SQL powered operating system instrumentation, monitoring, and analytics.
Published by directionless almost 3 years ago
Representing commits from 20 contributors! Thank you all.
Note: The linux .tar.gz includes debugging symbols. This may be larger than you expect
- `docker_container_envs` table for access to docker container environment (#7313)
- `curl` table now returns peer certificates even if the TLS handshake does not complete (#7349)
- `read_max` flag when hashing using ssdeep (#7367)
- `windows_security_products` errors out (#7401)
- `authorized_keys` table implementation (#7318)
- `beurk` rootkit detection to packs (#7345)
Published by directionless about 3 years ago
There are several breaking changes:
- `/usr/local` to `/opt/osquery` on macOS and Linux (symlinks to executables are provided).
- `blacklist` key from the configuration (#7153)
Representing commits from 21 contributors! Thank you all.
Note: The linux .tar.gz includes debugging symbols. This may be larger than you expect
- `secureboot` table for Linux and Windows (#7202)
- `tpm_info` for Windows (#7107)
- `osquery_info` build_platform column value on Linux (#7254)
- `pid_with_namespace` in more tables (#7132)
- `augeas` table to use native pattern matching (BREAKING) (#6982)
- `chrome_extensions` to include Edge & EdgeBeta (#7170)
- `disk_encryption` table to support QueryContext (#7209)
- `last` to include utmp type name column (#7201)
- `sudoers` table to support newer include syntax (#7185)
- `user_ssh_keys` to detect encryption of ed25519 keys (#7168)
- `blacklist` key (#7153)
- `process_open_sockets` type error on darwin (#6546)
- `MOVED_TO` is tracked with yara events. (#7203)
- `--force` flag is used (#7295)
- `uptime` table description (#7270)
Published by directionless about 3 years ago
Initial draft of the 5.0. This release may be deleted!
Published by directionless over 3 years ago
Representing commits from 16 contributors! Thank you all.
Note: The linux .tar.gz includes debugging symbols. This may be larger than you expect
- `mdm_managed` column to `system_extensions` on macOS (#6915)
- `prefetch` table on Windows (#7076)
- `homebrew_packages` to include new prefix, and allow specifying alternate prefixes (#7117)
- `ntfs_acl_permissions` to list all ACE entries (using `GetAce()`) (#7114)
- `processes` table to display additional Windows attributes (`secured`, `protected`, `virtual`, `elevated`) (#7121)
- `package_install_history` identifies the packageIdentifiers key (#7099)
- `identifier` is calculated in `chrome_extensions` (#7124)
- `pipe_channel` not reading all data in a message (#7139)
- `curl_certificate` timeouts (#7151)
- `xprotect_entries`, `xprotect_meta`, `launchd` (#7138, #7154)
- `-fexceptions` flag on Windows (#7126)
Published by directionless over 3 years ago
Representing commits from 14 contributors! Thank you all.
This version fixes a regression introduced in 4.7.0 related to events expiration optimization. Please read (#7055) for more information.
This release upgrades openssl, as is general good practice. Osquery is not known to be affected by any security issues in OpenSSL.
- `.connect` meta command (#6944)
- `deb_packages` fields as optional in test (#7001)
- `chrome_extensions` warnings to verbose (#7032)
- `tls_enroll_max_attempts` flag name in the documentation (#7049)
- `windows_events` table spec (#7035)
Published by directionless over 3 years ago
Commits from 21 contributors! Thank you all!
- `concat` and `concat_ws` sql functions (#6927)
- `computer` column to Windows Eventlogs (#6952)
- `docker_image_history` table (#6884)
- `filevault_status` column to disk_encryption table (#6823)
- `location_services` table on macOS (#6826)
- `shellbags` table (#6949)
- `system_extensions` table on macOS (#6863)
- `systemd_units` table (#6593)
- `ycloud_instance_metadata` table (#6961)
- `augeas` table not to autoload system lenses (#6980)
- `chrome_extensions` table -- more browser support and tests (#6780)
- `office_mru` table to correct platforms (#6827)
- `request_id` and add this to the schema (#6959)
- `journal_mode` to the sqlite authorizer PRAGMAs (#6999)
- `table_info` to the sqlite authorizer PRAGMAs (#6814)
- `long long` data (#6986)
- `augeas` table output bug for non-path entries (#6981)
- `pids` column in `docker_container_stats` table (#6965)
- `process_open_files` inode need stoul, not stoi (#6983)
- `hash` and `yara` table from fuzz harnesses (#6972)
- `deb_packages` table (#6892)
Published by directionless almost 4 years ago
Published by directionless about 4 years ago
- `postCarve` (#6659)
- `carve` SQL function is disabled (#6658)
- `carves` specs to allow full scan (#6657)
- `carves` table to use JSON (#6656)
- `registry` querying (#6647)
- `ephemeral` database plugin into core and simplify tests (#6648)
- `curl_certificate` (#6641)
- `atom_packages` table spec to window (#6649)
- `authenticode` table on windows (#6677)
- `curl_certificate` (#6664)
- `EvtNext` function (#6660)
- `wmi_bios_info` table searching (#5246)
- `image` column within `drivers` table on Windows (#6652)
- `dirPathsAreEqual` to use the documented way (#6690)
- `stat()` return checking within process_events (#6694)
- `stdout` when called with `--help` (#6693)
- `test_osqueryi` (#6631)
- `osqueryd` CPU usage to 20% in systemd unit file (#6644)
- `test_osqueryi` (#6688)
- `cppcheck` support to macOS (#6685)
Published by theopolis about 4 years ago
We would like to thank all of the contributors working on bootstrapping the ARM64/AARCH64 support and Windows 32bit support.
