forked from pool/velociraptor
61 Commits

Author SHA256 Message Date
c7549ca9ab Accepting request 1168648 from home:jeff_mahoney:branches:security:sensor
- Restore velociraptor group for client
- Add %{name}(project:%_project) Provides for SLE15 and newer
- Fixed SLE12-SP5 build

OBS-URL: https://build.opensuse.org/request/show/1168648
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=69
2024-04-17 19:45:07 +00:00
4606785411 Accepting request 1165645 from home:ateixeira:branches:security:sensor
- Obsolete old velociraptor-kafka-humio-gateway package

OBS-URL: https://build.opensuse.org/request/show/1165645
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=67
2024-04-05 13:08:37 +00:00
84e1ed1154 Accepting request 1164383 from home:ateixeira:branches:security:sensor
- Update to version 0.7.0.4.git74.3426c0a:
  * Fix services artifact symbol pid not found error
  * chattrsnoop: correct read size for flags
  * chattrsnoop: fix wrong FS_IOC_SETFLAGS value for ppc
  * chattrsnoop: fix do_vfs_ioctl kprobe failure

- Remove nodejs sources from main spec file.

- Update to version 0.7.0.4.git68.ad1f4e5:
  * Fix undefined binary.NativeEndian build errors
- Add llvm16-libclang13 dependency for SLE 15 SP5 and above

- Disable eBPF for SLE 15 SP2

- Fix builds for SLE 15 SP3 and SLE 12
  * Revert to gzip compression instead of zstd for go modules

OBS-URL: https://build.opensuse.org/request/show/1164383
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=66
2024-04-03 15:02:45 +00:00
241ebf3914 Accepting request 1161552 from home:ateixeira:branches:security:sensor
- Update to version 0.7.0.4.git66.eea7659:
  * dnssnoop: fix loading protocol from ip header on s390
  * dnssnoop: fix htons() so it works on s390 too
  * Fix systemd Services artifact missing events
  * chattrsnoop: replace global variables with locals
  * tcpsnoop: fix garbled results on s390
  * chattrsnoop: fix immutable attribute set on s390
  * chattrsnoop: fix bpf_probe_read for s390
  * tcpsnoop: remove unused filtering code
  * Add artifact to collect new files without owner
  * bpf plugins: set a logger callback
- Add CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
  (bsc#1221456)

OBS-URL: https://build.opensuse.org/request/show/1161552
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=65
2024-03-25 20:16:39 +00:00
5968657952 Accepting request 1153587 from home:ateixeira:branches:security:sensor
- Reintroduce system-user-velociraptor package due to client %pre
  and %postun scripts depending on velociraptor user and group.

OBS-URL: https://build.opensuse.org/request/show/1153587
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=64
2024-02-29 19:22:00 +00:00
b0c8b246d2 Accepting request 1152799 from home:ateixeira:branches:security:sensor
- Obsolete old system-user-velociraptor package.
- Use zst compression for go modules.

- Changelog formatting and adding lost entries

OBS-URL: https://build.opensuse.org/request/show/1152799
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=63
2024-02-27 23:25:38 +00:00
1565eb03b8 Accepting request 1149917 from home:doreilly:branches:security:sensor
- Update to version 0.7.0.4.git47.0f8a4de1:
  * Rename SUSE specific artifacts to have SUSE prefix
  * Add SUSE.Linux.Events.NewZeroSizeLogFile artifact
  * Move NewFiles artifact to SUSE
  * Move ImmutableFile artifact to SUSE
  * Make ImmutableFile artifact consistent with others
  * Fix absolute path case in ExecutableFiles artifact
  * Add client monitoring artifact for RPMs
  * Add artifact to collect new hidden files
  * Add artifact to monitor ssh authorized_keys files
  * Fix split_records error on older clients
  * Add hash fields to Linux.Events.ProcessExecutions
  * Add artifact to collect systemd service events
  * Fix SystemLogins artifacts file extensions
  * Add SUSE.Linux.Events.Timers artifact
  * Fix audit filter key typo in Linux.Events.NewFiles
  * Add server artifact to delete old client data on server
  * Add SUSE.Linux.Sys.At artifact
  * chattrsnoop: include full error details in logs
  * chattrsnoop: handle os.Stat() error properly
  * chattrsnoop: don't log.Fatal() on hash error
  * Fix Linux.Events.ImmutableFile not showing hash in GUI
  * SUSE.Linux.Events.Crontab: Add task execution artifacts
  * Raise client connection log level to ERROR
  * sdjournal: Correctly seek to current tail
- Remove verbose flag from client config
- Update to version 0.7.0.4.git6.7b40b8b:
  * go.mod: increase go version to 1.19

OBS-URL: https://build.opensuse.org/request/show/1149917
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=62
2024-02-23 12:55:34 +00:00
241bb91d31 Accepting request 1149391 from home:ateixeira:branches:security:sensor
- Use clang16 for SLE 15 SP4 and above.

