diff --git a/_servicedata b/_servicedata
index c0e34d9..324938b 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,6 +1,6 @@
https://github.com/jeffmahoney/linux-security-sensor
- 45393b11957049ed841f559cf9f3b88dc5a588d9
+ 85b608e2da06a90d5e51ae39fe79adbdb8511a3f
https://github.com/SUSE/linux-security-sensor
- b7df81726e4a6c4cabad66b024bb5d2aeea885d6
\ No newline at end of file
+ b5931f73eb6c171a558d09d4ef8b3d4d7292d519
\ No newline at end of file
diff --git a/libbpfgo-i386.patch b/libbpfgo-i386.patch
new file mode 100644
index 0000000..b979a17
--- /dev/null
+++ b/libbpfgo-i386.patch
@@ -0,0 +1,15 @@
+---
+ third_party/libbpfgo/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/third_party/libbpfgo/Makefile
++++ b/third_party/libbpfgo/Makefile
+@@ -15,7 +15,7 @@ VAGRANT = vagrant
+ CLANG_FMT = clang-format
+
+ HOSTOS = $(shell uname)
+-ARCH ?= $(shell uname -m | sed 's/x86_64/amd64/g; s/aarch64/arm64/g')
++ARCH ?= $(shell uname -m | sed 's/x86_64/amd64/g; s/aarch64/arm64/g; s/i.86/386/g')
+
+ BTFFILE = /sys/kernel/btf/vmlinux
+ BPFTOOL = $(shell which bpftool || /bin/false)
diff --git a/make-libbpfgo-vendorable.patch b/make-libbpfgo-vendorable.patch
deleted file mode 100644
index e40bbc7..0000000
--- a/make-libbpfgo-vendorable.patch
+++ /dev/null
@@ -1,27 +0,0 @@
----
- third_party/libbpfgo/go.mod | 8 --------
- third_party/libbpfgo/libbpfgo.go | 2 +-
- 2 files changed, 1 insertion(+), 9 deletions(-)
-
---- a/third_party/libbpfgo/go.mod
-+++ /dev/null
-@@ -1,8 +0,0 @@
--module github.com/aquasecurity/libbpfgo
--
--go 1.16
--
--require (
-- github.com/stretchr/testify v1.7.0
-- golang.org/x/sys v0.0.0-20210514084401-e8d321eab015
--)
---- a/third_party/libbpfgo/libbpfgo.go
-+++ b/third_party/libbpfgo/libbpfgo.go
-@@ -87,7 +87,7 @@ import (
- "syscall"
- "unsafe"
-
-- "github.com/aquasecurity/libbpfgo/helpers"
-+ "www.velocidex.com/golang/velociraptor/third_party/libbpfgo/helpers"
- )
-
- const (
diff --git a/update-vendoring.sh b/update-vendoring.sh
index 709dd24..6eb87cc 100644
--- a/update-vendoring.sh
+++ b/update-vendoring.sh
@@ -33,14 +33,34 @@ cpio -D "${dir}" -id < velociraptor-${version}.obscpio
echo "Running %prep"
cd "${dir}/velociraptor-${version}"
+tar Jxf ${topdir}/vmlinux.h-5.18.9-2-default.tar.xz
sh ${dir}/setup.sh
echo "Re-vendoring Go code..."
gopathdir="$(mktemp -d /tmp/gopath.XXXXXXX)"
rm -rf vendor
export GOPATH="$gopathdir"
+
+
+# Vendoring doesn't get along with replaced modules, so symlink to those
go mod vendor
+replace_module() {
+ local mod=$1
+ local path=$2
+ rm -rf "vendor/${mod}"
+ rel="$(echo $mod|tr A-Za-z0-9_- .|sed -e 's/\.\.\.*/../g')"
+ ln -s "${rel}/${path}" "vendor/${mod}"
+ ls -la vendor/${mod}/
+}
+
+replace_module github.com/aquasecurity/libbpfgo third_party/libbpfgo
+replace_module github.com/elastic/go-libaudit/v2 third_party/go-libaudit
+
+sh
+
tar Jcf ${dir}/vendor-golang-${version}.tar.xz vendor
+cd "${dir}"
+mv vendor-golang-*${version}.tar.xz ${topdir}
cd "${dir}/velociraptor-${version}/contrib/kafka-humio-gateway"
rm -rf vendor
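Review bot: The bare `sh` on the line after the two replace_module calls drops the script into an interactive shell, so an unattended run (CI, cron, or a pipe) either blocks on stdin or silently consumes whatever follows; it reads as a debugging leftover and should be removed, or guarded as `${DEBUG_SHELL:+sh}` if the pause is intentional. Inside replace_module, `$mod` is unquoted in both the `echo $mod` pipeline and `ls -la vendor/${mod}/`, unlike the `rm` and `ln` lines; quote it as `rel="$(echo "$mod" | tr A-Za-z0-9_- . | sed -e 's/\.\.\.*/../g')"` and `ls -la "vendor/${mod}/"` for consistency. The tr/sed derivation of the relative path is not obvious on first read; a comment such as `# Turn every path component of $mod into "..", so the link resolves from vendor/<mod> back to the checkout root` would help. The tar at the end archives vendor with those symlinks kept as links, so the resulting tarball is presumably only usable when extracted inside a checkout that has third_party/ next to vendor/ — worth stating in the comment above `go mod vendor`.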
diff --git a/velociraptor-0.6.4.2~git70.b7df8172.obscpio b/velociraptor-0.6.4.2~git70.b7df8172.obscpio
deleted file mode 100644
index 73d02aa..0000000
--- a/velociraptor-0.6.4.2~git70.b7df8172.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6bb4ceb196d9dbcf6f05654e4e832e25aabcc8a5d9c59b1b488bc761db7cf77b
-size 36226061
diff --git a/velociraptor-0.6.4.2~git86.b5931f7.obscpio b/velociraptor-0.6.4.2~git86.b5931f7.obscpio
new file mode 100644
index 0000000..e6d017e
--- /dev/null
+++ b/velociraptor-0.6.4.2~git86.b5931f7.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdf58a89e754e17e9f4bd837d71dc744e08539581cce39fb06aedd3f9a4f0f19
+size 36331021
diff --git a/velociraptor-client.changes b/velociraptor-client.changes
index 75a1d70..82609cc 100644
--- a/velociraptor-client.changes
+++ b/velociraptor-client.changes
@@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Fri Nov 11 21:12:02 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git86.b5931f7:
+ * cleanup: go mod tidy
+- Fix vendoring of replaced modules.
+- Only require libtsan0 on x86_64
+- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist
+- Fix building of libbpfgo on i586
+
+-------------------------------------------------------------------
+Fri Nov 11 20:13:00 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git84.1b38fda:
+ * Clean up libbpfgo mess
+ * libbpfgo: use forked repo for fully static builds
+ * libbpfgo: sync to v0.4.4-libbpf-1.0.1
+ * contrib/kafka-humio-gateway: add new debug option for noisy events
+ * contrib/kafka-humio-gateway: backoff and retry for metadata
+ * vql/server/kafka: connect sarama logging to velociraptor logging
+ * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
+ * vql/server/kafka: set appropriate ClientID
+ * libbpfgo: add selftest to build so testcases work
+ * cronsnoop: rework testcases to use t.TempDir
+ * cronsnoop: move external dependencies to end of import list
+ * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
+
+-------------------------------------------------------------------
+Fri Nov 11 20:08:20 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git67.85b608e:
+ * clients/host-info.js: add MAC addresses to client dashboard
+ * linux: Add ability to interrogate system and network configuration
+ * SUSE: Add docker-compose environment
+ * SUSE: add Docker files
+ * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
+ * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
+ * kafka-humio-gateway: add sample config file
+ * Updating the NewFiles and ProcessStatuses Artifacts
+ * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
+ * third_party/go-libaudit: don't directly use unix.*
+ * Add Linux.Remediation.Quarantine artifact
+ * Extend audit artifacts to use new interface
+ * audit: rearchitect plugin to scale better with multiple invocations
+ * third_party/go-libaudit: move handling of receive buffer to caller
+ * third_party/go-libaudit: move buffer handling from netlink to audit
+ * third_party/go-libaudit: allow audit fd to be pollable
+ * third_party/go-libaudit: Add support for removing individual rules
+ * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
+ * third_party/go-libaudit: Report missing rules during deletion
+ * import go-libaudit as a third-party module
+ * quarantine: actually call the OS-specific artifact
+ * artifactset: add ability to select named sources
+ * GUI: Artifact selector (#1790)
+ * host-info: make quarantine UI more robust with non-Windows client hosts
+ * shell-viewer: default to Bash on non-Windows clients
+
-------------------------------------------------------------------
Thu Nov 10 15:22:27 UTC 2022 - jeffm@suse.com
diff --git a/velociraptor-client.spec b/velociraptor-client.spec
index bfb07bb..c96da5f 100644
--- a/velociraptor-client.spec
+++ b/velociraptor-client.spec
@@ -16,11 +16,11 @@
#
%define projname velociraptor
-%define vendor_version 0.6.4.2~git59.5ebb49db
+%define vendor_version 0.6.4.2~git86.b5931f7
%define vmlinux_h_version 5.18.9-2-default
Name: velociraptor-client
-Version: 0.6.4.2~git70.b7df8172
+Version: 0.6.4.2~git86.b5931f7
Release: 0
Summary: Endpoint visibility and collection tool (endpoint only)
Group: System/Monitoring
@@ -34,7 +34,7 @@ Source4: vmlinux.h-%{vmlinux_h_version}.tar.xz
Patch1: velociraptor-golang-mage-vendoring.diff
Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch
Patch3: velociraptor-makefile-add-bpf-rules-to-linux_bare.patch
-Patch4: make-libbpfgo-vendorable.patch
+Patch4: libbpfgo-i386.patch
BuildRequires: golang-packaging
BuildRequires: systemd-rpm-macros
BuildRequires: systemd-devel
@@ -42,11 +42,14 @@ BuildRequires: systemd-devel
BuildRequires: golang(API) = 1.17
BuildRequires: fileb0x
BuildRequires: mage
+%ifarch x86_64
BuildRequires: libtsan0
+%endif
BuildRequires: clang13
BuildRequires: llvm13
BuildRequires: bpftool
BuildRequires: libelf-devel
+BuildRequires: zlib-devel-static
Conflicts: velociraptor
%description
@@ -65,15 +68,16 @@ install the 'velociraptor' package.
%setup -q -a 1 -a 4 -n %{projname}-%{version}
%autopatch -p1
-# Without this, the libbpfgo tests want to vendor the external version
-rm -rf third_party/libbpfgo/selftest third_party/libbpfgo/helpers/example_tracelisten_test.go
-
# Set the version to something more specific than -dev
sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go
mkdir -p third_party/libbpfgo/output
-cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \
- third_party/libbpfgo/output/vmlinux.h
+
+# Any release more recent than SLE 15 SP3/Leap 15.3 will have this
+if ! test -e /sys/kernel/btf/vmlinux; then
+ cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \
+ third_party/libbpfgo/output/vmlinux.h
+fi
# These just clutter the GUI and we don't have Windows clients
# Note: There are dependencies on these that need to be resolved before
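Review bot: The new `if ! test -e /sys/kernel/btf/vmlinux` guard in %prep makes the build depend on the kernel of the build host rather than on the packaged sources: when the worker's kernel exposes BTF the shipped vmlinux-%{_arch}.h is skipped and the header presumably comes from the running kernel (the libbpfgo Makefile added in libbpfgo-i386.patch references /sys/kernel/btf/vmlinux and bpftool), so two workers with different kernels can produce different headers from the same spec. The identical hunk is in velociraptor.spec. If this is deliberate, a comment stating the trade-off would help, e.g. `# Prefer the build host's BTF when present; the tarball header is only a fallback for SLE 15 SP3/Leap 15.3 and older`; otherwise always copying the shipped header keeps the build reproducible across workers. Also verify that /sys is actually mounted in the OBS build chroot/VM, since if it is not the fallback branch is always taken and the guard is a no-op.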
diff --git a/velociraptor-skip-git-submodule-import-for-OBS-build.patch b/velociraptor-skip-git-submodule-import-for-OBS-build.patch
index fb1501d..f3a1a06 100644
--- a/velociraptor-skip-git-submodule-import-for-OBS-build.patch
+++ b/velociraptor-skip-git-submodule-import-for-OBS-build.patch
@@ -18,7 +18,6 @@ Signed-off-by: Jeff Mahoney
- $(GIT) submodule update --init --recursive $@
+# echo "INFO: updating submodule 'libbpfgo'"
+# $(GIT) submodule update --init --recursive $@
- # Fake that it's an internal module
- rm -f $@/go.mod
- sed -e 's;"github.com/aquasecurity;"www.velocidex.com/golang/velociraptor/third_party;' -i $@/libbpfgo.go
-
+
+ $(LIBBPF_LIB): $(LIBBPFGO_DIR)
+ make -C $(LIBBPFGO_DIR) libbpfgo-full-static
diff --git a/velociraptor.changes b/velociraptor.changes
index ae400cb..379db2b 100644
--- a/velociraptor.changes
+++ b/velociraptor.changes
@@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Fri Nov 11 21:12:02 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git86.b5931f7:
+ * cleanup: go mod tidy
+- Fix vendoring of replaced modules.
+- Only require libtsan0 on x86_64
+- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist
+- Fix building of libbpfgo on i586
+
+-------------------------------------------------------------------
+Fri Nov 11 20:13:00 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git84.1b38fda:
+ * Clean up libbpfgo mess
+ * libbpfgo: use forked repo for fully static builds
+ * libbpfgo: sync to v0.4.4-libbpf-1.0.1
+ * contrib/kafka-humio-gateway: add new debug option for noisy events
+ * contrib/kafka-humio-gateway: backoff and retry for metadata
+ * vql/server/kafka: connect sarama logging to velociraptor logging
+ * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
+ * vql/server/kafka: set appropriate ClientID
+ * libbpfgo: add selftest to build so testcases work
+ * cronsnoop: rework testcases to use t.TempDir
+ * cronsnoop: move external dependencies to end of import list
+ * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
+
+-------------------------------------------------------------------
+Fri Nov 11 20:08:20 UTC 2022 - jeffm@suse.com
+
+- Update to version 0.6.4.2~git67.85b608e:
+ * clients/host-info.js: add MAC addresses to client dashboard
+ * linux: Add ability to interrogate system and network configuration
+ * SUSE: Add docker-compose environment
+ * SUSE: add Docker files
+ * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
+ * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
+ * kafka-humio-gateway: add sample config file
+ * Updating the NewFiles and ProcessStatuses Artifacts
+ * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
+ * third_party/go-libaudit: don't directly use unix.*
+ * Add Linux.Remediation.Quarantine artifact
+ * Extend audit artifacts to use new interface
+ * audit: rearchitect plugin to scale better with multiple invocations
+ * third_party/go-libaudit: move handling of receive buffer to caller
+ * third_party/go-libaudit: move buffer handling from netlink to audit
+ * third_party/go-libaudit: allow audit fd to be pollable
+ * third_party/go-libaudit: Add support for removing individual rules
+ * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
+ * third_party/go-libaudit: Report missing rules during deletion
+ * import go-libaudit as a third-party module
+ * quarantine: actually call the OS-specific artifact
+ * artifactset: add ability to select named sources
+ * GUI: Artifact selector (#1790)
+ * host-info: make quarantine UI more robust with non-Windows client hosts
+ * shell-viewer: default to Bash on non-Windows clients
+
-------------------------------------------------------------------
Thu Nov 10 15:22:27 UTC 2022 - jeffm@suse.com
diff --git a/velociraptor.obsinfo b/velociraptor.obsinfo
index 3ff8518..8d3a649 100644
--- a/velociraptor.obsinfo
+++ b/velociraptor.obsinfo
@@ -1,4 +1,4 @@
name: velociraptor
-version: 0.6.4.2~git70.b7df8172
-mtime: 1667239302
-commit: b7df81726e4a6c4cabad66b024bb5d2aeea885d6
+version: 0.6.4.2~git86.b5931f7
+mtime: 1668201110
+commit: b5931f73eb6c171a558d09d4ef8b3d4d7292d519
diff --git a/velociraptor.spec b/velociraptor.spec
index aab572a..0fd6d56 100644
--- a/velociraptor.spec
+++ b/velociraptor.spec
@@ -16,11 +16,11 @@
#
%define projname velociraptor
-%define vendor_version 0.6.4.2~git59.5ebb49db
+%define vendor_version 0.6.4.2~git86.b5931f7
%define vmlinux_h_version 5.18.9-2-default
Name: velociraptor
-Version: 0.6.4.2~git70.b7df8172
+Version: 0.6.4.2~git86.b5931f7
Release: 0
Summary: Endpoint visibility and collection tool
Group: System/Monitoring
@@ -38,7 +38,7 @@ Source8: vmlinux.h-%{vmlinux_h_version}.tar.xz
Patch1: velociraptor-golang-mage-vendoring.diff
Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch
Patch3: velociraptor-makefile-add-bpf-rules-to-linux_bare.patch
-Patch4: make-libbpfgo-vendorable.patch
+Patch4: libbpfgo-i386.patch
BuildRequires: golang-packaging
BuildRequires: systemd-rpm-macros
BuildRequires: systemd-devel
@@ -46,13 +46,16 @@ BuildRequires: systemd-devel
BuildRequires: golang(API) = 1.17
BuildRequires: fileb0x
BuildRequires: mage
+%ifarch x86_64
BuildRequires: libtsan0
-BuildRequires: nodejs16
-BuildRequires: npm16
+%endif
+BuildRequires: nodejs >= 16
+BuildRequires: npm >= 16
BuildRequires: clang13
BuildRequires: llvm13
BuildRequires: bpftool
BuildRequires: libelf-devel
+BuildRequires: zlib-devel-static
Conflicts: velociraptor-client
%description
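Review bot: `BuildRequires: nodejs >= 16` and `npm >= 16` replace the pinned nodejs16/npm16 packages with an open-ended lower bound, so whichever newer Node major the build root offers will be picked, while the GUI dependencies come from the vendor-nodejs tarball that was generated against one specific version; a Node major bump on the worker could break the vendored GUI build without any change to this spec. If the intent is only to stop hard-coding the package name, consider bounding the range, e.g. adding `BuildRequires: nodejs < 19` (constructed example, pick the tested upper bound), or at least a comment recording which Node version the vendored modules were generated with.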
@@ -68,7 +71,7 @@ For just the endpoint agent, please install the 'velociraptor-client' package.
%package kafka-humio-gateway
Summary: Gateway between Kafka and Humio for Velociraptor Artifacts
-Version: 0.6.4.2~git70.b7df8172
+Version: 0.6.4.2~git86.b5931f7
%description kafka-humio-gateway
This tool is used to consume events generated by the Kafka Velociraptor plugin
@@ -78,15 +81,16 @@ and post them to a Humio cluster.
%setup -q -a 1 -a 2 -a 3 -a 8 -n %{projname}-%{version}
%autopatch -p1
-# Without this, the libbpfgo tests want to vendor the external version
-rm -rf third_party/libbpfgo/selftest third_party/libbpfgo/helpers/example_tracelisten_test.go
-
# Set the version to something more specific than -dev
sed -ie "s/\(VERSION *= \).*/\1 \"%{version}\"/" constants/constants.go
mkdir -p third_party/libbpfgo/output
-cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \
- third_party/libbpfgo/output/vmlinux.h
+
+# Any release more recent than SLE 15 SP3/Leap 15.3 will have this
+if ! test -e /sys/kernel/btf/vmlinux; then
+ cp vmlinux.h-%{vmlinux_h_version}/vmlinux-%{_arch}.h \
+ third_party/libbpfgo/output/vmlinux.h
+fi
# These just clutter the GUI and we don't have Windows clients
# Note: There are dependencies on these that need to be resolved before
diff --git a/vendor-golang-0.6.4.2~git59.5ebb49db.tar.xz b/vendor-golang-0.6.4.2~git59.5ebb49db.tar.xz
deleted file mode 100644
index bfa1418..0000000
--- a/vendor-golang-0.6.4.2~git59.5ebb49db.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e8f77ac096b5e31cb4f2d3350f462ff02c4e6b20310f285456411fbe0d5bf1ec
-size 7869080
diff --git a/vendor-golang-0.6.4.2~git86.b5931f7.tar.xz b/vendor-golang-0.6.4.2~git86.b5931f7.tar.xz
new file mode 100644
index 0000000..2e6a6bc
--- /dev/null
+++ b/vendor-golang-0.6.4.2~git86.b5931f7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5658ece191a8d0ab5c0d9e558d756ab688eb7faf8544441e5baf37d55ac9fbf1
+size 7824160
diff --git a/vendor-golang-kafka-humio-gateway-0.6.4.2~git59.5ebb49db.tar.xz b/vendor-golang-kafka-humio-gateway-0.6.4.2~git59.5ebb49db.tar.xz
deleted file mode 100644
index 32dd08f..0000000
--- a/vendor-golang-kafka-humio-gateway-0.6.4.2~git59.5ebb49db.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fde72109a7f0de8aa2c413e60c5ede497bf4ced503ee8dc7b123f77ccc9c25ee
-size 454240
diff --git a/vendor-golang-kafka-humio-gateway-0.6.4.2~git86.b5931f7.tar.xz b/vendor-golang-kafka-humio-gateway-0.6.4.2~git86.b5931f7.tar.xz
new file mode 100644
index 0000000..d5c9527
--- /dev/null
+++ b/vendor-golang-kafka-humio-gateway-0.6.4.2~git86.b5931f7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d32c165efeb3ace20edd14d308c0a4aacd441d0cfb29f8c3e74e5549781609e8
+size 454332
diff --git a/vendor-nodejs-0.6.4.2~git59.5ebb49db.tar.xz b/vendor-nodejs-0.6.4.2~git59.5ebb49db.tar.xz
deleted file mode 100644
index c6b428a..0000000
--- a/vendor-nodejs-0.6.4.2~git59.5ebb49db.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:534aa7c32515bf54c823ada382c08ba01ec650e5b88258edc409cef3c5fddcf9
-size 37119140
diff --git a/vendor-nodejs-0.6.4.2~git86.b5931f7.tar.xz b/vendor-nodejs-0.6.4.2~git86.b5931f7.tar.xz
new file mode 100644
index 0000000..880a2c1
--- /dev/null
+++ b/vendor-nodejs-0.6.4.2~git86.b5931f7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6a749b2c6b6e6544ed0a47e8aaf8df463e4a38a0dbc2233f0739a91e2de41c6d
+size 37506080