSE 8801
+
+# GUI
+EXPOSE 8889
+
+# Frontend
+EXPOSE 8000
+
+# Monitoring
+EXPOSE 8003
+
+COPY entry-point.sh generate-config.sh obs-signing-key.key /
+COPY init-config.json /etc/velociraptor/
+RUN rpm --import /obs-signing-key.key
+RUN zypper -q ar obs://security:sensor/ "obs://security/sensor"
+RUN zypper -q --non-interactive refresh
+RUN zypper -q --non-interactive install velociraptor
+
+CMD /entry-point.sh
--- a/6
+++ b/6
@ -3,10 +3,10 @@
    <param name="url">https://github.com/SUSE/linux-security-sensor</param>
    <param name="filename">velociraptor</param>
    <param name="versionformat">@PARENT_TAG@~git@TAG_OFFSET@.%h</param>
-    <param name="revision">sensor-base-0.6.3</param>
+    <param name="revision">sensor-base-0.6.4</param>
    <param name="scm">git</param>
-    <param name="parent-tag">v0.6.3</param>
-    <param name="versionrewrite-pattern">v(.*)</param>
+    <param name="parent-tag">v0.6.4-1</param>
+    <param name="versionrewrite-pattern">v(.*)-[0-9]</param>
    <param name="changesgenerate">enable</param>
    <param name="submodules">enable</param>
  </service>
--- a/4
+++ b/4
@ -1,4 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/SUSE/linux-security-sensor</param>
-              <param name="changesrevision">0ed023e28e50d9ff4f6ef6b758618cf5a36667bd</param></service></servicedata>
+              <param name="changesrevision">cb7dfd4978750bca1dc24e06c796adf5df5ca0e3</param></service><service name="tar_scm">
+                <param name="url">https://github.com/jeffmahoney/linux-security-sensor</param>
+              <param name="changesrevision">cb7dfd4978750bca1dc24e06c796adf5df5ca0e3</param></service></servicedata>
--- a/make-libbpfgo-vendorable.patch
+++ b/make-libbpfgo-vendorable.patch
@ -0,0 +1,27 @@
+---
+ third_party/libbpfgo/go.mod      |    8 --------
+ third_party/libbpfgo/libbpfgo.go |    2 +-
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+--- a/third_party/libbpfgo/go.mod
+++ /dev/null
+@@ -1,8 +0,0 @@
+-module github.com/aquasecurity/libbpfgo
+-
+-go 1.16
+-
+-require (
+-	github.com/stretchr/testify v1.7.0
+-	golang.org/x/sys v0.0.0-20210514084401-e8d321eab015
+-)
+--- a/third_party/libbpfgo/libbpfgo.go
+++ b/third_party/libbpfgo/libbpfgo.go
+@@ -87,7 +87,7 @@ import (
+ 	"syscall"
+ 	"unsafe"
+ 
+-	"github.com/aquasecurity/libbpfgo/helpers"
+	"www.velocidex.com/golang/velociraptor/third_party/libbpfgo/helpers"
+ )
+ 
+ const (
--- a/velociraptor-0.6.3~git19.640f7a1c.obscpio
+++ b/velociraptor-0.6.3~git19.640f7a1c.obscpio
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b08a8c85dceb85f51064a25fe549b5c1780f23984b08b5352d16640f15a33a88
-size 26367501
--- a/velociraptor-0.6.4~git17.cb7dfd49.obscpio
+++ b/velociraptor-0.6.4~git17.cb7dfd49.obscpio
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12fc23eab81f534c4a0b085a3c3de875adfb9da97b98b68b8b2d50d51ebc4b64
+size 37749773
--- a/velociraptor-client.changes
+++ b/velociraptor-client.changes
@ -1,3 +1,186 @@
+-------------------------------------------------------------------
+Tue May  3 20:35:57 UTC 2022 - Jeff Mahoney <jeffm@suse.com>
+
+- Fix error handling in tcpsnoop and dnssnoop.
+  * If BTF information is unavailable, there is no indication that the
+    query has failed.
+
+-------------------------------------------------------------------
+Tue May  3 13:45:09 UTC 2022 - Jeff Mahoney <jeffm@suse.com>
+
+- Rebase on 0.6.4:
+  * Updated dependencies
+  * Bugfix: startup bugs (#1680)
+  * bugfix: Server event notebook not correctly created (#1737)
+  * Bugfix: Start a dummy indexing service (#1736)
+  * Add bugfix which would return no rows if the user removed whitelist (#1735)
+  * Fixed bug in read_reg_key (#1734)
+  * BUGFIX: Do not include config flag when darwin installer is repacked (#1733)
+  * Refactored index into its own service. (#1730)
+  * Bugfix: Write one index item per JSONL record. (#1727)
+  * Bugfix: Estimating client impact should consider last active status (#1726)
+  * Add complete ntfs metadata option to MFT output (#1725)
+  * Various bugfixes. (#1724)
+  * Update Usn.yaml (#1723)
+  * Fixed a bug in hunt download preparation. (#1722)
+  * Add Windows.Forensics.Usn filter and presentation updates (#1720)
+  * Optimize writing event monitoring records (#1721)
+  * Add Generic.Detection.Yara.Zip (#1718)
