------------------------------------------------------------------- Tue Dec 19 14:24:44 UTC 2023 - Jeff Mahoney - Fix %SOURCE references. ------------------------------------------------------------------- Fri Dec 15 22:35:01 UTC 2023 - Jeff Mahoney - Temporarily use the NODE_MODULES BEGIN/END form of the node_modules service due to a bug in debbuild preventing Debian builds from succeeding. ------------------------------------------------------------------- Fri Dec 15 19:32:04 UTC 2023 - Jeff Mahoney - 0.7.0.4.git4.c1b68a5b - Update to version 0.7.0.4.git4.c1b68a5b: * hash: fix nil pointer dereference panic * velociraptor: add dummy main function for mage - Removed patch: * velociraptor-golang-mage-vendoring.diff - Switched to using go_modules and node_modules source services - Eliminated bespoke vendoring scripts. - Pulled sysuser definition into the velociraptor package. ------------------------------------------------------------------- Tue Dec 5 13:54:03 UTC 2023 - Darragh O'Reilly - Remove PrivateTmp and PrivateDevices settings in velociraptor-client.service (SENS-70) ------------------------------------------------------------------- Wed Nov 15 18:17:04 UTC 2023 - jeffm@suse.com - 0.7.0.4.git0.e09a0df8 - Update to version 0.7.0.4.git0.e09a0df8: * Add additional sanitization to HTML templates on JS side. 
(#2) (#3077) (CVE-2023-5950) * vql/linux/sdjournal: Fix open/close lifetimes * vql/linux/audit: fix shutdown races * vql/linux/audit: fix goroutine lifetimes * vql/linux/audit: limit messageQueue to within runService * vql/linux/audit: add auditService.Log() * vql/linux/audit: pull parts of shutdown into shutdown watcher * vql/linux/audit: remove unnecessary error handling for reassembler * vql/linux/audit: remove unused waitgroup from main event loop * vql/linux/audit: handle top-level cancelation properly * vql/linux/audit: make explicit that goroutines in the main errgroup don't return errors * vql/linux/audit: make stats reporting separate from debug prints * vql/linux/audit: simplify polling in listener * vql/linux/audit: tests, check various rule scenarios * vql/linux/audit: Add more client failure test cases * vql/linux/audit: Fix audit client lifecycle * vql/linux/audit: Change listener lifecycle to enable testing * vql/linux/audit: Fix DeleteRule in mock client * vql/linux/audit: Fix typo causing double-lock in notifyMissingRule * vql/linux/audit: Close reassembler if NewListenerBytes fails * vql/linux/audit: limit messageQueue scope to within runService * vql/linux/audit: Make messageQueue lifetime more apparent * vql/linux/audit: mainEventLoop shouldn't exit on canceled context * vql/linux/audit: Clean up context handling in shutdown goroutine * vql/linux/audit: fix test suite handling * bpf: only build libbpf in the go generate stage * bpf: add libbpf/include/uapi to the include path for bpf.h ------------------------------------------------------------------- Fri Nov 3 01:36:35 UTC 2023 - Jeff Mahoney - Enabled builds on CentOS 7/8 (currently without eBPF, needs llvm) - Enabled builds on Ubuntu 20.04 and 22.04 (23.* pending OBS changes) - Enabled builds on Debian 11, 12, Unstable, Testing, and Next - Limit server builds to x86_64 until esbuild issue is sorted ------------------------------------------------------------------- Tue Oct 31 20:07:16 UTC 
2023 - jeffm@suse.com - 0.7.0~git0.602f673 - Update to version sensor-base-0.7.0~git0.602f673: * vql/linux/audit: fix staticcheck checks * vql/linux/audit: gofumpt -extra * vql/linux/audit: don't overload EAGAIN * vql/linux/audit: actually add test cases * cronsnoop: fix panic when crontab has empty line * SUSE: Add docker-compose environment * SUSE: add Docker files * SUSE: Do build tests on every pull request * Github: Run build workflow on each pull request * vql/functions/hash: cache results on Linux * rpm: introduce rpm vql plugin * Add Linux.Sys.Bash to Server.Monitor.Shell artifact * Updating the NewFiles and ProcessStatuses Artifacts * vql/linux/cronsnoop: Add cronsnoop() plugin * Extend audit artifacts to use new interface * vql/linux/audit: rearchitect plugin for scalability * vql/linux/audit: use go-libaudit v2 for live audit message processing * file_store/directory/listener_bytes: Add listener to use serialized interface * utils/refcount: add simple refcount implementation * file_store/directory/buffer: add direct-serialized interface * Add artifact to monitor user group updates (#24) * Linux.Events.ProcessExecutions: catch 32-bit execve calls * Add custom artifacts for login and logout attempts recorded by auditd * vql/linux/bpflib: add sample vmlinux.h includes for test builds * vql/linux/bpf/chattrsnoop: Add plugin to catch changes to inode attributes * vql/linux/bpf/dnssnoop: Add dnssnoop() plugin * vql/linux/bpf/tcpsnoop: Add tcpsnoop plugin * vql/linux/bpf: add support to add bpf plugins for Linux * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal() * SUSE: Add SSHLogin artifacts * Update the Linux.Events.SSHLogin artifact to scan the systemd journal * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal * Add parser to read systemd journal on Linux * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path * linux: add lsattr() function to enumerate file attributes * github/workflows/linux: do apt-get 
update to refresh package lists * github: run testcases on Linux builds in new workflow * Add systemd-dev as build dependency for github workflow * magefile.go: use current architecture for Linux builds * build: update to mage 0.15 * Update tool dependencies on each build (#2987) (#2989) * Various Bugfixes (#2981) * Fixed IPv6 formatting in Windows.Forensics.UserAccessLogs (#2980) * Add Yara device scanning (#44) (#2978) * Added a sample bash script for offline collector generation. (#2975) * Implemented a fix for Windows.Timeline.Prefetch (#2974) * Include MAC addresses in client host dashboard (#2943) * logscale: fix stats_interval parameter handling (#2973) * Update Lnk.yaml (#2972) * [Snyk] Upgrade: @babel/core, @babel/plugin-transform-react-jsx, @babel/runtime (#2970) * add suspicious field and targeted default (#2971) * Add filesystem type to data returned by file accessor on Unix (#2967) * [Snyk] Upgrade axios-retry from 3.6.1 to 3.7.0 (#2963) * Implemented a writeback service to manage the writeback file. (#2966) * [Snyk] Upgrade axios-retry from 3.6.0 to 3.6.1 (#2949) * Added FAT accessor for parsing FAT filesystems (#2961) * [Snyk] Upgrade recharts from 2.7.3 to 2.8.0 (#2950) * [Snyk] Upgrade axios from 1.4.0 to 1.5.0 (#2951) * Fix device major/minor number calculations (#2958) * Relay hunt creation errors to the Hunts API (#2953) * [Snyk] Upgrade: @babel/core, @babel/runtime (#2948) * Improve various bits of VQL documentation (#2945) * Update bluemonday dependency. (#2941) * Users testcases (#2942) * Order columns in hostname flatten output (#2939) * Add a generic hostsfile artifact (#2930) * Report process names as well as pid for errors (#2937) * Send hard coded labels in periodic client info updates (#2935) * [Snyk] Upgrade ace-builds from 1.24.0 to 1.24.1 (#2932) * Add Modify() method to client info manager. 
(#2933) * Remove unused parameter by Bloodhound artifact (#2924) * [Snyk] Upgrade ace-builds from 1.23.4 to 1.24.0 (#2928) * Fix AptSources deb822 parsing bug and add deb822 test (#2926) * Bugfixes: Artifact bugs due to FullPath->OSPath refactor (#2923) * [Snyk] Upgrade: @babel/core, @babel/runtime (#2917) * fix: upgrade recharts from 2.7.2 to 2.7.3 * Update the config file docs. * Bugfix: Include tool versions from root org (#2913) * Fix issues in AptSources artifact and support deb822 format (#2851) * Disable compatibility with URL style paths (#2912) * [Snyk] Upgrade: @fortawesome/fontawesome-svg-core, @fortawesome/free-solid-svg-icons (#2907) * Added Windows.ETW.FileCreation (#2905) * Various documentation improvements (#2904) * [Snyk] Upgrade interactjs from 1.10.17 to 1.10.18 (#2902) * Update to latest SQLiteHunter (#2901) * [Snyk] Upgrade axios-retry from 3.5.1 to 3.6.0 (#2900) * Fix URL for VelociraptorWindowsMSI (#2868) * Allow embedded config to come from an external file (#2899) * Add OriginalFileName to Name regex search for better hunting (#2895) * Bugfix: Allow serve url to be set without materializing (#2894) * Bugfix: accessors should provide their underlying file (#2893) * Shuffle the list of URLs (#2888) * Create Mutants.yaml (#2877) * Added profile_memory() and profile_goroutines() VQL functions (#2887) * [Snyk] Upgrade ace-builds from 1.23.3 to 1.23.4 (#2883) * Create Notification.yaml (#2878) * Fix the issue of full cpus/ram when handling corrupted org (#2886) * [Snyk] Upgrade ace-builds from 1.23.2 to 1.23.3 (#2854) * Fix copy-pasted comment in Admin.Client.Uninstall artifact (#2872) * Create Windows.Detection.Registry.yaml (#2861) * [Snyk] Upgrade @babel/core from 7.22.8 to 7.22.9 (#2862) * fix: upgrade humanize-duration from 3.28.0 to 3.29.0 * fix test * Bugfix: Hunt creation with labels * Bugfix: CreateCollector bug in uploading to the cloud (#2852) * [Snyk] Upgrade ace-builds from 1.23.1 to 1.23.2 (#2850) * Merge fix for ntfs library, add 
back KapeTriage SDS target (#2849) * Encode download filename in UTF8 to support better i8n (#2848) * [Snyk] Upgrade @babel/core from 7.22.6 to 7.22.8 (#2846) * [Snyk] Upgrade axios-retry from 3.5.0 to 3.5.1 (#2847) * Bugfix: Add Cell From Flow adapted to new flow widgets (#2844) * Feature/humio plugin (#2617) * [Snyk] Upgrade @babel/runtime from 7.22.5 to 7.22.6 (#2841) * Implemented memory protections for notebook cell calculations (#2842) * Added search term label:none for unlabeled clients. (#2840) * Incorporate SQLiteHunter project (#2839) * Add RDP cache (#43) (#2838) * Leave collection behind when uploading to cloud (#2834) * Added a VSS accessor to automatically diff files from different vss (#2833) * Added query debug endpoint at http://localhost:6060/debug/query (#2832) * Fixed bug in KapeFiles Extract (#2830) * Various bug fixes (#2829) * [Snyk] Upgrade axios-retry from 3.5.0 to 3.5.1 (#2827) * [Snyk] Upgrade ace-builds from 1.23.0 to 1.23.1 (#2826) * Implement src IP filtering for the GUI (#2825) * Refactor code to wrap gopsutils (#2824) * Extended Client Event GUI to allow specifying max_wait (#2821) * Bump word-wrap from 1.2.3 to 1.2.4 in /gui/velociraptor (#2820) * Bugfix: Max Wait deadline was reset when a query returned a row (#2819) * Implemented better uploads UI for notebooks (#2816) * [Snyk] Upgrade ace-builds from 1.22.1 to 1.23.0 (#2812) * Modified glob() to return the globs that hit the result. (#2813) * [Snyk] Upgrade ace-builds from 1.22.0 to 1.22.1 (#2786) * Update ServiceCreationComspec.yaml (#2806) * [Snyk] Upgrade recharts from 2.7.1 to 2.7.2 (#2809) * [Snyk] Security upgrade @babel/core from 7.22.5 to 7.22.6 (#2787) * [Snyk] Upgrade recharts from 2.6.2 to 2.7.1 (#2794) * Bump semver from 5.7.1 to 5.7.2 in /gui/velociraptor (#2803) * Bugfix: Update GUI shell interface to use the new GetClientFlows API. 
(#2802) * RPM packaging: architecture autodetection & spec compliance (#2797) * Debian packaging: architecture autodetection & spec compliance (#2796) * Added Linux.Forensics.Journal artifact (#2799) * Bring back highlight for urgent collections. (#2795) * Update flow list view to use paged table (#2791) * Add lnk and test refresh (#2790) * Report total number of matching clients in search (#2789) * Rebuild the index from the client info snapshot (#2781) * [Snyk] Upgrade: @babel/core, @babel/plugin-syntax-flow, @babel/plugin-transform-react-jsx, @babel/runtime (#2783) * Update Favicons.yaml (#2780) * Write client info database to a snapshot (#2776) * Added an S3 accessor (#2774) * Removed unknown parameter 'Separator' from options in call of Artifac… (#2773) * Trimmed Spaces around labels in labels.go (#2771) * Bugfix: Allow `user_grant` to set roles through the policy (#2769) * [Snyk] Upgrade @popperjs/core from 2.11.7 to 2.11.8 (#2758) * Introduces the `really_do_it` argument to `org_delete` (#2767) * Audit user creation and user role modifications. (#2766) * Update Bam.yaml due to a dead link. Previous link is dead due to a website restructuring. 
(#2763) * [Snyk] Upgrade styled-components from 5.3.10 to 5.3.11 (#2759) * [Snyk] Upgrade: @babel/core, @babel/plugin-transform-react-jsx, @babel/runtime (#2757) * Update and rename Kerbroasting.yaml to Kerberoasting.yaml (#2754) * Bugfix: Org admin should see all orgs (#2753) * [Snyk] Upgrade ace-builds from 1.21.1 to 1.22.0 (#2750) * Correct UI typo and update translations (#2748) * Correct `scope` plugin reference typo (#2747) * [Snyk] Upgrade axios-retry from 3.4.0 to 3.5.0 (#2743) * Log error messages during rekeying (#2745) * [Snyk] Upgrade ace-builds from 1.21.0 to 1.21.1 (#2738) * Bump fast-xml-parser from 4.1.3 to 4.2.4 in /gui/velociraptor (#2739) * Bugfix: Sort flows before fetching them into the GUI (#2740) * Bump vite from 4.1.4 to 4.1.5 in /gui/velociraptor (#2736) * [Snyk] Upgrade ace-builds from 1.20.0 to 1.21.0 (#2733) * [Snyk] Upgrade qs from 6.11.1 to 6.11.2 (#2734) * Allow in place updating of simple result sets (#2732) * [Snyk] Upgrade recharts from 2.6.0 to 2.6.2 (#2727) * [Snyk] Upgrade ace-builds from 1.19.0 to 1.20.0 (#2728) * Update NetstatEnriched.yaml (#2724) * Update NetstatEnriched (#2723) * Added a leveldb plugin and parser for Chrome Session Storage. (#2722) * [Snyk] Upgrade recharts from 2.5.0 to 2.6.0 (#2720) * Allow SQLite files to be copied always. 
(#2719) * Add Linux.SuSE.Packages artifact (#2712) * Ehancement: Add Source field to Windows.Applicaiton.History to show sync status (#2716) * Revert "Add SyncStatus to History.yaml" (#2715) * Add SyncStatus to History.yaml (#2714) * Propagate default hunt expiry from the config to the GUI (#2713) * [Snyk] Upgrade ace-builds from 1.18.0 to 1.19.0 (#2709) * [Snyk] Upgrade react-bootstrap from 1.6.6 to 1.6.7 (#2710) * Updated the SQLECmd artifact to support MacOS and Linux (#2708) * Bugfix: http_client parameters did not handle url().Query objects (#2706) * [Snyk] Upgrade @babel/core from 7.21.5 to 7.21.8 (#2704) * Linux.RHEL.Packages: Silence dnf output (#2703) * Allow the inventory service to disable external fetching (#2701) * S3_Upload: Adding KMS and Prefix arguments (#2699) * [Snyk] Upgrade: @babel/core, @babel/plugin-transform-react-jsx, @babel/runtime (#2693) * http_client(): Don't drop responses with empty Content (#2696) * Treat Tool name+version as a unique tool. (#2697) * Updated Windows.KapeFiles.Targets to support multiple drives (#2692) * Added tgz support to the unzip() plugin. (#2691) * Bugfix: SkipVerify did not remove custom verification function. (#2690) * [Snyk] Upgrade axios from 1.3.6 to 1.4.0 (#2686) * Fix typo in vi.jsx (#2684) * Update Vietnamese language (#2681) * Copy scope responder when calling an VQL function. (#2682) * Added Vietnamese translation (#2680) * Bugfix: Miscounting total rows (#2679) * [Snyk] Upgrade axios from 1.3.5 to 1.3.6 (#2672) * Added a Certs authenticator (#2678) * [Snyk] Upgrade ace-builds from 1.17.0 to 1.18.0 (#2674) * [Snyk] Upgrade styled-components from 5.3.9 to 5.3.10 (#2677) * Block collections in locked down servers (#2667) * Allow additional event artifacts to be specified in client config. (#2664) * add fixed decoded data output as preview_upload method (#2663) * [Snyk] Upgrade ace-builds from 1.16.0 to 1.17.0 (#2662) * Added context menu for downloading VFS files. 
(#2659) * Bugfix: Total row count was inaccurate (#2658) * Refactored vfs widget (#2657) * Refactored VFS download GUI (#2656) * Add filters for hunting to Windows.System.Powershell.ModuleAnalysisCache (#2655) * Improved the artifact import GUI (#2654) * Modify Windows.EventLogs.ScheduledTasks (#2652) * [Snyk] Upgrade axios from 1.3.4 to 1.3.5 (#2650) * Fix typo - "filesyste" to "filesystem" (#2649) * Added binary parser for appcompatcache (#2645) * Improved eslint score (#2642) * Added a more complete text viewer implementation (#2641) * [Snyk] Upgrade react-datetime-picker from 4.2.0 to 4.2.1 (#2640) * [Snyk] Upgrade: @babel/core, @babel/plugin-syntax-flow (#2637) * [Snyk] Upgrade moment-timezone from 0.5.42 to 0.5.43 (#2638) * Added a filter to the artifact search screen (#2639) * Add network usage transfer summary suggestion (#2636) * Extend http_client() to support SMB urls. (#2635) * Handle client crashes by reporting to the server (#2634) * [Snyk] Upgrade: @fortawesome/fontawesome-svg-core, @fortawesome/free-solid-svg-icons (#2633) * [Snyk] Upgrade @popperjs/core from 2.11.6 to 2.11.7 (#2626) * [Snyk] Upgrade moment-timezone from 0.5.41 to 0.5.42 (#2627) * Initial implementation of alerting framework. (#2631) * Update tool definitions to support expected_hash and version (#2629) * Update test certs (#2625) * Refactored repository service. (#2624) * Forward audit events to a server artifact (#2623) * Document vql plugin and function permissions (#2620) * Added a lockdown mode to the server config. 
(#2619) * Added a VQL function upload_smb() (#2618) * Added upload_azure() function (#2616) * Added the EXPLAIN keyword (#2614) * [Snyk] Upgrade ace-builds from 1.15.3 to 1.16.0 (#2612) * [Snyk] Upgrade recharts from 2.4.3 to 2.5.0 (#2613) * Create monitoring_logs.go (#2611) * [Snyk] Upgrade @babel/core from 7.21.0 to 7.21.3 (#2609) * Add UserAccessLogs and formatting fix (#2607) * Bugfix: Preparing flow export from server artifact flows (#2606) * [Snyk] Upgrade styled-components from 5.3.8 to 5.3.9 (#2605) * Refactor launcher to split writing record and queuing message (#2604) * Added an SMB accessor (#2601) * Uplift client id validation to the client info manager (#2598) * Refactor launcher service to use a storage dependency (#2597) * Update Amcache.yaml (#2596) * Rework table filtering UI (#2595) * Splunk Configuration Details (#2594) * Implement TLS certificate pinning and Fallback Address (#2585) * [Snyk] Upgrade qs from 6.11.0 to 6.11.1 (#2593) * Fixed bug in grok library (#2592) * Add functionality to get efi variables (#2583) * Bugfix: Flow Deletion did not remove uploaded bulk files. (#2589) * Added hunt_update() VQL function to allow stopping/starting hunt (#2587) * Protect CryptCATAdmin functions behind dangerous api flag (#2586) * Close the WinVerifyTrust structure regardless of error. (#2584) * Added DISABLE_DANGEROUS_API_CALLS parameter (#2582) * [Snyk] Upgrade ace-builds from 1.15.2 to 1.15.3 (#2580) * [Snyk] Upgrade styled-components from 5.3.7 to 5.3.8 (#2581) * Bugfix: Trace file generator regression (#2579) * Restrict VerifyFileSignature to only run on a single thread. 
(#2578) * Dedudplicate labels in GUI (#2577) * Build(deps): Bump github.com/crewjam/saml from 0.4.12 to 0.4.13 (#2575) * Suppress logging to files for admin commands (#2571) * Add client id to client monitoring events (#2569) * Added START_HUNT permission to control who can start a hunt (#2566) * Added automated translations for missing terms (#2565) * More work on pedump vql function (#2557) * Add a hunt reconstruct command to recover hunt objects from logs. (#2556) * Bugfix: When exporting a sparse file also export the idx file. (#2555) * [Snyk] Upgrade moment-timezone from 0.5.40 to 0.5.41 (#2553) * Added pe_dump VQL function (#2554) * Bugfix: Race condition in minions (#2552) * Bugfix: Fixed bug in fifo plugin. (#2550) * Support reading raw devices with the file accessor. (#2549) * Bugfix: Lstat of device using NTFS accessor (#2547) * Refactored path handling in auth handlers (#2546) * Fixed base path bug (#2545) * Bugfix: Do not require repack to load a valid config (#2543) * Fixed incorrect usage of HTTP transport that broke in go1.19.6 (#2536) * Disabled http2 client. (#2535) * Build With go 1.19 (#2534) * Fix bug in template (#2533) * Prepare for 0.6.8-rc2 (#2529) * Bugfix: Parsing OSPath from list of components (#2528) * Bugfix: notebook export did not include uploads (#2527) * Bugfix: Client delete in non-root org did not invalidate cache (#2525) * Add 'Headers' to output * Sync KapeFiles.Targets artifact (#2522) * Allow http_client() to handle cookies. 
(#2520) * [Snyk] Upgrade ace-builds from 1.15.1 to 1.15.2 (#2519) * Added some Linux artifacts (#2514) * Refactoring side panel navigation as "main menu" navigation, tweaked the hamburger button (#2497) * Add Windows.Registry.PuttyHostKeys (#2516) * [Snyk] Security upgrade styled-components from 5.3.6 to 5.3.7 (#2491) * [Snyk] Upgrade ace-builds from 1.15.0 to 1.15.1 (#2504) * Update ModuleAnalysisCache.yaml (#2512) * Update description formatting (#2509) * Add first round of yara context updates (#2505) * Trigger client and server monitoring table rebuild (#2501) * Added more uploader tests (#2500) * Bugfix: Notebook Uploader so it reports filestore components. (#2499) * Added a max_row_buffer_size parameter (#2498) * Revamped the Metadata UI (#2496) * Added new artifact parameter type: server_metadata (#2494) * Bugfix: Server artifact running should use parent context for save (#2493) * Deduplicate glob hits (#2490) * Hex column types did not required hex encoding (#2488) * Pass collection_context to server artifact runner directly. (#2487) * [Snyk] Security upgrade is-svg from 4.3.2 to 4.4.0 (#2485) * Additional button labels, alt text for screen readers (#2486) * Reload inventory service from an event artifact (#2484) * Client summary react call should be ignored if call was cancelled. (#2483) * Record the client's install time in the writeback file. (#2482) * Fix bug in uploading of sparse files. (#2481) * Adding eslint support (#2480) * Explicitly set the data length in FileBuffer messages (#2479) * Adding label names to various buttons for accessibility (#2474) * Fixed x86 autoruns tool definition (#2477) * Use a more compact flow_id for hunts. (#2472) * Reuse the same session id for all flows in the same hunt. (#2471) * Implemented file_nocase for Linux and Darwin (#2468) * Bugfix: Timestamp detection assumed entire cell is a timestamp (#2467) * Implemented utf8 preserving Zip encoding. 
(#2464) * Bump golang.org/x/net from 0.5.0 to 0.7.0 (#2462) * Refactored repack functionality into a VQL function (#2461) * [Snyk] Upgrade axios from 1.2.5 to 1.2.6 (#2460) * [Snyk] Upgrade ace-builds from 1.14.0 to 1.15.0 (#2455) * [Snyk] Upgrade axios from 1.2.4 to 1.2.5 (#2456) * Fix crashes when parsing malformed PE and OLE files. (#2457) * Allow redirect when changing org selection (#2453) * [Snyk] Upgrade axios from 1.2.3 to 1.2.4 (#2448) * Store client path components in the uploads metadata (#2451) * Bugfix: syslog and csv watchers did not initialize scope (#2450) * Bugfix: missing rows in VFS ListDirectory (#2449) * Updated mail plugin to support skip_verify (#2447) * Fixed some race conditions (#2446) * [Snyk] Upgrade axios-retry from 3.3.1 to 3.4.0 (#2445) * Refactor and reimplement the pool client. (#2444) * Update ClientInfo message for pool client (#2442) * [Snyk] Upgrade: @babel/plugin-transform-react-jsx, @babel/runtime (#2440) * Track tool definitions by defining artifact (#2439) * [Snyk] Upgrade axios-retry from 3.3.1 to 3.4.0 (#2438) * Refactored event monitoring to not use globals (#2437) * Update WDigest.yaml (#2434) * Refactor and add tests for Linux.Remediation.Quarantine (#2433) * Reworked split_records() and parse_records_with_regex() (#2431) * [Snyk] Upgrade axios from 1.2.2 to 1.2.3 (#2429) * [Snyk] Upgrade react-datetime-picker from 4.1.1 to 4.2.0 (#2430) * minor changed to PSlist and DllList (#2428) * Fixed GUI to handle tables with varying columns per row. (#2425) * Split Windows.Sys.Users into two different artifacts (#2424) * Added progress reporting to offline collector (#2423) * Allow client side collections to be traced. 
(#2422) * [Snyk] Upgrade humanize-duration from 3.27.3 to 3.28.0 (#2421) * Added a tempfile based materializer to have safe queries (#2420) * Update Process.yaml (#2419) * Brought back the pool client (#2418) * Update Process.yaml (#2417) * [Snyk] Upgrade recharts from 2.3.1 to 2.3.2 (#2416) * Uploads are now deduplicated on store_as_name. (#2415) * Enrich SRUM artifact with the Username as well as SID (#2413) * Implemented a preview Column renderer (#2412) * [Snyk] Upgrade recharts from 2.3.0 to 2.3.1 (#2411) * Add PSList filters (#2407) * Put back the extra ForemanCheckin message on each post (#2410) * Send ClientInfo messages all the time (#2409) * Implement limits on server artifacts (#2406) * Support backwards compatibility comms with older clients. (#2405) * Implement collection limits on client (#2403) * Update go.yml (#2401) * Read flow object from storage for System.Flow.Completion (#2400) * Refactor client flow context manager (#2399) * [Snyk] Upgrade @babel/core from 7.20.7 to 7.20.12 (#2396) * Bump ua-parser-js from 0.7.32 to 0.7.33 in /gui/velociraptor (#2398) * utils/time.jsx: fix handling of nanosecond-resolution timestamps (#2397) * Memory uplift (#39) (#2394) * http_comms: create ring buffer temporary file in the same directory (#2393) * Update server artifact runner to use FlowRequests (#2392) * Added new client message type FlowRequest (#2391) * Allow default timezone to be specified on commandline (#2388) * [Snyk] Upgrade axios from 1.2.1 to 1.2.2 (#2387) * Verify FILESYSTEM_WRITE permission on copy() function (#2384) * Apply Minimum TLS version to the API server (#2383) * [Snyk] Upgrade: @babel/core, @babel/plugin-transform-react-jsx, @babel/runtime (#2382) * [Snyk] Security upgrade recharts from 2.2.0 to 2.3.0 (#2381) * Update and rename Server.Alerts.ProcessCreation.yaml to ProcessCreati… (#2380) * Update collection artifacts_with_results during execution (#2379) * Process monitoring messages with the new comms protocol. 
(#2378) * Create Windows.Detection.ProcessCreation (#2362) * Create Server.Alerts.ProcessCreation.yaml (#2363) * Fix time factor in FlowStat (#2377) * Refactored comms between client and server (#2375) * Update Splunk Artifact and notebook cells (#2374) * Allow for dynamic base_path (#2365) * Update ParentProcess.yaml (#2369) * Refactor: TLS config is now consitant for all TLS servers (#2367) * Bump json5 from 1.0.1 to 1.0.2 in /gui/velociraptor (#2366) * [Snyk] Upgrade ace-builds from 1.13.2 to 1.14.0 (#2361) * Add rate limits for client connections. (#2360) * Batch client log messages into JSONL groups (#2359) * Added client manager to keep track of all queries in the same flow. (#2358) * [Snyk] Upgrade ace-builds from 1.13.1 to 1.13.2 (#2356) * Added a client plugin vfs_ls (#2355) * Correct uninstall args for RPM based agents (#2354) * Fix download link colors in themes (#2349) * Theme fixes (#2346) * Refactored hunt and collection export code (#2347) * Use pageable tables for the VFS (#2343) * Compress all assets with brotli and serve them already compressed. 
(#2342) * Add BinaryRename update (#2341) * Vite improvements (#2340) * Update History.yaml (#2339) * Migrate GUI from create-react-app (CRA) to Vite (#2332) * Fix Linux.Sys.LastUserLogin (#2333) * Use 'auto' accessor to prevent issues with uploads (#2331) * Refactored audit logging (#2328) * Fix typo - 'Passowrd' to 'Password' (#2327) * Disable escape to close artifact editor (#2324) * Add starlark,yaml,xml, and float params (#2323) * Bump express from 4.17.2 to 4.18.2 in /gui/velociraptor (#2321) * [Snyk] Upgrade moment-timezone from 0.5.38 to 0.5.39 (#2319) * More fixes for Windows.System.VAD (#2317) * Bugfix: When org is not specified this JS code raised (#2315) * Fixed typo in VAD PR (#2313) * Add VAD protection message, status and type for completeness (#2312) * Bugfix: Do not materialize the VAD array in Windows.System.VAD (#2310) * Bugfix: Reset crypto cache when client is deleted (#2308) * Fixed Windows.Sys.Users artifact. (#2306) * Theme fixes and improvements (#2305) * Added an --msi flag to the config repack command (#2304) * Fix golden tests (#2302) * [Snyk] Upgrade ace-builds from 1.12.5 to 1.13.0 (#2301) * Bump decode-uri-component from 0.2.0 to 0.2.2 in /gui/velociraptor (#2299) * Fix freebsd build (#2298) * Bugfix: Collector timeout was set in ns (#2297) * Added write_jsonl plugin. (#2296) * Bugfix: Export notebook to zip broken (#2295) * Theme fixes (#2291) * User admin management screeb (#2212) * Use 'HuntDescription' value for hunt() 'description' value (#2289) * Add shaded container around artifact description content (#2287) * ACE editor font corrections (#2285) * Ensure reserved user names can not be used (#2284) * Theme fixes and improvements (#2283) * Fix example for dummy proxy in documentation (#2281) * Bugfix: uploads.json in the flow download refered to filestore paths (#2282) * Bugfix: Downloading CSV from table breaks with error. 
(#2280) * Theme fixes and improvements (#2278) * Upgrade Velociraptor's yara plugin to support yara 4.2.3 (#2277) * Fixed the Windows.KapeFiles.Extract artifact (#2275) * [Snyk] Upgrade ace-builds from 1.12.4 to 1.12.5 (#2269) * Added code to automatically reformat VQL in notebook. (#2271) * Bugfix: http_client was unable to open unix domain sockets (#2270) * [Snyk] Upgrade ace-builds from 1.12.3 to 1.12.4 (#2264) * Bugfix: Minions should not start the ServerMonitoringService (#2260) * Made threshold for sparse file expansions configurable. (#2259) * Bugfix: Export download supports expanding sparse files (#2258) * Bugfix: Do not expand sparse files when importing (#2257) * Bugfix: Store client specific dashboard in client space. (#2255) * Bugfix: Dashboard refresh button did not refresh it (#2254) * Return EOF from timed result set when reading past the end (#2253) * Fix context management in event table updates. (#2252) * Bugfix: Dashboard refresh button did not refresh it (#2251) * Theme fixes (#2250) * Bump loader-utils from 1.4.1 to 1.4.2 in /gui/velociraptor (#2249) * Fixed bug in line splitting in execve() plugin (#2248) * Fixed bug in VQL Drilldown view (#2246) * Update Server.Import.PreviousReleases (#2245) * Update colors in tree widget to match theme (#2243) * Font adjustments in themes (#2242) * Refactor the Windows.NTFS.MFT artifact for back compatibility (#2241) * Theme improvements and alignment (#2240) * Update user delete VQL and grant (#2238) * Refactored Org to OrgRecord protobuf (#2237) * Update parse_mft() and parse_usn() to allow drive prefix. (#2236) * Add choice to config wizard for allow list (#2234) * Bugfix: Allow client metadata with , (#2233) * [Snyk] Upgrade ace-builds from 1.12.0 to 1.12.3 (#2230) * Propagate user's prefered timezone for export tables (#2232) * MappingNameRegex fix (#2231) * More documentation of the config file. 
(#2228) * Bump loader-utils from 1.4.0 to 1.4.1 in /gui/velociraptor (#2225) * users: AddUserToOrg needs GetUserWithHashes or it will remove passwor… (#2227) * Refactored user management code into a separate module. (#2224) * [Snyk] Upgrade ace-builds from 1.11.1 to 1.12.0 (#2221) * [Snyk] Upgrade moment-timezone from 0.5.37 to 0.5.38 (#2222) * Added an LRU for ACL manager (#2223) * Enforce an allow list on plugins, functions and accessors (#2214) * tests: fix binary copying in CollectorSetupTest (#2210) * Update protobuf generation script (#2213) * Linux quarantine (#2211) * Bugfix: Flush server artifact logs into storage frequently (#2207) * Fix HTTP Params/Add HTTP Method Validation (#2203) * Bugfix: Sync NTFS (#2206) * file_store: handle watching artifacts with named sources (#2204) * Add Provider and ProviderRegex (#2198) * Bugfix: sparse files were not properly detected. (#2200) * Add timestamp_field, hostname_field, and hostname param to splunk_upload (#2187) ------------------------------------------------------------------- Tue Jul 18 09:31:19 UTC 2023 - Marcus Meissner - require the group / user only in the server build ------------------------------------------------------------------- Tue May 9 14:10:31 UTC 2023 - Marcus Rueckert - bump minimum nodejs to 18: building against 16 causes errors ------------------------------------------------------------------- Tue May 9 01:25:01 UTC 2023 - Jeff Mahoney - Provide sysuser template for velociraptor user and group. ------------------------------------------------------------------- Mon Mar 13 20:50:12 UTC 2023 - Jeff Mahoney - Test implementation for hash caching. - Added patches: * 0001-vql-functions-hash-cache-results-on-Linux.patch ------------------------------------------------------------------- Mon Mar 13 20:47:05 UTC 2023 - Jeff Mahoney - Build client for Debian-based distros using debbuild. Only build server on SUSE releases. 
-------------------------------------------------------------------
Sat Mar 11 03:11:19 UTC 2023 - Jeff Mahoney

- Merge client package into server spec and use _multibuild to create
  client package from same spec file.
- Adjust changelog to retain changes for client package.
- Fix building in static mode on earlier releases.
- Added patch: velociraptor-libbpfgo-only-build-libbpf.patch

-------------------------------------------------------------------
Fri Mar 10 18:54:37 UTC 2023 - Marcus Rueckert

- Tightening the security of the services a bit:
  - tmp files are now moved to /var/lib/velociraptor{,-client}/tmp from /tmp
  - run velociraptor server as user velociraptor instead of root;
    we do not really need root permissions here
  - introduce /var/lib/velociraptor/filestore to make it easier to split
    out large file upload
  - change permissions for the data directory and subdirectories to
      /var/lib/velociraptor/           u=rwX,go=      velociraptor:velociraptor
      /var/lib/velociraptor-client/    u=rwX,go=      root:root
  - change permissions of config directory to:
      /etc/velociraptor/               u=rwX,g=rX,o=  root:velociraptor
      /etc/velociraptor/server.config  u=rw,g=r,o=    root:velociraptor
      /etc/velociraptor/client.config  u=rw,go=       root:root

-------------------------------------------------------------------
Fri Mar 10 15:36:18 UTC 2023 - jeffm@suse.com

- 0.6.7.5~git6.73efb2a
- Update to version 0.6.7.5~git6.73efb2a:
  * libbpfgo: update submodule to require libzstd for newer libelf
  * utils/time.js: fix handling of nanosecond-resolution timestamps
  * libbpfgo: switch to using regular static builds
  * Create a new 0.6.7-5 release (#2385)
    - Verify FILESYSTEM_WRITE permission on copy() function (#2384)
      (bsc#1207936, CVE-2023-0242)
    - Also ensure client id is considered unsafe (bsc#1207937, CVE-2023-0290)
  * github/workflows/linux: do apt-get update to refresh package lists
- Remove unnecessary dependency on libtsan0.
- Allow velociraptor and velociraptor-client packages to coexist.
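The ownership and mode layout stated in the Fri Mar 10 18:54 entry above, as an added example that is not part of the velociraptor package or of this changelog: a POSIX shell audit that translates the entry's symbolic modes to octal (directory u=rwX,go= is 700, file u=rw,go= is 600, directory u=rwX,g=rX,o= is 750, file u=rw,g=r,o= is 640) and compares each path with GNU stat(1). The function names check_entry and audit_layout, the PREFIX argument, and the overridable user/group arguments are this example's own assumptions so that the audit can be rehearsed against a staged tree; only the top-level data directories are checked, not every subdirectory the entry also covers.

```sh
#!/bin/sh
# Added example (not part of the velociraptor package or its changelog):
# audit the ownership/mode layout from the Mar 10 2023 packaging entry.
# Assumes GNU coreutils stat(1). The function names, the PREFIX argument
# and the overridable user/group arguments are this example's own.

# Symbolic modes from the changelog entry translated to octal:
#   directory u=rwX,go=     -> 700      directory u=rwX,g=rX,o= -> 750
#   file      u=rw,go=      -> 600      file      u=rw,g=r,o=   -> 640

# check_entry PATH OCTAL_MODE OWNER GROUP
# Returns 0 when PATH exists with exactly that mode, owner and group.
check_entry() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    got_mode=$(stat -c %a "$path") || return 1
    got_owner=$(stat -c %U "$path") || return 1
    got_group=$(stat -c %G "$path") || return 1
    if [ "$got_mode" = "$want_mode" ] && [ "$got_owner" = "$want_owner" ] \
        && [ "$got_group" = "$want_group" ]; then
        echo "OK       $path $got_mode $got_owner:$got_group"
        return 0
    fi
    echo "MISMATCH $path: want $want_mode $want_owner:$want_group," \
         "got $got_mode $got_owner:$got_group"
    return 1
}

# audit_layout PREFIX [SVC_USER] [SVC_GROUP] [PRIV_USER] [PRIV_GROUP]
# PREFIX is / on a live host, or a staged tree for a dry run. The service
# account defaults to velociraptor:velociraptor and the privileged owner
# to root:root; both are overridable so the audit can run unprivileged
# against a staged copy. Returns the number of mismatching entries.
audit_layout() {
    prefix=${1%/}
    svc_user=${2:-velociraptor} svc_group=${3:-velociraptor}
    priv_user=${4:-root}        priv_group=${5:-root}
    fails=0
    check_entry "$prefix/var/lib/velociraptor"           700 "$svc_user"  "$svc_group"  || fails=$((fails + 1))
    check_entry "$prefix/var/lib/velociraptor-client"    700 "$priv_user" "$priv_group" || fails=$((fails + 1))
    check_entry "$prefix/etc/velociraptor"               750 "$priv_user" "$svc_group"  || fails=$((fails + 1))
    check_entry "$prefix/etc/velociraptor/server.config" 640 "$priv_user" "$svc_group"  || fails=$((fails + 1))
    check_entry "$prefix/etc/velociraptor/client.config" 600 "$priv_user" "$priv_group" || fails=$((fails + 1))
    return "$fails"
}

# On a live host run as root so every path is readable:  sh audit.sh /
if [ $# -gt 0 ]; then
    audit_layout "$@"
fi
```

The exit status is the mismatch count, so the script can gate a post-install check; a world-readable client.config (644 instead of 600) is reported as MISMATCH and counted, which matters because that file carries the client's enrolment material.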
-------------------------------------------------------------------
Thu Jan 26 20:06:09 UTC 2023 - jeffm@suse.com

- 0.6.7.4~git63.4a1ed09d
- Update to version 0.6.7.4~git63.4a1ed09d:
  * utils/time.js: fix handling of nanosecond-resolution timestamps
- Added patches:
  * velociraptor-reproducible-timestamp.diff

-------------------------------------------------------------------
Tue Jan 24 20:57:08 UTC 2023 - Jeff Mahoney

- Use obsinfo mtime to produce stable build timestamp (bsc#1207369).

-------------------------------------------------------------------
Tue Jan 24 15:07:09 UTC 2023 - jeffm@suse.com

- 0.6.7.4~git60.8abed37a:
- Update to version 0.6.7.4~git60.8abed37a:
  * http_comms: create ring buffer temporary file in the same directory
  * cronsnoop: plumb in real scope logging
  * cronsnoop: don't treat routine errors as fatal
  * cronsnoop: fix typo

-------------------------------------------------------------------
Sat Jan 21 04:07:38 UTC 2023 - Jeff Mahoney

- Fixed release detection to include Tumbleweed

-------------------------------------------------------------------
Sat Jan 21 02:20:07 UTC 2023 - Jeff Mahoney

- Increase required release to enable eBPF to SLE 15 SP2 and openSUSE
  Leap 15.2. Earlier versions don't have a usable eBPF and can't easily
  build llvm13.

-------------------------------------------------------------------
Sat Jan 21 01:44:59 UTC 2023 - Jeff Mahoney

- Remove dependency on bpftool. We use the vmlinux.h archive to provide
  vmlinux.h.

-------------------------------------------------------------------
Fri Jan 20 20:18:49 UTC 2023 - Jeff Mahoney

- Restored %defattr due to SLE12 using rpm-4.11.
- Fix builds in vendor code on SLE12
- Fix build in third_party/sdjournal due to older systemd on SLE12
- Added patches:
  - vendor-build-fixes-for-SLE12.patch
  - sdjournal-build-fix-for-SLE12.patch

-------------------------------------------------------------------
Fri Jan 20 16:37:17 UTC 2023 - Dirk Müller

- client: add memory limit to systemd unit

-------------------------------------------------------------------
Thu Jan 19 15:17:22 UTC 2023 - Jeff Mahoney

- Restore requirement to build with clang13. Newer versions cause
  libbpfgo to crash immediately.

-------------------------------------------------------------------
Thu Jan 19 14:36:42 UTC 2023 - Jeff Mahoney

- Added support for setting command line options via sysconfig

-------------------------------------------------------------------
Thu Jan 19 05:00:55 UTC 2023 - Jeff Mahoney

- 0.6.7.4~git53.0e85855
- Update to version 0.6.7.4~git53.0e85855:
  * sdjournal: work around missing _SYSTEMD_UNIT fields

-------------------------------------------------------------------
Thu Jan 19 01:01:09 UTC 2023 - Jeff Mahoney

- Clean up for Factory submission:
  - Make bpf-enabled builds conditional
  - Removed %defattr and combined service lines.
  - Change clang and llvm dependencies to use >= 13
  - Newer versions of clang hit a DWARF parsing bug in go < 1.19, so
    increase go version dependency
  - Define ExclusiveArch for x86_64, ppc64le, aarch64, and s390x.
    Neither the client nor the server builds on ix86.

-------------------------------------------------------------------
Mon Jan 9 16:01:44 UTC 2023 - Jeff Mahoney

- Added Restart=on-failure to restart the client automatically.
-------------------------------------------------------------------
Mon Dec 12 20:03:23 UTC 2022 - Jeff Mahoney

- 0.6.7.4~git51.a588d6e4
- Update to version 0.6.7.4~git51.a588d6e4:
  * magefile.go: use current architecture for Linux builds
  * Update libbpfgo submodule to include non-AMD64 build fixes
  * bpf: bpf expects s390 instead of s390x

-------------------------------------------------------------------
Wed Dec 07 04:21:36 UTC 2022 - Jeff Mahoney

- 0.6.7.4~git46.5d88d80:
- Update to version 0.6.7.4~git46.5d88d80:
  * contrib/kafka-humio-gateway: add new debug option for noisy events
  * contrib/kafka-humio-gateway: backoff and retry for metadata
  * vql/server/kafka: connect sarama logging to velociraptor logging
  * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
  * vql/server/kafka: set appropriate ClientID

-------------------------------------------------------------------
Wed Dec 07 02:49:56 UTC 2022 - Jeff Mahoney

- 0.6.7.4~git41.678ed56:
- Update to version 0.6.7.4~git41.678ed56:
  * rpm: introduce rpm vql plugin
  * users: extend DeleteUser testcase to ensure org membership was dropped
  * users: ensure baseline user state is correct
  * github: run testcases on Linux builds in new workflow
  * gui/reporting: update bluemonday dependency to latest
  * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
  * kafka-humio-gateway: add sample config file
  * Updating the NewFiles and ProcessStatuses Artifacts
  * cronsnoop: rework testcases to use t.TempDir
  * vql/linux/cronsnoop: Add cronsnoop() plugin
  * Extend audit artifacts to use new interface
  * audit: rearchitect plugin to scale better with multiple invocations
  * audit: use caller-allocated buffer
  * use github.com/jeffmahoney/go-libaudit/v2 for audit
  * Kafka.Events.Client: Update to use new artifactset type
  * Add artifact for chattrsnoop plugin
  * bpflib: ensure it's built only on linux and when requesting bpf
  * Add chattrsnoop plugin
  * Add artifact to monitor user group updates (#24)
  * vql/linux/dnssnoop: Add dnssnoop() plugin
  * Log Sudo/root command by auditd
  * Add custom artifacts for login and logout attempts recorded by auditd
  * Add tcpsnoop plugin
  * vql/linux/bpflib: add helper package for bpf plugins
  * libbpfgo: add submodule with forked repo for fully static builds
  * Add Kafka-Humio Gateway [Depends on PR#10] (#8)
  * Add a Kafka export plugin
  * SUSE: Add SSHLogin artifacts
  * SUSE: Do build tests on every pull request
  * Add systemd-dev as build dependency for github workflow
  * Update the Linux.Events.SSHLogin artifact to scan the systemd journal
  * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal
  * Add parser to read systemd journal on Linux
  * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path
  * linux: add lsattr() function to enumerate file attributes
  * Github: Run build workflow on each pull request
  * More fixes for Windows.System.VAD (#2317) (#2318)
  * Bugfix: When org is not specified this JS code raised (#2315) (#2316)

-------------------------------------------------------------------
Tue Dec 06 21:53:43 UTC 2022 - Jeff Mahoney

- 0.6.7.3~git41.fa6afa7:
- Update to version 0.6.7.3~git41.fa6afa7:
  * rpm: introduce rpm vql plugin
  * users: extend DeleteUser testcase to ensure org membership was dropped
  * users: ensure baseline user state is correct
  * github: run testcases on Linux builds
  * gui/reporting: update bluemonday dependency to latest
  * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
  * kafka-humio-gateway: add sample config file
  * Updating the NewFiles and ProcessStatuses Artifacts
  * cronsnoop: rework testcases to use t.TempDir
  * vql/linux/cronsnoop: Add cronsnoop() plugin
  * Extend audit artifacts to use new interface
  * audit: rearchitect plugin to scale better with multiple invocations
  * audit: use caller-allocated buffer
  * use github.com/jeffmahoney/go-libaudit/v2 for audit
  * Kafka.Events.Client: Update to use new artifactset type
  * Add artifact for chattrsnoop plugin
  * bpflib: ensure it's built only on linux and when requesting bpf
  * Add chattrsnoop plugin
  * Add artifact to monitor user group updates (#24)
  * vql/linux/dnssnoop: Add dnssnoop() plugin
  * Log Sudo/root command by auditd
  * Add custom artifacts for login and logout attempts recorded by auditd
  * Add tcpsnoop plugin
  * vql/linux/bpflib: add helper package for bpf plugins
  * libbpfgo: add submodule with forked repo for fully static builds
  * Add Kafka-Humio Gateway [Depends on PR#10] (#8)
  * Add a Kafka export plugin
  * SUSE: Add SSHLogin artifacts
  * SUSE: Do build tests on every pull request
  * Add systemd-dev as build dependency for github workflow
  * Update the Linux.Events.SSHLogin artifact to scan the systemd journal
  * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal
  * Add parser to read systemd journal on Linux
  * Linux.Detection.ImmutableFiles: Enumerate immutable files under a path
  * linux: add lsattr() function to enumerate file attributes
  * Github: Run build workflow on each pull request
  * Bugfix: Do not materialize the VAD array in Windows.System.VAD (#2311)
  * Sync to master's bugfixes (#2309)
  * Prepare for 0.6.7-2 release (#2300)
  * 0.6.7 sync (#2261)
  * 0.6.7 sync3 (#2256)
  * 0.6.7 sync (#2239)
  * Prepare a 0.6.7-rc3 (#2217)
  * Bugfix: sparse files were not properly detected. (#2200) (#2201)
  * Propagate progress timeout for collections. (#2193)
  * Verify client's key with or without the org id.
    (#2192)
  * Add Windows.System.Shares (#2191)
  * Allow artifacts to have aliases (#2190)
  * Added a regex_array column type to allow multiple regex to be set. (#2188)
  * [Snyk] Upgrade react-router-dom from 5.3.3 to 5.3.4 (#2180)
  * Add 'UsedBy' column to results (#2186)
  * Update flow and hunt download exports to use the container (#2185)
  * Disable toolbar buttons when no options are available (#2183)
  * Allow hunts to be scheduled on multiple orgs (#2182)
  * Update Windows PSList and VAD artifacts (#38) (#2181)
  * Add in amcache (#2176)
  * Added additional sources for UserAccessLogs (aka SUM) artifact (#2179)
  * Fixed tests (#2177)
  * [Snyk] Upgrade styled-components from 5.3.5 to 5.3.6 (#2174)
  * Page Cell logs in notebook (#2172)
  * Break client connection stats by org id (#2171)
  * Added a remapping export to Windows.Registry.NTUser (#2170)
  * Added tlsh hash (#2169)
  * Check sparse files for large size before padding them out. (#2167)
  * Linux and macOS Packet Capture Artifact Updates (#2168)
  * Update deps (#2166)
  * Add some suggested groks for parsing IIS logs (#2165)
  * Refactor collection container (#2163)
  * Implement transparent decryption for collector accessor (#2162)
  * [Snyk] Upgrade ace-builds from 1.11.0 to 1.11.1 (#2161)
  * Automatically decrypt collections with collector accessor (#2159)
  * Fix css colors. (#2158)
  * [Snyk] Upgrade ace-builds from 1.10.1 to 1.11.0 (#2156)
  * Retry reads on EOF in NTFS accessor (#2157)
  * Updated zip implementation to support crypto (#2155)
  * Target 'Cmdline' instead of 'CommandLine' (#2154)
  * Bugfix: Extra interpolation when client logs messages with % (#2152)
  * Add 'Active' column to show whether or not a firewall rule is enabled. (#2150)
  * Added test for encrypted offline collector. (#2149)
  * Update parsing for Dock plist details (#2148)
  * Implement filter for large artifact forms (#2147)
  * Add Public Key Encryption Support to Offline Collections (#2133)
  * Implemented a max memory grouper (#2146)
  * Check if setgid flag is set (#2145)
  * [Snyk] Upgrade react-overlays from 5.2.0 to 5.2.1 (#2144)
  * Add context to yara.NTFS (#36) (#2143)
  * Add `auth_redirect_template` config for handling unauthorized API calls (#2140)
  * Allow the user to specify a collection as urgent (#2139)
  * Fix typo, slightly improve translations (de,fr) (#2137)
  * Add 'CronScripts' query/source and 'Length' option (#2138)
  * Check sanity of inventory service for all orgs (#2136)
  * Change 'filename' to 'file' for upload (#2135)
  * Sync with latest NTFS changes. (#2134)
  * [Snyk] Upgrade classnames from 2.3.1 to 2.3.2 (#2130)
  * Added URLRegex to FireFox history (#2129)
  * Link to collection in host shell (#2128)
  * additional references (#2126)
  * Sync to go-ntfs (#2125)
  * Provide the option to expand sparse files in export (#2124)
  * Bugfix: Process address space lockup under some conditions (#2123)
  * Added URLRegex to Firefox and Chrome history (#2122)
  * Add note about RecentApps key not being available after Windows 10, version 1803 (#2119)
  * Expose the communicator's crypto manager (#2118)
  * Further refactor of the download handler. (#2117)
  * [Snyk] Upgrade ace-builds from 1.10.0 to 1.10.1 (#2114)
  * Uploaded files are now shown with client paths (#2116)
  * [Snyk] Upgrade recharts from 2.1.13 to 2.1.14 (#2115)
  * Maintain row count per query. (#2113)
  * Update Trackaccount.yaml (#2112)
  * Clean up artifact references (#2111)
  * Prevent null error when choosing to calculate hash and when providing authenticode information (#2109)
  * Add Length option and re-arrange output (#2107)
  * Bugfix: Merge file option should work with config show (#2108)
  * Always write content to lock files (#2106)
  * [Snyk] Upgrade ace-builds from 1.9.6 to 1.10.0 (#2102)
  * Authentication configuration error reporting/validation (#2101)
  * auth: don't return a base path with two leading slashes (#2100)
  * Added org report in root org dashboard (#2098)
  * [Snyk] Upgrade react-bootstrap from 1.6.5 to 1.6.6 (#2094)
  * [Snyk] Upgrade humanize-duration from 3.27.2 to 3.27.3 (#2095)
  * authenticode is a function and not a plug (#2092)
  * Allow '+' in usernames (#2093)
  * Attempt to decompress client messages if errors occur. (#2088)
  * Pass org config to mutations in MemcacheFileDataStore (#2087)
  * Support oauth with a different base path. (#2082)
  * Allow client->server compression to be disabled (#2081)
  * Keep track of collected results using collection status (#2075)
  * Enforce a hard timeout for incoming processing (#2074)
  * Expand API of user service to include context (#2071)
  * When creating a new org pass the new org id to the acl function (#2068)
  * Allow collect_client() etc to accept ArtifactSpec protobuf (#2067)
  * Only create initial orgs on first run. (#2066)
  * Bugfix: Do not start multiple communicators in windows service. (#2064)
  * Added initial_orgs to the config (#2063)
  * Bugfix: Server.Utils.DeleteClient over sanitized client id (#2061)
  * Fixed backwards compatible bug (#2057)
  * [Snyk] Upgrade ace-builds from 1.9.5 to 1.9.6 (#2055)
  * Fixed CSS for column selector ui (#2053)
  * Split server sanity checks into root org and other orgs (#2052)
  * collect each query's status separately (#2049)
  * Pass org ids in href parameters (#2047)
  * Org manager maintains services lifetime (#2045)
  * Added org_delete() function to remove orgs.
    (#2042)
  * Updated themes for context menu (#2041)
  * Made context menus settable in the config file (#2040)
  * Added Send to CyberChef context menu on table cells. (#2039)
  * [Snyk] Upgrade ace-builds from 1.9.3 to 1.9.5 (#2037)
  * [Snyk] Upgrade ace-builds from 1.8.1 to 1.9.3 (#2033)
  * Bugfix: watch_usn() was not flushing the mft LRU properly (#2032)
  * Bugfix: Maintain field order in sysmon based tracker (#2030)
  * Added regex protocols for int, float etc. (#2028)
  * Refactor client monitoring API to use service (#2027)
  * Bugfix: Switch GUI to first available org (#2025)
  * Update Linux pslist() to use CommandLine column (#2024)
  * Add embedded stager parse usecase (#34) (#2023)
  * update to clean up null fields (#2020)
  * Refactor code to propagate the context in more cases. (#2019)
  * Bugfix: Raw file accessor had different behaviour on Windows (#2018)
  * Cater for unknown parents in process tracker. (#2015)
  * Fix sense of multiple regexp in all() function (#2014)
  * Added all() and any() VQL functions (#2013)
  * Capitalize 'i' in config generation output (#2012)
  * Fixed crash in api_client command (#2010)
  * Update UserAccessLogs.yaml (#2009)
  * Fixed bug in UserAccessLog artifact (#2008)
  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2 (#2000)
  * Collect domain role info on interrogate (#1998)
  * Added new GUI column type for tree (#1997)
  * Fixed CSS to make column selector more visible (#1996)
  * Send a System.Upload.Completion event on server artifact upload (#1995)
  * Refactor of oauth code (#1993)
  * Added some helpful server artifacts (#1992)
  * Bugfix: "rpm server" command did not produce minion packages (#1991)
  * Add ability to delete monitoring events. (#1990)
  * Allow notebook GUI to set notebooks to public. (#1989)
  * Allow the user to change password in the GUI (#1988)
  * Added a delay() VQL function (#1987)
  * Fixed a crash when add_monitoring was called without parameters. (#1986)
  * Allow hunt() to limit by OS condition (#1985)
  * [Snyk] Upgrade ace-builds from 1.7.1 to 1.8.1 (#1984)
  * Fix "last_visit_time" timestamp (#1983)
  * Added Generic.System.ProcessSiblings (#1982)
  * [Snyk] Upgrade bootstrap from 4.6.1 to 4.6.2 (#1979)
  * General cleanup (#1977)
  * Update BinaryRename.yaml (#1976)
  * Support multi orgs in server-server communication (#1975)
  * Inventory service should upload tools to global public directory (#1973)
  * fixed path issue (#1972)
  * Support REG_MULTI_SZ in raw registry accessor (#1969)
  * fix: upgrade interactjs from 1.10.16 to 1.10.17 (#1968)
  * Update prefetch library to fix bug (#1965)
  * The "fs" accessor should also be org sensitive. (#1964)
  * Added user_grant() VQL function (#1963)
  * fix: upgrade interactjs from 1.10.14 to 1.10.16 (#1961)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1960)
  * Several security related bugfixes. (#1962)
  * Fixed bug in watch_evtx() (#1955)
  * fix: upgrade ace-builds from 1.7.0 to 1.7.1 (#1952)
  * Fixed visted_url typo (#1953)
  * Added NewOrg artifact to make creating new orgs easier. (#1951)
  * Fix broken deps due to Snyk merge (#1950)
  * build(deps): bump terser from 4.8.0 to 4.8.1 in /gui/velociraptor (#1946)
  * fix: upgrade recharts from 2.1.11 to 2.1.12 (#1945)
  * fix: upgrade @fortawesome/react-fontawesome from 0.1.18 to 0.2.0 (#1948)
  * Added orgs() plugin and user management (#1949)
  * fix: upgrade ace-builds from 1.6.1 to 1.7.0 (#1944)
  * Add new embedded pe in data section parse (#1943)
  * Refactor startup code (#1942)
  * fix: upgrade qs from 6.10.4 to 6.11.0 (#1941)
  * fix: upgrade recharts from 2.1.10 to 2.1.11 (#1939)
  * fix: upgrade ace-builds from 1.6.0 to 1.6.1 (#1938)
  * Added artifact Windows.Attack.IncorrectImagePath (#1927)
  * Account for pid reuse in process tracker. (#1936)
  * add precondition for only windows (#1935)
  * Make ddclient service parameters configurable (#1933)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1930)
  * fix: upgrade interactjs from 1.10.13 to 1.10.14 (#1918)
  * replace YaraUrl type (#1922)
  * Add other url yara fixes (#1921)
  * Update Glob.yaml (#1920)
  * Fixed bug in startup code. (#1919)
  * Initial commit of multitenant support (#1917)
  * Adds three Linux artifacts (#1916)
  * Fixed a crash when using artifact plugin with tools (#1915)
  * Added a collector accessor (#1912)
  * fix: upgrade interactjs from 1.10.11 to 1.10.13 (#1909)
  * fix: upgrade qs from 6.10.3 to 6.10.4 (#1910)
  * Japanese translation (#1906)
  * Fix Spanish translations. (#1907)
  * fix: upgrade react-overlays from 5.1.2 to 5.2.0 (#1904)
  * Add Shimcache reformat (#1892)
  * A couple of performance tweaks. (#1903)
  * Fix Amcache artifact (#1902)
  * Retry axios requests (#1901)
  * Revert "fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899)" (#1900)
  * fix: upgrade ace-builds from 1.5.2 to 1.5.3 (#1899)
  * Use the auto accessor as first level of VFS (#1898)
  * Theme fixes (#1895)
  * Added additional logging for windows client service (#1894)
  * Theme updates (#1893)
  * Prepare for release 0.6.5 (#1890)
  * Bugfix: CPU limit was not properly enforced on endpoint. (#1889)
  * fix: upgrade react-calendar-timeline from 0.27.0 to 0.28.0 (#1887)
  * fix: upgrade ace-builds from 1.5.1 to 1.5.2 (#1888)
  * Improve the Windows.Sys.StartupItems artifact (#1886)
  * Fixed the --remap flag (#1883)
  * Fixed bug in client_delete() (#1882)
  * Added a delete_flow VQL plugin (#1880)
  * Add fix for generic bin file payload (#1879)
  * Bugfix: Notebook calculation did not update cell (#1878)
  * fix: upgrade humanize-duration from 3.27.1 to 3.27.2 (#1877)
  * Revised Portuguese translation (#1876)
  * Update usn.go (#1873)
  * Added French language (#1874)
  * Updated German translation (#1875)
  * Refactor artifact plugin to be more efficient.
    (#1871)
  * Update de.js (#1870)
  * fix: upgrade ace-builds from 1.5.0 to 1.5.1 (#1867)
  * Refactor server artifacts service (#1868)
  * Refactored notebook into a service (#1863)
  * fix: upgrade react-router-dom from 5.3.2 to 5.3.3 (#1861)
  * fix: upgrade recharts from 2.1.9 to 2.1.10 (#1862)
  * Bugfix: raw registry accessor supports read_file() (#1859)
  * Add LogHunter - a generic grep over log capability (#1853)
  * Added a GUI element to easily filter log messages (#1858)
  * Added an oidc-cognito authenticator (#1854)
  * build(deps): bump tar from 6.0.5 to 6.1.11 in /gui/velociraptor (#1852)
  * fix: upgrade react-router-dom from 5.3.1 to 5.3.2 (#1850)
  * Fix ACE font handling (#1849)
  * Format timestamps opportunistically. (#1848)
  * Update cidr_contains() to return true if any of the ranges match. (#1847)
  * Sync KapeFiles and SQLECmd artifacts (#1845)
  * Prepare 0.6.5-rc1 release (#1844)
  * Added a default process tracker (#1843)
  * Implement log levels in VQL (#1839)
  * Theme development checkpoint (#1838)
  * fix: upgrade ace-builds from 1.4.14 to 1.5.0 (#1836)
  * fix: upgrade react-bootstrap from 1.6.4 to 1.6.5 (#1837)
  * Added an LRU VQL function (#1835)
  * Bugfix: VFS viewer was unable to access files with \ in name (#1832)
  * use group SID instead of name to get local admins (#1833)
  * Added Portuguese and Spanish languages (#1831)
  * fix: upgrade react-overlays from 5.1.1 to 5.1.2 (#1830)
  * Make display timezone user selectable (#1827)
  * Added Musl build target (#1826)
  * Fix deadlock in hunt dispatcher (#1825)
  * Theme tweaks (#1821)
  * add groupname parameter to LocalAdmins artifact (#1823)
  * Fix/activitescache glob expression - Timeline.yaml (#1824)
  * Update TemplateInjection.yaml (#1820)
  * Prevent text wrap on sidebar (#1819)
  * Added some missing translations (#1817)
  * Added Deutsch UI Language (#1816)
  * Support UNC paths in windows accessors. (#1815)
  * Add enrichment callback for process tracker (#1814)
  * Prevent null FailureActions error (#1811)
  * Make ACL manager pluggable. (#1813)
  * Allow custom override for GUI artifacts by default (#1810)
  * Refactored hunt related functions to use the hunt_dispatcher (#1807)
  * artifactset: add ability to select named sources (#1809)
  * UI enhancements (#1805)
  * Refactor: Create user manager service (#1804)
  * New themes and refactoring of existing CSS (#1801)
  * Bugfix: Server monitoring queries were not correctly cancelled. (#1803)
  * Add gunzip function (#1802)
  * GUI: Artifact selector (#1790)
  * Refactor and improve the way clients send query related information (#1800)
  * fix: upgrade axios from 0.26.1 to 0.27.2 (#1798)
  * Add Cobalt Strike carver sleep function capability (#1795)
  * Bugfix: Create new buffer to accumulate VQL results (#1794)
  * Make velociraptor_client executable in postint script (#1788)
  * Support addition on dicts (#1785)
  * fix: upgrade moment from 2.29.2 to 2.29.3 (#1782)
  * fix: upgrade react-router-dom from 5.3.0 to 5.3.1 (#1783)
  * Reset nanny when client connection failed. (#1780)
  * Fix artifacts that use yara parameters to specify yara type (#1779)
  * SysmonInstall artifact now skips install if not needed (#1777)
  * Suppress warning message for offline collector (#1776)
  * Bug fix (#1774)
  * Avoid bash process lingering around while server is running (#1775)
  * oidc: Fix typo: Genric -> Generic (#1773)
  * Make MaxWait for event table settable. (#1772)
  * Fixed bug in Windows.Detection.Yara.Process (#1771)
  * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770)
  * Initial implementation of client side process tracker. (#1768)
  * Bugfix: Client did not update list of query columns (#1767)
  * Fixed bug in ETWSessions artifact (#1766)
  * build(deps): bump async from 2.6.3 to 2.6.4 in /gui/velociraptor (#1761)
  * Add update to ADSHunter for better output on complete system hunts (#28) (#1765)
  * Add fix for duplicate entries from flatten bug (#1760)
  * build(deps): bump ejs from 3.1.6 to 3.1.7 in /gui/velociraptor (#1758)
  * build(deps): bump cross-fetch from 3.1.3 to 3.1.5 in /gui/velociraptor (#1759)
  * Fix undefined types in some artifact parameters (#1757)
  * Update Glob.yaml (#1754)
  * Bugfix: Unable to set cpu limits in hunt GUI (#1751)
  * Support case insensitive notebook cell types (#1747)
  * Fixed a bug in the Userassist artifact (#1746)
  * Bugfix: Hunt stats were not properly incremented (#1744)
  * Invalidate transformed cache when the base table changes. (#1742)
  * GUI Table widgets now can apply transformations on the table. (#1740)
  * Update FilenameSearch.yaml (#1741)

-------------------------------------------------------------------
Fri Nov 11 21:12:02 UTC 2022 - Jeff Mahoney

- 0.6.4.2~git86.b5931f7
- Update to version 0.6.4.2~git86.b5931f7:
  * cleanup: go mod tidy
- Fix vendoring of replaced modules.
- Only require libtsan0 on x86_64
- Only attempt to copy vmlinux.h if /sys/kernel/btf/vmlinux doesn't exist

-------------------------------------------------------------------
Fri Nov 11 20:13:00 UTC 2022 - Jeff Mahoney

- 0.6.4.2~git84.1b38fda
- Update to version 0.6.4.2~git84.1b38fda:
  * Clean up libbpfgo mess
  * libbpfgo: use forked repo for fully static builds
  * libbpfgo: sync to v0.4.4-libbpf-1.0.1
  * contrib/kafka-humio-gateway: add new debug option for noisy events
  * contrib/kafka-humio-gateway: backoff and retry for metadata
  * vql/server/kafka: connect sarama logging to velociraptor logging
  * vql/server/kafka: add exponential backoff (limited to 30s) for metadata retries
  * vql/server/kafka: set appropriate ClientID
  * libbpfgo: add selftest to build so testcases work
  * cronsnoop: rework testcases to use t.TempDir
  * cronsnoop: move external dependencies to end of import list
  * SSHLogin: require _TRANSPORT != 'kernel' from watch_journal()

-------------------------------------------------------------------
Fri Nov 11 20:08:20 UTC 2022 - Jeff Mahoney

- 0.6.4.2~git67.85b608e
- Update to version 0.6.4.2~git67.85b608e:
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact
  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2
  * kafka-humio-gateway: add sample config file
  * Updating the NewFiles and ProcessStatuses Artifacts
  * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
  * third_party/go-libaudit: don't directly use unix.*
  * Add Linux.Remediation.Quarantine artifact
  * Extend audit artifacts to use new interface
  * audit: rearchitect plugin to scale better with multiple invocations
  * third_party/go-libaudit: move handling of receive buffer to caller
  * third_party/go-libaudit: move buffer handling from netlink to audit
  * third_party/go-libaudit: allow audit fd to be pollable
  * third_party/go-libaudit: Add support for removing individual rules
  * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
  * third_party/go-libaudit: Report missing rules during deletion
  * import go-libaudit as a third-party module
  * quarantine: actually call the OS-specific artifact
  * artifactset: add ability to select named sources
  * GUI: Artifact selector (#1790)
  * host-info: make quarantine UI more robust with non-Windows client hosts
  * shell-viewer: default to Bash on non-Windows clients

-------------------------------------------------------------------
Thu Nov 10 15:22:27 UTC 2022 - Jeff Mahoney

- 0.6.4.2~git70.b7df8172
- Update to version 0.6.4.2~git70.b7df8172:
  * file_store: handle watching artifacts with named sources

-------------------------------------------------------------------
Thu Sep 29 14:16:05 UTC 2022 - Jeff Mahoney

- 0.6.4.2~git68.5226b23b
- Update to version 0.6.4.2~git68.5226b23b:
  * api/authenticators/basic: fix logoff endpoint
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact

-------------------------------------------------------------------
Fri Aug 19 21:07:15 UTC 2022 - Jeff Mahoney

- Updated vendoring.
- Fixed update-vendoring script to use an independent go module cache.
-------------------------------------------------------------------
Fri Aug 19 01:59:35 UTC 2022 - Jeff Mahoney

- 0.6.4.2~git59.5ebb49db
- Update to version 0.6.4.2~git59.5ebb49db:
  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2

-------------------------------------------------------------------
Thu Aug 11 19:40:21 UTC 2022 - Jeff Mahoney

- 0.6.4.2~git57.fcb11adf
- Update to version 0.6.4.2~git57.fcb11adf:
  * kafka-humio-gateway: add sample config file

-------------------------------------------------------------------
Fri Jul 15 14:30:49 UTC 2022 - Jeff Mahoney

- Updated BuildRequires to use go 1.17 after updating vendoring

-------------------------------------------------------------------
Fri Jul 15 02:24:03 UTC 2022 - Jeff Mahoney

- Add vmlinux.h from 5.18.9-2-default to provide type information
  (x86_64 only)

-------------------------------------------------------------------
Fri Jul 15 00:00:39 UTC 2022 - Jeff Mahoney

- 0.6.4.2~git56.47b4adb4
- Update to version 0.6.4.2~git56.47b4adb4:
  * Updating the NewFiles and ProcessStatuses Artifacts
  * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
  * third_party/go-libaudit: don't directly use unix.*
  * Add Linux.Remediation.Quarantine artifact
  * Extend audit artifacts to use new interface
  * audit: rearchitect plugin to scale better with multiple invocations
  * third_party/go-libaudit: move handling of receive buffer to caller
  * third_party/go-libaudit: move buffer handling from netlink to audit
  * third_party/go-libaudit: allow audit fd to be pollable
  * third_party/go-libaudit: Add support for removing individual rules
  * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
  * third_party/go-libaudit: Report missing rules during deletion
  * import go-libaudit as a third-party module
  * quarantine: actually call the OS-specific artifact
  * artifactset: add ability to select named sources
  * GUI: Artifact selector (#1790)
  * host-info: make quarantine UI more robust with non-Windows client hosts
  * shell-viewer: default to Bash on non-Windows clients

-------------------------------------------------------------------
Thu May 12 20:15:26 UTC 2022 - Jeff Mahoney

- 0.6.4.2~git16.e1b7fc0
- Update to upstream 0.6.4.2~git16.e1b7fc0:
  * Rebase on 0.6.4-2
  * Reset nanny when client connection failed. (#1780)
  * Fix artifacts that use yara parameters to specify yara type (#1779)
  * Update release for bugfixes 0.6.4-2
  * Add update to ADSHunter for better output on complete system hunts (#28) (#1765)
  * SysmonInstall artifact now skips install if not needed (#1777)
  * Initial implementation of client side process tracker. (#1768)
  * Invalidate transformed cache when the base table changes. (#1742)
  * GUI Table widgets now can apply transformations on the table. (#1740)
  * Suppress warning message for offline collector (#1776)
  * Bug fix (#1774)
  * Avoid bash process lingering around while server is running (#1775)
  * oidc: Fix typo: Genric -> Generic (#1773)
  * Make MaxWait for event table settable. (#1772)
  * Fixed bug in Windows.Detection.Yara.Process (#1771)
  * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770)
  * Bugfix: Client did not update list of query columns (#1767)
  * Merge bugfixes from master branch. (#1769)
- Revendored dependencies.
-------------------------------------------------------------------
Thu May 12 17:54:31 UTC 2022 - Jeff Mahoney

- 0.6.4~git31.4298eab0
- Update to version 0.6.4~git31.4298eab0:
  * Elastic.Events.Client: Update to use new artifactset type
  * Kafka.Events.Client: Update to use new artifactset type
  * artifacts: add artifactset parameter type
  * api: add type and description fields to v1/GetArtifacts endpoint

-------------------------------------------------------------------
Thu May 12 13:30:42 UTC 2022 - Jeff Mahoney

- 0.6.4~git26.4407b9b7
- Update to version 0.6.4~git26.4407b9b7:
  * Add artifact for chattrsnoop plugin
  * bpflib: ensure it's built only on linux and when requesting bpf
  * Add chattrsnoop plugin
  * tcpsnoop: Properly close module in case of attach error
  * Add artifacts for dns/tcp snoop plugins
  * tcpsnoop: Add timestamp to generated events
  * dnssnoop: Add timestamp to generated events

-------------------------------------------------------------------
Tue May 3 20:35:57 UTC 2022 - Jeff Mahoney

- Fix error handling in tcpsnoop and dnssnoop.
  * If BTF information is unavailable, there is no indication that the
    query has failed.

-------------------------------------------------------------------
Tue May 3 13:45:09 UTC 2022 - Jeff Mahoney

- Rebase on 0.6.4:
  * Updated dependencies
  * Bugfix: startup bugs (#1680)
  * bugfix: Server event notebook not correctly created (#1737)
  * Bugfix: Start a dummy indexing service (#1736)
  * Add bugfix which would return no rows if the user removed whitelist (#1735)
  * Fixed bug in read_reg_key (#1734)
  * BUGFIX: Do not include config flag when darwin installer is repacked (#1733)
  * Refactored index into its own service. (#1730)
  * Bugfix: Write one index item per JSONL record. (#1727)
  * Bugfix: Estimating client impact should consider last active status (#1726)
  * Add complete ntfs metadata option to MFT output (#1725)
  * Various bugfixes. (#1724)
  * Update Usn.yaml (#1723)
  * Fixed a bug in hunt download preparation. (#1722)
  * Add Windows.Forensics.Usn filter and presentation updates (#1720)
  * Optimize writing event monitoring records (#1721)
  * Add Generic.Detection.Yara.Zip (#1718)
  * Fixed crash on master-pong response. (#1719)
  * Remove _type option from elastic. (#1715)
  * Opportunistically update directly connected client's ping times (#1713)
  * Fixed a bug in hunt download preparation. (#1722)
  * Add Windows.Forensics.Usn filter and presentation updates (#1720)
  * Optimize writing event monitoring records (#1721)
  * Add Generic.Detection.Yara.Zip (#1718)
  * Fixed crash on master-pong response. (#1719)
  * Remove _type option from elastic. (#1715)
  * Opportunistically update directly connected client's ping times (#1713)
  * Fixed bug in VQL cell splitting. (#1712)
  * artifact for parsing macos packages (#1706)
  * Bugfix: Create a cell for each collected source (#1710)
  * artifact for parsing macos packages (#1706)
  * Bugfix: Create a cell for each collected source (#1710)
  * Added Server.Utils.CollectClient to simplify direct collections (#1708)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1705)
  * Fix build on Go 1.18 (#1704)
  * build(deps): bump minimist from 1.2.5 to 1.2.6 in /gui/velociraptor (#1703)
  * Mft update - add uSecZeros (#1701)
  * Server monitoring service will reload if an artifact is modified (#1702)
  * Refactor client info manager (#1700)
  * A number of bugfixes (#1699)
  * Update Windows.NTFS.MFT (#1698)
  * Actually export HumanString attribute on OSPath (#1689)
  * RHEL/CentOS/Fedora dnf packages (#1684)
  * Implemented Human Readable OSPath method. (#1688)
  * Added lazy MFT attributes (#1685)
  * Maintain OSPath in mft artifacts (#1683)
  * Fix bug in deaddisk remapping of directories. (#1682)
  * Bugfix: startup bugs (#1680)
  * Updated SQLECmd artifacts (#1677)
  * Artifact repository needs to watch for changes across nodes. (#1676)
  * Update auto accessor to re-open file with ntfs if read failed (#1674)
  * Fix MacOS.System.Plist artifact (#1673)
  * Error collection based on VQL logs (#1672)
  * Add memory limiting to offline collector (#1666)
  * Allow mount overlays (#1664)
  * build(deps): bump node-forge from 1.2.1 to 1.3.0 in /gui/velociraptor (#1661)
  * Fixed bugs in remapping logic. (#1660)
  * Fixed bug in the windows auto accessor. (#1658)
  * Elastic.Events.Clients: synchronize parameters with Elastic.Flows.Upload (#1657)
  * Add initial commit for Windows.NTFS.ExtendedAttributes (#1656)
  * Added a shadow remapping type (#1655)
  * Implemented an event notebook (#1654)
  * Add Windows.System.WMIQuery (#1651)
  * Fixed data race in progress throttler. (#1653)
  * Implemented timeout and cpu limits on offline collector. (#1650)
  * Added an rpm server command. (#1647)
  * Artifacts can now define suggestions for notebook cells. (#1646)
  * Allow multiple OIDC authenticators to be specified. (#1645)
  * Added a multi authenticator. (#1644)
  * Add HashHunter hash() update for performance (#1643)
  * Change the DNSCache Artifact to WMI (#1640)
  * Added an uploader for notebooks. (#1639)
  * Added hashselect arg option to hash() (#1637)
  * Add Generic.Detection.HashHunter and tests (#1638)
  * Added Generic.Collectors.SQLECmd (#1635)
  * Add BinaryHunter (#1634)
  * String artifact parameters can now have validator regex (#1628)
  * Implemented CPU rate limited for better control (#1622)
  * Added a client nanny to detect deadlocks (#1621)
  * Linux.Sys.Services artifact, parse services from systemctl (#1619)
  * Collect MAC addresses during interrogation and index them (#1611)
  * Allow parse_ntfs() to operate on an image file. (#1610)
  * Fix regression in VFSGetBuffer (#1605)
  * Added rekey() VQL function (#1604)
  * switch to uninstall string (#1603)
  * freebsd /etc/rc.d/velociraptor service script (#1602)
  * Add Windows.Registry.BackupRestore (#1601)
  * Optimized NTFS code for better speed and added more fields to parse_mft (#1599)
  * Update BinaryRename.yaml (#1598)
  * Added LinuxM1 (#1597)
  * Add explicit check of sticky keys (#1592)
  * Remote data store should identify retryable errors (#1590)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1588)
  * Add test improvement clear system log (#18) (#1586)
  * Modified Windows.Forensics.Prefetch to use VQL binary parser (#1585)
  * add Windows.NTFS.ADSHunter first commit (#17) (#1583)
  * Resolves Velocidex/velociraptor#1543 Create new VQL entropy() function (#1574)
  * Remove C time and updating naming (#1546)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1568)
  * Update OSPath protocols to support slices. (#1575)
  * Implement array slice notation in VQL and Server.Import.PreviousReleases (#1573)
  * add rtf TemplateInjection to Windows.Detection.TemplateInjection (#1572)
  * Change accessors API to deal with OSPath objects directly. (#1570)
  * Bump follow-redirects from 1.14.4 to 1.14.8 in /gui/velociraptor (#1567)
  * Added a deaddisk command to generate config (#1564)
  * Fix bug in Windows.System.Services (#1565)
  * Fixed glob expand braces order of operations. (#1560)
  * Added an offset and raw_file accessors (#1559)
  * Update CertUtil.yaml (#1558)
  * remove users to include the system path (#1536)
  * Implement remap() VQL function and remapping config (#1555)
  * Make GitHub actions more flexible on Windows (#1549)
  * Bump normalize-url from 4.5.0 to 4.5.1 in /gui/velociraptor (#1548)
  * Fix typo (#1547)
  * Refractor of accessors and path manipulations (#1545)
  * Dns etw update (#1544)
  * add PowershellProfile (#1542)
  * Added dynamic pubsub attributes (#1540)
  * Fix Windows.Applications.Chrome.History (#1539)
  * windows.application to windows.applications merge. New firefox history artefact (#1534)
  * Fixed race condition in zip accessor reference counting. (#1531)
  * Added Windows.Persistence.SilentProcessExit (#1530)
  * Add limitations section and lastwrite timestamp (#1529)
  * Offline collector FetchBinary should respect the IsExecutable flag (#1528)
  * update description, order by, and hidden keypath (#1527)
  * add limitations section (#1520)
  * Avoid holding index lock for too long. (#1519)
  * re-introduce Windows.Collectors.File with deprecation note (#1516)
  * add limitations to description and key path to query (#1514)
  * Retry remote datastore connections (#1513)
  * Write minion log files and autocert in its own dir. (#1512)
  * Synced KapeFiles artifacts (#1511)
  * Added data retention server artifacts (#1510)
  * Set an upper limit for ttl in memcache (#1508)
  * Add updates to Windows.System.Services (#15) (#1509)
  * Ensure collector container is properly closed when interrupted. (#1507)
  * Continually rebuild the index at runtime. (#1506)
  * Harder vacuum - directly move client task directories to the attic. (#1505)
  * add limitation disclaimer (#1504)
  * Reduce critial section to avoid deadlock in repository manager (#1503)
  * Implemented a vacuum command to remove old tasks from client queues. (#1501)
  * Better format profile metrics output. (#1495)
  * Cap size of directories and report large directories. (#1493)
  * Set ACE completers per editor to avoid global state. (#1492)
  * Add HttpOnly flag to all cookies. (#1491)
  * Refactor completion routine calls (#1490)
  * Limit size of cached directories. (#1483)
  * Add more instrumentation to memory caches. (#1482)
  * Fixed chart resizing bug (#1481)
  * Removed the old queries: list from artifacts. (#1480)
  * [Snyk] Fix for 9 vulnerabilities (#1479)
  * Remove lock around critical section. (#1478)
  * Added MacOS.Forensics.AppleDoubleZip (#1476)
  * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475)
  * Make index snapshot frequency configurable (#1474)
  * Bugfix: Setting notebook index did not escape username (#1471)
  * Flush index from memory to disk (#1470)
  * Fixed 2 bugs with the memcache file store (#1469)
  * Update flow active time when the result set is completed (#1468)
  * Tag artifacts as built ins (#1467)
  * Fixed bug in the pathspec() VQL function. (#1465)
  * fix APIConfigLoader not applying command line args (#1463)

-------------------------------------------------------------------
Mon May 02 14:55:07 UTC 2022 - Jeff Mahoney

- Resync with git repository:
  * Add artifact to monitor user group updates (#24)
  * Add dnssnoop plugin (#15)
  * Log Sudo/root command by auditd
  * Add custom artifacts for login and logout attempts recorded by auditd

-------------------------------------------------------------------
Fri Mar 18 14:12:59 UTC 2022 - Jeff Mahoney

- Update to version 0.6.3~git19.640f7a1c:
  * Add tcpsnoop plugin

-------------------------------------------------------------------
Tue Mar 15 13:31:21 UTC 2022 - Jeff Mahoney

- Update to version 0.6.3~git17.741ebb59:
  * kafka-humio-gateway: update README.md
  * kafka-humio-gateway: Fix missing variable rename
  * Add Kafka-Humio Gateway [Depends on PR#10] (#8)

-------------------------------------------------------------------
Tue Mar 15 01:04:29 UTC 2022 - Jeff Mahoney

- Update to version 0.6.3~git13.af7fdb00:
  * SUSE: Add SSHLogin artifacts
  * Add a Kafka export plugin
  * SUSE: Do build tests on every pull request
  * Add systemd-dev as build dependency for github workflow

-------------------------------------------------------------------
Fri Feb 18 00:52:01 UTC 2022 - Jeff Mahoney

- Update to version 0.6.3~git6.d95ed32e:
  * Update the Linux.Events.SSHLogin artifact to scan the systemd journal
  * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal
  * Add parser to read systemd journal on Linux
  * Add an artifact to enumerate immutable files under a path
  * Add chattr function support for linux
  * Make GitHub actions more flexible on Windows

-------------------------------------------------------------------
Thu Feb 10 02:12:54 UTC 2022 - Jeff Mahoney

- Add simple default configs and provide dirs in /var/lib for client
  and server.

-------------------------------------------------------------------
Mon Feb 7 14:40:47 UTC 2022 - Jeff Mahoney

- Temporarily re-enable Windows artifacts (LSS#4).

-------------------------------------------------------------------
Wed Feb 2 18:10:19 UTC 2022 - Jeff Mahoney

- Added systemd unit file and placeholder config file.

-------------------------------------------------------------------
Thu Jan 27 17:33:45 UTC 2022 - Jeff Mahoney

- Update to version 0.6.3~git0.69e0fffa:
  * Prepare for 0.6.3 release (#1515)
  * add limitations to description and key path to query (#1514)
  * Retry remote datastore connections (#1513)
  * Write minion log files and autocert in its own dir. (#1512)
  * Synced KapeFiles artifacts (#1511)
  * Added data retention server artifacts (#1510)
  * Set an upper limit for ttl in memcache (#1508)
  * Add updates to Windows.System.Services (#15) (#1509)
  * Ensure collector container is properly closed when interrupted. (#1507)
  * Continually rebuild the index at runtime. (#1506)
  * Harder vacuum - directly move client task directories to the attic. (#1505)
  * add limitation disclaimer (#1504)
  * Reduce critial section to avoid deadlock in repository manager (#1503)
  * Implemented a vacuum command to remove old tasks from client queues. (#1501)
  * Better format profile metrics output. (#1495)
  * Cap size of directories and report large directories. (#1493)
  * Set ACE completers per editor to avoid global state. (#1492)
  * Add HttpOnly flag to all cookies. (#1491)
  * Refactor completion routine calls (#1490)
  * fix: upgrade react-bootstrap from 1.3.0 to 1.6.4 (#1486)
  * fix: upgrade http-proxy-middleware from 1.0.5 to 1.3.1 (#1485)
  * fix: upgrade react-ace from 9.1.3 to 9.5.0 (#1487)
  * fix: upgrade recharts from 2.0.9 to 2.1.8 (#1488)
  * fix: upgrade react-datetime-picker from 3.0.4 to 3.4.3 (#1489)
  * Limit size of cached directories. (#1483)
  * Add more instrumentation to memory caches. (#1482)
  * Fixed chart resizing bug (#1481)
  * Removed the old queries: list from artifacts. (#1480)
  * [Snyk] Fix for 9 vulnerabilities (#1479)
  * Remove lock around critical section. (#1478)
  * Added MacOS.Forensics.AppleDoubleZip (#1476)
  * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475)
  * Make index snapshot frequency configurable
  * fix APIConfigLoader not applying command line args (#1463)
  * Flush index from memory to disk (#1470)
  * Prepare RC2 (#1473)
  * Bugfix: Setting notebook index did not escape username (#1471)
  * Fixed 2 bugs with the memcache file store (#1469)
  * Update flow active time when the result set is completed (#1468)
  * Tag artifacts as built ins (#1467)
  * Fixed bug in the pathspec() VQL function. (#1465)
  * Update PrivateKeys.yaml (#1459)
  * Added recursion_callback option to the glob plugin (#1461)
  * Added config wizard for multi-frontend configuration (#1460)
  * Calculate the sha256 hash of the offline container. (#1458)
  * Artifact inspection GUI now allows pivot. (#1457)
  * Client certs can now be specified in the config file. (#1456)
  * New Upload File Form element (#1455)
  * Added a sparse accessor (#1453)
  * Hunt wizard estimates clients affected (#1452)
  * Make the interrogation process customizable. (#1451)
  * Update Info.yaml (#1427)
  * Improved Lnk parser to include additional fields. (#1449)
  * Added a Yara GUI element editor. (#1447)
  * Added patch and merge to `config show` and `config generate` (#1445)
  * Remove usage of FatalIfError from main module (#1443)
  * Introduced a dedicated pathspec object (#1440)
  * Bump is-svg from 4.2.2 to 4.3.0 in /gui/velociraptor (#1437)
  * Only pass client config in the client VQL scope. (#1436)
  * rework protobuf message generator (#1435)
  * Update Autoruns.yaml
  * Added test for filefinder (#1431)
  * fix filters in filefinder artifact (#1430)
  * Add Artifact to collect KapeFile targets on Linux (#1426)
  * Enabled lazy quotes on csv parser (#1424)
  * Fixed bug in client comms. (#1423)
  * Add document filter for better usability (#1421)
  * Added resource information to the output of parse_pe() (#1420)
  * Low latency client connectivity discovery (#1419)
  * Add RecentDocs collection (#1416)
  * Update Amcache artifact for clarity (#1415)
  * Added extra parameters to parse_csv() (#1413)
  * Added netcat plugin to read from socket (#1412)
  * Updated SRUM with Network Usage and Upload option (#1408)
  * Synced darwin and freebsd file accessor with the linux one. (#1409)
  * Added Windows.Forensics.SAM artifact (#1404)
  * Initial artifacts can be specified in config (#1403)
  * Add conhost.exe to binary rename (#1402)
  * Add update Prefetch Btime execution fix (#1398)
  * Update Prefetch timeline (#1397)
  * Cleanup search API (#1396)
  * Update protobuf dependencies. (#1394)
  * More multi-frontend optimizations (#1393)
  * Client info manager now keeps track of scheduled tasks. (#1392)
  * add sid and lookupsid plugin (#1388)
  * Add Mutant whitelist (#1387)
  * Notify currently connected clients on new hunts (#1386)
  * Index rebuild command loads new index service. (#1385)
  * Changes to support distributed architecture. (#1384)
  * Added procdump and procdump64 (#1382)
  * Fixed heavy mutex contention in the labeler. (#1375)
  * Add shellcode to CobaltStrike carver (#10) (#1373)
  * Added an index rebuild command. (#1369)
  * GUI artifact form was ignoring the friendly name attribute (#1368)
  * Added a specialized form element for regex parameters. (#1367)
  * Added a gRPC based remote datastore (#1366)
  * Display all subauthorities for GUID in SRUM (#1365)
  * Verify all gRPC peer certificates were signed by the Velociraptor CA (#1362)
  * Implemented MemcacheFileDatastore - memory caching with file backend (#1361)
  * Added new plugins to manipulate event tables easier. (#1355)
  * Refactored in memory datastore to be more efficient. (#1353)
  * Sync vfilter (#1351)
  * Add both fqdn and hostname to the client search table (#1350)
  * BUGFIX: Datastore on windows is unable to represent files with . (#1348)
  * Added buffer_size parameter to parse_records_with_regex() (#1347)
  * Propagate column types from artifact to flow notebook. (#1346)
  * Cobalt parser update (#1345)
  * Allow listener to not use file buffer. (#1344)
  * Fix Deployment documentation link in README (#1343)
  * Preserve uint64 types across Listener (#1341)
  * Fix spelling (#1339)
  * Refactored queue listener to preserve order. (#1340)
  * Added a magic() VQL function (#1338)
  * Fixed bug in CSS (#1337)

-------------------------------------------------------------------
Thu Jan 27 17:27:42 UTC 2022 - Jeff Mahoney

- Update to version 0.6.2~git0.8dd598b2:
  * Update ese parser to fix timestamp bug
  * Prepare final 0.6.2 release (#1363)
  * Verify all gRPC peer certificates were signed by the Velociraptor CA
  * Removed search index parallelism (#1358)
  * Added new plugins to manipulate event tables easier. (#1355)
  * Sync vfilter (#1351)
  * Add both fqdn and hostname to the client search table (#1350)
  * BUGFIX: Datastore on windows is unable to represent files with . (#1348)
  * Added buffer_size parameter to parse_records_with_regex() (#1347)
  * Propagate column types from artifact to flow notebook. (#1346)

-------------------------------------------------------------------
Thu Jan 6 21:50:43 UTC 2022 - Jeff Mahoney

- client: Remove dependencies on nodejs since we don't use it in client
  mode.

-------------------------------------------------------------------
Thu Jan 6 20:14:39 UTC 2022 - Jeff Mahoney

- Update to version 0.6.2~git73.dc02b45e:
  * Update PrivateKeys.yaml (#1459)
  * Added recursion_callback option to the glob plugin (#1461)
  * Added config wizard for multi-frontend configuration (#1460)
  * Calculate the sha256 hash of the offline container. (#1458)
  * Artifact inspection GUI now allows pivot. (#1457)
  * Client certs can now be specified in the config file. (#1456)
  * New Upload File Form element (#1455)
  * Added a sparse accessor (#1453)
  * Hunt wizard estimates clients affected (#1452)
  * Make the interrogation process customizable. (#1451)

-------------------------------------------------------------------
Tue Dec 21 20:25:43 UTC 2021 - Jeff Mahoney

- Disable Windows artifacts. We don't target Windows endpoints and the
  queries clutter the GUI.

-------------------------------------------------------------------
Thu Dec 16 14:12:05 UTC 2021 - Jeff Mahoney

- Switch to using master branch via service files.
- Added update-vendoring.sh to update the nodejs and go dependencies
  after version update.
- Now building the client with linux_bare target that disables the GUI
  for endpoint usage.
- Patch the version string to reflect the package version instead of an
  indistinguishable -dev.

-------------------------------------------------------------------
Thu Dec 2 01:46:34 UTC 2021 - Jeff Mahoney

- Initial packaging.