- Update to version 0.7.0.4.git66.eea7659:
* dnssnoop: fix loading protocol from ip header on s390
* dnssnoop: fix htons() so it works on s390 too
* Fix systemd Services artifact missing events
* chattrsnoop: replace global variables with locals
* tcpsnoop: fix garbled results on s390
* chattrsnoop: fix immutable attribute set on s390
* chattrsnoop: fix bpf_probe_read for s390
* tcpsnoop: remove unused filtering code
* Add artifact to collect new files without owner
* bpf plugins: set a logger callback
- Add CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
(bsc#1221456)
OBS-URL: https://build.opensuse.org/request/show/1161552
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=65
- Update to version 0.7.0.4.git47.0f8a4de1:
* Rename SUSE specific artifacts to have SUSE prefix
* Add SUSE.Linux.Events.NewZeroSizeLogFile artifact
* Move NewFiles artifact to SUSE
* Move ImmutableFile artifact to SUSE
* Make ImmutableFile artifact consistent with others
* Fix absolute path case in ExecutableFiles artifact
* Add client monitoring artifact for RPMs
* Add artifact to collect new hidden files
* Add artifact to monitor ssh authorized_keys files
* Fix split_records error on older clients
* Add hash fields to Linux.Events.ProcessExecutions
* Add artifact to collect systemd service events
* Fix SystemLogins artifacts file extensions
* Add SUSE.Linux.Events.Timers artifact
* Fix audit filter key typo in Linux.Events.NewFiles
* Add server artifact to delete old client data on server
* Add SUSE.Linux.Sys.At artifact
* chattrsnoop: include full error details in logs
* chattrsnoop: handle os.Stat() error properly
* chattrsnoop: don't log.Fatal() on hash error
* Fix Linux.Events.ImmutableFile not showing hash in GUI
* SUSE.Linux.Events.Crontab: Add task execution artifacts
* Raise client connection log level to ERROR
* sdjournal: Correctly seek to current tail
- Remove verbose flag from client config
- Update to version 0.7.0.4.git6.7b40b8b:
* go.mod: increase go version to 1.19
OBS-URL: https://build.opensuse.org/request/show/1149917
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=62
- Temporarily use the NODE_MODULES BEGIN/END form of the node_modules
service due to a bug in debbuild preventing Debian builds from succeeding.
- Update to version 0.7.0.4.git4.c1b68a5b:
* hash: fix nil pointer dereference panic
* velociraptor: add dummy main function for mage
- Removed patch:
* velociraptor-golang-mage-vendoring.diff
- Switched to using go_modules and node_modules source services
- Eliminated bespoke vendoring scripts.
- Pulled sysuser definition into the velociraptor package.
- Remove PrivateTmp and PrivateDevices settings in velociraptor-client.service (SENS-70)
- Update to version 0.7.0.4.git0.e09a0df8:
* Add additional sanitization to HTML templates on JS side. (#2) (#3077) (CVE-2023-5950)
* vql/linux/sdjournal: Fix open/close lifetimes
* vql/linux/audit: fix shutdown races
* vql/linux/audit: fix goroutine lifetimes
* vql/linux/audit: limit messageQueue to within runService
* vql/linux/audit: add auditService.Log()
* vql/linux/audit: pull parts of shutdown into shutdown watcher
* vql/linux/audit: remove unnecessary error handling for reassembler
* vql/linux/audit: remove unused waitgroup from main event loop
* vql/linux/audit: handle top-level cancelation properly
* vql/linux/audit: make explicit that goroutines in the main errgroup don't return errors
* vql/linux/audit: make stats reporting separate from debug prints
* vql/linux/audit: simplify polling in listener
* vql/linux/audit: tests, check various rule scenarios
* vql/linux/audit: Add more client failure test cases
* vql/linux/audit: Fix audit client lifecycle
OBS-URL: https://build.opensuse.org/request/show/1133905
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=55
- Update to version 0.6.7.5~git78.2bef6fc:
* bpf: fix path to vmlinux.h
- Update to version 0.6.7.5~git77.997aa73:
* file_store/test_utils/server_config.go: update test certificate
* Update bluemonday dependency.
* vql/functions/hash: cache results on Linux
* libbpfgo: update to velociraptor-branch-v0.4.8-libbpf-1.2.0
* logscale/backport: don't use networking.GetHttpTransport
* vql/tools/logscale: add plugin to post events to LogScale ingestion endpoint
* file_store/directory: add ability to report pending size
- Change clang dependency to clang16
- Fix velociraptor-golang-mage-vendoring.diff to account for newer
'go mod vendor' honoring build flags.
- Fix update-vendoring.sh script to actually run the %setup part of
the spec.
- Merge client package into server spec and use _multibuild to create
client package from same spec file.