+  * Fixed crash on master-pong response. (#1719)
+  * Remove _type option from elastic. (#1715)
+  * Opportunistically update directly connected client's ping times (#1713)
+  * Fixed a bug in hunt download preparation. (#1722)
+  * Add Windows.Forensics.Usn filter and presentation updates (#1720)
+  * Optimize writing event monitoring records (#1721)
+  * Add Generic.Detection.Yara.Zip (#1718)
+  * Fixed crash on master-pong response. (#1719)
+  * Remove _type option from elastic. (#1715)
+  * Opportunistically update directly connected client's ping times (#1713)
+  * Fixed bug in VQL cell splitting. (#1712)
+  * artifact for parsing macos packages (#1706)
+  * Bugfix: Create a cell for each collected source (#1710)
+  * artifact for parsing macos packages (#1706)
+  * Bugfix: Create a cell for each collected source (#1710)
+  * Added Server.Utils.CollectClient to simplify direct collections (#1708)
+  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1705)
+  * Fix build on Go 1.18 (#1704)
+  * build(deps): bump minimist from 1.2.5 to 1.2.6 in /gui/velociraptor (#1703)
+  * Mft update - add uSecZeros (#1701)
+  * Server monitoring service will reload if an artifact is modified (#1702)
+  * Refactor client info manager (#1700)
+  * A number of bugfixes (#1699)
+  * Update Windows.NTFS.MFT (#1698)
+  * Actually export HumanString attribute on OSPath (#1689)
+  * RHEL/CentOS/Fedora dnf packages (#1684)
+  * Implemented Human Readable OSPath method. (#1688)
+  * Added lazy MFT attributes (#1685)
+  * Maintain OSPath in mft artifacts (#1683)
+  * Fix bug in deaddisk remapping of directories. (#1682)
+  * Bugfix: startup bugs (#1680)
+  * Updated SQLECmd artifacts (#1677)
+  * Artifact repository needs to watch for changes across nodes. (#1676)
+  * Update auto accessor to re-open file with ntfs if read failed (#1674)
+  * Fix MacOS.System.Plist artifact (#1673)
+  * Error collection based on VQL logs (#1672)
+  * Add memory limiting to offline collector (#1666)
+  * Allow mount overlays (#1664)
+  * build(deps): bump node-forge from 1.2.1 to 1.3.0 in /gui/velociraptor (#1661)
+  * Fixed bugs in remapping logic. (#1660)
+  * Fixed bug in the windows auto accessor. (#1658)
+  * Elastic.Events.Clients: synchronize parameters with Elastic.Flows.Upload (#1657)
+  * Add initial commit for Windows.NTFS.ExtendedAttributes (#1656)
+  * Added a shadow remapping type (#1655)
+  * Implemented an event notebook (#1654)
+  * Add Windows.System.WMIQuery (#1651)
+  * Fixed data race in progress throttler. (#1653)
+  * Implemented timeout and cpu limits on offline collector. (#1650)
+  * Added an rpm server command. (#1647)
+  * Artifacts can now define suggestions for notebook cells. (#1646)
+  * Allow multiple OIDC authenticators to be specified. (#1645)
+  * Added a multi authenticator. (#1644)
+  * Add HashHunter hash() update for performance (#1643)
+  * Change the DNSCache Artifact to WMI (#1640)
+  * Added an uploader for notebooks.  (#1639)
+  * Added hashselect arg option to hash() (#1637)
+  * Add Generic.Detection.HashHunter and tests (#1638)
+  * Added Generic.Collectors.SQLECmd (#1635)
+  * Add BinaryHunter (#1634)
+  * String artifact parameters can now have validator regex (#1628)
+  * Implemented CPU rate limited for better control (#1622)
+  * Added a client nanny to detect deadlocks (#1621)
+  * Linux.Sys.Services artifact, parse services from systemctl (#1619)
+  * Collect MAC addresses during interrogation and index them (#1611)
+  * Allow parse_ntfs() to operate on an image file. (#1610)
+  * Fix regression in VFSGetBuffer (#1605)
+  * Added rekey() VQL function (#1604)
+  * switch to uninstall string (#1603)
+  * freebsd /etc/rc.d/velociraptor service script (#1602)
+  * Add Windows.Registry.BackupRestore (#1601)
+  * Optimized NTFS code for better speed and added more fields to parse_mft (#1599)
+  * Update BinaryRename.yaml (#1598)
+  * Added LinuxM1 (#1597)
+  * Add explicit check of sticky keys (#1592)
+  * Remote data store should identify retryable errors (#1590)
+  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1588)
+  * Add test improvement clear system log (#18) (#1586)
+  * Modified Windows.Forensics.Prefetch to use VQL binary parser (#1585)
+  * add Windows.NTFS.ADSHunter first commit (#17) (#1583)
