SQL powered operating system instrumentation, monitoring, and analytics.
Published by directionless 4 months ago
Representing commits from 20 contributors! Thank you all.
The Windows binaries and MSI package have been signed with the Fleet Device Management codesigning certificate as the osquery project is currently working on identity verification to get a new signing certificate.
- .egg-info and .dist-info, contain flat file hierarchies (#8318)
- alf plist (macOS 15) (#8352)
- users on linux by default to return only users in /etc/passwd (#8342)
- sha256 hash to apparmor_profiles table (#8345)
- yum_sources table (#8307)
- user_ssh_keys with additional details for OpenSSL-style keys (#8314)
- dns_resolvers dns-search bug with multiple search domains (#8329)
- process_open_sockets to correctly display family and protocol on macOS (#8315)
- authorized_keys that support FIDO2 authentication (#8319)
- ServiceArgumentParser's constructor (#8368)
- ServiceArgumentParser via ServiceMain (#8353)
- curl_certificates table (#8339)
- processes table spec and docs, to remove outdated column alias (#8363)
- device_partitions (#8364)
- package_receipts table example (#8326)
- macwin (#8311)
- sqlite_encoding.cpp (#8361)
Published by directionless 5 months ago
This release is a hot fix. It reverts #8233, which had inadvertently broken ATC tables under some conditions.
Representing commits from 3 contributors! Thank you all.
Published by directionless 7 months ago
Draft
Published by directionless 8 months ago
draft
Published by directionless 10 months ago
Draft
Published by directionless 12 months ago
This release has several updates and bugfixes, including improvements to various tables and their handling.
One potential breaking change is in how the watchdog calculates CPU utilization. Previously, this calculation was based on physical CPUs; now it is based on virtual cores. We believe this makes more sense with modern CPUs.
A second potential breaking change is in PR #8102. In addition to allowing decorations at the top level of the status logs, this PR normalizes the decorations format to match the results log. In practice, this means that the unixTime, severity and line JSON fields are now numbers instead of strings.
Representing commits from 18 contributors! Thank you all.
- --enable_watchdog_debug flag and improve watchdog error messages (#8070)
- --aws_enforce_fips to enforce AWS FIPS endpoints (#8075)
- decorations_top_level flag for status logs (#8102)
- cloud_id to ycloud_instance_metadata - the vm metadata table for Yandex Cloud (#8086)
- es_process_file_events adding support for open events, and for only triggering on file_paths (#8114)
- firefox_addons to use rapidjson to parse and don't block on read (#8089)
- es_process_events table: quote spaces in command line and environment variables (#8054)
- disk_encryption to recursively query parent crypt status (#8052)
- block_devices (#8037, #8151)
- wifi_survey table not to crash if the ssid cannot be retrieved (#8153)
- serial_number in connected_displays (#8113)
- SSLContext.wrap_socket() instead of deprecated ssl.wrap_socket() (#8169)
Published by directionless about 1 year ago
draft
Published by directionless about 1 year ago
draft
Published by directionless about 1 year ago
Sorry for the noise
Published by directionless over 1 year ago
Big shoutout for the Windows Arm port!
Representing commits from 14 contributors! Thank you all.
- string_batch request type to complement existing string type (#8027)
- connected_displays table on macOS (#7946)
- windows_search table (#7990)
- crashes table on macOS 12 and newer (#7819)
- keychain_items to include data about key types (#8002)
- os_version to include Apple RSR fields using native API (#8011)
- safari_extensions to handle the current app extensions pattern (#7991)
- system_info to include the number of sockets (#8038)
- unified_log table to add predicate column and optimize timestamp constraint (#8019)
- listDirectoriesInDirectory by using std::fs (#7974)
- version column in homebrew_packages (#8057)
- es_process_file_events.table description (#7978)
Published by directionless over 1 year ago
5.8.2 is a hotfix for how osquery's COM security initialization works. See https://github.com/osquery/osquery/issues/7962 for details.
Representing commits from 6 contributors! Thank you all.
Published by directionless over 1 year ago
Representing commits from 22 contributors! Thank you all.
- pid_with_namespace for yara table (#7920)
- kernel_keys to the Linux platform (#7876)
- min_version empty in xprotect_meta when not specified (#7926)
- secureboot table to macOS (#7692)
- docker_container_stats table to include cached_memory column (#7807)
- cpu_info: Port the table to macOS x86 and Apple Silicon (#7757)
- bpf_process_events_v2 table (#7773)
- systemd_units: Add new unit_file_state column (#7895)
- scheduled_tasks (#7903) (#7904)
- routes table (#7916)
- windows_security_products compatibility (#7880)
Published by directionless almost 2 years ago
Representing commits from 12 contributors! Thank you all.
Addressed by updating a library:
Ignored due to not affecting osquery:
- security_profile_info to retrieve security profile information on Windows (#7794)
- es_process_events for process codesigning flags (#7726)
- shimcache: Only check CurrentControlSet to avoid duplicate rows (#7832)
- processes: Fix the procfs memory unit kB, which is 1024 bytes not 1000 (#7818)
- pipes table (#7810)
- host column from logged_in_users table (#7685)
- docker_containers: Don't report finished_at for a container which is still running (#7783)
- processes: Stabilize the start_time column value on macOS and Linux (#7788)
- process_memory_map is also applicable to Darwin (#7789)
Published by directionless about 2 years ago
Representing commits from 10 contributors! Thank you all.