- Adjust changelog to retain changes for client package.
- Fix building in static mode on earlier releases.
- Added patch: velociraptor-libbpfgo-only-build-libbpf.patch
- Tightening the security of the services a bit:
- tmp files are now moved to /var/lib/velociraptor{,-client}/tmp
from /tmp
- run velociraptor server as user velociraptor instead of root
we do not really need root permissions here
- introduce /var/lib/velociraptor/filestore to make it easier to
split out large file upload
- change permissions for the data directory and subdirectories to
OBS-URL: https://build.opensuse.org/request/show/1085591
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=46
- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).
- Update to version 0.6.7.4~git60.8abed37a:
* http_comms: create ring buffer temporary file in the same directory
* cronsnoop: plumb in real scope logging
* cronsnoop: don't treat routine errors as fatal
* cronsnoop: fix typo
- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).
- Update to version 0.6.7.4~git60.8abed37a:
* http_comms: create ring buffer temporary file in the same directory
* cronsnoop: plumb in real scope logging
* cronsnoop: don't treat routine errors as fatal
* cronsnoop: fix typo
OBS-URL: https://build.opensuse.org/request/show/1060929
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=41
- Clean up for Factory submission:
- Make bpf-enabled builds conditional
- Removed %defattr and combined service lines.
- Change clang and llvm dependencies to use >= 13
- Newer versions of clang hit a DWARF parsing bug in go < 1.19,
so increase go version dependecy
- Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x
Neither the client or server builds on ix86.
- Added Restart=on-failure to restart the client automatically.
- Update to version 0.6.7.4~git51.a588d6e4:
* magefile.go: use current architecture for Linux builds
* Update libbpfgo submodule to include non-AMD64 build fixes
* bpf: bpf expects s390 instead of s390x
- Clean up for Factory submission:
- Make bpf-enabled builds conditional
- Removed %defattr and combined service lines.
- Change clang and llvm dependencies to use >= 13
- Newer versions of clang hit a DWARF parsing bug in go < 1.19,
so increase go version dependecy
- Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x
Neither the client or server builds on ix86.
- Update to version 0.6.7.4~git51.a588d6e4:
* magefile.go: use current architecture for Linux builds
* Update libbpfgo submodule to include non-AMD64 build fixes
* bpf: bpf expects s390 instead of s390x
OBS-URL: https://build.opensuse.org/request/show/1059461
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=30
* contrib/kafka-humio-gateway: add new debug option for noisy events
* contrib/kafka-humio-gateway: backoff and retry for metadata
* vql/server/kafka: connect sarama logging to velociraptor logging
* vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
* vql/server/kafka: set appropriate ClientID
- Update to version 0.6.7.4~git46.5d88d80:
* contrib/kafka-humio-gateway: add new debug option for noisy events
* contrib/kafka-humio-gateway: backoff and retry for metadata
* vql/server/kafka: connect sarama logging to velociraptor logging
* vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
* vql/server/kafka: set appropriate ClientID
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=26
- Update to version 0.6.7.4~git41.678ed56:
* rpm: introduce rpm vql plugin
* users: extend DeleteUser testcase to ensure org membership was dropped
* users: ensure baseline user state is correct
* github: run testcases on Linux builds in new workflow
* gui/reporting: update bluemonday dependency to latest
* SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
* SUSE: Add docker-compose environment
* SUSE: add Docker files
* clients/host-info.js: add MAC addresses to client dashboard
* linux: Add ability to interrogate system and network configuration
* Add Linux.Sys.Bash to Server.Monitor.Shell artifact
* kafka-humio-gateway: add sample config file
* Updating the NewFiles and ProcessStatuses Artifacts
* cronsnoop: rework testcases to use t.TempDir
* vql/linux/cronsnoop: Add cronsnoop() plugin
* Extend audit artifacts to use new interface
* audit: rearchitect plugin to scale better with multiple invocations
* audit: use caller-allocated buffer
* use github.com/jeffmahoney/go-libaudit/v2 for audit
* Kafka.Events.Client: Update to use new artifactset type
* Add artifact for chattrsnoop plugin
* bpflib: ensure it's built only on linux and when requesting bpf
* Add chattrsnoop plugin
* Add artifact to monitor user group updates (#24)
* vql/linux/dnssnoop: Add dnssnoop() plugin
* Log Sudo/root command by auditd
* Add custom artifacts for login and logout attempts recorded by auditd
* Add tcpsnoop plugin
* vql/linux/bpflib: add helper package for bpf plugins
OBS-URL: https://build.opensuse.org/request/show/1040837
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=25
- Update to version 0.6.4.2~git86.b5931f7:
* cleanup: go mod tidy
- Fix vendoring of replaced modules.