OBS-URL: https://build.opensuse.org/request/show/1149391
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=61
2024-02-22 13:27:13 +00:00
Darragh O'Reilly
7e4a12a3fa Accepting request 1139763 from home:ateixeira:branches:security:sensor
- Fixed Debian %postun scripts being used for other distros.

OBS-URL: https://build.opensuse.org/request/show/1139763
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=60
2024-01-23 14:28:17 +00:00
0c4d6def1a Accepting request 1134354 from home:jeff_mahoney:branches:security:sensor
- Added workaround for missing Maintainers tag in Debian-based packages.
  obs-service-format_spec_file strips the Packager tag from the spec file
  before committing.  The build service replaces it with its own.  debbuild
  expects the Packager field to be present to generate the Maintainers tag
  in the output but it only receives the "cleaned" spec file.

- Added Recommends: auditd
  - Technically not *required* but Velociraptor's audit client enables
    audit and then listens on the multicast socket.  Without a listener
    on the unicast socket, the kernel will spam the system log with events.

- Fixed debian packaging:
  * /etc/sysconfig -> /etc/default
  * %postun for systemd service cleanup
  * Note: obs-service-format_spec_file strips the Packager tag that
    debbuild uses to generate the Maintainer tag

OBS-URL: https://build.opensuse.org/request/show/1134354
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=59
2023-12-21 00:29:28 +00:00
befaca9186 - Fix %SOURCE references.
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=58
2023-12-19 14:25:07 +00:00
8c712ed88b revert: - go.mod asks for go 1.18, so we don't need to require go 1.19
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=57
2023-12-18 20:31:47 +00:00
de4fd9d928 - go.mod asks for go 1.18, so we don't need to require go 1.19
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=56
2023-12-18 20:13:13 +00:00
ac85413735 Accepting request 1133905 from home:jeff_mahoney:branches:security:sensor
- Temporarily use the NODE_MODULES BEGIN/END form of the node_modules
  service due to a bug in debbuild preventing Debian builds from succeeding.
- Update to version 0.7.0.4.git4.c1b68a5b:
  * hash: fix nil pointer dereference panic
  * velociraptor: add dummy main function for mage
- Removed patch:
  * velociraptor-golang-mage-vendoring.diff
- Switched to using go_modules and node_modules source services
  - Eliminated bespoke vendoring scripts.
- Pulled sysuser definition into the velociraptor package.

- Remove PrivateTmp and PrivateDevices settings in velociraptor-client.service (SENS-70)

- Update to version 0.7.0.4.git0.e09a0df8:
  * Add additional sanitization to HTML templates on JS side. (#2) (#3077) (CVE-2023-5950)
  * vql/linux/sdjournal: Fix open/close lifetimes
  * vql/linux/audit: fix shutdown races
  * vql/linux/audit: fix goroutine lifetimes
  * vql/linux/audit: limit messageQueue to within runService
  * vql/linux/audit: add auditService.Log()
  * vql/linux/audit: pull parts of shutdown into shutdown watcher
  * vql/linux/audit: remove unnecessary error handling for reassembler
  * vql/linux/audit: remove unused waitgroup from main event loop
  * vql/linux/audit: handle top-level cancelation properly
  * vql/linux/audit: make explicit that goroutines in the main errgroup don't return errors
  * vql/linux/audit: make stats reporting separate from debug prints
  * vql/linux/audit: simplify polling in listener
  * vql/linux/audit: tests, check various rule scenarios
  * vql/linux/audit: Add more client failure test cases
  * vql/linux/audit: Fix audit client lifecycle

OBS-URL: https://build.opensuse.org/request/show/1133905
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=55
2023-12-18 18:44:23 +00:00
6ab20944e0 Accepting request 1099705 from home:msmeissn:branches:security:sensor
- require the group / user only in the server build

