SUSE / linux-security-sensor

Linux security sensor

Error: Unknown artifact reference Windows.Sys.Users #4

Closed dmach closed 2 years ago

dmach commented 2 years ago

I'm unable to run Generic.Client.Info.

The reproducer is:

Maybe I was looking in the wrong place, but it seems that the following precondition is not evaluated correctly: velociraptor/artifacts/definitions/Generic/Client/Info.yaml

  - name: Users
    precondition: SELECT OS From info() where OS = 'windows'
    query: |
      SELECT Name, Description, Mtime AS LastLogin
      FROM Artifact.Windows.Sys.Users()

It might also be caused by the following line in the spec file: rm -rf artifacts/definitions/Windows

dmach commented 2 years ago

Update: the error has disappeared after removing the rm -rf artifacts/definitions/Windows line from the spec. What's more important, the clients started reporting to the server (it was broken and I couldn't make it work until now).

jeffmahoney commented 2 years ago

Those files being removed was intentional but, it would seem, incomplete. I've temporarily restored them until we can clean it up properly.

https://build.opensuse.org/request/show/952144
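
Added example (not part of the thread and not the project's own code): a packaging-time check for the failure reported above, listing artifacts whose VQL calls `Artifact.<Name>()` for a definition that is no longer shipped. It assumes each definition file carries its artifact name in a top-level `name:` key and uses regular expressions rather than a YAML parser; the function names and the stub `Windows.Sys.Users` body are constructed for illustration.

```python
import re
from pathlib import Path

# Top-level "name:" is the artifact name; indented "- name:" entries are sources.
NAME_RE = re.compile(r"^name:\s*([\w.]+)", re.MULTILINE)
# VQL calls another artifact as Artifact.<Dotted.Name>(...)
REF_RE = re.compile(r"\bArtifact\.([\w.]+)\s*\(")

def dangling_refs(definitions, removed_prefix=None):
    """definitions: {path: yaml_text}. Returns {artifact: sorted missing refs}.

    If removed_prefix is given, files under that path are treated as deleted,
    which models the `rm -rf artifacts/definitions/Windows` packaging step.
    """
    kept = {p: t for p, t in definitions.items()
            if not (removed_prefix and p.startswith(removed_prefix))}
    defined = {m.group(1) for t in kept.values() for m in NAME_RE.finditer(t)}
    report = {}
    for text in kept.values():
        name = NAME_RE.search(text)
        missing = sorted(set(REF_RE.findall(text)) - defined)
        if name and missing:
            report[name.group(1)] = missing
    return report

def load_tree(root):
    """Read every *.yaml under root into the {path: text} form used above."""
    return {p.relative_to(root).as_posix(): p.read_text()
            for p in Path(root).rglob("*.yaml")}

# Constructed sample: trimmed definitions shaped like the one quoted in the issue.
SAMPLE = {
    "Generic/Client/Info.yaml": """\
name: Generic.Client.Info
sources:
  - name: Users
    precondition: SELECT OS From info() where OS = 'windows'
    query: |
      SELECT Name, Description, Mtime AS LastLogin
      FROM Artifact.Windows.Sys.Users()
""",
    # Stub body, constructed; only the top-level name matters for the check.
    "Windows/Sys/Users.yaml": "name: Windows.Sys.Users\nsources:\n  - query: SELECT * FROM scope()\n",
}

if __name__ == "__main__":
    print(dangling_refs(SAMPLE))              # full tree: nothing missing
    print(dangling_refs(SAMPLE, "Windows/"))  # Windows/ removed: Info dangles
```

Against a real checkout, `dangling_refs(load_tree("artifacts/definitions"), "Windows/")` lists every remaining artifact that would need editing before the directory can be dropped from the package.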