Accepting request 1035327 from home:jeff_mahoney:security:sensor

- Update to version 0.6.4.2~git86.b5931f7:
  * cleanup: go mod tidy
- Fix vendoring of replaced modules.
- Only require libtsan0 on x86_64
- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist
- Fix building of libbpfgo on i586

- Update to version 0.6.4.2~git84.1b38fda:
  * Clean up libbpfgo mess
  * libbpfgo: use forked repo for fully static builds
  * libbpfgo: sync to v0.4.4-libbpf-1.0.1
  * contrib/kafka-humio-gateway: add new debug option for noisy events
  * contrib/kafka-humio-gateway: backoff and retry for metadata
  * vql/server/kafka: connect sarama logging to velociraptor logging
  * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
  * vql/server/kafka: set appropriate ClientID
  * libbpfgo: add selftest to build so testcases work
  * cronsnoop: rework testcases to use t.TempDir
  * cronsnoop: move external dependencies to end of import list
  * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()

- Update to version 0.6.4.2~git67.85b608e:
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
  * kafka-humio-gateway: add sample config file
  * Updating the NewFiles and ProcessStatuses Artifacts

OBS-URL: https://build.opensuse.org/request/show/1035327
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=22

_servicedata

@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/jeffmahoney/linux-security-sensor</param>
-              <param name="changesrevision">45393b11957049ed841f559cf9f3b88dc5a588d9</param></service><service name="tar_scm">
+              <param name="changesrevision">85b608e2da06a90d5e51ae39fe79adbdb8511a3f</param></service><service name="tar_scm">
                 <param name="url">https://github.com/SUSE/linux-security-sensor</param>
-              <param name="changesrevision">b7df81726e4a6c4cabad66b024bb5d2aeea885d6</param></service></servicedata>
+              <param name="changesrevision">b5931f73eb6c171a558d09d4ef8b3d4d7292d519</param></service></servicedata>

libbpfgo-i386.patch

@@ -0,0 +1,15 @@
+---
+ third_party/libbpfgo/Makefile |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/third_party/libbpfgo/Makefile
++++ b/third_party/libbpfgo/Makefile
+@@ -15,7 +15,7 @@ VAGRANT = vagrant
+ CLANG_FMT = clang-format
+ 
+ HOSTOS = $(shell uname)
+-ARCH ?= $(shell uname -m | sed 's/x86_64/amd64/g; s/aarch64/arm64/g')
++ARCH ?= $(shell uname -m | sed 's/x86_64/amd64/g; s/aarch64/arm64/g; s/i.86/386/g')
+ 
+ BTFFILE = /sys/kernel/btf/vmlinux
+ BPFTOOL = $(shell which bpftool || /bin/false)

make-libbpfgo-vendorable.patch

@@ -1,27 +0,0 @@
----
- third_party/libbpfgo/go.mod      |    8 --------
- third_party/libbpfgo/libbpfgo.go |    2 +-
- 2 files changed, 1 insertion(+), 9 deletions(-)
-
---- a/third_party/libbpfgo/go.mod
-+++ /dev/null
-@@ -1,8 +0,0 @@
--module github.com/aquasecurity/libbpfgo
--
--go 1.16
--
--require (
--	github.com/stretchr/testify v1.7.0
--	golang.org/x/sys v0.0.0-20210514084401-e8d321eab015
--)
---- a/third_party/libbpfgo/libbpfgo.go
-+++ b/third_party/libbpfgo/libbpfgo.go
-@@ -87,7 +87,7 @@ import (
- 	"syscall"
- 	"unsafe"
- 
--	"github.com/aquasecurity/libbpfgo/helpers"
-+	"www.velocidex.com/golang/velociraptor/third_party/libbpfgo/helpers"
- )
- 
- const (

update-vendoring.sh

@@ -33,14 +33,34 @@ cpio -D "${dir}" -id < velociraptor-${version}.obscpio
 
 echo "Running %prep"
 cd "${dir}/velociraptor-${version}"
+tar Jxf ${topdir}/vmlinux.h-5.18.9-2-default.tar.xz
 sh ${dir}/setup.sh
 
 echo "Re-vendoring Go code..."
 gopathdir="$(mktemp -d /tmp/gopath.XXXXXXX)"
 rm -rf vendor
 export GOPATH="$gopathdir"
+
+
+# Vendoring doesn't get along with replaced modules, so symlink to those
 go mod vendor
+replace_module() {
+	local mod=$1
+	local path=$2
+	rm -rf "vendor/${mod}"
+	rel="$(echo $mod|tr A-Za-z0-9_- .|sed -e 's/\.\.\.*/../g')"
+	ln -s "${rel}/${path}" "vendor/${mod}"
+	ls -la vendor/${mod}/
+}
+
+replace_module github.com/aquasecurity/libbpfgo third_party/libbpfgo
+replace_module github.com/elastic/go-libaudit/v2 third_party/go-libaudit
+
+sh
+
 tar Jcf ${dir}/vendor-golang-${version}.tar.xz vendor
+cd "${dir}"
+mv vendor-golang-*${version}.tar.xz ${topdir}
 
