From 62de5286f721b7ffc6d77d0fa638a0124a973cc31926c1d62e7aabac08c9bae4 Mon Sep 17 00:00:00 2001 
From: Jeff Mahoney Date: Wed, 7 Dec 2022 03:37:22 +0000 Subject: [PATCH] Accepting request 1040837 from home:jeff_mahoney:branches:security:sensor - Update to version 0.6.7.4~git41.678ed56: * rpm: introduce rpm vql plugin * users: extend DeleteUser testcase to ensure org membership was dropped * users: ensure baseline user state is correct * github: run testcases on Linux builds in new workflow * gui/reporting: update bluemonday dependency to latest * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() * SUSE: Add docker-compose environment * SUSE: add Docker files * clients/host-info.js: add MAC addresses to client dashboard * linux: Add ability to interrogate system and network configuration * Add Linux.Sys.Bash to Server.Monitor.Shell artifact * kafka-humio-gateway: add sample config file * Updating the NewFiles and ProcessStatuses Artifacts * cronsnoop: rework testcases to use t.TempDir * vql/linux/cronsnoop: Add cronsnoop() plugin * Extend audit artifacts to use new interface * audit: rearchitect plugin to scale better with multiple invocations * audit: use caller-allocated buffer * use github.com/jeffmahoney/go-libaudit/v2 for audit * Kafka.Events.Client: Update to use new artifactset type * Add artifact for chattrsnoop plugin * bpflib: ensure it's built only on linux and when requesting bpf * Add chattrsnoop plugin * Add artifact to monitor user group updates (#24) * vql/linux/dnssnoop: Add dnssnoop() plugin * Log Sudo/root command by auditd * Add custom artifacts for login and logout attempts recorded by auditd * Add tcpsnoop plugin * vql/linux/bpflib: add helper package for bpf plugins OBS-URL: https://build.opensuse.org/request/show/1040837 OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=25 --- _service | 6 +- _servicedata | 2 +- update-vendoring.sh | 7 +- velociraptor-0.6.4.2~git86.b5931f7.obscpio | 3 - velociraptor-0.6.7.4~git41.678ed56.obscpio | 3 + velociraptor-client.changes | 399 
++++++++++++++++++ velociraptor-client.spec | 8 +- ...makefile-add-bpf-rules-to-linux_bare.patch | 24 -- velociraptor.changes | 399 ++++++++++++++++++ velociraptor.obsinfo | 6 +- velociraptor.spec | 10 +- vendor-golang-0.6.4.2~git86.b5931f7.tar.xz | 3 - vendor-golang-0.6.7.4~git41.678ed56.tar.xz | 3 + ...humio-gateway-0.6.4.2~git86.b5931f7.tar.xz | 3 - ...humio-gateway-0.6.7.4~git41.678ed56.tar.xz | 3 + vendor-nodejs-0.6.4.2~git86.b5931f7.tar.xz | 3 - vendor-nodejs-0.6.7.4~git41.678ed56.tar.xz | 3 + 17 files changed, 827 insertions(+), 58 deletions(-) delete mode 100644 velociraptor-0.6.4.2~git86.b5931f7.obscpio create mode 100644 velociraptor-0.6.7.4~git41.678ed56.obscpio delete mode 100644 velociraptor-makefile-add-bpf-rules-to-linux_bare.patch delete mode 100644 vendor-golang-0.6.4.2~git86.b5931f7.tar.xz create mode 100644 vendor-golang-0.6.7.4~git41.678ed56.tar.xz delete mode 100644 vendor-golang-kafka-humio-gateway-0.6.4.2~git86.b5931f7.tar.xz create mode 100644 vendor-golang-kafka-humio-gateway-0.6.7.4~git41.678ed56.tar.xz delete mode 100644 vendor-nodejs-0.6.4.2~git86.b5931f7.tar.xz create mode 100644 vendor-nodejs-0.6.7.4~git41.678ed56.tar.xz diff --git a/_service b/_service index 81919d1..c3271fe 100644 --- a/_service +++ b/_service @@ -1,11 +1,11 @@ - https://github.com/SUSE/linux-security-sensor + https://github.com/jeffmahoney/linux-security-sensor velociraptor @PARENT_TAG@~git@TAG_OFFSET@.%h - sensor-base-0.6.4 + sensor-base-0.6.7 git - v0.6.4-2 + v0.6.7-4 v([0-9\.]*)-(.*) \1.\2 enable diff --git a/_servicedata b/_servicedata index 324938b..346585f 100644 --- a/_servicedata +++ b/_servicedata @@ -1,6 +1,6 @@ https://github.com/jeffmahoney/linux-security-sensor - 85b608e2da06a90d5e51ae39fe79adbdb8511a3f + 678ed562b0dc36217e5fc081936a57bc1e40be22 https://github.com/SUSE/linux-security-sensor b5931f73eb6c171a558d09d4ef8b3d4d7292d519 \ No newline at end of file diff --git a/update-vendoring.sh b/update-vendoring.sh index 6eb87cc..6a51842 100644 
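Review bot: The source URL on the first changed line of `_service` moves the package from the organisation repository `https://github.com/SUSE/linux-security-sensor` to a personal fork, `https://github.com/jeffmahoney/linux-security-sensor`, and the revision that follows it, `sensor-base-0.6.7`, reads as a branch name rather than an immutable ref, so what OBS checks out for a `security:` package can change without any change to this file. For a shipped security sensor that widens the set of accounts able to alter the built source to one personal GitHub account. I would either point the URL back at the organisation repository once the branch is merged, or pin the revision to the commit that `_servicedata` already records, `678ed562b0dc36217e5fc081936a57bc1e40be22`, so that a review of this request is a review of a fixed tree. The XML tags are stripped in this rendering, so which parameter each value belongs to is inferred from the `@PARENT_TAG@~git@TAG_OFFSET@.%h` version format and the resulting `0.6.7.4~git41.678ed56`.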
--- a/update-vendoring.sh +++ b/update-vendoring.sh @@ -33,7 +33,7 @@ cpio -D "${dir}" -id < velociraptor-${version}.obscpio echo "Running %prep" cd "${dir}/velociraptor-${version}" -tar Jxf ${topdir}/vmlinux.h-5.18.9-2-default.tar.xz +tar Jxf ${topdir}/vmlinux.h-5.14.21150400.22-150400-default.tar.xz sh ${dir}/setup.sh echo "Re-vendoring Go code..." @@ -50,13 +50,12 @@ replace_module() { rm -rf "vendor/${mod}" rel="$(echo $mod|tr A-Za-z0-9_- .|sed -e 's/\.\.\.*/../g')" ln -s "${rel}/${path}" "vendor/${mod}" + set -x ls -la vendor/${mod}/ + set +x } replace_module github.com/aquasecurity/libbpfgo third_party/libbpfgo -replace_module github.com/elastic/go-libaudit/v2 third_party/go-libaudit - -sh tar Jcf ${dir}/vendor-golang-${version}.tar.xz vendor cd "${dir}" diff --git a/velociraptor-0.6.4.2~git86.b5931f7.obscpio b/velociraptor-0.6.4.2~git86.b5931f7.obscpio deleted file mode 100644 index e6d017e..0000000 --- a/velociraptor-0.6.4.2~git86.b5931f7.obscpio +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:cdf58a89e754e17e9f4bd837d71dc744e08539581cce39fb06aedd3f9a4f0f19 -size 36331021 diff --git a/velociraptor-0.6.7.4~git41.678ed56.obscpio b/velociraptor-0.6.7.4~git41.678ed56.obscpio new file mode 100644 index 0000000..db61bd9 --- /dev/null +++ b/velociraptor-0.6.7.4~git41.678ed56.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1e6ccc02e8e3e223fb1db4ee8f432f29d6d0b8f4da8aecb5bb4eed0e5758c37d +size 127589902 diff --git a/velociraptor-client.changes b/velociraptor-client.changes index d3a0bfc..00fb877 100644 --- a/velociraptor-client.changes +++ b/velociraptor-client.changes 
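Review bot: The kernel-header tarball name on the changed `tar` line is a second copy of a version that `velociraptor-client.spec` already carries as `%define vmlinux_h_version 5.14.21150400.22-150400-default` and `Source4: vmlinux.h-%{vmlinux_h_version}.tar.xz`, and the two had already drifted (the removed line still said `5.18.9-2-default`), so the script's `%prep` replay was extracting a different `vmlinux.h` than the real build. I would hoist the string into one variable near the top of the script, `vmlinux_h_version=5.14.21150400.22-150400-default`, and write the step as `tar Jxf "${topdir}/vmlinux.h-${vmlinux_h_version}.tar.xz"`, which also quotes `${topdir}`; the following context line `sh ${dir}/setup.sh` is unquoted in the same way. A comment above it naming where the canonical value lives (`# keep in sync with %vmlinux_h_version in the spec files`) would make the next bump a two-place edit by intent rather than by accident. This hunk is a run of top-level statements whose variable definitions (`topdir`, `dir`, `version`) are outside the hunk.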
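Review bot: The `set -x` / `set +x` pair added around `ls -la vendor/${mod}/` in `replace_module()` looks like leftover debugging: it traces a single `ls` and then unconditionally switches xtrace off, which also silences a caller who ran the script with `bash -x`. If the listing is wanted in the log, `ls -la -- "vendor/${mod}/"` already prints it and both `set` lines can go; if the trace is deliberate, a comment saying why should accompany it. Dropping `replace_module github.com/elastic/go-libaudit/v2 third_party/go-libaudit` means the audit library is no longer taken from the tree's `third_party` copy but from whatever `go.mod` resolves, and the changelog entry `use github.com/jeffmahoney/go-libaudit/v2 for audit` suggests that is a personal fork; `go.mod` is not part of this patch, so I cannot confirm it pins a commit rather than a branch, which matters for a vendored tarball that is rebuilt from this script. The bare `sh` line removed alongside it appears to have been a stray invocation that would read commands from stdin, so that deletion is correct. `replace_module()` begins before the hunk.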
@@ -1,3 +1,402 @@ +------------------------------------------------------------------- +Wed Dec 07 02:49:56 UTC 2022 - jeffm@suse.com + +- Update to version 0.6.7.4~git41.678ed56: + * rpm: introduce rpm vql plugin + * users: extend DeleteUser testcase to ensure org membership was dropped + * users: ensure baseline user state is correct + * github: run testcases on Linux builds in new workflow + * gui/reporting: update bluemonday dependency to latest + * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() + * SUSE: Add docker-compose environment + * SUSE: add Docker files + * clients/host-info.js: add MAC addresses to client dashboard + * linux: Add ability to interrogate system and network configuration + * Add Linux.Sys.Bash to Server.Monitor.Shell artifact + * kafka-humio-gateway: add sample config file + * Updating the NewFiles and ProcessStatuses Artifacts + * cronsnoop: rework testcases to use t.TempDir + * vql/linux/cronsnoop: Add cronsnoop() plugin + * Extend audit artifacts to use new interface + * audit: rearchitect plugin to scale better with multiple invocations + * audit: use caller-allocated buffer + * use github.com/jeffmahoney/go-libaudit/v2 for audit + * Kafka.Events.Client: Update to use new artifactset type + * Add artifact for chattrsnoop plugin + * bpflib: ensure it's built only on linux and when requesting bpf + * Add chattrsnoop plugin + * Add artifact to monitor user group updates (#24) + * vql/linux/dnssnoop: Add dnssnoop() plugin + * Log Sudo/root command by auditd + * Add custom artifacts for login and logout attempts recorded by auditd + * Add tcpsnoop plugin + * vql/linux/bpflib: add helper package for bpf plugins + * libbpfgo: add submodule with forked repo for fully static builds + * Add Kafka-Humio Gateway [Depends on PR#10] (#8) + * Add a Kafka export plugin + * SUSE: Add SSHLogin artifacts + * SUSE: Do build tests on every pull request + * Add systemd-dev as build dependency for github workflow + * Update the 
Linux.Events.SSHLogin artifact to scan the systemd journal + * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal + * Add parser to read systemd journal on Linux + * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path + * linux: add lsattr() function to enumerate file attributes + * Github: Run build workflow on each pull request + * More fixes for Windows.System.VAD (#2317) (#2318) + * Bugfix: When org is not specified this JS code raised (#2315) (#2316) + +------------------------------------------------------------------- +Tue Dec 06 21:53:43 UTC 2022 - jeffm@suse.com + +- Update to version 0.6.7.3~git41.fa6afa7: + * rpm: introduce rpm vql plugin + * users: extend DeleteUser testcase to ensure org membership was dropped + * users: ensure baseline user state is correct + * github: run testcases on Linux builds + * gui/reporting: update bluemonday dependency to latest + * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() + * SUSE: Add docker-compose environment + * SUSE: add Docker files + * clients/host-info.js: add MAC addresses to client dashboard + * linux: Add ability to interrogate system and network configuration + * Add Linux.Sys.Bash to Server.Monitor.Shell artifact + * kafka-humio-gateway: add sample config file + * Updating the NewFiles and ProcessStatuses Artifacts + * cronsnoop: rework testcases to use t.TempDir + * vql/linux/cronsnoop: Add cronsnoop() plugin + * Extend audit artifacts to use new interface + * audit: rearchitect plugin to scale better with multiple invocations + * audit: use caller-allocated buffer + * use github.com/jeffmahoney/go-libaudit/v2 for audit + * Kafka.Events.Client: Update to use new artifactset type + * Add artifact for chattrsnoop plugin + * bpflib: ensure it's built only on linux and when requesting bpf + * Add chattrsnoop plugin + * Add artifact to monitor user group updates (#24) + * vql/linux/dnssnoop: Add dnssnoop() plugin + * Log Sudo/root command by auditd + * Add 
custom artifacts for login and logout attempts recorded by auditd + * Add tcpsnoop plugin + * vql/linux/bpflib: add helper package for bpf plugins + * libbpfgo: add submodule with forked repo for fully static builds + * Add Kafka-Humio Gateway [Depends on PR#10] (#8) + * Add a Kafka export plugin + * SUSE: Add SSHLogin artifacts + * SUSE: Do build tests on every pull request + * Add systemd-dev as build dependency for github workflow + * Update the Linux.Events.SSHLogin artifact to scan the systemd journal + * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal + * Add parser to read systemd journal on Linux + * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path + * linux: add lsattr() function to enumerate file attributes + * Github: Run build workflow on each pull request + * Bugfix: Do not materialize the VAD array in Windows.System.VAD (#2311) + * Sync to master's bugfixes (#2309) + * Prepare for 0.6.7-2 release (#2300) + * 0.6.7 sync (#2261) + * 0.6.7 sync3 (#2256) + * 0.6.7 sync (#2239) + * Prepare a 0.6.7-rc3 (#2217) + * Bugfix: sparse files were not properly detected. (#2200) (#2201) + * Propagate progress timeout for collections. (#2193) + * Verify client's key with or without the org id. (#2192) + * Add Windows.System.Shares (#2191) + * Allow artifacts to have aliases (#2190) + * Added a regex_array column type to allow multiple regex to be set. 
(#2188) + * [Snyk] Upgrade react-router-dom from 5.3.3 to 5.3.4 (#2180) + * Add 'UsedBy' column to results (#2186) + * Update flow and hunt download exports to use the container (#2185) + * Disable toolbar buttons when no options are available (#2183) + * Allow hunts to be scheduled on multiple orgs (#2182) + * Update WIndows PSList and VAD artifacts (#38) (#2181) + * Add in amcache (#2176) + * Added additional sources for UserAccessLogs (aka SUM) artifact (#2179) + * Fixed tests (#2177) + * [Snyk] Upgrade styled-components from 5.3.5 to 5.3.6 (#2174) + * Page Cell logs in notebook (#2172) + * Break client connection stats by org id (#2171) + * Added a remapping export to Windows.Registry.NTUser (#2170) + * Added tlsh hash (#2169) + * Check sparse files for large size before padding them out. (#2167) + * Linux and macOS Packet Capture Artifact Updates (#2168) + * Update deps (#2166) + * Add some suggested groks for parsing IIS logs (#2165) + * Refactor collection container (#2163) + * Implement transparent decryption for collector accessor (#2162) + * [Snyk] Upgrade ace-builds from 1.11.0 to 1.11.1 (#2161) + * Automatically decrypt collections with collector accessor (#2159) + * Fix css colors. (#2158) + * [Snyk] Upgrade ace-builds from 1.10.1 to 1.11.0 (#2156) + * Retry reads on EOF in NTFS accessor (#2157) + * Updated zip implementation to support crypto (#2155) + * Target 'Cmdline' instead of 'CommandLine' (#2154) + * Bugfix: Extra interpolation when client logs messages with % (#2152) + * Add 'Active' column to show whether or not a firewall rule is enabled. (#2150) + * Added test for encrypted offline collector. 
(#2149) + * Update parsing for Dock plist details (#2148) + * Implement filter for large artifact forms (#2147) + * Add Public Key Encryption Support to Offline Collections (#2133) + * Implemented a max memory grouper (#2146) + * Check if setgid flag is set (#2145) + * [Snyk] Upgrade react-overlays from 5.2.0 to 5.2.1 (#2144) + * Add context to yara.NTFS (#36) (#2143) + * Add `auth_redirect_template` config for handling unauthorized API calls (#2140) + * Allow the user to specify a collection as urgent (#2139) + * Fix typo, slightly improve translations (de,fr) (#2137) + * Add 'CronScripts' query/source and 'Length' option (#2138) + * Check sanity of inventory service for all orgs (#2136) + * Change 'filename' to 'file' for upload (#2135) + * Sync with latest NTFS changes. (#2134) + * [Snyk] Upgrade classnames from 2.3.1 to 2.3.2 (#2130) + * Added URLRegex to FireFox history (#2129) + * Link to collection in host shell (#2128) + * additional references (#2126) + * Sync to go-ntfs (#2125) + * Provide the option to expand sparse files in export (#2124) + * Bugfix: Process address space lockup under some conditions (#2123) + * Added URLRegex to Firefox and Chrome history (#2122) + * Add note about RecentApps key not being available after Windows 10, version 1803 (#2119) + * Expose the communicator's crypto manager (#2118) + * Further refactor of the download handler. (#2117) + * [Snyk] Upgrade ace-builds from 1.10.0 to 1.10.1 (#2114) + * Uploaded files are now shows with client paths (#2116) + * [Snyk] Upgrade recharts from 2.1.13 to 2.1.14 (#2115) + * Maintain row count per query. 
(#2113) + * Update Trackaccount.yaml (#2112) + * Clean up artifact references (#2111) + * Prevent null error when choosing to calculate hash and when providing authenticode information (#2109) + * Add Length option and re-arrange output (#2107) + * Bugfix: Merge file option should work with config show (#2108) + * Always write content to lock files (#2106) + * [Snyk] Upgrade ace-builds from 1.9.6 to 1.10.0 (#2102) + * Authentication configuration error reporting/validation (#2101) + * auth: don't return a base path with two leading slashes (#2100) + * Added org report in root org dashboard (#2098) + * [Snyk] Upgrade react-bootstrap from 1.6.5 to 1.6.6 (#2094) + * [Snyk] Upgrade humanize-duration from 3.27.2 to 3.27.3 (#2095) + * authenticode is a function and not a plug (#2092) + * Allow '+' in usernames (#2093) + * Attempt to decompress client messages if errors occur. (#2088) + * Pass org config to mutations in MemcacheFileDataStore (#2087) + * Support oauth with a different base path. (#2082) + * Allow client->server compression to be disabled (#2081) + * Keep track of collected results using collection status (#2075) + * Enforce a hard timeout for incoming processing (#2074) + * Expand API of user service to include context (#2071) + * When creating a new org pass the new org id to the acl function (#2068) + * Allow collect_client() etc to accept ArtifactSpec protobuf (#2067) + * Only create initial orgs on first run. (#2066) + * Bugfix: Do not start multiple communicators in windows service. 
(#2064) + * Added initial_orgs to the config (#2063) + * Bugfix- Server.Utils.DeleteClient over sanitized client id (#2061) + * Fixed backwards compatible bug (#2057) + * [Snyk] Upgrade ace-builds from 1.9.5 to 1.9.6 (#2055) + * Fixed CSS for column selector ui (#2053) + * Split server sanity checks into root org and other orgs (#2052) + * collect each query's status separately (#2049) + * Pass org ids in href parameters (#2047) + * Org manager maintains services lifetime (#2045) + * Added org_delete() function to remove orgs. (#2042) + * Updated themes for context menu (#2041) + * Made context menus settable in the config file (#2040) + * Added Send to CyberChef context menu on table cells. (#2039) + * [Snyk] Upgrade ace-builds from 1.9.3 to 1.9.5 (#2037) + * [Snyk] Upgrade ace-builds from 1.8.1 to 1.9.3 (#2033) + * Bugfix: watch_usn() was not flushing the mft LRU properly (#2032) + * Bugfix: Maintain field order in sysmon based tracker (#2030) + * Added regex protocols for int, float etc. (#2028) + * Refactor client monitoring API to use service (#2027) + * Bugfix: Switch GUI to first available org (#2025) + * Update Linux pslist() to use CommandLine column (#2024) + * Add embedded stager parse usecase (#34) (#2023) + * update to clean up null fields (#2020) + * Refactor code to propagate the context in more cases. (#2019) + * Bugix: Raw file accessor had different behaviour on Windows (#2018) + * Cater for unknown parents in process tracker. 
(#2015) + * Fix sense of multiple regexp in all() function (#2014) + * Added all() and any() VQL functions (#2013) + * Capitalize 'i' in config generation output (#2012) + * Fixed crash in api_client command (#2010) + * Update UserAccessLogs.yaml (#2009) + * Fixed bug in UserAccessLog artifact (#2008) + * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 (#2000) + * Collect domain role info on interrogate (#1998) + * Added new GUI column type for tree (#1997) + * Fixed CSS to make column selector more visible (#1996) + * Send a System.Upload.Completion event on server artifact upload (#1995) + * Refactor of oauth code (#1993) + * Added some helpful server artifacts (#1992) + * Bugfix: "rpm server" command did not produce minion packages (#1991) + * Add ability to delete monitoring events. (#1990) + * Allow notebook GUI to set notebooks to public. (#1989) + * Allow the user to change password in the GUI (#1988) + * Added a delay() VQL function (#1987) + * Fixed a crash when add_monitoring was called without parameters. (#1986) + * Allow hunt() to limit by OS condition (#1985) + * [Snyk] Upgrade ace-builds from 1.7.1 to 1.8.1 (#1984) + * Fix "last_visit_time" timestamp (#1983) + * Added Generic.System.ProcessSiblings (#1982) + * [Snyk] Upgrade bootstrap from 4.6.1 to 4.6.2 (#1979) + * General cleanup (#1977) + * Update BinaryRename.yaml (#1976) + * Support multi orgs in server-server communication (#1975) + * Inventory service should upload tools to global public directory (#1973) + * fixed path issue (#1972) + * Support REG_MULTI_SZ in raw registry accessor (#1969) + * fix: upgrade interactjs from 1.10.16 to 1.10.17 (#1968) + * Update prefetch library to fix bug (#1965) + * The "fs" accessor should also be org sensitive. 
(#1964) + * Added user_grant() VQL function (#1963) + * fix: upgrade interactjs from 1.10.14 to 1.10.16 (#1961) + * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1960) + * Several security related bugfixes. (#1962) + * Fixed bug in watch_evtx() (#1955) + * fix: upgrade ace-builds from 1.7.0 to 1.7.1 (#1952) + * Fixed visted_url typo (#1953) + * Added NewOrg artifact to make creating new orgs easier. (#1951) + * Fix broken deps due to snyke merge (#1950) + * build(deps): bump terser from 4.8.0 to 4.8.1 in /gui/velociraptor (#1946) + * fix: upgrade recharts from 2.1.11 to 2.1.12 (#1945) + * fix: upgrade @fortawesome/react-fontawesome from 0.1.18 to 0.2.0 (#1948) + * Added orgs() plugin and user management (#1949) + * fix: upgrade ace-builds from 1.6.1 to 1.7.0 (#1944) + * Add new embedded pe in data section parse (#1943) + * Refactor startup code (#1942) + * fix: upgrade qs from 6.10.4 to 6.11.0 (#1941) + * fix: upgrade recharts from 2.1.10 to 2.1.11 (#1939) + * fix: upgrade ace-builds from 1.6.0 to 1.6.1 (#1938) + * Added artifact Windows.Attack.IncorrectImagePath (#1927) + * Account for pid reuse in process tracker. (#1936) + * add precondition for only windows (#1935) + * Make ddclient service parameters configurable (#1933) + * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1930) + * fix: upgrade interactjs from 1.10.13 to 1.10.14 (#1918) + * replace YaraUrl type (#1922) + * Add other url yara fixes (#1921) + * Update Glob.yaml (#1920) + * Fixed bug in startup code. (#1919) + * Initial commit of multitenant support (#1917) + * Adds three Linux artifacts (#1916) + * Fixed a crash when using artifact plugin with tools (#1915) + * Added a collector accessor (#1912) + * fix: upgrade interactjs from 1.10.11 to 1.10.13 (#1909) + * fix: upgrade qs from 6.10.3 to 6.10.4 (#1910) + * Japanese translation (#1906) + * Fix spanish translations. 
(#1907) + * fix: upgrade react-overlays from 5.1.2 to 5.2.0 (#1904) + * Add Shimcache reformat (#1892) + * A couple of performance tweaks. (#1903) + * Fix Amcache artifact (#1902) + * Retry axios requests (#1901) + * Revert "fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899)" (#1900) + * fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899) + * Use the auto accessor as first level of VFS (#1898) + * Theme fixes (#1895) + * Added additional logging for windows client service (#1894) + * Theme updates (#1893) + * Prepare for release 0.6.5 (#1890) + * Bugfix: CPU limit was not properly enforced on endpoint. (#1889) + * fix: upgrade react-calendar-timeline from 0.27.0 to 0.28.0 (#1887) + * fix: upgrade ace-builds from 1.5.1 to 1.5.2 (#1888) + * Improve the Windows.Sys.StartupItems artifact (#1886) + * Fixed the --remap flag (#1883) + * Fixed bug in client_delete() (#1882) + * Added a delete_flow VQL plugin (#1880) + * Add fix for generic bin file payload (#1879) + * Bugfix: Notebook calculation did not update cell (#1878) + * fix: upgrade humanize-duration from 3.27.1 to 3.27.2 (#1877) + * Revised Portuguese translation (#1876) + * Update usn.go (#1873) + * Added French language (#1874) + * Updated german translation (#1875) + * Refactor artifact plugin to be more efficient. 
(#1871) + * Update de.js (#1870) + * fix: upgrade ace-builds from 1.5.0 to 1.5.1 (#1867) + * Refactor server artifacts service (#1868) + * Refactored notebook into a service (#1863) + * fix: upgrade react-router-dom from 5.3.2 to 5.3.3 (#1861) + * fix: upgrade recharts from 2.1.9 to 2.1.10 (#1862) + * Bugfix: raw registry accessor supports read_file() (#1859) + * Add LogHunter - a generic grep over log capability (#1853) + * Added a GUI element to easily filter log messages (#1858) + * Added an oidc-cognito authenticator (#1854) + * build(deps): bump tar from 6.0.5 to 6.1.11 in /gui/velociraptor (#1852) + * fix: upgrade react-router-dom from 5.3.1 to 5.3.2 (#1850) + * Fix ACE font handling (#1849) + * Format timestamps opportunistically. (#1848) + * Update cidr_contains() to return true if any of the ranges match. (#1847) + * Sync KapeFiles and SQLECmd artifacts (#1845) + * Prepare 0.6.5-rc1 release (#1844) + * Added a default process tracker (#1843) + * Implement log levels in VQL (#1839) + * Theme development checkpoint (#1838) + * fix: upgrade ace-builds from 1.4.14 to 1.5.0 (#1836) + * fix: upgrade react-bootstrap from 1.6.4 to 1.6.5 (#1837) + * Added an LRU VQL function (#1835) + * Bugfix: VFS viewer was unable to access files with \ in name (#1832) + * use group SID instead of name to get local admins (#1833) + * Added Portuguese and Spanish languages (#1831) + * fix: upgrade react-overlays from 5.1.1 to 5.1.2 (#1830) + * Make display timezone user selectable (#1827) + * Added Musl build target (#1826) + * Fix deadlock in hunt dispatcher (#1825) + * Theme tweaks (#1821) + * add groupname parameter to LocalAdmins artifact (#1823) + * Fix/activitescache glob expression - Timeline.yaml (#1824) + * Update TemplateInjection.yaml (#1820) + * Prevent text wrap on sidebar (#1819) + * Added some missing translations (#1817) + * Added Deutsch UI Language (#1816) + * Support UNC paths in windows accessors. 
(#1815) + * Add enrichment callback for process tracker (#1814) + * Prevent null FailureActions error (#1811) + * Make ACL manager pluggable. (#1813) + * Allow custom override for GUI artifacts by default (#1810) + * Refactored hunt related functions to use the hunt_dispatcher (#1807) + * artifactset: add ability to select named sources (#1809) + * UI enhancements (#1805) + * Refactor: Create user manager service (#1804) + * New themes and refactoring of existing CSS (#1801) + * Bugfix: Server monitoring queries were not correctly cancelled. (#1803) + * Add gunzip function (#1802) + * GUI: Artifact selector (#1790) + * Refactor and improve the way clients send query related information (#1800) + * fix: upgrade axios from 0.26.1 to 0.27.2 (#1798) + * Add Cobalt Strike carver sleep function capability (#1795) + * Bugfix: Create new buffer to accumulate VQL results (#1794) + * Make velociraptor_client executable in postint script (#1788) + * Support addition on dicts (#1785) + * fix: upgrade moment from 2.29.2 to 2.29.3 (#1782) + * fix: upgrade react-router-dom from 5.3.0 to 5.3.1 (#1783) + * Reset nanny when client connection failed. (#1780) + * Fix artifacts that use yara parameters to specify yara type (#1779) + * SysmonInstall artifact now skips install if not needed (#1777) + * Suppress warning message for offline collector (#1776) + * Bug fix (#1774) + * Avoid bash process lingering around while server is running (#1775) + * oidc: Fix typo: Genric -> Generic (#1773) + * Make MaxWait for event table settable. (#1772) + * Fixed bug in Windows.Detection.Yara.Process (#1771) + * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770) + * Initial implementation of client side process tracker. 
(#1768) + * Bugfix: Client did not update list of query columns (#1767) + * Fixed bug in ETWSessions artifact (#1766) + * build(deps): bump async from 2.6.3 to 2.6.4 in /gui/velociraptor (#1761) + * Add update to ADSHunter for better output on complete system hunts (#28) (#1765) + * Add fix for dupliate entries from flattern bug (#1760) + * build(deps): bump ejs from 3.1.6 to 3.1.7 in /gui/velociraptor (#1758) + * build(deps): bump cross-fetch from 3.1.3 to 3.1.5 in /gui/velociraptor (#1759) + * Fix undefined types in some artifact parameters (#1757) + * Update Glob.yaml (#1754) + * Bugfix: Unable to set cpu limits in hunt GUI (#1751) + * Support case insensitive notebook cell types (#1747) + * Fixed a bug in the Userassist artifact (#1746) + * Bugfix: Hunt stats were not properly incremented (#1744) + * Invalidate transformed cache when the base table changes. (#1742) + * GUI Table widgets now can apply transformations on the table. (#1740) + * Update FilenameSearch.yaml (#1741) + ------------------------------------------------------------------- Fri Nov 11 21:12:02 UTC 2022 - jeffm@suse.com diff --git a/velociraptor-client.spec b/velociraptor-client.spec index 185f00e..71c61b5 100644 --- a/velociraptor-client.spec +++ b/velociraptor-client.spec @@ -16,11 +16,11 @@ # %define projname velociraptor -%define vendor_version 0.6.4.2~git86.b5931f7 +%define vendor_version 0.6.7.4~git41.678ed56 %define vmlinux_h_version 5.14.21150400.22-150400-default Name: velociraptor-client -Version: 0.6.4.2~git86.b5931f7 +Version: 0.6.7.4~git41.678ed56 Release: 0 Summary: Endpoint visibility and collection tool (endpoint only) Group: System/Monitoring 
@@ -33,13 +33,11 @@ Source3: %{name}.config.placeholder Source4: vmlinux.h-%{vmlinux_h_version}.tar.xz Patch1: velociraptor-golang-mage-vendoring.diff Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch -Patch3: velociraptor-makefile-add-bpf-rules-to-linux_bare.patch Patch4: libbpfgo-i386.patch BuildRequires: golang-packaging BuildRequires: systemd-rpm-macros BuildRequires: systemd-devel -# We actually only require >= 1.17 -BuildRequires: golang(API) = 1.17 +BuildRequires: golang(API) >= 1.18 BuildRequires: fileb0x BuildRequires: mage %ifarch x86_64 diff --git a/velociraptor-makefile-add-bpf-rules-to-linux_bare.patch b/velociraptor-makefile-add-bpf-rules-to-linux_bare.patch deleted file mode 100644 index 84eb1fb..0000000 --- a/velociraptor-makefile-add-bpf-rules-to-linux_bare.patch +++ /dev/null @@ -1,24 +0,0 @@ -From: Jeff Mahoney -Subject: Makefile: add bpf rules to linux_bare - -The standalone client needs to have the vql implementation for bpf too - -Acked-by: Jeff Mahoney ---- - Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/Makefile -+++ b/Makefile -@@ -84,8 +84,8 @@ endif - - linux: $(BPF_MODULES) - $(GOFLAGS) go run make.go -v linux --linux_bare: -- go run make.go -v linuxBare -+linux_bare: $(BPF_MODULES) -+ $(GOFLAGS) go run make.go -v linuxBare - - freebsd: - go run make.go -v freebsd - diff --git a/velociraptor.changes b/velociraptor.changes index 7b03f0b..a201bef 100644 --- a/velociraptor.changes +++ b/velociraptor.changes 
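Review bot: `Patch3: velociraptor-makefile-add-bpf-rules-to-linux_bare.patch` is dropped here, but the `%prep` section that applied it is outside this hunk; if an explicit `%patch3` line remains there, rpmbuild fails on the undefined source, so please confirm the application line went with it (an `%autosetup`/`%autopatch` setup would not need the change). The bump to `BuildRequires: golang(API) >= 1.18` also removes the only comment explaining the floor (`# We actually only require >= 1.17`); a replacement such as `# minimum Go version for the vendored code as of 0.6.7.4` would keep the reason visible for the next bump. The diffstat lists `velociraptor.spec` with 10 changed lines but that hunk is not in this chunk, so I cannot check that the server package receives the same floor.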
@@ -1,3 +1,402 @@ +------------------------------------------------------------------- +Wed Dec 07 02:49:56 UTC 2022 - jeffm@suse.com + +- Update to version 0.6.7.4~git41.678ed56: + * rpm: introduce rpm vql plugin + * users: extend DeleteUser testcase to ensure org membership was dropped + * users: ensure baseline user state is correct + * github: run testcases on Linux builds in new workflow + * gui/reporting: update bluemonday dependency to latest + * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() + * SUSE: Add docker-compose environment + * SUSE: add Docker files + * clients/host-info.js: add MAC addresses to client dashboard + * linux: Add ability to interrogate system and network configuration + * Add Linux.Sys.Bash to Server.Monitor.Shell artifact + * kafka-humio-gateway: add sample config file + * Updating the NewFiles and ProcessStatuses Artifacts + * cronsnoop: rework testcases to use t.TempDir + * vql/linux/cronsnoop: Add cronsnoop() plugin + * Extend audit artifacts to use new interface + * audit: rearchitect plugin to scale better with multiple invocations + * audit: use caller-allocated buffer + * use github.com/jeffmahoney/go-libaudit/v2 for audit + * Kafka.Events.Client: Update to use new artifactset type + * Add artifact for chattrsnoop plugin + * bpflib: ensure it's built only on linux and when requesting bpf + * Add chattrsnoop plugin + * Add artifact to monitor user group updates (#24) + * vql/linux/dnssnoop: Add dnssnoop() plugin + * Log Sudo/root command by auditd + * Add custom artifacts for login and logout attempts recorded by auditd + * Add tcpsnoop plugin + * vql/linux/bpflib: add helper package for bpf plugins + * libbpfgo: add submodule with forked repo for fully static builds + * Add Kafka-Humio Gateway [Depends on PR#10] (#8) + * Add a Kafka export plugin + * SUSE: Add SSHLogin artifacts + * SUSE: Do build tests on every pull request + * Add systemd-dev as build dependency for github workflow + * Update the 
Linux.Events.SSHLogin artifact to scan the systemd journal + * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal + * Add parser to read systemd journal on Linux + * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path + * linux: add lsattr() function to enumerate file attributes + * Github: Run build workflow on each pull request + * More fixes for Windows.System.VAD (#2317) (#2318) + * Bugfix: When org is not specified this JS code raised (#2315) (#2316) + +------------------------------------------------------------------- +Tue Dec 06 21:53:43 UTC 2022 - jeffm@suse.com + +- Update to version 0.6.7.3~git41.fa6afa7: + * rpm: introduce rpm vql plugin + * users: extend DeleteUser testcase to ensure org membership was dropped + * users: ensure baseline user state is correct + * github: run testcases on Linux builds + * gui/reporting: update bluemonday dependency to latest + * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() + * SUSE: Add docker-compose environment + * SUSE: add Docker files + * clients/host-info.js: add MAC addresses to client dashboard + * linux: Add ability to interrogate system and network configuration + * Add Linux.Sys.Bash to Server.Monitor.Shell artifact + * kafka-humio-gateway: add sample config file + * Updating the NewFiles and ProcessStatuses Artifacts + * cronsnoop: rework testcases to use t.TempDir + * vql/linux/cronsnoop: Add cronsnoop() plugin + * Extend audit artifacts to use new interface + * audit: rearchitect plugin to scale better with multiple invocations + * audit: use caller-allocated buffer + * use github.com/jeffmahoney/go-libaudit/v2 for audit + * Kafka.Events.Client: Update to use new artifactset type + * Add artifact for chattrsnoop plugin + * bpflib: ensure it's built only on linux and when requesting bpf + * Add chattrsnoop plugin + * Add artifact to monitor user group updates (#24) + * vql/linux/dnssnoop: Add dnssnoop() plugin + * Log Sudo/root command by auditd + * Add 
custom artifacts for login and logout attempts recorded by auditd + * Add tcpsnoop plugin + * vql/linux/bpflib: add helper package for bpf plugins + * libbpfgo: add submodule with forked repo for fully static builds + * Add Kafka-Humio Gateway [Depends on PR#10] (#8) + * Add a Kafka export plugin + * SUSE: Add SSHLogin artifacts + * SUSE: Do build tests on every pull request + * Add systemd-dev as build dependency for github workflow + * Update the Linux.Events.SSHLogin artifact to scan the systemd journal + * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal + * Add parser to read systemd journal on Linux + * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path + * linux: add lsattr() function to enumerate file attributes + * Github: Run build workflow on each pull request + * Bugfix: Do not materialize the VAD array in Windows.System.VAD (#2311) + * Sync to master's bugfixes (#2309) + * Prepare for 0.6.7-2 release (#2300) + * 0.6.7 sync (#2261) + * 0.6.7 sync3 (#2256) + * 0.6.7 sync (#2239) + * Prepare a 0.6.7-rc3 (#2217) + * Bugfix: sparse files were not properly detected. (#2200) (#2201) + * Propagate progress timeout for collections. (#2193) + * Verify client's key with or without the org id. (#2192) + * Add Windows.System.Shares (#2191) + * Allow artifacts to have aliases (#2190) + * Added a regex_array column type to allow multiple regex to be set. 
(#2188) + * [Snyk] Upgrade react-router-dom from 5.3.3 to 5.3.4 (#2180) + * Add 'UsedBy' column to results (#2186) + * Update flow and hunt download exports to use the container (#2185) + * Disable toolbar buttons when no options are available (#2183) + * Allow hunts to be scheduled on multiple orgs (#2182) + * Update WIndows PSList and VAD artifacts (#38) (#2181) + * Add in amcache (#2176) + * Added additional sources for UserAccessLogs (aka SUM) artifact (#2179) + * Fixed tests (#2177) + * [Snyk] Upgrade styled-components from 5.3.5 to 5.3.6 (#2174) + * Page Cell logs in notebook (#2172) + * Break client connection stats by org id (#2171) + * Added a remapping export to Windows.Registry.NTUser (#2170) + * Added tlsh hash (#2169) + * Check sparse files for large size before padding them out. (#2167) + * Linux and macOS Packet Capture Artifact Updates (#2168) + * Update deps (#2166) + * Add some suggested groks for parsing IIS logs (#2165) + * Refactor collection container (#2163) + * Implement transparent decryption for collector accessor (#2162) + * [Snyk] Upgrade ace-builds from 1.11.0 to 1.11.1 (#2161) + * Automatically decrypt collections with collector accessor (#2159) + * Fix css colors. (#2158) + * [Snyk] Upgrade ace-builds from 1.10.1 to 1.11.0 (#2156) + * Retry reads on EOF in NTFS accessor (#2157) + * Updated zip implementation to support crypto (#2155) + * Target 'Cmdline' instead of 'CommandLine' (#2154) + * Bugfix: Extra interpolation when client logs messages with % (#2152) + * Add 'Active' column to show whether or not a firewall rule is enabled. (#2150) + * Added test for encrypted offline collector. 
(#2149) + * Update parsing for Dock plist details (#2148) + * Implement filter for large artifact forms (#2147) + * Add Public Key Encryption Support to Offline Collections (#2133) + * Implemented a max memory grouper (#2146) + * Check if setgid flag is set (#2145) + * [Snyk] Upgrade react-overlays from 5.2.0 to 5.2.1 (#2144) + * Add context to yara.NTFS (#36) (#2143) + * Add `auth_redirect_template` config for handling unauthorized API calls (#2140) + * Allow the user to specify a collection as urgent (#2139) + * Fix typo, slightly improve translations (de,fr) (#2137) + * Add 'CronScripts' query/source and 'Length' option (#2138) + * Check sanity of inventory service for all orgs (#2136) + * Change 'filename' to 'file' for upload (#2135) + * Sync with latest NTFS changes. (#2134) + * [Snyk] Upgrade classnames from 2.3.1 to 2.3.2 (#2130) + * Added URLRegex to FireFox history (#2129) + * Link to collection in host shell (#2128) + * additional references (#2126) + * Sync to go-ntfs (#2125) + * Provide the option to expand sparse files in export (#2124) + * Bugfix: Process address space lockup under some conditions (#2123) + * Added URLRegex to Firefox and Chrome history (#2122) + * Add note about RecentApps key not being available after Windows 10, version 1803 (#2119) + * Expose the communicator's crypto manager (#2118) + * Further refactor of the download handler. (#2117) + * [Snyk] Upgrade ace-builds from 1.10.0 to 1.10.1 (#2114) + * Uploaded files are now shows with client paths (#2116) + * [Snyk] Upgrade recharts from 2.1.13 to 2.1.14 (#2115) + * Maintain row count per query. 
(#2113) + * Update Trackaccount.yaml (#2112) + * Clean up artifact references (#2111) + * Prevent null error when choosing to calculate hash and when providing authenticode information (#2109) + * Add Length option and re-arrange output (#2107) + * Bugfix: Merge file option should work with config show (#2108) + * Always write content to lock files (#2106) + * [Snyk] Upgrade ace-builds from 1.9.6 to 1.10.0 (#2102) + * Authentication configuration error reporting/validation (#2101) + * auth: don't return a base path with two leading slashes (#2100) + * Added org report in root org dashboard (#2098) + * [Snyk] Upgrade react-bootstrap from 1.6.5 to 1.6.6 (#2094) + * [Snyk] Upgrade humanize-duration from 3.27.2 to 3.27.3 (#2095) + * authenticode is a function and not a plug (#2092) + * Allow '+' in usernames (#2093) + * Attempt to decompress client messages if errors occur. (#2088) + * Pass org config to mutations in MemcacheFileDataStore (#2087) + * Support oauth with a different base path. (#2082) + * Allow client->server compression to be disabled (#2081) + * Keep track of collected results using collection status (#2075) + * Enforce a hard timeout for incoming processing (#2074) + * Expand API of user service to include context (#2071) + * When creating a new org pass the new org id to the acl function (#2068) + * Allow collect_client() etc to accept ArtifactSpec protobuf (#2067) + * Only create initial orgs on first run. (#2066) + * Bugfix: Do not start multiple communicators in windows service. 
(#2064) + * Added initial_orgs to the config (#2063) + * Bugfix- Server.Utils.DeleteClient over sanitized client id (#2061) + * Fixed backwards compatible bug (#2057) + * [Snyk] Upgrade ace-builds from 1.9.5 to 1.9.6 (#2055) + * Fixed CSS for column selector ui (#2053) + * Split server sanity checks into root org and other orgs (#2052) + * collect each query's status separately (#2049) + * Pass org ids in href parameters (#2047) + * Org manager maintains services lifetime (#2045) + * Added org_delete() function to remove orgs. (#2042) + * Updated themes for context menu (#2041) + * Made context menus settable in the config file (#2040) + * Added Send to CyberChef context menu on table cells. (#2039) + * [Snyk] Upgrade ace-builds from 1.9.3 to 1.9.5 (#2037) + * [Snyk] Upgrade ace-builds from 1.8.1 to 1.9.3 (#2033) + * Bugfix: watch_usn() was not flushing the mft LRU properly (#2032) + * Bugfix: Maintain field order in sysmon based tracker (#2030) + * Added regex protocols for int, float etc. (#2028) + * Refactor client monitoring API to use service (#2027) + * Bugfix: Switch GUI to first available org (#2025) + * Update Linux pslist() to use CommandLine column (#2024) + * Add embedded stager parse usecase (#34) (#2023) + * update to clean up null fields (#2020) + * Refactor code to propagate the context in more cases. (#2019) + * Bugix: Raw file accessor had different behaviour on Windows (#2018) + * Cater for unknown parents in process tracker. 
(#2015) + * Fix sense of multiple regexp in all() function (#2014) + * Added all() and any() VQL functions (#2013) + * Capitalize 'i' in config generation output (#2012) + * Fixed crash in api_client command (#2010) + * Update UserAccessLogs.yaml (#2009) + * Fixed bug in UserAccessLog artifact (#2008) + * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 (#2000) + * Collect domain role info on interrogate (#1998) + * Added new GUI column type for tree (#1997) + * Fixed CSS to make column selector more visible (#1996) + * Send a System.Upload.Completion event on server artifact upload (#1995) + * Refactor of oauth code (#1993) + * Added some helpful server artifacts (#1992) + * Bugfix: "rpm server" command did not produce minion packages (#1991) + * Add ability to delete monitoring events. (#1990) + * Allow notebook GUI to set notebooks to public. (#1989) + * Allow the user to change password in the GUI (#1988) + * Added a delay() VQL function (#1987) + * Fixed a crash when add_monitoring was called without parameters. (#1986) + * Allow hunt() to limit by OS condition (#1985) + * [Snyk] Upgrade ace-builds from 1.7.1 to 1.8.1 (#1984) + * Fix "last_visit_time" timestamp (#1983) + * Added Generic.System.ProcessSiblings (#1982) + * [Snyk] Upgrade bootstrap from 4.6.1 to 4.6.2 (#1979) + * General cleanup (#1977) + * Update BinaryRename.yaml (#1976) + * Support multi orgs in server-server communication (#1975) + * Inventory service should upload tools to global public directory (#1973) + * fixed path issue (#1972) + * Support REG_MULTI_SZ in raw registry accessor (#1969) + * fix: upgrade interactjs from 1.10.16 to 1.10.17 (#1968) + * Update prefetch library to fix bug (#1965) + * The "fs" accessor should also be org sensitive. 
(#1964) + * Added user_grant() VQL function (#1963) + * fix: upgrade interactjs from 1.10.14 to 1.10.16 (#1961) + * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1960) + * Several security related bugfixes. (#1962) + * Fixed bug in watch_evtx() (#1955) + * fix: upgrade ace-builds from 1.7.0 to 1.7.1 (#1952) + * Fixed visted_url typo (#1953) + * Added NewOrg artifact to make creating new orgs easier. (#1951) + * Fix broken deps due to snyke merge (#1950) + * build(deps): bump terser from 4.8.0 to 4.8.1 in /gui/velociraptor (#1946) + * fix: upgrade recharts from 2.1.11 to 2.1.12 (#1945) + * fix: upgrade @fortawesome/react-fontawesome from 0.1.18 to 0.2.0 (#1948) + * Added orgs() plugin and user management (#1949) + * fix: upgrade ace-builds from 1.6.1 to 1.7.0 (#1944) + * Add new embedded pe in data section parse (#1943) + * Refactor startup code (#1942) + * fix: upgrade qs from 6.10.4 to 6.11.0 (#1941) + * fix: upgrade recharts from 2.1.10 to 2.1.11 (#1939) + * fix: upgrade ace-builds from 1.6.0 to 1.6.1 (#1938) + * Added artifact Windows.Attack.IncorrectImagePath (#1927) + * Account for pid reuse in process tracker. (#1936) + * add precondition for only windows (#1935) + * Make ddclient service parameters configurable (#1933) + * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1930) + * fix: upgrade interactjs from 1.10.13 to 1.10.14 (#1918) + * replace YaraUrl type (#1922) + * Add other url yara fixes (#1921) + * Update Glob.yaml (#1920) + * Fixed bug in startup code. (#1919) + * Initial commit of multitenant support (#1917) + * Adds three Linux artifacts (#1916) + * Fixed a crash when using artifact plugin with tools (#1915) + * Added a collector accessor (#1912) + * fix: upgrade interactjs from 1.10.11 to 1.10.13 (#1909) + * fix: upgrade qs from 6.10.3 to 6.10.4 (#1910) + * Japanese translation (#1906) + * Fix spanish translations. 
(#1907) + * fix: upgrade react-overlays from 5.1.2 to 5.2.0 (#1904) + * Add Shimcache reformat (#1892) + * A couple of performance tweaks. (#1903) + * Fix Amcache artifact (#1902) + * Retry axios requests (#1901) + * Revert "fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899)" (#1900) + * fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899) + * Use the auto accessor as first level of VFS (#1898) + * Theme fixes (#1895) + * Added additional logging for windows client service (#1894) + * Theme updates (#1893) + * Prepare for release 0.6.5 (#1890) + * Bugfix: CPU limit was not properly enforced on endpoint. (#1889) + * fix: upgrade react-calendar-timeline from 0.27.0 to 0.28.0 (#1887) + * fix: upgrade ace-builds from 1.5.1 to 1.5.2 (#1888) + * Improve the Windows.Sys.StartupItems artifact (#1886) + * Fixed the --remap flag (#1883) + * Fixed bug in client_delete() (#1882) + * Added a delete_flow VQL plugin (#1880) + * Add fix for generic bin file payload (#1879) + * Bugfix: Notebook calculation did not update cell (#1878) + * fix: upgrade humanize-duration from 3.27.1 to 3.27.2 (#1877) + * Revised Portuguese translation (#1876) + * Update usn.go (#1873) + * Added French language (#1874) + * Updated german translation (#1875) + * Refactor artifact plugin to be more efficient. 
(#1871) + * Update de.js (#1870) + * fix: upgrade ace-builds from 1.5.0 to 1.5.1 (#1867) + * Refactor server artifacts service (#1868) + * Refactored notebook into a service (#1863) + * fix: upgrade react-router-dom from 5.3.2 to 5.3.3 (#1861) + * fix: upgrade recharts from 2.1.9 to 2.1.10 (#1862) + * Bugfix: raw registry accessor supports read_file() (#1859) + * Add LogHunter - a generic grep over log capability (#1853) + * Added a GUI element to easily filter log messages (#1858) + * Added an oidc-cognito authenticator (#1854) + * build(deps): bump tar from 6.0.5 to 6.1.11 in /gui/velociraptor (#1852) + * fix: upgrade react-router-dom from 5.3.1 to 5.3.2 (#1850) + * Fix ACE font handling (#1849) + * Format timestamps opportunistically. (#1848) + * Update cidr_contains() to return true if any of the ranges match. (#1847) + * Sync KapeFiles and SQLECmd artifacts (#1845) + * Prepare 0.6.5-rc1 release (#1844) + * Added a default process tracker (#1843) + * Implement log levels in VQL (#1839) + * Theme development checkpoint (#1838) + * fix: upgrade ace-builds from 1.4.14 to 1.5.0 (#1836) + * fix: upgrade react-bootstrap from 1.6.4 to 1.6.5 (#1837) + * Added an LRU VQL function (#1835) + * Bugfix: VFS viewer was unable to access files with \ in name (#1832) + * use group SID instead of name to get local admins (#1833) + * Added Portuguese and Spanish languages (#1831) + * fix: upgrade react-overlays from 5.1.1 to 5.1.2 (#1830) + * Make display timezone user selectable (#1827) + * Added Musl build target (#1826) + * Fix deadlock in hunt dispatcher (#1825) + * Theme tweaks (#1821) + * add groupname parameter to LocalAdmins artifact (#1823) + * Fix/activitescache glob expression - Timeline.yaml (#1824) + * Update TemplateInjection.yaml (#1820) + * Prevent text wrap on sidebar (#1819) + * Added some missing translations (#1817) + * Added Deutsch UI Language (#1816) + * Support UNC paths in windows accessors. 
(#1815) + * Add enrichment callback for process tracker (#1814) + * Prevent null FailureActions error (#1811) + * Make ACL manager pluggable. (#1813) + * Allow custom override for GUI artifacts by default (#1810) + * Refactored hunt related functions to use the hunt_dispatcher (#1807) + * artifactset: add ability to select named sources (#1809) + * UI enhancements (#1805) + * Refactor: Create user manager service (#1804) + * New themes and refactoring of existing CSS (#1801) + * Bugfix: Server monitoring queries were not correctly cancelled. (#1803) + * Add gunzip function (#1802) + * GUI: Artifact selector (#1790) + * Refactor and improve the way clients send query related information (#1800) + * fix: upgrade axios from 0.26.1 to 0.27.2 (#1798) + * Add Cobalt Strike carver sleep function capability (#1795) + * Bugfix: Create new buffer to accumulate VQL results (#1794) + * Make velociraptor_client executable in postint script (#1788) + * Support addition on dicts (#1785) + * fix: upgrade moment from 2.29.2 to 2.29.3 (#1782) + * fix: upgrade react-router-dom from 5.3.0 to 5.3.1 (#1783) + * Reset nanny when client connection failed. (#1780) + * Fix artifacts that use yara parameters to specify yara type (#1779) + * SysmonInstall artifact now skips install if not needed (#1777) + * Suppress warning message for offline collector (#1776) + * Bug fix (#1774) + * Avoid bash process lingering around while server is running (#1775) + * oidc: Fix typo: Genric -> Generic (#1773) + * Make MaxWait for event table settable. (#1772) + * Fixed bug in Windows.Detection.Yara.Process (#1771) + * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770) + * Initial implementation of client side process tracker. 
(#1768)
+ * Bugfix: Client did not update list of query columns (#1767)
+ * Fixed bug in ETWSessions artifact (#1766)
+ * build(deps): bump async from 2.6.3 to 2.6.4 in /gui/velociraptor (#1761)
+ * Add update to ADSHunter for better output on complete system hunts (#28) (#1765)
+ * Add fix for dupliate entries from flattern bug (#1760)
+ * build(deps): bump ejs from 3.1.6 to 3.1.7 in /gui/velociraptor (#1758)
+ * build(deps): bump cross-fetch from 3.1.3 to 3.1.5 in /gui/velociraptor (#1759)
+ * Fix undefined types in some artifact parameters (#1757)
+ * Update Glob.yaml (#1754)
+ * Bugfix: Unable to set cpu limits in hunt GUI (#1751)
+ * Support case insensitive notebook cell types (#1747)
+ * Fixed a bug in the Userassist artifact (#1746)
+ * Bugfix: Hunt stats were not properly incremented (#1744)
+ * Invalidate transformed cache when the base table changes. (#1742)
+ * GUI Table widgets now can apply transformations on the table. (#1740)
+ * Update FilenameSearch.yaml (#1741)
+
 -------------------------------------------------------------------
 Fri Nov 11 21:12:02 UTC 2022 - jeffm@suse.com
diff --git a/velociraptor.obsinfo b/velociraptor.obsinfo
index 8d3a649..cf44d45 100644
--- a/velociraptor.obsinfo
+++ b/velociraptor.obsinfo
@@ -1,4 +1,4 @@
 name: velociraptor
-version: 0.6.4.2~git86.b5931f7
-mtime: 1668201110
-commit: b5931f73eb6c171a558d09d4ef8b3d4d7292d519
+version: 0.6.7.4~git41.678ed56
+mtime: 1670380876
+commit: 678ed562b0dc36217e5fc081936a57bc1e40be22
diff --git a/velociraptor.spec b/velociraptor.spec
index ecb9396..290f7df 100644
--- a/velociraptor.spec
+++ b/velociraptor.spec
@@ -16,11 +16,11 @@
 #
 %define projname velociraptor
-%define vendor_version 0.6.4.2~git86.b5931f7
+%define vendor_version 0.6.7.4~git41.678ed56
 %define vmlinux_h_version 5.14.21150400.22-150400-default
 Name: velociraptor
-Version: 0.6.4.2~git86.b5931f7
+Version: 0.6.7.4~git41.678ed56
 Release: 0
 Summary: Endpoint visibility and collection tool
 Group: System/Monitoring
@@ -37,13 +37,11 @@ Source7: %{name}-client.config.placeholder
 Source8: vmlinux.h-%{vmlinux_h_version}.tar.xz
 Patch1: velociraptor-golang-mage-vendoring.diff
 Patch2: velociraptor-skip-git-submodule-import-for-OBS-build.patch
-Patch3: velociraptor-makefile-add-bpf-rules-to-linux_bare.patch
 Patch4: libbpfgo-i386.patch
 BuildRequires: golang-packaging
 BuildRequires: systemd-rpm-macros
 BuildRequires: systemd-devel
-# We actually only require >= 1.17
-BuildRequires: golang(API) = 1.17
+BuildRequires: golang(API) >= 1.18
 BuildRequires: fileb0x
 BuildRequires: mage
 %ifarch x86_64
@@ -71,7 +69,7 @@ For just the endpoint agent, please install the 'velociraptor-client' package.
 %package kafka-humio-gateway
 Summary: Gateway between Kafka and Humio for Velociraptor Artifacts
-Version: 0.6.4.2~git86.b5931f7
+Version: 0.6.7.4~git41.678ed56
 %description kafka-humio-gateway
 This tool is used to consume events generated by the Kafka Velociraptor plugin
diff --git a/vendor-golang-0.6.4.2~git86.b5931f7.tar.xz b/vendor-golang-0.6.4.2~git86.b5931f7.tar.xz
deleted file mode 100644
index 2e6a6bc..0000000
--- a/vendor-golang-0.6.4.2~git86.b5931f7.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5658ece191a8d0ab5c0d9e558d756ab688eb7faf8544441e5baf37d55ac9fbf1
-size 7824160
diff --git a/vendor-golang-0.6.7.4~git41.678ed56.tar.xz b/vendor-golang-0.6.7.4~git41.678ed56.tar.xz
new file mode 100644
index 0000000..a18aba0
--- /dev/null
+++ b/vendor-golang-0.6.7.4~git41.678ed56.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d0e93278e02bdcba1d6f81dc318ae07131c1f8492dc5db7340ddd8f3841d31f4
+size 27825180
diff --git a/vendor-golang-kafka-humio-gateway-0.6.4.2~git86.b5931f7.tar.xz b/vendor-golang-kafka-humio-gateway-0.6.4.2~git86.b5931f7.tar.xz
deleted file mode 100644
index d5c9527..0000000
--- a/vendor-golang-kafka-humio-gateway-0.6.4.2~git86.b5931f7.tar.xz
+++ /dev/null
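Review bot: This hunk repeats the `Patch3:` removal and the `golang(API) >= 1.18` bump already made in velociraptor-client.spec, and in both specs the matching `%patch3` line in `%prep` must be dropped too unless `%autosetup` is used; `%prep` lies outside this hunk, so whether the build still parses cannot be judged from the diff. Maintaining identical Patch and BuildRequires lists in two specs by hand is the kind of coupling that drifts at the next version bump; a comment at the head of the list in each file, `# Keep patch list and BuildRequires in sync with velociraptor-client.spec`, would at least make the dependency explicit. If upstream now carries the linux_bare bpf Makefile rules (the likely reason Patch3 is obsolete, though the changelog does not say so directly), it is worth confirming that `Patch4: libbpfgo-i386.patch` still applies cleanly to the new source rather than being silently needed no more.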
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d32c165efeb3ace20edd14d308c0a4aacd441d0cfb29f8c3e74e5549781609e8
-size 454332
diff --git a/vendor-golang-kafka-humio-gateway-0.6.7.4~git41.678ed56.tar.xz b/vendor-golang-kafka-humio-gateway-0.6.7.4~git41.678ed56.tar.xz
new file mode 100644
index 0000000..6f8bdf4
--- /dev/null
+++ b/vendor-golang-kafka-humio-gateway-0.6.7.4~git41.678ed56.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73c425c59d06d58c64c5f0f45e4211f9d9f51e8e1e688e070ccf53a8eb9bbc6f
+size 454256
diff --git a/vendor-nodejs-0.6.4.2~git86.b5931f7.tar.xz b/vendor-nodejs-0.6.4.2~git86.b5931f7.tar.xz
deleted file mode 100644
index 880a2c1..0000000
--- a/vendor-nodejs-0.6.4.2~git86.b5931f7.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6a749b2c6b6e6544ed0a47e8aaf8df463e4a38a0dbc2233f0739a91e2de41c6d
-size 37506080
diff --git a/vendor-nodejs-0.6.7.4~git41.678ed56.tar.xz b/vendor-nodejs-0.6.7.4~git41.678ed56.tar.xz
new file mode 100644
index 0000000..a116a4b
--- /dev/null
+++ b/vendor-nodejs-0.6.7.4~git41.678ed56.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e8734e871d5df2ccfd120ab591ed195fcb2b111ee7cc41378e5c29b68c3e83cb
+size 37872364