OBS-URL: https://build.opensuse.org/request/show/1099705
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=53
2023-07-20 09:59:08 +00:00
154074cae5 - Update to version 0.6.7.5~git81.01be570:
  * libbpfgo: pull fix for double-free
  * logscale: add documentation for plugin

OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=51
2023-05-10 00:51:00 +00:00
7bb1958b78 Accepting request 1085748 from home:darix:apps
- bump minimum nodejs to 18:
  building against 16 causes errors

OBS-URL: https://build.opensuse.org/request/show/1085748
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=50
2023-05-09 23:43:33 +00:00
c313187484 Accepting request 1085596 from home:jeff_mahoney:branches:security:sensor:updates
- Provide sysuser template for velociraptor user and group.

OBS-URL: https://build.opensuse.org/request/show/1085596
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=48
2023-05-09 02:00:49 +00:00
f537d3a99b OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=47
2023-05-09 00:52:45 +00:00
3a5ec10ba3 Accepting request 1085591 from home:jeff_mahoney:branches:security:sensor:updates
- Update to version 0.6.7.5~git78.2bef6fc:
  * bpf: fix path to vmlinux.h

- Update to version 0.6.7.5~git77.997aa73:
  * file_store/test_utils/server_config.go: update test certificate
  * Update bluemonday dependency.
  * vql/functions/hash: cache results on Linux
  * libbpfgo: update to velociraptor-branch-v0.4.8-libbpf-1.2.0
  * logscale/backport: don't use networking.GetHttpTransport
  * vql/tools/logscale: add plugin to post events to LogScale ingestion endpoint
  * file_store/directory: add ability to report pending size
- Change clang dependency to clang16
- Fix velociraptor-golang-mage-vendoring.diff to account for newer
  'go mod vendor' honoring build flags.
- Fix update-vendoring.sh script to actually run the %setup part of
  the spec.
- Merge client package into server spec and use _multibuild to create
  client package from same spec file.
- Adjust changelog to retain changes for client package.
- Fix building in static mode on earlier releases.
  - Added patch: velociraptor-libbpfgo-only-build-libbpf.patch

- Tightening the security of the services a bit:
  - tmp files are now moved to /var/lib/velociraptor{,-client}/tmp
    from /tmp
  - run velociraptor server as user velociraptor instead of root
    we do not really need root permissions here
  - introduce /var/lib/velociraptor/filestore to make it easier to
    split out large file upload
  - change permissions for the data directory and subdirectories to

OBS-URL: https://build.opensuse.org/request/show/1085591
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=46
2023-05-09 00:49:51 +00:00
bfb6d78d98 Added patch to patch list
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=44
2023-02-10 12:58:24 +00:00
50651d3408 Fixed changelog
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=43
2023-02-06 14:35:01 +00:00
8fbd6d6882 Accepting request 1062529 from home:jeff_mahoney:branches:security:sensor
- Update to version 0.6.7.4~git63.4a1ed09d:
  * utils/time.js: fix handling of nanosecond-resolution timestamps

- Update to version 0.6.7.4~git63.4a1ed09d:
  * utils/time.js: fix handling of nanosecond-resolution timestamps

OBS-URL: https://build.opensuse.org/request/show/1062529
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=42
2023-02-01 18:28:25 +00:00
d5a3e31f79 Accepting request 1060929 from home:jeff_mahoney:branches:security:sensor
- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).

- Update to version 0.6.7.4~git60.8abed37a:
  * http_comms: create ring buffer temporary file in the same directory
  * cronsnoop: plumb in real scope logging
  * cronsnoop: don't treat routine errors as fatal
  * cronsnoop: fix typo

- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).

- Update to version 0.6.7.4~git60.8abed37a:
  * http_comms: create ring buffer temporary file in the same directory
  * cronsnoop: plumb in real scope logging
  * cronsnoop: don't treat routine errors as fatal
  * cronsnoop: fix typo

OBS-URL: https://build.opensuse.org/request/show/1060929
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=41
2023-01-25 13:29:03 +00:00
a66ed310ea Accepting request 1060079 from home:jeff_mahoney:branches:security:sensor
- Fixed release detection to include Tumbleweed

OBS-URL: https://build.opensuse.org/request/show/1060079
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=39
2023-01-21 04:12:03 +00:00
be20427f10 Fixed dropped changelog entry
---------------------------------------------------------------------
- add memory limit to systemd unit

OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=38
2023-01-21 03:44:17 +00:00
4dddd873d1 Accepting request 1060074 from home:jeff_mahoney:branches:security:sensor
Fixed commit message after patch rename
  - vendor-build-fixes-for-SLE12.patch
  - vendor-build-fixes-for-SLE12.patch

OBS-URL: https://build.opensuse.org/request/show/1060074
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=37
2023-01-21 03:03:44 +00:00
868045c06c Accepting request 1060071 from home:jeff_mahoney:branches:security:sensor
- Increase required release to enable eBPF to SLE 15 SP2 and
  openSUSE Leap 15.2.  Earlier versions don't have a usable eBPF
  and can't easily build llvm13.

- Increase required release to enable eBPF to SLE 15 SP2 and
  openSUSE Leap 15.2.  Earlier versions don't have a usable eBPF
  and can't easily build llvm13.

OBS-URL: https://build.opensuse.org/request/show/1060071
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=36
2023-01-21 02:50:51 +00:00
d5702730fe Accepting request 1060070 from home:jeff_mahoney:branches:security:sensor
- Remove dependency on bpftool.  We use the vmlinux.h archive
  to provide vmlinux.h.

- Restored %defattr due to SLE12 using rpm-4.11.
- Fix builds in vendor code on SLE12
- Fix build in third_party/sdjournal due to older systemd on SLE12
- Added patches:
  - vendor-go-magic-build-fix-for-SLE12.patch
  - sdjournal-build-fix-for-SLE12.patch
- Remove dependency on bpftool.  We use the vmlinux.h archive
  to provide vmlinux.h.

- Restored %defattr due to SLE12 using rpm-4.11.
- Fix builds in vendor code on SLE12
- Fix build in third_party/sdjournal due to older systemd on SLE12
- Added patches:
  - vendor-go-magic-build-fix-for-SLE12.patch
  - sdjournal-build-fix-for-SLE12.patch

OBS-URL: https://build.opensuse.org/request/show/1060070
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=35
2023-01-21 02:03:49 +00:00
b16a5f1b3e Accepting request 1060003 from home:dirkmueller:Factory
- add memory limit to systemd unit

OBS-URL: https://build.opensuse.org/request/show/1060003
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=34
2023-01-20 16:50:46 +00:00
Dominique Leuenberger
16d33dd7bf Accepting request 1059630 from security:sensor
Fixed systemd pkgconfig issue.

Had to revert clang >= 13 back to clang13.  Allowing newer versions is
causing crashes in libbpfgo.

OBS-URL: https://build.opensuse.org/request/show/1059630
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/velociraptor?expand=0&rev=1
2023-01-20 16:38:27 +00:00
6fbff8f638 Accepting request 1059625 from home:jeff_mahoney:branches:security:sensor
---------------------------------------------------------------------
- Restore requirement to build with clang13.  Newer versions
  cause libbpfgo to crash immediately.
-----------------------------------------------------------------
- Added support for setting command line options via sysconfig
- Restore requirement to build with clang13.  Newer versions
  cause libbpfgo to crash immediately.

- Added support for setting command line options via sysconfig

OBS-URL: https://build.opensuse.org/request/show/1059625
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=32
2023-01-19 15:27:12 +00:00
b77f05d020 - Update to version 0.6.7.4~git53.0e85855:
  * sdjournal: work around missing _SYSTEMD_UNIT fields

- Update to version 0.6.7.4~git53.0e85855:
  * sdjournal: work around missing _SYSTEMD_UNIT fields

OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=31
2023-01-19 05:02:41 +00:00
3f054c52ce Accepting request 1059461 from home:jeff_mahoney:branches:security:sensor
- Clean up for Factory submission:
  - Make bpf-enabled builds conditional
  - Removed %defattr and combined service lines.
  - Change clang and llvm dependencies to use >= 13
  - Newer versions of clang hit a DWARF parsing bug in go < 1.19,
    so increase go version dependency
  - Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x
    Neither the client nor the server builds on ix86.
- Added Restart=on-failure to restart the client automatically.