- firmware_type column to platform_info on macOS (#7727)
- wmi_bios_info table (#7631)
- docker_container_processes on macOS (#7746)
- process_file_events subscriber being incorrectly initialized (#7759)
- secureboot on windows by acquiring the necessary process privileges (#7743)
- mdfind -- Reduce table overhead and support interruption (#7738)
- binary column from firefox_addons table (#7735)
- is_running column from macOS running_apps table (#7774)
- notes field to the schema and associated json (#7747)
- --tls_dump output body to stderr (#7715)
- yara and yara_events (#7744)
- _changes tables are not evented (#7762)
Published by directionless about 2 years ago
Osquery 5.5.1 has some really exciting table updates! There is a much anticipated unified_log table for macOS; this table is the replacement for asl, and uses the current Apple APIs. Additionally, several tables have improved their cross-platform support.
Representing commits from 14 contributors! Thank you all.
- cgroup_path column to processes table on Linux (#7728)
- firmware_type column to platform_info table on Windows (#7710)
- unified_log table for macOS (UAL) (#7598, #7713)
- memory_devices table to Windows (#7633)
- platform_info table to M1 Macs (#7660)
- kernel_panics table on modern macOS (#7585)
- battery table on macOS M1 with correct raw battery max and current capacity (#7721)
- mdfind query timeout to 30 seconds (#7725)
- password_policy table to use -1 as sentinel value for uid column (#7699)
- authorized_keys file (#7560)
- registry table to be case insensitive for key (#7708)
- COLLATE NOCASE (#7680)
- GetMemorySize for Windows memory_devices table (#7711)
- tpm_info bug where values were out of date (#7686)
- curl_certificate table (#7706)
- process_open_sockets.state (#7733)
- platform_info columns not available in Windows (#7732)
Published by directionless over 2 years ago
Representing commits from 15 contributors! Thank you all.
- es_process_file_events table (#7579)
- es_process_file_events for macOS Endpoint Security based FIM (#7579)
- password_policy table for macOS (#7594)
- windows_update_history (#7407)
- memory_available to linux memory_info table (#7669)
- cpu_info table to linux (#7499)
- lldp_neighbors table (#7664)
- deb_packages table to not display arch info in the package name (#7638)
- hardware_model in the system_info table on Apple M1 machines to report correctly (#7662)
- shared_resources table to add type names, fix type/maximum_allowed handling (#7645)
- windows_crashes table (#7391)
- local_timezone column in the time table on Windows (#7656)
- system_info table to support unicode on Windows (#7626)
- linux and not posix (#7644)
- spec/example.table when generating documentation (#7647)
- disk_encryption table (#7608)
Published by directionless over 2 years ago
osquery 5.3.0 brings several table improvements and bugfixes.
Also worth mentioning are the deprecation of the smart_drive_info table and the new warning added when a CLI-only flag is incorrectly configured via the config file. In the next release, CLI-only flags will no longer be configurable through the config file or config refresh.
This release represents commits from 15 contributors! Thank you all.
- smart_drive_info #7464
- tls_disable_status_log to prevent status logs from being sent via TLS #7550
- in_cidr_block to check if IPv4/v6 addresses are within the supplied CIDR block #7563
- admindir column to the deb_packages table to parse package databases on different paths #7549
- wifi_networks on macOS Big Sur and newer #7503
- npm_packages #7536
- apt_sources and yum_sources tables to linux only #7537
- python_packages table #7535
- wall_time column in osquery_schedule as hidden #7501
- osquery_schedule #7438
- mirrorlist column in the table yum_sources #7479
- output_size for osquery_schedule #7436
- deb_packages table: Use additional instead of index for the admindir column #7573
- certificates table: Add Linux support #7570
- translated column to processes table to indicate whether the process is running under Apple Rosetta #7507
- keychain_items table #7576
- original filename column to file table on Windows #7156
- test_http_server.py --persist option #7497
- profile.py --leaks for python3 #7534
- python_packages table so that it lists python packages from any user Python installations #7414
- drivers table #7444
- size column is empty #7569
- cpu_info test to expect at least one socket, not just one #7490
Osquery 5.2.3 is a security update that focuses on updating some third-party libraries which contained CVEs that could affect osquery. Additionally, some other third-party libraries and tables have been dropped, since they were no longer maintained or no longer considered safe.
- shortcut_files table #7545
- hash table #7520
Published by directionless over 2 years ago
Osquery 5.2.2 brings native Apple Silicon (M1) support to the macOS platform. It also represents a comprehensive review and update of our third-party dependencies. To support this work, the developer docs have been updated, as have several parts of the build system.
This release represents commits from 24 contributors! Thank you all.
- cpuid table is x86 only. See #7462
- smart_drive_info table has been deprecated, and is not included in the M1 builds. See #7464
- lldp_neighbors table has been deprecated, and is not included in the M1 builds. See #7463
- time table to always reflect UTC values (#7276, #7460, #7437)
- antispyware column in windows_security_center (#7411)
- windows_firewall_rules table for windows (#7403)
- path column check to be case insensitive (#7442)
- user_time and system_time unit in processes table on M1 (#7473)