- Update to version 0.7.0.4.git74.3426c0a:
* Fix services artifact symbol pid not found error
* chattrsnoop: correct read size for flags
* chattrsnoop: fix wrong FS_IOC_SETFLAGS value for ppc
* chattrsnoop: fix do_vfs_ioctl kprobe failure
- Remove nodejs sources from main spec file.
- Update to version 0.7.0.4.git68.ad1f4e5:
* Fix undefined binary.NativeEndian build errors
- Add llvm16-libclang13 dependency for SLE 15 SP5 and above
- Disable eBPF for SLE 15 SP2
- Fix builds for SLE 15 SP3 and SLE 12
* Revert to gzip compression instead of zstd for go modules
OBS-URL: https://build.opensuse.org/request/show/1164383
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=66
- Update to version 0.7.0.4.git66.eea7659:
* dnssnoop: fix loading protocol from ip header on s390
* dnssnoop: fix htons() so it works on s390 too
* Fix systemd Services artifact missing events
* chattrsnoop: replace global variables with locals
* tcpsnoop: fix garbled results on s390
* chattrsnoop: fix immutable attribute set on s390
* chattrsnoop: fix bpf_probe_read for s390
* tcpsnoop: remove unused filtering code
* Add artifact to collect new files without owner
* bpf plugins: set a logger callback
- Add CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
(bsc#1221456)
OBS-URL: https://build.opensuse.org/request/show/1161552
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=65
- Update to version 0.7.0.4.git47.0f8a4de1:
* Rename SUSE specific artifacts to have SUSE prefix
* Add SUSE.Linux.Events.NewZeroSizeLogFile artifact
* Move NewFiles artifact to SUSE
* Move ImmutableFile artifact to SUSE
* Make ImmutableFile artifact consistent with others
* Fix absolute path case in ExecutableFiles artifact
* Add client monitoring artifact for RPMs
* Add artifact to collect new hidden files
* Add artifact to monitor ssh authorized_keys files
* Fix split_records error on older clients
* Add hash fields to Linux.Events.ProcessExecutions
* Add artifact to collect systemd service events
* Fix SystemLogins artifacts file extensions
* Add SUSE.Linux.Events.Timers artifact
* Fix audit filter key typo in Linux.Events.NewFiles
* Add server artifact to delete old client data on server
* Add SUSE.Linux.Sys.At artifact
* chattrsnoop: include full error details in logs
* chattrsnoop: handle os.Stat() error properly
* chattrsnoop: don't log.Fatal() on hash error
* Fix Linux.Events.ImmutableFile not showing hash in GUI
* SUSE.Linux.Events.Crontab: Add task execution artifacts
* Raise client connection log level to ERROR
* sdjournal: Correctly seek to current tail
- Remove verbose flag from client config
- Update to version 0.7.0.4.git6.7b40b8b:
* go.mod: increase go version to 1.19
OBS-URL: https://build.opensuse.org/request/show/1149917
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=62
- Added workaround for missing Maintainers tag in Debian-based packages.
obs-service-format_spec_file strips the Packager tag from the spec file
before committing. The build service replaces it with its own. debbuild
expects the Packager field to be present to generate the Maintainers tag
in the output but it only receives the "cleaned" spec file.
- Added Recommends: auditd
- Technically not *required* but Velociraptor's audit client enables
audit and then listens on the multicast socket. Without a listener
on the unicast socket, the kernel will spam the system log with events.
- Fixed debian packaging:
* /etc/sysconfig -> /etc/default
* %postun for systemd service cleanup
* Note: obs-service-format_spec_file strips the Packager tag that
debbuild uses to generate the Maintainer tag
OBS-URL: https://build.opensuse.org/request/show/1134354
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=59
- Temporarily use the NODE_MODULES BEGIN/END form of the node_modules
service due to a bug in debbuild preventing Debian builds from succeeding.