Additionally, we want to thank those working on Unicode support and all the bug fixes, documentation improvements, and new features.
Thank you! 👏
- `process_events` callback (#6638)
- `EventFactory::getType` (#6555)
- `UNICODE` and `_UNICODE` preprocessors for windows (#6338)
- `Initializer` (#6530)
- `apparmor_events` table to Linux (#4982)
- `sigurl` column to get YARA signatures from an HTTPS server (#6607)
- `sigrules` column to pass YARA signatures within queries (#6568)
- `windows_event_log` (#6563)
- `chassis_types` and `security_breach` columns within `chassis_info` (#6608)
- `powershell_events` (#6584)
- `FileVersionRaw` column to `file` table for Windows (#5771)
- `dns_cache` table for Windows (#6505)
- `startup_items` table for Linux (#6502)
- `shimcache` table (#6463)
- `shell_history` to use generators (it will use less memory) (#6541)
- `--scheduler_timeout` correctly (#6618)
- `character_frequencies` size (#6625)
- `TablePlugins` (#6623)
- `readFile` params in `createPidFile` (#6578)
- `LocalFree` on deinit ptr inside `getUidFromSid` (#6579)
- `readFile` to observe requested read size (#6569)
- `syslog_events` with a custom non-blocking getline (#6539)
- `psidToString` (#6548)
- `rpm_package_files` (#6544)
- `processes` table (#6596)
- `ExecStartPre` from systemd service unit (#6586)
- `MAJOR_IN_SYSMACROS`/`MKDEV` for librpm in CMake (#6554)
- `curl_certificate` tests (#5281)
Published by directionless over 4 years ago
Published by Smjert over 4 years ago
- `path` column to the ATC generate specs (#6278)
- `disk_info` table (#6323)
- `ppid` in the `process_events` table (#6339)
- `--database_dump` flag for RocksDB not outputting anything (#6272)
- `pci_devices` table pci ids extraction in non-existing paths (#6297)
- `process` table `cmdline` parsing (#6340)
- `chrome_extension_content_scripts` to All Platforms (#6140)
- `docker_container_fs_changes` to POSIX-compatible Platforms (#6178)
- `windows_security_center` to Microsoft Windows (#6256)
- `lxd` (#6249)
- `screenlock` to Darwin (Apple OS X) (#6243)
- `userassist` to Microsoft Windows (#5539)
- `status` (`TEXT`) to table `deb_packages` (#6341)
- `curl_certificate` table (#6176)
- `socket_events` to Darwin (Apple OS X) (#6028)
- `hvci_status`, previously inadvertently left out from the build, to Microsoft Windows (#6378)
Published by muffins over 4 years ago
- `community_id_v1` added as a SQL function (#6211)
- `firefox_addons` to All Platforms (#6200)
- `ssh_configs` to All Platforms (#6161)
- `user_ssh_keys` to All Platforms (#6161)
- `mdls` to Darwin (Apple OS X) (#4825)
- `hvci_status` to Microsoft Windows (#5426)
- `ntfs_journal_events` to Microsoft Windows (#5426)
- `docker_image_layers` to POSIX-compatible Platforms (#6154)
- `process_open_pipes` to POSIX-compatible Platforms (#6142)
- `apparmor_profiles` to Ubuntu, CentOS (#6138)
- `selinux_settings` to Ubuntu, CentOS (#6118)
- `lock_status` (`INTEGER_TYPE`) to table `bitlocker_info` (#6155)
- `percentage_encrypted` (`INTEGER_TYPE`) to table `bitlocker_info` (#6155)
- `version` (`INTEGER_TYPE`) to table `bitlocker_info` (#6155)
- `optional_permissions` (`TEXT_TYPE`) to table `chrome_extensions` (#6115)
- `firefox_addons` from POSIX-compatible Platforms (#6200)
- `ssh_configs` from POSIX-compatible Platforms (#6161)
- `user_ssh_keys` from POSIX-compatible Platforms (#6161)
Published by directionless almost 5 years ago
- `chrome_extensions` table now supports Chromium and Brave (#6126)
- `com.facebook.osquery.plist` for Launch Daemon configuration (#6093)
Published by directionless almost 5 years ago
- `nvram` table to use input variable names (#6053)
- `apt_sources` source detection (#6047)
- `atom_packages` to use user constraints (#6052)
- `windows_optional_features` to Microsoft Windows (#5991)
Published by theopolis almost 5 years ago
- `processes` table (#5919)
- `WHERE IN()` performance (#5924), (#5938)
- `alf_services` to Darwin (Apple OS X) (#5378)
- `connectivity` to Microsoft Windows (#5500)
- `default_environment` to Microsoft Windows (#5441)
- `windows_security_products` to Microsoft Windows (#5479)
- `platform_mask` (`INTEGER_TYPE`) to table `osquery_info` (#5898)
Published by theopolis about 5 years ago
This release fixes crashes identified in 4.0.1. There are no changes in functionality.