 cd "${dir}/velociraptor-${version}/contrib/kafka-humio-gateway"
 rm -rf vendor

velociraptor-0.6.4.2~git70.b7df8172.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6bb4ceb196d9dbcf6f05654e4e832e25aabcc8a5d9c59b1b488bc761db7cf77b
-size 36226061

velociraptor-0.6.4.2~git86.b5931f7.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdf58a89e754e17e9f4bd837d71dc744e08539581cce39fb06aedd3f9a4f0f19
+size 36331021

velociraptor-client.changes

@@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Fri Nov 11 21:12:02 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git86.b5931f7:
+  * cleanup: go mod tidy
+- Fix vendoring of replaced modules.
+- Only require libtsan0 on x86_64
+- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist
+- Fix building of libbpfgo on i586
+
+-------------------------------------------------------------------
+Fri Nov 11 20:13:00 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git84.1b38fda:
+  * Clean up libbpfgo mess
+  * libbpfgo: use forked repo for fully static builds
+  * libbpfgo: sync to v0.4.4-libbpf-1.0.1
+  * contrib/kafka-humio-gateway: add new debug option for noisy events
+  * contrib/kafka-humio-gateway: backoff and retry for metadata
+  * vql/server/kafka: connect sarama logging to velociraptor logging
+  * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
+  * vql/server/kafka: set appropriate ClientID
+  * libbpfgo: add selftest to build so testcases work
+  * cronsnoop: rework testcases to use t.TempDir
+  * cronsnoop: move external dependencies to end of import list
+  * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
+
+-------------------------------------------------------------------
+Fri Nov 11 20:08:20 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git67.85b608e:
+  * clients/host-info.js: add MAC addresses to client dashboard
+  * linux: Add ability to interrogate system and network configuration
+  * SUSE: Add docker-compose environment
+  * SUSE: add Docker files
+  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
+  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
+  * kafka-humio-gateway: add sample config file
+  * Updating the NewFiles and ProcessStatuses Artifacts
+  * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
+  * third_party/go-libaudit: don't directly use unix.*
+  * Add Linux.Remediation.Quarantine artifact
+  * Extend audit artifacts to use new interface
+  * audit: rearchitect plugin to scale better with multiple invocations
+  * third_party/go-libaudit: move handling of receive buffer to caller
+  * third_party/go-libaudit: move buffer handling from netlink to audit
+  * third_party/go-libaudit: allow audit fd to be pollable
+  * third_party/go-libaudit: Add support for removing individual rules
+  * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
+  * third_party/go-libaudit: Report missing rules during deletion
+  * import go-libaudit as a third-party module
+  * quarantine: actually call the OS-specific artifact
+  * artifactset: add ability to select named sources
+  * GUI: Artifact selector (#1790)
+  * host-info: make quarantine UI more robust with non-Windows client hosts
+  * shell-viewer: default to Bash on non-Windows clients
+
 -------------------------------------------------------------------
 Thu Nov 10 15:22:27 UTC 2022 - jeffm@suse.com
 

velociraptor-client.spec

@@ -16,11 +16,11 @@
 #
 
 %define projname velociraptor
-%define vendor_version 0.6.4.2~git59.5ebb49db
+%define vendor_version 0.6.4.2~git86.b5931f7
 %define vmlinux_h_version 5.18.9-2-default
 
 Name:           velociraptor-client
-Version:        0.6.4.2~git70.b7df8172
+Version:        0.6.4.2~git86.b5931f7
 Release:        0
 Summary:        Endpoint visibility and collection tool (endpoint only)
 Group:		System/Monitoring
@@ -34,7 +34,7 @@ Source4:	vmlinux.h-%{vmlinux_h_version}.tar.xz
 Patch1:         velociraptor-golang-mage-vendoring.diff
 Patch2:		velociraptor-skip-git-submodule-import-for-OBS-build.patch
 Patch3:		velociraptor-makefile-add-bpf-rules-to-linux_bare.patch
-Patch4:		make-libbpfgo-vendorable.patch
+Patch4:		libbpfgo-i386.patch
 BuildRequires:  golang-packaging
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  systemd-devel
@@ -42,11 +42,14 @@ BuildRequires:  systemd-devel
 BuildRequires:  golang(API) = 1.17
 BuildRequires:  fileb0x
 BuildRequires:  mage
+%ifarch x86_64
 BuildRequires:  libtsan0
+%endif
 BuildRequires:  clang13
 BuildRequires:  llvm13
 BuildRequires:  bpftool
 BuildRequires:	libelf-devel
+BuildRequires:	zlib-devel-static
 Conflicts:      velociraptor
 