- Update to version 0.7.0.4.git4.c1b68a5b:
* hash: fix nil pointer dereference panic
* velociraptor: add dummy main function for mage
- Removed patch:
* velociraptor-golang-mage-vendoring.diff
- Switched to using go_modules and node_modules source services
- Eliminated bespoke vendoring scripts.
- Pulled sysuser definition into the velociraptor package.
- Remove PrivateTmp and PrivateDevices settings in velociraptor-client.service (SENS-70)
- Update to version 0.7.0.4.git0.e09a0df8:
* Add additional sanitization to HTML templates on JS side. (#2) (#3077) (CVE-2023-5950)
* vql/linux/sdjournal: Fix open/close lifetimes
* vql/linux/audit: fix shutdown races
* vql/linux/audit: fix goroutine lifetimes
* vql/linux/audit: limit messageQueue to within runService
* vql/linux/audit: add auditService.Log()
* vql/linux/audit: pull parts of shutdown into shutdown watcher
* vql/linux/audit: remove unnecessary error handling for reassembler
* vql/linux/audit: remove unused waitgroup from main event loop
* vql/linux/audit: handle top-level cancelation properly
* vql/linux/audit: make explicit that goroutines in the main errgroup don't return errors
* vql/linux/audit: make stats reporting separate from debug prints
* vql/linux/audit: simplify polling in listener
* vql/linux/audit: tests, check various rule scenarios
* vql/linux/audit: Add more client failure test cases
* vql/linux/audit: Fix audit client lifecycle
OBS-URL: https://build.opensuse.org/request/show/1133905
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=55
- Update to version 0.6.7.5~git78.2bef6fc:
* bpf: fix path to vmlinux.h
- Update to version 0.6.7.5~git77.997aa73:
* file_store/test_utils/server_config.go: update test certificate
* Update bluemonday dependency.
* vql/functions/hash: cache results on Linux
* libbpfgo: update to velociraptor-branch-v0.4.8-libbpf-1.2.0
* logscale/backport: don't use networking.GetHttpTransport
* vql/tools/logscale: add plugin to post events to LogScale ingestion endpoint
* file_store/directory: add ability to report pending size
- Change clang dependency to clang16
- Fix velociraptor-golang-mage-vendoring.diff to account for newer
'go mod vendor' honoring build flags.
- Fix update-vendoring.sh script to actually run the %setup part of
the spec.
- Merge client package into server spec and use _multibuild to create
client package from same spec file.
- Adjust changelog to retain changes for client package.
- Fix building in static mode on earlier releases.
- Added patch: velociraptor-libbpfgo-only-build-libbpf.patch
- Tightening the security of the services a bit:
- tmp files are now moved to /var/lib/velociraptor{,-client}/tmp
from /tmp
- run velociraptor server as user velociraptor instead of root
we do not really need root permissions here
- introduce /var/lib/velociraptor/filestore to make it easier to
split out large file upload
- change permissions for the data directory and subdirectories to
OBS-URL: https://build.opensuse.org/request/show/1085591
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=46
- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).
- Update to version 0.6.7.4~git60.8abed37a:
* http_comms: create ring buffer temporary file in the same directory
* cronsnoop: plumb in real scope logging
* cronsnoop: don't treat routine errors as fatal
* cronsnoop: fix typo
- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).
- Update to version 0.6.7.4~git60.8abed37a:
* http_comms: create ring buffer temporary file in the same directory
* cronsnoop: plumb in real scope logging
* cronsnoop: don't treat routine errors as fatal
* cronsnoop: fix typo
OBS-URL: https://build.opensuse.org/request/show/1060929
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=41
- Remove dependency on bpftool. We use the vmlinux.h archive
to provide vmlinux.h.
- Restored %defattr due to SLE12 using rpm-4.11.
- Fix builds in vendor code on SLE12
- Fix build in third_party/sdjournal due to older systemd on SLE12
- Added patches:
- vendor-go-magic-build-fix-for-SLE12.patch
- sdjournal-build-fix-for-SLE12.patch
- Remove dependency on bpftool. We use the vmlinux.h archive
to provide vmlinux.h.