+  * Resolves Velocidex/velociraptor#1543 Create new VQL entropy() function (#1574)
+  * Remove C time and updating naming (#1546)
+  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1568)
+  * Update OSPath protocols to support slices. (#1575)
+  * Implement array slice notation in VQL and Server.Import.PreviousReleases (#1573)
+  * add rtf TemplateInjection to Windows.Detection.TemplateInjection  (#1572)
+  * Change accessors API to deal with OSPath objects directly.  (#1570)
+  * Bump follow-redirects from 1.14.4 to 1.14.8 in /gui/velociraptor (#1567)
+  * Added a deaddisk command to generate config (#1564)
+  * Fix bug in Windows.System.Services (#1565)
+  * Fixed glob expand braces order of operations. (#1560)
+  * Added an offset and raw_file accessors (#1559)
+  * Update CertUtil.yaml (#1558)
+  * remove users to include the system path (#1536)
+  * Implement remap() VQL function and remapping config (#1555)
+  * Make GitHub actions more flexible on Windows (#1549)
+  * Bump normalize-url from 4.5.0 to 4.5.1 in /gui/velociraptor (#1548)
+  * Fix typo (#1547)
+  * Refractor of accessors and path manipulations (#1545)
+  * Dns etw update (#1544)
+  * add PowershellProfile (#1542)
+  * Added dynamic pubsub attributes (#1540)
+  * Fix Windows.Applications.Chrome.History (#1539)
+  * windows.application to windows.applications merge. New firefox history artefact (#1534)
+  * Fixed race condition in zip accessor reference counting. (#1531)
+  * Added Windows.Persistence.SilentProcessExit (#1530)
+  * Add limitations section and lastwrite timestamp (#1529)
+  * Offline collector FetchBinary should respect the IsExecutable flag (#1528)
+  * update description, order by, and hidden keypath (#1527)
+  * add limitations section (#1520)
+  * Avoid holding index lock for too long. (#1519)
+  * re-introduce Windows.Collectors.File with deprecation note (#1516)
+  * add limitations to description and key path to query (#1514)
+  * Retry remote datastore connections (#1513)
+  * Write minion log files and autocert in its own dir.  (#1512)
+  * Synced KapeFiles artifacts (#1511)
+  * Added data retention server artifacts (#1510)
+  * Set an upper limit for ttl in memcache (#1508)
+  * Add updates to Windows.System.Services (#15) (#1509)
+  * Ensure collector container is properly closed when interrupted. (#1507)
+  * Continually rebuild the index at runtime. (#1506)
+  * Harder vacuum - directly move client task directories to the attic. (#1505)
+  * add limitation disclaimer (#1504)
+  * Reduce critial section to avoid deadlock in repository manager (#1503)
+  * Implemented a vacuum command to remove old tasks from client queues. (#1501)
+  * Better format profile metrics output. (#1495)
+  * Cap size of directories and report large directories. (#1493)
+  * Set ACE completers per editor to avoid global state. (#1492)
+  * Add HttpOnly flag to all cookies. (#1491)
+  * Refactor completion routine calls (#1490)
+  * Limit size of cached directories. (#1483)
+  * Add more instrumentation to memory caches. (#1482)
+  * Fixed chart resizing bug (#1481)
+  * Removed the old queries: list from artifacts. (#1480)
+  * [Snyk] Fix for 9 vulnerabilities (#1479)
+  * Remove lock around critical section. (#1478)
+  * Added MacOS.Forensics.AppleDoubleZip (#1476)
+  * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475)
+  * Make index snapshot frequency configurable (#1474)
+  * Bugfix: Setting notebook index did not escape username (#1471)
+  * Flush index from memory to disk  (#1470)
+  * Fixed 2 bugs with the memcache file store (#1469)
+  * Update flow active time when the result set is completed (#1468)
+  * Tag artifacts as built ins (#1467)
+  * Fixed bug in the pathspec() VQL function. (#1465)
+  * fix APIConfigLoader not applying command line args (#1463)
+
+-------------------------------------------------------------------
+Mon May 02 14:55:07 UTC 2022 - jeffm@suse.com
+
+- Resync with git repository:
+  * Add artifact to monitor user group updates (#24)
+  * Add dnssnoop plugin (#15)
+  * Log Sudo/root command by auditd
+  * Add custom artifacts for login and logout attempts recorded by auditd
+
 -------------------------------------------------------------------
 Fri Mar 18 14:12:59 UTC 2022 - jeffm@suse.com