- Update to version 0.6.7.4~git51.a588d6e4:
  * magefile.go: use current architecture for Linux builds
  * Update libbpfgo submodule to include non-AMD64 build fixes
  * bpf: bpf expects s390 instead of s390x

- Clean up for Factory submission:
  - Make bpf-enabled builds conditional
  - Removed %defattr and combined service lines.
  - Change clang and llvm dependencies to use >= 13
  - Newer versions of clang hit a DWARF parsing bug in go < 1.19,
    so increase go version dependency
  - Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x
    Neither the client nor the server builds on ix86.
- Update to version 0.6.7.4~git51.a588d6e4:
  * magefile.go: use current architecture for Linux builds
  * Update libbpfgo submodule to include non-AMD64 build fixes
  * bpf: bpf expects s390 instead of s390x

OBS-URL: https://build.opensuse.org/request/show/1059461
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=30
2023-01-19 01:05:43 +00:00
74851609fb - Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x
  Neither the client nor the server builds on ix86.

- Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x
  Neither the client nor the server builds on ix86.

OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=29
2023-01-18 15:50:58 +00:00
b3e07f2505 Added update-vendoring.sh to source list
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=28
2023-01-18 14:41:54 +00:00
bbf44321e8 Removed obsolete Dockerfile
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=27
2023-01-18 14:29:39 +00:00
01f83bd1f6 - Update to version 0.6.7.4~git46.5d88d80:
  * contrib/kafka-humio-gateway: add new debug option for noisy events
  * contrib/kafka-humio-gateway: backoff and retry for metadata
  * vql/server/kafka: connect sarama logging to velociraptor logging
  * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
  * vql/server/kafka: set appropriate ClientID

- Update to version 0.6.7.4~git46.5d88d80:
  * contrib/kafka-humio-gateway: add new debug option for noisy events
  * contrib/kafka-humio-gateway: backoff and retry for metadata
  * vql/server/kafka: connect sarama logging to velociraptor logging
  * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
  * vql/server/kafka: set appropriate ClientID

OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=26
2022-12-07 04:22:37 +00:00
62de5286f7 Accepting request 1040837 from home:jeff_mahoney:branches:security:sensor
- Update to version 0.6.7.4~git41.678ed56:
  * rpm: introduce rpm vql plugin
  * users: extend DeleteUser testcase to ensure org membership was dropped
  * users: ensure baseline user state is correct
  * github: run testcases on Linux builds in new workflow
  * gui/reporting: update bluemonday dependency to latest
  * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
  * kafka-humio-gateway: add sample config file
  * Updating the NewFiles and ProcessStatuses Artifacts
  * cronsnoop: rework testcases to use t.TempDir
  * vql/linux/cronsnoop: Add cronsnoop() plugin
  * Extend audit artifacts to use new interface
  * audit: rearchitect plugin to scale better with multiple invocations
  * audit: use caller-allocated buffer
  * use github.com/jeffmahoney/go-libaudit/v2 for audit
  * Kafka.Events.Client: Update to use new artifactset type
  * Add artifact for chattrsnoop plugin
  * bpflib: ensure it's built only on linux and when requesting bpf
  * Add chattrsnoop plugin
  * Add artifact to monitor user group updates (#24)
  * vql/linux/dnssnoop: Add dnssnoop() plugin
  * Log Sudo/root command by auditd
  * Add custom artifacts for login and logout attempts recorded by auditd
  * Add tcpsnoop plugin
  * vql/linux/bpflib: add helper package for bpf plugins

OBS-URL: https://build.opensuse.org/request/show/1040837
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=25
2022-12-07 03:37:22 +00:00
9dd9ebd585 Accepting request 1035679 from home:jeff_mahoney:security:sensor
re-add vmlinux handling

OBS-URL: https://build.opensuse.org/request/show/1035679
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=24
2022-11-14 15:01:41 +00:00
99d22d300a Accepting request 1035328 from home:jeff_mahoney:security:sensor
ok

OBS-URL: https://build.opensuse.org/request/show/1035328
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=23
2022-11-12 01:53:03 +00:00
4f3a31cc82 Accepting request 1035327 from home:jeff_mahoney:security:sensor
- Update to version 0.6.4.2~git86.b5931f7:
  * cleanup: go mod tidy
- Fix vendoring of replaced modules.
- Only require libtsan0 on x86_64
- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist
- Fix building of libbpfgo on i586