- Restored %defattr due to SLE12 using rpm-4.11.
- Fix builds in vendor code on SLE12
- Fix build in third_party/sdjournal due to older systemd on SLE12
- Added patches:
- vendor-go-magic-build-fix-for-SLE12.patch
- sdjournal-build-fix-for-SLE12.patch
OBS-URL: https://build.opensuse.org/request/show/1060070
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=35
---------------------------------------------------------------------
- Restore requirement to build with clang13. Newer versions
cause libbpfgo to crash immediately.
-----------------------------------------------------------------
- Added support for setting command line options via sysconfig
- Restore requirement to build with clang13. Newer versions
cause libbpfgo to crash immediately.
- Added support for setting command line options via sysconfig
OBS-URL: https://build.opensuse.org/request/show/1059625
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=32
- Clean up for Factory submission:
- Make bpf-enabled builds conditional
- Removed %defattr and combined service lines.
- Change clang and llvm dependencies to use >= 13
- Newer versions of clang hit a DWARF parsing bug in go < 1.19,
so increase go version dependecy
- Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x
Neither the client or server builds on ix86.
- Added Restart=on-failure to restart the client automatically.
- Update to version 0.6.7.4~git51.a588d6e4:
* magefile.go: use current architecture for Linux builds
* Update libbpfgo submodule to include non-AMD64 build fixes
* bpf: bpf expects s390 instead of s390x
- Clean up for Factory submission:
- Make bpf-enabled builds conditional
- Removed %defattr and combined service lines.
- Change clang and llvm dependencies to use >= 13
- Newer versions of clang hit a DWARF parsing bug in go < 1.19,
so increase go version dependecy
- Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x
Neither the client or server builds on ix86.
- Update to version 0.6.7.4~git51.a588d6e4:
* magefile.go: use current architecture for Linux builds
* Update libbpfgo submodule to include non-AMD64 build fixes
* bpf: bpf expects s390 instead of s390x
OBS-URL: https://build.opensuse.org/request/show/1059461
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=30
* contrib/kafka-humio-gateway: add new debug option for noisy events
* contrib/kafka-humio-gateway: backoff and retry for metadata
* vql/server/kafka: connect sarama logging to velociraptor logging
* vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
* vql/server/kafka: set appropriate ClientID
- Update to version 0.6.7.4~git46.5d88d80:
* contrib/kafka-humio-gateway: add new debug option for noisy events
* contrib/kafka-humio-gateway: backoff and retry for metadata
* vql/server/kafka: connect sarama logging to velociraptor logging
* vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
* vql/server/kafka: set appropriate ClientID
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=26
- Update to version 0.6.7.4~git41.678ed56:
* rpm: introduce rpm vql plugin
* users: extend DeleteUser testcase to ensure org membership was dropped
* users: ensure baseline user state is correct
* github: run testcases on Linux builds in new workflow
* gui/reporting: update bluemonday dependency to latest
* SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
* SUSE: Add docker-compose environment
* SUSE: add Docker files
* clients/host-info.js: add MAC addresses to client dashboard
* linux: Add ability to interrogate system and network configuration
* Add Linux.Sys.Bash to Server.Monitor.Shell artifact
* kafka-humio-gateway: add sample config file
* Updating the NewFiles and ProcessStatuses Artifacts
* cronsnoop: rework testcases to use t.TempDir
* vql/linux/cronsnoop: Add cronsnoop() plugin
* Extend audit artifacts to use new interface
* audit: rearchitect plugin to scale better with multiple invocations
* audit: use caller-allocated buffer
* use github.com/jeffmahoney/go-libaudit/v2 for audit
* Kafka.Events.Client: Update to use new artifactset type
* Add artifact for chattrsnoop plugin
* bpflib: ensure it's built only on linux and when requesting bpf
* Add chattrsnoop plugin
* Add artifact to monitor user group updates (#24)
* vql/linux/dnssnoop: Add dnssnoop() plugin
* Log Sudo/root command by auditd
* Add custom artifacts for login and logout attempts recorded by auditd
* Add tcpsnoop plugin
* vql/linux/bpflib: add helper package for bpf plugins
OBS-URL: https://build.opensuse.org/request/show/1040837
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=25
- Update to version 0.6.4.2~git86.b5931f7:
* cleanup: go mod tidy
- Fix vendoring of replaced modules.