--- a/velociraptor-client.spec
+++ b/velociraptor-client.spec
@ -19,7 +19,7 @@
 %define vendor_version %{version}

 Name:           velociraptor-client
-Version:        0.6.3~git19.640f7a1c
+Version:        0.6.4~git17.cb7dfd49
 Release:        0
 Summary:        Endpoint visibility and collection tool (endpoint only)

@ -33,6 +33,7 @@ Source3:        %{name}.config.placeholder
 Patch1:         velociraptor-golang-mage-vendoring.diff
 Patch2:		velociraptor-skip-git-submodule-import-for-OBS-build.patch
 Patch3:		velociraptor-makefile-add-bpf-rules-to-linux_bare.patch
+Patch4:		make-libbpfgo-vendorable.patch
 BuildRequires:  golang-packaging
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  systemd-devel
@ -62,14 +63,16 @@ install the 'velociraptor' package.
 %setup -q -a 1 -n %{projname}-%{version}
 %autopatch -p1

-# The build process will do this too but it makes 'go mod vendor' easier
-rm -f third_party/libbpfgo/go.mod
+# Without this, the libbpfgo tests want to vendor the external version
+rm -rf third_party/libbpfgo/selftest third_party/libbpfgo/helpers/example_tracelisten_test.go

 # Set the version to something more specific than <next-tag>-dev
 sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go

 # These just clutter the GUI and we don't have Windows clients
-rm -rf artifacts/definitions/Windows
+# Note: There are dependencies on these that need to be resolved before
+# removing them outright.
+# rm -rf artifacts/definitions/Windows

