Tighten permission in Windows MSI installer. (#3875)

Also fix quarantine artifact to access the port in cases where the URL does not have an explicit port. Update documentation references.
Velocidex · Nov 4, 2024 · 4f3c8f3 · 4f3c8f3
1 parent eaf4e4e
commit 4f3c8f3
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 16 deletions.
diff --git a/artifacts/definitions/Windows/Remediation/Quarantine.yaml b/artifacts/definitions/Windows/Remediation/Quarantine.yaml
@@ -102,7 +102,9 @@ sources:
 
         // Parse a URL to get the port or use 443. We deliberately do
         // not support plain http!
-        LET get_port(URL) = split(string=url(parse=URL).Host, sep=":")[1] || "443"
+        LET get_port(URL) = if(condition=url(parse=URL).Host =~ ":",
+            then=split(string=url(parse=URL).Host, sep=":")[1],
+            else="443")
 
         // extract Velociraptor config for policy
         LET extracted_config <= SELECT * FROM foreach(

diff --git a/docs/references/vql.yaml b/docs/references/vql.yaml
@@ -5869,7 +5869,7 @@
     description: The accessor to use.
   - name: raw
     type: bool
-    description: Emit raw events (no parsed).
+    description: Emit raw events (not parsed).
   - name: start_time
     type: time.Time
     description: Only parse events newer than this time (default all times).
@@ -10359,13 +10359,7 @@
     description: The accessor to use.
   - name: raw
     type: bool
-    description: Emit raw events (no parsed).
-  - name: start_time
-    type: time.Time
-    description: Only parse events newer than this time (default all times).
-  - name: end_time
-    type: time.Time
-    description: Only parse events older than this time (default all times).
+    description: Emit raw events (not parsed).
   metadata:
     permissions: FILESYSTEM_READ
   platforms:

diff --git a/docs/wix/velociraptor_amd64.xml b/docs/wix/velociraptor_amd64.xml
@@ -39,7 +39,7 @@
           <Component Id='Install' Guid='9f3cfed0-b89d-43d4-8fcf-242824e84fd8'>
             <CreateFolder>
               <Permission User="[WIX_ACCOUNT_USERS]" GenericRead="no" Read="no"
-                          ChangePermission="yes"/>
+                          ChangePermission="no"/>
               <Permission User="[WIX_ACCOUNT_ADMINISTRATORS]" GenericAll="yes"
                           ChangePermission="yes"/>
               <Permission User="[WIX_ACCOUNT_LOCALSYSTEM]" GenericAll="yes"
@@ -50,7 +50,7 @@
             <Component Id="Tools" Guid="97dc953a-8a2f-494f-9585-56ae526d0b48">
               <CreateFolder>
                 <Permission User="[WIX_ACCOUNT_USERS]" GenericRead="no" Read="no"
-                            ChangePermission="yes"/>
+                            ChangePermission="no"/>
                 <Permission User="[WIX_ACCOUNT_ADMINISTRATORS]" GenericAll="yes"
                             ChangePermission="yes"/>
                 <Permission User="[WIX_ACCOUNT_LOCALSYSTEM]" GenericAll="yes"

diff --git a/services/client_info/tasks.go b/services/client_info/tasks.go
@@ -309,8 +309,9 @@ func (self *ClientInfoManager) getClientTasks(
 		if message.FlowRequest != nil {
 			total_flow_requests++
 
-			// Only include the first number requests
-			if total_flow_requests <= number {
+			// Only include the first number requests, unless they are
+			// urgent requests which are always delivered regardless.
+			if total_flow_requests <= number || message.Urgent {
 				result = append(result, message)
 
 				// Add extra backwards compatibility messages for

diff --git a/vql/parsers/journald/journald.go b/vql/parsers/journald/journald.go
@@ -21,7 +21,7 @@ import (
 type JournalPluginArgs struct {
 	Filenames []*accessors.OSPath `vfilter:"required,field=filename,doc=A list of journal log files to parse."`
 	Accessor  string              `vfilter:"optional,field=accessor,doc=The accessor to use."`
-	Raw       bool                `vfilter:"optional,field=raw,doc=Emit raw events (no parsed)."`
+	Raw       bool                `vfilter:"optional,field=raw,doc=Emit raw events (not parsed)."`
 	StartTime time.Time           `vfilter:"optional,field=start_time,doc=Only parse events newer than this time (default all times)."`
 	EndTime   time.Time           `vfilter:"optional,field=end_time,doc=Only parse events older than this time (default all times)."`
 }
@@ -105,6 +105,12 @@ func (self JournalPlugin) Call(
 	return output_chan
 }
 
+type WatchJournalPluginArgs struct {
+	Filenames []*accessors.OSPath `vfilter:"required,field=filename,doc=A list of journal log files to parse."`
+	Accessor  string              `vfilter:"optional,field=accessor,doc=The accessor to use."`
+	Raw       bool                `vfilter:"optional,field=raw,doc=Emit raw events (not parsed)."`
+}
+
 type WatchJournaldPlugin struct{}
 
 func (self WatchJournaldPlugin) Call(
@@ -117,7 +123,7 @@ func (self WatchJournaldPlugin) Call(
 		defer close(output_chan)
 		defer vql_subsystem.RegisterMonitor("watch_journald", args)()
 
-		arg := &JournalPluginArgs{}
+		arg := &WatchJournalPluginArgs{}
 		err := arg_parser.ExtractArgsWithContext(ctx, scope, args, arg)
 		if err != nil {
 			scope.Log("watch_journald: %v", err)
@@ -176,7 +182,7 @@ func (self WatchJournaldPlugin) Info(scope vfilter.Scope, type_map *vfilter.Type
 	return &vfilter.PluginInfo{
 		Name:     "watch_journald",
 		Doc:      "Watch a journald file and stream events from it. ",
-		ArgType:  type_map.AddType(scope, &JournalPluginArgs{}),
+		ArgType:  type_map.AddType(scope, &WatchJournalPluginArgs{}),
 		Metadata: vql.VQLMetadata().Permissions(acls.FILESYSTEM_READ).Build(),
 	}
 }