- Only require libtsan0 on x86_64
- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist
- Fix building of libbpfgo on i586
- Update to version 0.6.4.2~git84.1b38fda:
* Clean up libbpfgo mess
* libbpfgo: use forked repo for fully static builds
* libbpfgo: sync to v0.4.4-libbpf-1.0.1
* contrib/kafka-humio-gateway: add new debug option for noisy events
* contrib/kafka-humio-gateway: backoff and retry for metadata
* vql/server/kafka: connect sarama logging to velociraptor logging
* vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
* vql/server/kafka: set appropriate ClientID
* libbpfgo: add selftest to build so testcases work
* cronsnoop: rework testcases to use t.TempDir
* cronsnoop: move external dependencies to end of import list
* SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
- Update to version 0.6.4.2~git67.85b608e:
* clients/host-info.js: add MAC addresses to client dashboard
* linux: Add ability to interrogate system and network configuration
* SUSE: Add docker-compose environment
* SUSE: add Docker files
* Add Linux.Sys.Bash to Server.Monitor.Shell artifact
* api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
* kafka-humio-gateway: add sample config file
* Updating the NewFiles and ProcessStatuses Artifacts
OBS-URL: https://build.opensuse.org/request/show/1035327
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=22
- Update to version 0.6.4.2~git59.5ebb49db:
* api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
- Update to version 0.6.4.2~git57.fcb11adf:
* kafka-humio-gateway: add sample config file
- Updated BuildRequires to use go 1.17 after updating vendoring
- Add vmlinux.h from 5.18.9-2-default to provide type information (x86_64 only)
- Update to version 0.6.4.2~git56.47b4adb4:
* Updating the NewFiles and ProcessStatuses Artifacts
* cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
* third_party/go-libaudit: don't directly use unix.*
* Add Linux.Remediation.Quarantine artifact
* Extend audit artifacts to use new interface
* audit: rearchitect plugin to scale better with multiple invocations
* third_party/go-libaudit: move handling of receive buffer to caller
* third_party/go-libaudit: move buffer handling from netlink to audit
* third_party/go-libaudit: allow audit fd to be pollable
* third_party/go-libaudit: Add support for removing individual rules
* third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
* third_party/go-libaudit: Report missing rules during deletion
* import go-libaudit as a third-party module
* quarantine: actually call the OS-specific artifact
* artifactset: add ability to select named sources
* GUI: Artifact selector (#1790)
* host-info: make quarantine UI more robust with non-Windows client hosts
* shell-viewer: default to Bash on non-Windows clients
OBS-URL: https://build.opensuse.org/request/show/998240
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=18
- Update to upstream 0.6.4-2:
* Reset nanny when client connection failed. (#1780)
* Fix artifacts that use yara parameters to specify yara type (#1779)
* Update release for bugfixes 0.6.4-2
* Add update to ADSHunter for better output on complete system hunts (#28) (#1765)
* SysmonInstall artifact now skips install if not needed (#1777)
* Initial implementation of client side process tracker. (#1768)
* Invalidate transformed cache when the base table changes. (#1742)
* GUI Table widgets now can apply transformations on the table. (#1740)
* Suppress warning message for offline collector (#1776)
* Bug fix (#1774)
* Avoid bash process lingering around while server is running (#1775)
* oidc: Fix typo: Genric -> Generic (#1773)
* Make MaxWait for event table settable. (#1772)
* Fixed bug in Windows.Detection.Yara.Process (#1771)
* fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770)
* Bugfix: Client did not update list of query columns (#1767)
* Merge bugfixes from master branch. (#1769)
- Revendored dependencies.
- Update to version 0.6.4~git31.4298eab0:
* Add artifact for chattrsnoop plugin
* bpflib: ensure it's built only on linux and when requesting bpf
* Add chattrsnoop plugin
* tcpsnoop: Properly close module in case of attach error
* Elastic.Events.Client: Update to use new artifactset type
* Kafka.Events.Client: Update to use new artifactset type
* artifacts: add artifactset parameter type
* api: add type and description fields to v1/GetArtifacts endpoint
* Add artifacts for dns/tcp snoop plugins
OBS-URL: https://build.opensuse.org/request/show/976934
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=17
- Update to version 0.6.4~git31.4298eab0:
* Elastic.Events.Client: Update to use new artifactset type
* Kafka.Events.Client: Update to use new artifactset type
* artifacts: add artifactset parameter type
* api: add type and description fields to v1/GetArtifacts endpoint
- Update to version 0.6.4~git31.4298eab0:
* Elastic.Events.Client: Update to use new artifactset type
* Kafka.Events.Client: Update to use new artifactset type
* artifacts: add artifactset parameter type
* api: add type and description fields to v1/GetArtifacts endpoint
OBS-URL: https://build.opensuse.org/request/show/976928
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=16
- Update to version 0.6.4~git26.4407b9b7:
* Add artifact for chattrsnoop plugin
* bpflib: ensure it's built only on linux and when requesting bpf
* Add chattrsnoop plugin
* tcpsnoop: Properly close module in case of attach error
* Add artifacts for dns/tcp snoop plugins
* tcpsnoop: Add timestamp to generated events
* dnssnoop: Add timestamp to generated events
- Update to version 0.6.4~git26.4407b9b7:
* Add artifact for chattrsnoop plugin
* bpflib: ensure it's built only on linux and when requesting bpf
* Add chattrsnoop plugin
* tcpsnoop: Properly close module in case of attach error
* Add artifacts for dns/tcp snoop plugins
* tcpsnoop: Add timestamp to generated events
* dnssnoop: Add timestamp to generated events
OBS-URL: https://build.opensuse.org/request/show/976815
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=15
- Fix error handling in tcpsnoop and dnssnoop.