 %build
 PATH=$PATH:/usr/sbin make linux_bare
--- a/velociraptor-skip-git-submodule-import-for-OBS-build.patch
+++ b/velociraptor-skip-git-submodule-import-for-OBS-build.patch
@ -11,7 +11,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
 --- a/Makefile
 +++ b/Makefile
@@ -61,8 +61,8 @@ ifeq ($(BUILD_LIBBPFGO), 1)
- BPF_MODULES := vql/linux/tcpsnoop/tcpsnoop.bpf.o
+ 	vql/linux/dnssnoop/dnssnoop.bpf.o
 
 $(LIBBPFGO_DIR): always-check
 -	echo "INFO: updating submodule 'libbpfgo'"
--- a/velociraptor.changes
+++ b/velociraptor.changes
@ -1,3 +1,186 @@
+-------------------------------------------------------------------
+Tue May  3 20:35:57 UTC 2022 - Jeff Mahoney <jeffm@suse.com>
+
+- Fix error handling in tcpsnoop and dnssnoop.
+  * If BTF information is unavailable, there is no indication that the
+    query has failed.
+
+-------------------------------------------------------------------
+Tue May  3 13:45:09 UTC 2022 - Jeff Mahoney <jeffm@suse.com>
+
+- Rebase on 0.6.4:
+  * Updated dependencies
+  * Bugfix: startup bugs (#1680)
+  * bugfix: Server event notebook not correctly created (#1737)
+  * Bugfix: Start a dummy indexing service (#1736)
+  * Add bugfix which would return no rows if the user removed whitelist (#1735)
+  * Fixed bug in read_reg_key (#1734)
+  * BUGFIX: Do not include config flag when darwin installer is repacked (#1733)
+  * Refactored index into its own service. (#1730)
+  * Bugfix: Write one index item per JSONL record. (#1727)
+  * Bugfix: Estimating client impact should consider last active status (#1726)
+  * Add complete ntfs metadata option to MFT output (#1725)
+  * Various bugfixes. (#1724)
+  * Update Usn.yaml (#1723)
+  * Fixed a bug in hunt download preparation. (#1722)
+  * Add Windows.Forensics.Usn filter and presentation updates (#1720)
+  * Optimize writing event monitoring records (#1721)
+  * Add Generic.Detection.Yara.Zip (#1718)
+  * Fixed crash on master-pong response. (#1719)
+  * Remove _type option from elastic. (#1715)
+  * Opportunistically update directly connected client's ping times (#1713)
+  * Fixed a bug in hunt download preparation. (#1722)
+  * Add Windows.Forensics.Usn filter and presentation updates (#1720)
+  * Optimize writing event monitoring records (#1721)
+  * Add Generic.Detection.Yara.Zip (#1718)
+  * Fixed crash on master-pong response. (#1719)
+  * Remove _type option from elastic. (#1715)
+  * Opportunistically update directly connected client's ping times (#1713)
+  * Fixed bug in VQL cell splitting. (#1712)
+  * artifact for parsing macos packages (#1706)
+  * Bugfix: Create a cell for each collected source (#1710)
+  * artifact for parsing macos packages (#1706)
+  * Bugfix: Create a cell for each collected source (#1710)
+  * Added Server.Utils.CollectClient to simplify direct collections (#1708)
+  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1705)
+  * Fix build on Go 1.18 (#1704)
+  * build(deps): bump minimist from 1.2.5 to 1.2.6 in /gui/velociraptor (#1703)
+  * Mft update - add uSecZeros (#1701)
+  * Server monitoring service will reload if an artifact is modified (#1702)
+  * Refactor client info manager (#1700)
+  * A number of bugfixes (#1699)
+  * Update Windows.NTFS.MFT (#1698)
+  * Actually export HumanString attribute on OSPath (#1689)
+  * RHEL/CentOS/Fedora dnf packages (#1684)
+  * Implemented Human Readable OSPath method. (#1688)
+  * Added lazy MFT attributes (#1685)
+  * Maintain OSPath in mft artifacts (#1683)
