SUSE · djoreilly · Nov 22, 2023 · Nov 22, 2023 · Nov 22, 2023 · Nov 22, 2023
diff --git a/SUSE/docker-compose/README.md b/SUSE/docker-compose/README.md
@@ -95,6 +95,13 @@ The initial user must be an email address associated with a valid remote account
 
 When configuring the authentication service, the callback URI should be the same as `public_url` above but with `/auth/oidc/callback` appended. For example, `https://sensor-demo.dyn.cloud.suse.de/auth/oidc/callback`
 
+The sensor frontend runs as user velociraptor in the container and needs permissions to some directories on the host. Find the ids that are baked into the image and chown the directories to those, e.g.:
+
+    # docker run --rm -t registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest id velociraptor
+    uid=499(velociraptor) gid=486(velociraptor) groups=486(velociraptor)
+
+    # chown 499:486 config/velociraptor logs/velociraptor data/velociraptor artifacts
+
 ### Traefik
 
 An example `traefik.toml` file is provided as `config/traefik/traefik.toml.example`. Several values must be filled in and the resultant file installed in `config/traefik/traefik.toml`.

diff --git a/SUSE/docker-compose/artifacts/README.md b/SUSE/docker-compose/artifacts/README.md
@@ -0,0 +1,4 @@
+Placeholder file
+=
+
+This file is a placeholder so that the artifacts  directory exists in the Git repository.
diff --git a/SUSE/docker-compose/docker-compose.yml b/SUSE/docker-compose/docker-compose.yml
@@ -31,10 +31,10 @@ services:
       - /var/lib/ca-certificates/ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt:ro
     restart: unless-stopped
   sensor-frontend:
-    image: registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest
+    image: ${SENSOR_IMAGE}
     hostname: sensor-frontend
     container_name: sensor-frontend
-    user: "1000:100"
+    user: "velociraptor:velociraptor"
     ports:
       - "8000:8000" # Frontend
       # - "8003:8003" # Monitoring
@@ -44,6 +44,7 @@ services:
       - ./config/velociraptor:/config
       - ./data/velociraptor:/data
       - ./logs/velociraptor:/logs
+      - ./artifacts:/artifacts
       - /var/lib/ca-certificates/ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt:ro
     labels:
       traefik.enable: "true"
@@ -61,7 +62,7 @@ services:
     restart:
       unless-stopped
   sensor-client:
-    image: registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest
+    image: ${SENSOR_IMAGE}
     hostname: sensor-client
     container_name: sensor-client
     user: root

diff --git a/SUSE/docker-compose/env.example b/SUSE/docker-compose/env.example
@@ -1 +1,2 @@
 SENSOR_GUI_HOSTNAME=<fully-qualified-domain-name-for-public-dns>
+SENSOR_IMAGE=registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest
diff --git a/SUSE/docker/Dockerfile b/SUSE/docker/Dockerfile
@@ -17,6 +17,7 @@ LABEL org.opensuse.reference="registry.opensuse.org/security/sensor/containers/l
 VOLUME /data
 VOLUME /logs
 VOLUME /config
+VOLUME /artifacts
 
 # API
 EXPOSE 8801

diff --git a/SUSE/docker/Dockerfile.devel b/SUSE/docker/Dockerfile.devel
@@ -1,8 +1,11 @@
 FROM opensuse/leap:15.4
 
+ARG SENSOR_BIN=velociraptor-v0.7.0-4-linux-amd64
+
 VOLUME /data
 VOLUME /logs
 VOLUME /config
+VOLUME /artifacts
 
 # API
 EXPOSE 8801
@@ -20,6 +23,9 @@ COPY entry-point.sh generate-config.sh /
 COPY init-config.json /etc/velociraptor/
 RUN chmod a+x /entry-point.sh /generate-config.sh
 RUN zypper -q --non-interactive install catatonit && zypper clean -a
-COPY velociraptor-v0.6.4-2-linux-amd64 /usr/bin/velociraptor
+COPY ${SENSOR_BIN} /usr/bin/velociraptor
+
+RUN groupadd velociraptor && useradd -c "Velociraptor User" -g velociraptor -d /var/lib/velociraptor -s /sbin/nologin velociraptor
+USER velociraptor:velociraptor
 
 CMD ["/usr/bin/catatonit", "--", "/entry-point.sh" ]
diff --git a/SUSE/docker/Dockerfile.local b/SUSE/docker/Dockerfile.local
@@ -3,6 +3,7 @@ FROM opensuse/leap:15.4
 VOLUME /data
 VOLUME /logs
 VOLUME /config
+VOLUME /artifacts
 
 # API
 EXPOSE 8801

diff --git a/SUSE/docker/entry-point.sh b/SUSE/docker/entry-point.sh
@@ -7,4 +7,4 @@ if test ! -e "${SERVER_CONFIG}"; then
 	/generate-config.sh
 fi
 
-exec velociraptor frontend -v --config "${SERVER_CONFIG}"
+exec velociraptor frontend -v --config "${SERVER_CONFIG}" --definitions=/artifacts
diff --git a/SUSE/docker/generate-config.sh b/SUSE/docker/generate-config.sh
@@ -37,4 +37,4 @@ awk "
 { if (seen_client == 1 && skip_record != 1) print \$0; }
 " < "${SERVER_CONFIG}" > "${CLIENT_CONFIG}"
 
-sed -e 's#https://sensor-frontend:8000/#https//velociraptor.fqdn:8000/' < "${CLIENT_CONFIG}" > "${CLIENT_CONFIG}.template"
+sed -e 's#https://sensor-frontend:8000/#https//velociraptor.fqdn:8000/#' < "${CLIENT_CONFIG}" > "${CLIENT_CONFIG}.template"
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		SENSOR_GUI_HOSTNAME=<fully-qualified-domain-name-for-public-dns>
		SENSOR_IMAGE=registry.opensuse.org/security/sensor/containers/linux-security-sensor:latest