APIClient and Server Artifacts

[c-f]

Hey, i have a question regarding calling server Artifacts from APIclients.

Objetive:
Primary goal is to label clients automatically via the API client, without having SERVER_ADMIN privs if possible.

• Current approach is to write a server Artifact having filter logic and perform labeling when called ; then call it with parameters using the API client

Issue:

collect_client for server requires high privs (SERVER_ADMIN) (for obvious reason)
https://docs.velociraptor.app/vql_reference/server/collect_client/

Question:
Is it possible to declare Server Artifact "safe" to be called without requiring SERVER_ADMIN privs?
Or should the API client reimplement/copy VQLs from the the Artifact.

Context:

For this i wrote a small Server Artifact called Test.LabelClients, which contains the Vql and filters:

SELECT label(client_id=client_id, labels="label", operation="set") FROM clients()

On the API side.

/* does not work because of missing SERVER_ADMIN privs */
LET collection <= collect_client(client_id='server',artifacts='Test.LabelClients',env=dict())

/* does work */
SELECT label(client_id=client_id, labels="label", operation="set") FROM clients()

Related Links:

• https://docs.velociraptor.app/blog/2020/2020-03-29-velociraptors-acl-model-7f497575daee/#api-clients
• Handling via a SERVER_EVENT would also not work https://docs.velociraptor.app/exchange/artifacts/pages/label.domaincontroller/
• https://docs.velociraptor.app/exchange/artifacts/pages/iris.sync.asset/

[scudette]

Scheduling a server artifact requires the SERVER_ADMIN permission (I think it should be COLLECT_SERVER actually). From an API user you can just call the artifact using the SELECT * FROM Artifact.XX.YY.ZZ() format. This is almost the same as scheduling it but the results are not stored on the server but are streamed over the API.

So this basically reuses the VQL query in the artifact - no need to copy it out. The only issue is that the query will run with the ACL of the API user. Which means if you want to do a privileged operation (like collect new artifacts etc) you need to give the API user the relevant permissions.

For this reason there is actually not a lot of difference in giving collect_server permissions to an API user. The user can schedule new server side collections, but they are running with the User's ACLs which is the same as what the user can do over the api anyway.

In newer versions of Velociraptor we have the impersonation mechanism https://docs.velociraptor.app/blog/2024/2024-09-10-release-notes-0.73/#enable-a-server-artifact-to-specify-an-impersonation-user

This allows a user which can already collect an artifact, to impersonate another user (like SUID basically) and therefore get higher privileges.

[scudette]

We actually should honor COLLECT_BASIC permissions for server artifacts as well which it does not look like we do. This is probably a bug.

[scudette]

I think this is another bug: normally with the GUI we check COLLECT_SERVER for server collections but with vql() we check SERVER_ADMIN permission instead. We should delegate the check to the same as the GUI

[c-f]

Thanks for the quick response :)

Learned something new today - awesome. Ok this might solve the problem for me - at least with the simple use case. Will take a look at this right away.

Best regards,
c-f