 %description
@@ -65,15 +68,16 @@ install the 'velociraptor' package.
 %setup -q -a 1 -a 4 -n %{projname}-%{version}
 %autopatch -p1
 
-# Without this, the libbpfgo tests want to vendor the external version
-rm -rf third_party/libbpfgo/selftest third_party/libbpfgo/helpers/example_tracelisten_test.go
-
 # Set the version to something more specific than <next-tag>-dev
 sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go
 
 mkdir -p third_party/libbpfgo/output
-cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \
-   third_party/libbpfgo/output/vmlinux.h
+
+# Any release more recent than SLE 15 SP3/Leap 15.3 will have this
+if ! test -e /sys/kernel/btf/vmlinux; then
+	cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \
+	   third_party/libbpfgo/output/vmlinux.h
+fi
 
 # These just clutter the GUI and we don't have Windows clients
 # Note: There are dependencies on these that need to be resolved before

velociraptor-skip-git-submodule-import-for-OBS-build.patch

@@ -18,7 +18,6 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
 -	$(GIT) submodule update --init --recursive $@
 +#	echo "INFO: updating submodule 'libbpfgo'"
 +#	$(GIT) submodule update --init --recursive $@
- 	# Fake that it's an internal module
- 	rm -f $@/go.mod
- 	sed -e 's;"github.com/aquasecurity;"www.velocidex.com/golang/velociraptor/third_party;' -i $@/libbpfgo.go
-
+ 
+ $(LIBBPF_LIB): $(LIBBPFGO_DIR)
+ 	make -C $(LIBBPFGO_DIR) libbpfgo-full-static

velociraptor.changes

@@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Fri Nov 11 21:12:02 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git86.b5931f7:
+  * cleanup: go mod tidy
+- Fix vendoring of replaced modules.
+- Only require libtsan0 on x86_64
+- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist
+- Fix building of libbpfgo on i586
+
+-------------------------------------------------------------------
+Fri Nov 11 20:13:00 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git84.1b38fda:
+  * Clean up libbpfgo mess
+  * libbpfgo: use forked repo for fully static builds
+  * libbpfgo: sync to v0.4.4-libbpf-1.0.1
+  * contrib/kafka-humio-gateway: add new debug option for noisy events
+  * contrib/kafka-humio-gateway: backoff and retry for metadata
+  * vql/server/kafka: connect sarama logging to velociraptor logging
+  * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
+  * vql/server/kafka: set appropriate ClientID
+  * libbpfgo: add selftest to build so testcases work
+  * cronsnoop: rework testcases to use t.TempDir
+  * cronsnoop: move external dependencies to end of import list
+  * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
+
+-------------------------------------------------------------------
+Fri Nov 11 20:08:20 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git67.85b608e:
+  * clients/host-info.js: add MAC addresses to client dashboard
+  * linux: Add ability to interrogate system and network configuration
+  * SUSE: Add docker-compose environment
+  * SUSE: add Docker files
+  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
+  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
+  * kafka-humio-gateway: add sample config file
+  * Updating the NewFiles and ProcessStatuses Artifacts
+  * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
+  * third_party/go-libaudit: don't directly use unix.*
+  * Add Linux.Remediation.Quarantine artifact
+  * Extend audit artifacts to use new interface
+  * audit: rearchitect plugin to scale better with multiple invocations
+  * third_party/go-libaudit: move handling of receive buffer to caller
+  * third_party/go-libaudit: move buffer handling from netlink to audit
+  * third_party/go-libaudit: allow audit fd to be pollable
+  * third_party/go-libaudit: Add support for removing individual rules
+  * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
+  * third_party/go-libaudit: Report missing rules during deletion
+  * import go-libaudit as a third-party module
+  * quarantine: actually call the OS-specific artifact
+  * artifactset: add ability to select named sources
+  * GUI: Artifact selector (#1790)
+  * host-info: make quarantine UI more robust with non-Windows client hosts
+  * shell-viewer: default to Bash on non-Windows clients
+
 -------------------------------------------------------------------
 Thu Nov 10 15:22:27 UTC 2022 - jeffm@suse.com
 

velociraptor.obsinfo

@@ -1,4 +1,4 @@
 name: velociraptor
-version: 0.6.4.2~git70.b7df8172
-mtime: 1667239302
-commit: b7df81726e4a6c4cabad66b024bb5d2aeea885d6
+version: 0.6.4.2~git86.b5931f7
+mtime: 1668201110
+commit: b5931f73eb6c171a558d09d4ef8b3d4d7292d519

velociraptor.spec

@@ -16,11 +16,11 @@
 #
 
 %define projname velociraptor
-%define vendor_version 0.6.4.2~git59.5ebb49db
+%define vendor_version 0.6.4.2~git86.b5931f7
 %define vmlinux_h_version 5.18.9-2-default
 
