This PR adds a Kafka plugin that can be used to export events to a Kafka instance. The instance is expected to be running in the same container ecosystem as the velociraptor server. We do this so that we can ensure that events are queued properly if the Humio server can't be reached. Once the events are queued, a consumer formats and forwards them to Humio.

This PR allows the builder to create their own template pages for unauthenticated users, unauthorized users, and logoff rather than relying on the default simple html messages. This works only for OAUTH2 for now.

I'm unable to run Generic.Client.Info.

The reproducer is:

• click Hunt Manager in the menu
• click New Hunt
• click Select Artifacts, select Generic.Client.Info
• click Launch
• -> error pops up: Error: Unknown artifact reference Windows.Sys.Users

Maybe I was looking in a wrong place, but it seems that the following precondition is not evaluated correctly: velociraptor/artifacts/definitions/Generic/Client/Info.yaml

  - name: Users
    precondition: SELECT OS From info() where OS = 'windows'
    query: |
      SELECT Name, Description, Mtime AS LastLogin
      FROM Artifact.Windows.Sys.Users()

It might be also caused by the following line in the spec file: rm -rf artifacts/definitions/Windows

This PR implements a new artifact picker interface for the configuration UI. The gist is that rather than having to hand-assemble a CSV that describes the artifacts to include as parameters, the user can use a set of switches to select the artifacts visually. The artifact itself doesn't need to be modified once enabled and reconfigured. I've converted the Kafka.Events.Client artifact to use it.

This prq adds the chattr plugin as per SENS-20. Example json output of an event:

 {
  "Timestamp": "2022-04-12 13:50:42",
  "Path": "/root/get-num-extwriters.py",
  "Dir": false,
  "Sha256sum": "f01b48d4763f5b122d218c1faff8419ca41b27b1f3161984790f82b90fa85675",
  "Action": "SET"
 }

In case we have a directory the hash sum won't be calculated. THe bpf code is coded such that an event is triggered only when it will result in an actual change of immutable state i.e 2 or more consecutive set or clear operations would result in a single event being produced.

Tested on both 5.3 kernel and upstream.

Here is the initial implementation of the tcp connection snooping. I'm sending now so that people can try running this on their machines and report any problems with the ebpf code loading. In order to build the ebpf code you'd need to run

make linux CLANG=clang-13 LLVM_STRIP=llvm-strip-13 LIBBPF_SRC=/root/bcc/src/cc/libbpf

CLANG/LLVM_STRIP should point to a recent enough (at least version 10) clang compiler and respective strip binary and LIBBPF_SRC should point to the root directory of a libbpf checkout. It's important to run the make linux target as it includes the extra command necessary to build libbpf as a static library and also build the ebpf object.

If your kernel doesn't have CONFIG_DEBUG_INFO_BTF then the path to an external btf file can be provided via TCPSNOOP_BTF environmental variable.

The vmlinux.h file is generated from kernel 5.5

While velociraptor-client package contains only client, velociraptor package contains both server and client functionality. Unfortunately, the following client files are not part of the velociraptor package:

/etc/velociraptor/client.config
/usr/lib/systemd/system/velociraptor-client.service

This PR resolves SENS-46 and provides iteration and tailing of the systemd journal. It depends on the installed journald shared library, but this should be expected on any system that provides the journal.

Velociraptor has been building fine on OBS but it's limited to x86_64 and i586 (and we don't care about i586). This PR includes fixes for building Velociraptor on non-x86_64 and syncs the libbpfgo submodule to include changes pushed upstream for building on non-x86_64.

The only code change is the handling of the MAP_32BIT flag for mmap() in libbpfgo which nothing should be using anyway.

When watch_monitoring() is called to monitor an artifact with a named source, it returns immediately with zero results and nothing in the log.

It turns out that file_store/directory/queue QueuePool.NewListener was failing silently due to the path containing a slash in it. This commit replaces the slash with three dots and reports an error when it happens in NewListener.

This PR allows display of MAC Addreses in the host info dashboard as well as allows interrogation to produce network configuration information on Linux.

If any of the cron files that cronsnoop is expected to monitor is missing, it calls log.Fatal which causes the client to exit. We should log an error and continue.