- Update to version 0.6.4.2~git84.1b38fda:
  * Clean up libbpfgo mess
  * libbpfgo: use forked repo for fully static builds
  * libbpfgo: sync to v0.4.4-libbpf-1.0.1
  * contrib/kafka-humio-gateway: add new debug option for noisy events
  * contrib/kafka-humio-gateway: backoff and retry for metadata
  * vql/server/kafka: connect sarama logging to velociraptor logging
  * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
  * vql/server/kafka: set appropriate ClientID
  * libbpfgo: add selftest to build so testcases work
  * cronsnoop: rework testcases to use t.TempDir
  * cronsnoop: move external dependencies to end of import list
  * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()

- Update to version 0.6.4.2~git67.85b608e:
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
  * kafka-humio-gateway: add sample config file
  * Updating the NewFiles and ProcessStatuses Artifacts

OBS-URL: https://build.opensuse.org/request/show/1035327
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=22
2022-11-12 01:51:37 +00:00
2c83e467e2 - Update to version 0.6.4.2~git70.b7df8172:
  * file_store: handle watching artifacts with named sources

- Update to version 0.6.4.2~git70.b7df8172:
  * file_store: handle watching artifacts with named sources

OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=21
2022-11-10 15:49:07 +00:00
08bbeb37f8 - Update to version 0.6.4.2~git68.5226b23b:
  * api/authenticators/basic: fix logoff endpoint
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact

- Update to version 0.6.4.2~git68.5226b23b:
  * api/authenticators/basic: fix logoff endpoint
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact

OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=20
2022-09-29 14:24:37 +00:00
ae188ff398 Accepting request 998259 from home:jeff_mahoney:branches:security:sensor
- Updated vendoring.
- Fixed update-vendoring script to use an independent go module cache.

- Updated vendoring.
- Fixed update-vendoring script to use an independent go module cache.

OBS-URL: https://build.opensuse.org/request/show/998259
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=19
2022-08-19 21:19:45 +00:00
5ae9450724 Accepting request 998240 from home:jeff_mahoney:branches:security:sensor
- Update to version 0.6.4.2~git59.5ebb49db:
  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2

- Update to version 0.6.4.2~git57.fcb11adf:
  * kafka-humio-gateway: add sample config file

- Updated BuildRequires to use go 1.17 after updating vendoring

- Add vmlinux.h from 5.18.9-2-default to provide type information (x86_64 only)

- Update to version 0.6.4.2~git56.47b4adb4:
  * Updating the NewFiles and ProcessStatuses Artifacts
  * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
  * third_party/go-libaudit: don't directly use unix.*
  * Add Linux.Remediation.Quarantine artifact
  * Extend audit artifacts to use new interface
  * audit: rearchitect plugin to scale better with multiple invocations
  * third_party/go-libaudit: move handling of receive buffer to caller
  * third_party/go-libaudit: move buffer handling from netlink to audit
  * third_party/go-libaudit: allow audit fd to be pollable
  * third_party/go-libaudit: Add support for removing individual rules
  * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
  * third_party/go-libaudit: Report missing rules during deletion
  * import go-libaudit as a third-party module
  * quarantine: actually call the OS-specific artifact
  * artifactset: add ability to select named sources
  * GUI: Artifact selector (#1790)
  * host-info: make quarantine UI more robust with non-Windows client hosts
  * shell-viewer: default to Bash on non-Windows clients

OBS-URL: https://build.opensuse.org/request/show/998240
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=18
2022-08-19 18:30:12 +00:00
9b25021947 Accepting request 976934 from home:jeff_mahoney:branches:security:sensor
- Update to upstream 0.6.4-2:
  * Reset nanny when client connection failed. (#1780)
  * Fix artifacts that use yara parameters to specify yara type (#1779)
  * Update release for bugfixes 0.6.4-2
  * Add update to ADSHunter for better output on complete system hunts (#28) (#1765)
  * SysmonInstall artifact now skips install if not needed (#1777)
  * Initial implementation of client side process tracker. (#1768)
  * Invalidate transformed cache when the base table changes. (#1742)
  * GUI Table widgets now can apply transformations on the table. (#1740)
  * Suppress warning message for offline collector (#1776)
  * Bug fix (#1774)
  * Avoid bash process lingering around while server is running (#1775)
  * oidc: Fix typo: Genric -> Generic (#1773)
  * Make MaxWait for event table settable. (#1772)
  * Fixed bug in Windows.Detection.Yara.Process (#1771)
  * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770)
  * Bugfix: Client did not update list of query columns (#1767)
  * Merge bugfixes from master branch. (#1769)
- Revendored dependencies.