+  * Fix bug in deaddisk remapping of directories. (#1682)
+  * Bugfix: startup bugs (#1680)
+  * Updated SQLECmd artifacts (#1677)
+  * Artifact repository needs to watch for changes across nodes. (#1676)
+  * Update auto accessor to re-open file with ntfs if read failed (#1674)
+  * Fix MacOS.System.Plist artifact (#1673)
+  * Error collection based on VQL logs (#1672)
+  * Add memory limiting to offline collector (#1666)
+  * Allow mount overlays (#1664)
+  * build(deps): bump node-forge from 1.2.1 to 1.3.0 in /gui/velociraptor (#1661)
+  * Fixed bugs in remapping logic. (#1660)
+  * Fixed bug in the windows auto accessor. (#1658)
+  * Elastic.Events.Clients: synchronize parameters with Elastic.Flows.Upload (#1657)
+  * Add initial commit for Windows.NTFS.ExtendedAttributes (#1656)
+  * Added a shadow remapping type (#1655)
+  * Implemented an event notebook (#1654)
+  * Add Windows.System.WMIQuery (#1651)
+  * Fixed data race in progress throttler. (#1653)
+  * Implemented timeout and cpu limits on offline collector. (#1650)
+  * Added an rpm server command. (#1647)
+  * Artifacts can now define suggestions for notebook cells. (#1646)
+  * Allow multiple OIDC authenticators to be specified. (#1645)
+  * Added a multi authenticator. (#1644)
+  * Add HashHunter hash() update for performance (#1643)
+  * Change the DNSCache Artifact to WMI (#1640)
+  * Added an uploader for notebooks.  (#1639)
+  * Added hashselect arg option to hash() (#1637)
+  * Add Generic.Detection.HashHunter and tests (#1638)
+  * Added Generic.Collectors.SQLECmd (#1635)
+  * Add BinaryHunter (#1634)
+  * String artifact parameters can now have validator regex (#1628)
+  * Implemented CPU rate limited for better control (#1622)
+  * Added a client nanny to detect deadlocks (#1621)
+  * Linux.Sys.Services artifact, parse services from systemctl (#1619)
+  * Collect MAC addresses during interrogation and index them (#1611)
+  * Allow parse_ntfs() to operate on an image file. (#1610)
+  * Fix regression in VFSGetBuffer (#1605)
+  * Added rekey() VQL function (#1604)
+  * switch to uninstall string (#1603)
+  * freebsd /etc/rc.d/velociraptor service script (#1602)
+  * Add Windows.Registry.BackupRestore (#1601)
+  * Optimized NTFS code for better speed and added more fields to parse_mft (#1599)
+  * Update BinaryRename.yaml (#1598)
+  * Added LinuxM1 (#1597)
+  * Add explicit check of sticky keys (#1592)
+  * Remote data store should identify retryable errors (#1590)
+  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1588)
+  * Add test improvement clear system log (#18) (#1586)
+  * Modified Windows.Forensics.Prefetch to use VQL binary parser (#1585)
+  * add Windows.NTFS.ADSHunter first commit (#17) (#1583)
+  * Resolves Velocidex/velociraptor#1543 Create new VQL entropy() function (#1574)
+  * Remove C time and updating naming (#1546)
+  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1568)
+  * Update OSPath protocols to support slices. (#1575)
+  * Implement array slice notation in VQL and Server.Import.PreviousReleases (#1573)
+  * add rtf TemplateInjection to Windows.Detection.TemplateInjection  (#1572)
+  * Change accessors API to deal with OSPath objects directly.  (#1570)
+  * Bump follow-redirects from 1.14.4 to 1.14.8 in /gui/velociraptor (#1567)
+  * Added a deaddisk command to generate config (#1564)
+  * Fix bug in Windows.System.Services (#1565)
+  * Fixed glob expand braces order of operations. (#1560)
+  * Added an offset and raw_file accessors (#1559)