- Only require libtsan0 on x86_64
- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist
- Fix building of libbpfgo on i586
- Update to version 0.6.4.2~git84.1b38fda:
* Clean up libbpfgo mess
* libbpfgo: use forked repo for fully static builds
* libbpfgo: sync to v0.4.4-libbpf-1.0.1
* contrib/kafka-humio-gateway: add new debug option for noisy events
* contrib/kafka-humio-gateway: backoff and retry for metadata
* vql/server/kafka: connect sarama logging to velociraptor logging
* vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
* vql/server/kafka: set appropriate ClientID
* libbpfgo: add selftest to build so testcases work
* cronsnoop: rework testcases to use t.TempDir
* cronsnoop: move external dependencies to end of import list
* SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
- Update to version 0.6.4.2~git67.85b608e:
* clients/host-info.js: add MAC addresses to client dashboard
* linux: Add ability to interrogate system and network configuration
* SUSE: Add docker-compose environment
* SUSE: add Docker files
* Add Linux.Sys.Bash to Server.Monitor.Shell artifact
* api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
* kafka-humio-gateway: add sample config file
* Updating the NewFiles and ProcessStatuses Artifacts
OBS-URL: https://build.opensuse.org/request/show/1035327
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=22
- Update to version 0.6.4.2~git59.5ebb49db:
* api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
- Update to version 0.6.4.2~git57.fcb11adf:
* kafka-humio-gateway: add sample config file
- Updated BuildRequires to use go 1.17 after updating vendoring
- Add vmlinux.h from 5.18.9-2-default to provide type information (x86_64 only)
- Update to version 0.6.4.2~git56.47b4adb4:
* Updating the NewFiles and ProcessStatuses Artifacts
* cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
* third_party/go-libaudit: don't directly use unix.*
* Add Linux.Remediation.Quarantine artifact
* Extend audit artifacts to use new interface
* audit: rearchitect plugin to scale better with multiple invocations
* third_party/go-libaudit: move handling of receive buffer to caller
* third_party/go-libaudit: move buffer handling from netlink to audit
* third_party/go-libaudit: allow audit fd to be pollable
* third_party/go-libaudit: Add support for removing individual rules
* third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
* third_party/go-libaudit: Report missing rules during deletion
* import go-libaudit as a third-party module
* quarantine: actually call the OS-specific artifact
* artifactset: add ability to select named sources
* GUI: Artifact selector (#1790)
* host-info: make quarantine UI more robust with non-Windows client hosts
* shell-viewer: default to Bash on non-Windows clients
OBS-URL: https://build.opensuse.org/request/show/998240
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=18
- Update to upstream 0.6.4-2:
* Reset nanny when client connection failed. (#1780)
* Fix artifacts that use yara parameters to specify yara type (#1779)
* Update release for bugfixes 0.6.4-2
* Add update to ADSHunter for better output on complete system hunts (#28) (#1765)
* SysmonInstall artifact now skips install if not needed (#1777)
* Initial implementation of client side process tracker. (#1768)
* Invalidate transformed cache when the base table changes. (#1742)
* GUI Table widgets now can apply transformations on the table. (#1740)
* Suppress warning message for offline collector (#1776)
* Bug fix (#1774)
* Avoid bash process lingering around while server is running (#1775)
* oidc: Fix typo: Genric -> Generic (#1773)
* Make MaxWait for event table settable. (#1772)
* Fixed bug in Windows.Detection.Yara.Process (#1771)
* fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770)
* Bugfix: Client did not update list of query columns (#1767)
* Merge bugfixes from master branch. (#1769)
- Revendored dependencies.