- Update to version 0.6.4~git31.4298eab0:
  * Add artifact for chattrsnoop plugin
  * bpflib: ensure it's built only on linux and when requesting bpf
  * Add chattrsnoop plugin
  * tcpsnoop: Properly close module in case of attach error
  * Elastic.Events.Client: Update to use new artifactset type
  * Kafka.Events.Client: Update to use new artifactset type
  * artifacts: add artifactset parameter type
  * api: add type and description fields to v1/GetArtifacts endpoint
  * Add artifacts for dns/tcp snoop plugins

OBS-URL: https://build.opensuse.org/request/show/976934
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=17
2022-05-12 20:23:00 +00:00
3918cd153e Accepting request 976928 from home:jeff_mahoney:branches:security:sensor
- Update to version 0.6.4~git31.4298eab0:
  * Elastic.Events.Client: Update to use new artifactset type
  * Kafka.Events.Client: Update to use new artifactset type
  * artifacts: add artifactset parameter type
  * api: add type and description fields to v1/GetArtifacts endpoint

- Update to version 0.6.4~git31.4298eab0:
  * Elastic.Events.Client: Update to use new artifactset type
  * Kafka.Events.Client: Update to use new artifactset type
  * artifacts: add artifactset parameter type
  * api: add type and description fields to v1/GetArtifacts endpoint

OBS-URL: https://build.opensuse.org/request/show/976928
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=16
2022-05-12 18:34:03 +00:00
6b715abe43 Accepting request 976815 from home:jeff_mahoney:branches:security:sensor
- Update to version 0.6.4~git26.4407b9b7:
  * Add artifact for chattrsnoop plugin
  * bpflib: ensure it's built only on linux and when requesting bpf
  * Add chattrsnoop plugin
  * tcpsnoop: Properly close module in case of attach error
  * Add artifacts for dns/tcp snoop plugins
  * tcpsnoop: Add timestamp to generated events
  * dnssnoop: Add timestamp to generated events

- Update to version 0.6.4~git26.4407b9b7:
  * Add artifact for chattrsnoop plugin
  * bpflib: ensure it's built only on linux and when requesting bpf
  * Add chattrsnoop plugin
  * tcpsnoop: Properly close module in case of attach error
  * Add artifacts for dns/tcp snoop plugins
  * tcpsnoop: Add timestamp to generated events
  * dnssnoop: Add timestamp to generated events

OBS-URL: https://build.opensuse.org/request/show/976815
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=15
2022-05-12 17:50:00 +00:00
2d6a29d947 Accepting request 975255 from home:jeff_mahoney:security:sensor:devel
- Fix error handling in tcpsnoop and dnssnoop.
  * If BTF information is unavailable, there is no indication that the
    query has failed.

- Rebase on 0.6.4:
  * Updated dependencies
  * Bugfix: startup bugs (#1680)
  * bugfix: Server event notebook not correctly created (#1737)
  * Bugfix: Start a dummy indexing service (#1736)
  * Add bugfix which would return no rows if the user removed whitelist (#1735)
  * Fixed bug in read_reg_key (#1734)
  * BUGFIX: Do not include config flag when darwin installer is repacked (#1733)
  * Refactored index into its own service. (#1730)
  * Bugfix: Write one index item per JSONL record. (#1727)
  * Bugfix: Estimating client impact should consider last active status (#1726)
  * Add complete ntfs metadata option to MFT output (#1725)
  * Various bugfixes. (#1724)
  * Update Usn.yaml (#1723)
  * Fixed a bug in hunt download preparation. (#1722)
  * Add Windows.Forensics.Usn filter and presentation updates (#1720)
  * Optimize writing event monitoring records (#1721)
  * Add Generic.Detection.Yara.Zip (#1718)
  * Fixed crash on master-pong response. (#1719)
  * Remove _type option from elastic. (#1715)
  * Opportunistically update directly connected client's ping times (#1713)
  * Fixed a bug in hunt download preparation. (#1722)
  * Add Windows.Forensics.Usn filter and presentation updates (#1720)
  * Optimize writing event monitoring records (#1721)
  * Add Generic.Detection.Yara.Zip (#1718)
  * Fixed crash on master-pong response. (#1719)

OBS-URL: https://build.opensuse.org/request/show/975255
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=14
2022-05-05 18:38:36 +00:00