+  * Update CertUtil.yaml (#1558)
+  * remove users to include the system path (#1536)
+  * Implement remap() VQL function and remapping config (#1555)
+  * Make GitHub actions more flexible on Windows (#1549)
+  * Bump normalize-url from 4.5.0 to 4.5.1 in /gui/velociraptor (#1548)
+  * Fix typo (#1547)
+  * Refractor of accessors and path manipulations (#1545)
+  * Dns etw update (#1544)
+  * add PowershellProfile (#1542)
+  * Added dynamic pubsub attributes (#1540)
+  * Fix Windows.Applications.Chrome.History (#1539)
+  * windows.application to windows.applications merge. New firefox history artefact (#1534)
+  * Fixed race condition in zip accessor reference counting. (#1531)
+  * Added Windows.Persistence.SilentProcessExit (#1530)
+  * Add limitations section and lastwrite timestamp (#1529)
+  * Offline collector FetchBinary should respect the IsExecutable flag (#1528)
+  * update description, order by, and hidden keypath (#1527)
+  * add limitations section (#1520)
+  * Avoid holding index lock for too long. (#1519)
+  * re-introduce Windows.Collectors.File with deprecation note (#1516)
+  * add limitations to description and key path to query (#1514)
+  * Retry remote datastore connections (#1513)
+  * Write minion log files and autocert in its own dir.  (#1512)
+  * Synced KapeFiles artifacts (#1511)
+  * Added data retention server artifacts (#1510)
+  * Set an upper limit for ttl in memcache (#1508)
+  * Add updates to Windows.System.Services (#15) (#1509)
+  * Ensure collector container is properly closed when interrupted. (#1507)
+  * Continually rebuild the index at runtime. (#1506)
+  * Harder vacuum - directly move client task directories to the attic. (#1505)
+  * add limitation disclaimer (#1504)
+  * Reduce critial section to avoid deadlock in repository manager (#1503)
+  * Implemented a vacuum command to remove old tasks from client queues. (#1501)
+  * Better format profile metrics output. (#1495)
+  * Cap size of directories and report large directories. (#1493)
+  * Set ACE completers per editor to avoid global state. (#1492)
+  * Add HttpOnly flag to all cookies. (#1491)
+  * Refactor completion routine calls (#1490)
+  * Limit size of cached directories. (#1483)
+  * Add more instrumentation to memory caches. (#1482)
+  * Fixed chart resizing bug (#1481)
+  * Removed the old queries: list from artifacts. (#1480)
+  * [Snyk] Fix for 9 vulnerabilities (#1479)
+  * Remove lock around critical section. (#1478)
+  * Added MacOS.Forensics.AppleDoubleZip (#1476)
+  * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475)
+  * Make index snapshot frequency configurable (#1474)
+  * Bugfix: Setting notebook index did not escape username (#1471)
+  * Flush index from memory to disk  (#1470)
+  * Fixed 2 bugs with the memcache file store (#1469)
+  * Update flow active time when the result set is completed (#1468)
+  * Tag artifacts as built ins (#1467)
+  * Fixed bug in the pathspec() VQL function. (#1465)
+  * fix APIConfigLoader not applying command line args (#1463)
+
+-------------------------------------------------------------------
+Mon May 02 14:55:07 UTC 2022 - jeffm@suse.com
+
+- Resync with git repository:
+  * Add artifact to monitor user group updates (#24)
+  * Add dnssnoop plugin (#15)
+  * Log Sudo/root command by auditd
+  * Add custom artifacts for login and logout attempts recorded by auditd
+
 -------------------------------------------------------------------
 Fri Mar 18 14:12:59 UTC 2022 - jeffm@suse.com

