From b0d9a7282398ef4be4ed7e88f0a008cbca84a1c7 Mon Sep 17 00:00:00 2001
From: Darragh O'Reilly
Date: Wed, 22 Nov 2023 13:07:18 +0000
Subject: [PATCH 1/6] docker: allow server to load artifacts from a directory
---
 SUSE/docker-compose/artifacts/README.md | 4 ++++
 SUSE/docker-compose/docker-compose.yml | 1 +
 SUSE/docker/Dockerfile | 1 +
 SUSE/docker/Dockerfile.devel | 1 +
 SUSE/docker/Dockerfile.local | 1 +
 SUSE/docker/entry-point.sh | 2 +-
 6 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 SUSE/docker-compose/artifacts/README.md
diff --git a/SUSE/docker-compose/artifacts/README.md b/SUSE/docker-compose/artifacts/README.md
new file mode 100644
index 000000000..74d1a063c
--- /dev/null
+++ b/SUSE/docker-compose/artifacts/README.md
@@ -0,0 +1,4 @@
+Placeholder file
+=
+
+This file is a placeholder so that the artifacts directory exists in the Git repository.
diff --git a/SUSE/docker-compose/docker-compose.yml b/SUSE/docker-compose/docker-compose.yml
index 8176f19c7..6975c4e41 100644
--- a/SUSE/docker-compose/docker-compose.yml
+++ b/SUSE/docker-compose/docker-compose.yml
@@ -44,6 +44,7 @@ services:
 - ./config/velociraptor:/config
 - ./data/velociraptor:/data
 - ./logs/velociraptor:/logs
+ - ./artifacts:/artifacts
 - /var/lib/ca-certificates/ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt:ro
 labels:
 traefik.enable: "true"
diff --git a/SUSE/docker/Dockerfile b/SUSE/docker/Dockerfile
index 6655f00b5..807649403 100644
--- a/SUSE/docker/Dockerfile
+++ b/SUSE/docker/Dockerfile
@@ -17,6 +17,7 @@ LABEL org.opensuse.reference="registry.opensuse.org/security/sensor/containers/l VOLUME /data VOLUME /logs VOLUME /config +VOLUME /artifacts # API EXPOSE 8801
diff --git a/SUSE/docker/Dockerfile.devel b/SUSE/docker/Dockerfile.devel
index 41178c703..e26cf2814 100644
--- a/SUSE/docker/Dockerfile.devel
+++ b/SUSE/docker/Dockerfile.devel
@@ -3,6 +3,7 @@ FROM opensuse/leap:15.4 VOLUME /data VOLUME /logs VOLUME /config +VOLUME /artifacts # API EXPOSE 8801
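Review bot: The new `./artifacts:/artifacts` bind mount is read-write, although the only consumer visible in this patch is the frontend loading definitions from it via `--definitions=/artifacts` in entry-point.sh, and artifact definitions are presumably run by the server itself, so anything in the container that can write to this directory can change what the server loads on every restart and that change survives on the host. Mounting it like the ca-bundle on the next line, `- ./artifacts:/artifacts:ro`, keeps the host copy authoritative; if the server does need to write there, that should be stated in a comment on the mount. The `VOLUME /artifacts` lines added to Dockerfile, Dockerfile.devel and Dockerfile.local declare the path but say nothing about what is expected there; a one-line `# additional artifact definitions, read at startup` comment above them would help operators.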
diff --git a/SUSE/docker/Dockerfile.local b/SUSE/docker/Dockerfile.local
index da7aa7edc..9a76bda65 100644
--- a/SUSE/docker/Dockerfile.local
+++ b/SUSE/docker/Dockerfile.local
@@ -3,6 +3,7 @@ FROM opensuse/leap:15.4 VOLUME /data VOLUME /logs VOLUME /config +VOLUME /artifacts # API EXPOSE 8801
diff --git a/SUSE/docker/entry-point.sh b/SUSE/docker/entry-point.sh
index b2267d062..8e4dec279 100644
--- a/SUSE/docker/entry-point.sh
+++ b/SUSE/docker/entry-point.sh
@@ -7,4 +7,4 @@ if test ! -e "${SERVER_CONFIG}"; then /generate-config.sh fi
-exec velociraptor frontend -v --config "${SERVER_CONFIG}"
+exec velociraptor frontend -v --config "${SERVER_CONFIG}" --definitions=/artifacts
From 1e5e0e37f38a8b3133801280abe1b34780fb07b8 Mon Sep 17 00:00:00 2001
From: Darragh O'Reilly
Date: Wed, 22 Nov 2023 13:12:10 +0000
Subject: [PATCH 2/6] docker: fix sed command in generate-config.sh
---
 SUSE/docker/generate-config.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SUSE/docker/generate-config.sh b/SUSE/docker/generate-config.sh
index 67b010605..5a2da9634 100644
--- a/SUSE/docker/generate-config.sh
+++ b/SUSE/docker/generate-config.sh
@@ -37,4 +37,4 @@ awk " { if (seen_client == 1 && skip_record != 1) print \$0; } " < "${SERVER_CONFIG}" > "${CLIENT_CONFIG}"
-sed -e 's#https://sensor-frontend:8000/#https//velociraptor.fqdn:8000/' < "${CLIENT_CONFIG}" > "${CLIENT_CONFIG}.template"
+sed -e 's#https://sensor-frontend:8000/#https//velociraptor.fqdn:8000/#' < "${CLIENT_CONFIG}" > "${CLIENT_CONFIG}.template"
From edd2c80f055ee783d33b326480dd5163a3d9eadf Mon Sep 17 00:00:00 2001
From: Darragh O'Reilly
Date: Wed, 22 Nov 2023 13:15:41 +0000
Subject: [PATCH 3/6] docker-compose: make it easier to switch sensor image
---
 SUSE/docker-compose/docker-compose.yml | 4 ++--
 SUSE/docker-compose/env.example | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
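Review bot: The artifacts path is hard-coded on the new `exec` line while the config path right next to it is taken from `SERVER_CONFIG`, so a deployment cannot point the server at another definitions directory without rebuilding the image. For consistency with the rest of the script, `exec velociraptor frontend -v --config "${SERVER_CONFIG}" --definitions="${ARTIFACTS_DIR:-/artifacts}"` keeps `/artifacts` as the default, which matches the `VOLUME /artifacts` the three Dockerfiles in this patch declare. A short comment above the line noting that definitions found there are loaded by the server would make the trust placed in that directory explicit to whoever mounts it.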
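Review bot: The added line closes the missing `#` delimiter, but its replacement text is still `https//velociraptor.fqdn:8000/` with no colon after `https`, so the client template produced from `CLIENT_CONFIG` carries a malformed frontend URL that every client generated from it will inherit. The line should read `sed -e 's#https://sensor-frontend:8000/#https://velociraptor.fqdn:8000/#' < "${CLIENT_CONFIG}" > "${CLIENT_CONFIG}.template"`. The commit message only mentions the delimiter, so this looks overlooked rather than intended; the rest of the script is outside the hunk.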
diff --git a/SUSE/docker-compose/docker-compose.yml b/SUSE/docker-compose/docker-compose.yml
index 6975c4e41..209d752a6 100644
--- a/SUSE/docker-compose/docker-compose.yml
+++ b/SUSE/docker-compose/docker-compose.yml
@@ -31,7 +31,7 @@ services:
 - /var/lib/ca-certificates/ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt:ro
 restart: unless-stopped
 sensor-frontend:
- image: registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest
+ image: ${SENSOR_IMAGE}
 hostname: sensor-frontend
 container_name: sensor-frontend
 user: "1000:100"
@@ -62,7 +62,7 @@ services: restart: unless-stopped sensor-client:
- image: registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest
+ image: ${SENSOR_IMAGE}
 hostname: sensor-client container_name: sensor-client user: root
diff --git a/SUSE/docker-compose/env.example b/SUSE/docker-compose/env.example
index 9de78a766..9259c9446 100644
--- a/SUSE/docker-compose/env.example
+++ b/SUSE/docker-compose/env.example
@@ -1 +1,2 @@
 SENSOR_GUI_HOSTNAME=
+SENSOR_IMAGE=registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest
From 6278e6282c7cf625d5bac382563d6e09f6ce0c5d Mon Sep 17 00:00:00 2001
From: Darragh O'Reilly
Date: Wed, 22 Nov 2023 13:44:32 +0000
Subject: [PATCH 4/6] docker-compose: fix/doc permission denied errors
User 1000 in the container can't read /etc/velociraptor: velociraptor: error: open /etc/velociraptor/init-config.json: permission denied, try --help Changed the user in docker-compose to velociraptor which can. The velociraptor user in the container can't use the volumes mounts: /generate-config.sh: line 32: /config/server.conf: Permission denied Documented a workaround.
---
 SUSE/docker-compose/README.md | 7 +++++++
 SUSE/docker-compose/docker-compose.yml | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/SUSE/docker-compose/README.md b/SUSE/docker-compose/README.md
index 99e145e14..077d69de9 100644
--- a/SUSE/docker-compose/README.md
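Review bot: `image: ${SENSOR_IMAGE}` has no default and no required-variable guard, so a checkout whose `.env` has not been created from env.example resolves to an empty image name and compose fails with a generic error; this applies to both the sensor-frontend hunk here and the sensor-client hunk below it. Writing it as `image: ${SENSOR_IMAGE:?set SENSOR_IMAGE in .env}` states the cause, or `${SENSOR_IMAGE:-registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest}` preserves the previous behaviour when the variable is unset. The example value added to env.example ends in `:latest`; for a deployment file, a version tag or digest makes it reproducible and lets an operator tell from the file alone which sensor build is running.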
+++ b/SUSE/docker-compose/README.md
@@ -95,6 +95,13 @@ The initial user must be an email address associated with a valid remote account When configuring the authentication service, the callback URI should be the same as `public_url` above but with `/auth/oidc/callback` appended. For example, `https://sensor-demo.dyn.cloud.suse.de/auth/oidc/callback`
+The sensor frontend runs as user velociraptor in the container and needs permissions to some directories on the host. Find the ids that are baked into the image and chown the directories to those, e.g.:
+
+ # docker run --rm -t registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest id velociraptor
+ uid=499(velociraptor) gid=486(velociraptor) groups=486(velociraptor)
+
+ # chown 499:486 config/velociraptor logs/velociraptor data/velociraptor artifacts
+
 ### Traefik An example `traefik.toml` file is provided as `config/traefik/traefik.toml.example`. Several values must be filled in and the resultant file installed in `config/traefik/traefik.toml`.
diff --git a/SUSE/docker-compose/docker-compose.yml b/SUSE/docker-compose/docker-compose.yml
index 209d752a6..9dd019c57 100644
--- a/SUSE/docker-compose/docker-compose.yml
+++ b/SUSE/docker-compose/docker-compose.yml
@@ -34,7 +34,7 @@ services:
 image: ${SENSOR_IMAGE}
 hostname: sensor-frontend
 container_name: sensor-frontend
- user: "1000:100"
+ user: "velociraptor:velociraptor"
 ports:
 - "8000:8000" # Frontend
 # - "8003:8003" # Monitoring
From a934295d1ddf4bd3e246f0cd267c16366750c546 Mon Sep 17 00:00:00 2001
From: Darragh O'Reilly
Date: Wed, 22 Nov 2023 14:30:42 +0000
Subject: [PATCH 5/6] docker: allow specify sensor binary in build arg
---
 SUSE/docker/Dockerfile.devel | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/SUSE/docker/Dockerfile.devel b/SUSE/docker/Dockerfile.devel
index e26cf2814..2b047252d 100644
--- a/SUSE/docker/Dockerfile.devel
+++ b/SUSE/docker/Dockerfile.devel
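Review bot: `user: "velociraptor:velociraptor"` depends on that name existing in the container's passwd database, while the README hunk in the same patch tells operators to `chown 499:486` the host directories; the two only agree if every image selected through `SENSOR_IMAGE` allocates the same ids, and a name absent from the image stops the container from starting at all. The numeric form, `user: "499:486"`, matches the documented chown exactly and does not depend on the image's passwd. Separately, that chown hands the `artifacts` directory to the service account even though the frontend only reads it (patch 1 mounts it and passes it as `--definitions`); leaving it owned by the operator with read access for the service keeps a compromised frontend from rewriting the definitions it will load on the next restart. The `sensor-frontend` service definition continues outside the hunk.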
@@ -1,5 +1,7 @@ FROM opensuse/leap:15.4
+ARG SENSOR_BIN=velociraptor-v0.7.0-4-linux-amd64
+
 VOLUME /data VOLUME /logs VOLUME /config
@@ -21,6 +23,6 @@ COPY entry-point.sh generate-config.sh / COPY init-config.json /etc/velociraptor/ RUN chmod a+x /entry-point.sh /generate-config.sh RUN zypper -q --non-interactive install catatonit && zypper clean -a
-COPY velociraptor-v0.6.4-2-linux-amd64 /usr/bin/velociraptor
+COPY ${SENSOR_BIN} /usr/bin/velociraptor
 CMD ["/usr/bin/catatonit", "--", "/entry-point.sh" ]
From fddec85c61f43221b04a2a2c4a9a46bb8978c84f Mon Sep 17 00:00:00 2001
From: Darragh O'Reilly
Date: Wed, 22 Nov 2023 16:00:01 +0000
Subject: [PATCH 6/6] docker: add velociraptor user to Dockerfile.devel
---
 SUSE/docker/Dockerfile.devel | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/SUSE/docker/Dockerfile.devel b/SUSE/docker/Dockerfile.devel
index 2b047252d..6b1b2bc06 100644
--- a/SUSE/docker/Dockerfile.devel
+++ b/SUSE/docker/Dockerfile.devel
@@ -25,4 +25,7 @@ RUN chmod a+x /entry-point.sh /generate-config.sh RUN zypper -q --non-interactive install catatonit && zypper clean -a COPY ${SENSOR_BIN} /usr/bin/velociraptor
+RUN groupadd velociraptor && useradd -c "Velociraptor User" -g velociraptor -d /var/lib/velociraptor -s /sbin/nologin velociraptor
+USER velociraptor:velociraptor
+
 CMD ["/usr/bin/catatonit", "--", "/entry-point.sh" ]
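Review bot: `COPY ${SENSOR_BIN} /usr/bin/velociraptor` keeps whatever mode the file has in the build context, so a binary that was fetched without the execute bit yields an image whose entrypoint fails at `exec velociraptor`, while the two scripts a couple of lines above get an explicit `chmod a+x`. `COPY --chmod=0755 ${SENSOR_BIN} /usr/bin/velociraptor` (BuildKit) or adding `/usr/bin/velociraptor` to that chmod line removes the dependency on the host file's mode; the first hunk's `ARG` now makes the source name variable, so this is more likely to bite than with the old fixed filename. That `ARG` also carries no explanation; a one-line `# sensor binary, relative to the build context; override with --build-arg SENSOR_BIN=...` above it would tell a developer how it is meant to be used.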
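Review bot: `groupadd velociraptor && useradd ...` lets the tools pick the next free uid and gid, so the ids in this devel image are not guaranteed to match the `499:486` that the README in patch 4 tells operators to chown the host volume directories to, and they can shift with the base image. Pinning them, e.g. `RUN groupadd -g 486 velociraptor && useradd -u 499 -c "Velociraptor User" -g velociraptor -d /var/lib/velociraptor -s /sbin/nologin velociraptor`, keeps the devel image interchangeable with the released one under the documented workaround; if different ids are intended, the chosen values should be documented next to this line. `-d /var/lib/velociraptor` is given without `-m`, so whether the home directory exists depends on the distro default, and nothing in the hunk creates or chowns it; whether the frontend writes there cannot be told from this Dockerfile.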