* If BTF information is unavailable, there is no indication that the
query has failed.
- Rebase on 0.6.4:
* Updated dependencies
* Bugfix: startup bugs (#1680)
* bugfix: Server event notebook not correctly created (#1737)
* Bugfix: Start a dummy indexing service (#1736)
* Add bugfix which would return no rows if the user removed whitelist (#1735)
* Fixed bug in read_reg_key (#1734)
* BUGFIX: Do not include config flag when darwin installer is repacked (#1733)
* Refactored index into its own service. (#1730)
* Bugfix: Write one index item per JSONL record. (#1727)
* Bugfix: Estimating client impact should consider last active status (#1726)
* Add complete ntfs metadata option to MFT output (#1725)
* Various bugfixes. (#1724)
* Update Usn.yaml (#1723)
* Fixed a bug in hunt download preparation. (#1722)
* Add Windows.Forensics.Usn filter and presentation updates (#1720)
* Optimize writing event monitoring records (#1721)
* Add Generic.Detection.Yara.Zip (#1718)
* Fixed crash on master-pong response. (#1719)
* Remove _type option from elastic. (#1715)
* Opportunistically update directly connected client's ping times (#1713)
* Fixed a bug in hunt download preparation. (#1722)
* Add Windows.Forensics.Usn filter and presentation updates (#1720)
* Optimize writing event monitoring records (#1721)
* Add Generic.Detection.Yara.Zip (#1718)
* Fixed crash on master-pong response. (#1719)
OBS-URL: https://build.opensuse.org/request/show/975255
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=14
* SUSE: Add SSHLogin artifacts
* Add a Kafka export plugin
* SUSE: Do build tests on every pull request
* Add systemd-dev as build dependency for github workflow
- Update to version 0.6.3~git13.af7fdb00:
* SUSE: Add SSHLogin artifacts
* Add a Kafka export plugin
* SUSE: Do build tests on every pull request
* Add systemd-dev as build dependency for github workflow
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=10
- Resolved some rpmlint warnings and added client config placeholder.
- Update to version 0.6.3~git0.69e0fffa:
* Prepare for 0.6.3 release (#1515)
* add limitations to description and key path to query (#1514)
* Retry remote datastore connections (#1513)
* Write minion log files and autocert in its own dir. (#1512)
* Synced KapeFiles artifacts (#1511)
* Added data retention server artifacts (#1510)
* Set an upper limit for ttl in memcache (#1508)
* Add updates to Windows.System.Services (#15) (#1509)
* Ensure collector container is properly closed when interrupted. (#1507)
* Continually rebuild the index at runtime. (#1506)
* Harder vacuum - directly move client task directories to the attic. (#1505)
* add limitation disclaimer (#1504)
* Reduce critial section to avoid deadlock in repository manager (#1503)
* Implemented a vacuum command to remove old tasks from client queues. (#1501)
* Better format profile metrics output. (#1495)
* Cap size of directories and report large directories. (#1493)
* Set ACE completers per editor to avoid global state. (#1492)
* Add HttpOnly flag to all cookies. (#1491)
* Refactor completion routine calls (#1490)
* fix: upgrade react-bootstrap from 1.3.0 to 1.6.4 (#1486)
* fix: upgrade http-proxy-middleware from 1.0.5 to 1.3.1 (#1485)
* fix: upgrade react-ace from 9.1.3 to 9.5.0 (#1487)
* fix: upgrade recharts from 2.0.9 to 2.1.8 (#1488)
* fix: upgrade react-datetime-picker from 3.0.4 to 3.4.3 (#1489)
* Limit size of cached directories. (#1483)
* Add more instrumentation to memory caches. (#1482)
* Fixed chart resizing bug (#1481)
OBS-URL: https://build.opensuse.org/request/show/950798
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=3