--- a/velociraptor.obsinfo
+++ b/velociraptor.obsinfo
@ -1,4 +1,4 @@
 name: velociraptor
-version: 0.6.3~git19.640f7a1c
-mtime: 1647612684
-commit: 640f7a1c9256437f7824a897bdf7415be367dced
+version: 0.6.4~git17.cb7dfd49
+mtime: 1651674535
+commit: cb7dfd4978750bca1dc24e06c796adf5df5ca0e3
--- a/velociraptor.spec
+++ b/velociraptor.spec
@ -19,7 +19,7 @@
 %define vendor_version %{version}

 Name:           velociraptor
-Version:        0.6.3~git19.640f7a1c
+Version:        0.6.4~git17.cb7dfd49
 Release:        0
 Summary:	Endpoint visibility and collection tool

@ -37,6 +37,7 @@ Source7:        %{name}-client.config.placeholder
 Patch1:		velociraptor-golang-mage-vendoring.diff
 Patch2:		velociraptor-skip-git-submodule-import-for-OBS-build.patch
 Patch3:		velociraptor-makefile-add-bpf-rules-to-linux_bare.patch
+Patch4:		make-libbpfgo-vendorable.patch
 BuildRequires:  golang-packaging
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  systemd-devel
@ -65,7 +66,7 @@ For just the endpoint agent, please install the 'velociraptor-client' package.

 %package kafka-humio-gateway
 Summary: Gateway between Kafka and Humio for Velociraptor Artifacts
-Version: 0.6.3~git19.640f7a1c
+Version: 0.6.4~git17.cb7dfd49

 %description kafka-humio-gateway
 This tool is used to consume events generated by the Kafka Velociraptor plugin
@ -75,8 +76,8 @@ and post them to a Humio cluster.
 %setup -q -a 1 -a 2 -a 3 -n %{projname}-%{version}
 %autopatch -p1

-# The build process will do this too but it makes 'go mod vendor' easier
-rm -f third_party/libbpfgo/go.mod
+# Without this, the libbpfgo tests want to vendor the external version
+rm -rf third_party/libbpfgo/selftest third_party/libbpfgo/helpers/example_tracelisten_test.go

 # Set the version to something more specific than <next-tag>-dev
 sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go
@ -84,7 +85,7 @@ sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go
 # These just clutter the GUI and we don't have Windows clients
 # Note: There are dependencies on these that need to be resolved before
 # removing them outright.
-#rm -rf artifacts/definitions/Windows
+# rm -rf artifacts/definitions/Windows

 %build
 (cd gui/velociraptor ; npm run build)
--- a/vendor-golang-0.6.3~git19.640f7a1c.tar.xz
+++ b/vendor-golang-0.6.3~git19.640f7a1c.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:04ec5de7b319ed2a0eb6831aee6c71847b855a449d23a0471ff4f02b18e1bb93
-size 7702152
--- a/vendor-golang-0.6.4~git17.cb7dfd49.tar.xz
+++ b/vendor-golang-0.6.4~git17.cb7dfd49.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1267ce38995013e337ffc4c6665c79cdfc8423926e481b5daffdd76a98075899
+size 7833536
--- a/vendor-golang-kafka-humio-gateway-0.6.3~git19.640f7a1c.tar.xz
+++ b/vendor-golang-kafka-humio-gateway-0.6.3~git19.640f7a1c.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:999be178a6d63c91d238c3784225cdf05548ae15408118820de2dbe094f1a1f1
-size 454412
--- a/vendor-golang-kafka-humio-gateway-0.6.4~git17.cb7dfd49.tar.xz
+++ b/vendor-golang-kafka-humio-gateway-0.6.4~git17.cb7dfd49.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0e1c01277e2932113ee52e35bee303bf326e485b3d40fc857381a0225823e2a8
+size 454244
--- a/vendor-nodejs-0.6.3~git19.640f7a1c.tar.xz
+++ b/vendor-nodejs-0.6.3~git19.640f7a1c.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:63726f09061a557ebe25527a94bb485df27c119b235786686ed4232518ad9560
-size 56292444
--- a/vendor-nodejs-0.6.4~git17.cb7dfd49.tar.xz
+++ b/vendor-nodejs-0.6.4~git17.cb7dfd49.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:40af0767681c4b68ca31dfa2d0a9eb156c2e6e9995824f5ef93acfa60dc710d2
+size 37095216