This release has two major focuses. It is the first release since osquery transitioned to a Linux Foundation project.
It features a heavily reworked build system. This aims to provide flexibility and stability.
- `process_events` Implement support for fork/vfork/clone/execveat (#5701)
- `regex_match` to match across columns (#5444)
- `kill` and `setuid` syscall tracing in Linux via eBPF (#5519)
- `urllib2` to automatically handle HTTP 301/302 redirections (#5612)
- `Program Files` on Windows (#5579)
- `md_tables` (#5553)
- `keychain_items` and `extended_attributes` tables (#5550, #5538)
- `genLoggedInUsers` (Windows). Update `WTSFreeMemoryEx` to `WTSFreeMemory` (#5642)
- `smbios_tables` (#5332)
- `install` and `uninstall` flag incompatibility check (85eb77a0)
- `magic` (2a624f2f)
- `file_compression` (b93069b3)
- `logical_drives` table on Windows (#5400)
- `MaxRecvRetries` for Thrift sockets (#5390)
- `registry` table exception closing an uninitialized key handle (#5718)
- `mount` table interacting with direct autofs (#5635)
- `certificates` table and expansion to include Personal certificates (#5697), (#5696), (#5640), (#5631)
- `users` and `groups` (#5684)
- `battery` if no data is present (#5650)
- `process_ops` (#5614)
- `kernel_panics` table (#5298)
- `key_strength` bug for Windows `certificates` table (#5304)
- `interface` column of `routes` table could be empty on Windows (bcf0ab8e)
- `name` column of `programs` table could be empty on Windows (7bceba4b)
- `disable_watcher` flag (08dc11b7)
- `path` column correctly in `firefox_addons` table (#5462)
- `logical_drives` boot partition detection (#5477)
- `OptimizeForSmallDb` (a31d7582)
- `battery` table and return information even if advanced information is missing (6a64e353)
- `ibridge_info` on macOS (Notebooks only) (#5707)
- `running_apps` on macOS (#5216)
- `atom_packages` on macOS and Linux (6d159d40)
- `win_timestamp` to `time` table on Windows (3bbe6c51)
- `is_hidded` to `users` and `groups` table on macOS (#5368)
- `profile` to `chrome_extensions` table (#5213)
- `epoch` to `rpm_packages` table on Linux (#5248)
- `sid` to `logged_in_users` table on Windows (#5454)
- `registry_hive` to `logged_in_users` table on Windows (#5454)
- `sid` to `certificates` table on Windows (#5631)
- `store_location` to `certificates` table on Windows (#5631)
- `store` to `certificates` table on Windows (#5631)
- `username` to `certificates` table on Windows (#5631)
- `store_id` to `certificates` table on Windows (#5631)
- `product_version` to `file` table on Windows (#5431)
- `source` to `sudoers` table on POSIX systems (#5350)
Published by alessandrogario over 5 years ago
This is a pre-release for the new version of osquery, based on the really cool refactor done by Facebook's team in London.
This prerelease mostly introduces CMake support, CI and packaging. The following are the commits that are not related to the build system:
- `e6fe15e`: macos: Add hack for boost asio string_view detection (#5592)
- `597a0c6`: buck: Remove quotes from project/buck_out config
- `826723c`: Fix boost asio string_view detection hack
- `ae25976`: Fixing port logic (bugfix for a small compatibility issue between remote::http_client and certain HTTP proxies)
Full changelog: `git fetch --tags && git log 214302bdeb38fbdb606774ae9165dd633b908604..4.0.0`
Ubuntu 18.04 or better
Mojave
Windows 10 or Windows Server 2016