- Update to version 0.6.4~git31.4298eab0:
* Add artifact for chattrsnoop plugin
* bpflib: ensure it's built only on linux and when requesting bpf
* Add chattrsnoop plugin
* tcpsnoop: Properly close module in case of attach error
* Elastic.Events.Client: Update to use new artifactset type
* Kafka.Events.Client: Update to use new artifactset type
* artifacts: add artifactset parameter type
* api: add type and description fields to v1/GetArtifacts endpoint
* Add artifacts for dns/tcp snoop plugins
OBS-URL: https://build.opensuse.org/request/show/976934
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=17
- Update to version 0.6.4~git31.4298eab0:
* Elastic.Events.Client: Update to use new artifactset type
* Kafka.Events.Client: Update to use new artifactset type
* artifacts: add artifactset parameter type
* api: add type and description fields to v1/GetArtifacts endpoint
- Update to version 0.6.4~git31.4298eab0:
* Elastic.Events.Client: Update to use new artifactset type
* Kafka.Events.Client: Update to use new artifactset type
* artifacts: add artifactset parameter type
* api: add type and description fields to v1/GetArtifacts endpoint
OBS-URL: https://build.opensuse.org/request/show/976928
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=16
- Update to version 0.6.4~git26.4407b9b7:
* Add artifact for chattrsnoop plugin
* bpflib: ensure it's built only on linux and when requesting bpf
* Add chattrsnoop plugin
* tcpsnoop: Properly close module in case of attach error
* Add artifacts for dns/tcp snoop plugins
* tcpsnoop: Add timestamp to generated events
* dnssnoop: Add timestamp to generated events
- Update to version 0.6.4~git26.4407b9b7:
* Add artifact for chattrsnoop plugin
* bpflib: ensure it's built only on linux and when requesting bpf
* Add chattrsnoop plugin
* tcpsnoop: Properly close module in case of attach error
* Add artifacts for dns/tcp snoop plugins
* tcpsnoop: Add timestamp to generated events
* dnssnoop: Add timestamp to generated events
OBS-URL: https://build.opensuse.org/request/show/976815
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=15
- Fix error handling in tcpsnoop and dnssnoop.
* If BTF information is unavailable, there is no indication that the
query has failed.
- Rebase on 0.6.4:
* Updated dependencies
* Bugfix: startup bugs (#1680)
* bugfix: Server event notebook not correctly created (#1737)
* Bugfix: Start a dummy indexing service (#1736)
* Add bugfix which would return no rows if the user removed whitelist (#1735)
* Fixed bug in read_reg_key (#1734)
* BUGFIX: Do not include config flag when darwin installer is repacked (#1733)
* Refactored index into its own service. (#1730)
* Bugfix: Write one index item per JSONL record. (#1727)
* Bugfix: Estimating client impact should consider last active status (#1726)
* Add complete ntfs metadata option to MFT output (#1725)
* Various bugfixes. (#1724)
* Update Usn.yaml (#1723)
* Fixed a bug in hunt download preparation. (#1722)
* Add Windows.Forensics.Usn filter and presentation updates (#1720)
* Optimize writing event monitoring records (#1721)
* Add Generic.Detection.Yara.Zip (#1718)
* Fixed crash on master-pong response. (#1719)
* Remove _type option from elastic. (#1715)
* Opportunistically update directly connected client's ping times (#1713)
* Fixed a bug in hunt download preparation. (#1722)
* Add Windows.Forensics.Usn filter and presentation updates (#1720)
* Optimize writing event monitoring records (#1721)
* Add Generic.Detection.Yara.Zip (#1718)
* Fixed crash on master-pong response. (#1719)
OBS-URL: https://build.opensuse.org/request/show/975255
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=14