 Name:           velociraptor
-Version:        0.6.4.2~git70.b7df8172
+Version:        0.6.4.2~git86.b5931f7
 Release:        0
 Summary:	Endpoint visibility and collection tool
 Group:		System/Monitoring
@@ -38,7 +38,7 @@ Source8:	vmlinux.h-%{vmlinux_h_version}.tar.xz
 Patch1:		velociraptor-golang-mage-vendoring.diff
 Patch2:		velociraptor-skip-git-submodule-import-for-OBS-build.patch
 Patch3:		velociraptor-makefile-add-bpf-rules-to-linux_bare.patch
-Patch4:		make-libbpfgo-vendorable.patch
+Patch4:		libbpfgo-i386.patch
 BuildRequires:  golang-packaging
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  systemd-devel
@@ -46,13 +46,16 @@ BuildRequires:  systemd-devel
 BuildRequires:  golang(API) = 1.17
 BuildRequires:	fileb0x
 BuildRequires:	mage
+%ifarch x86_64
 BuildRequires:	libtsan0
-BuildRequires:	nodejs16
-BuildRequires:	npm16
+%endif
+BuildRequires:	nodejs >= 16
+BuildRequires:	npm >= 16
 BuildRequires:  clang13
 BuildRequires:  llvm13
 BuildRequires:  bpftool
 BuildRequires:	libelf-devel
+BuildRequires:	zlib-devel-static
 Conflicts:	velociraptor-client
 
 %description
@@ -68,7 +71,7 @@ For just the endpoint agent, please install the 'velociraptor-client' package.
 
 %package kafka-humio-gateway
 Summary: Gateway between Kafka and Humio for Velociraptor Artifacts
-Version: 0.6.4.2~git70.b7df8172
+Version: 0.6.4.2~git86.b5931f7
 
 %description kafka-humio-gateway
 This tool is used to consume events generated by the Kafka Velociraptor plugin
@@ -78,15 +81,16 @@ and post them to a Humio cluster.
 %setup -q -a 1 -a 2 -a 3 -a 8 -n %{projname}-%{version}
 %autopatch -p1
 
-# Without this, the libbpfgo tests want to vendor the external version
-rm -rf third_party/libbpfgo/selftest third_party/libbpfgo/helpers/example_tracelisten_test.go
-
 # Set the version to something more specific than <next-tag>-dev
 sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go
 
 mkdir -p third_party/libbpfgo/output
-cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \
-   third_party/libbpfgo/output/vmlinux.h
+
+# Any release more recent than SLE 15 SP3/Leap 15.3 will have this
+if ! test -e /sys/kernel/btf/vmlinux; then
+	cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \
+	   third_party/libbpfgo/output/vmlinux.h
+fi
 
 # These just clutter the GUI and we don't have Windows clients
 # Note: There are dependencies on these that need to be resolved before

vendor-golang-0.6.4.2~git59.5ebb49db.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e8f77ac096b5e31cb4f2d3350f462ff02c4e6b20310f285456411fbe0d5bf1ec
-size 7869080

vendor-golang-0.6.4.2~git86.b5931f7.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5658ece191a8d0ab5c0d9e558d756ab688eb7faf8544441e5baf37d55ac9fbf1
+size 7824160

vendor-golang-kafka-humio-gateway-0.6.4.2~git59.5ebb49db.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fde72109a7f0de8aa2c413e60c5ede497bf4ced503ee8dc7b123f77ccc9c25ee
-size 454240

vendor-golang-kafka-humio-gateway-0.6.4.2~git86.b5931f7.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d32c165efeb3ace20edd14d308c0a4aacd441d0cfb29f8c3e74e5549781609e8
+size 454332

vendor-nodejs-0.6.4.2~git59.5ebb49db.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:534aa7c32515bf54c823ada382c08ba01ec650e5b88258edc409cef3c5fddcf9
-size 37119140

vendor-nodejs-0.6.4.2~git86.b5931f7.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6a749b2c6b6e6544ed0a47e8aaf8df463e4a38a0dbc2233f0739a91e2de41c6d
+size 37506080