SQL powered operating system instrumentation, monitoring, and analytics.
OTHER License
Published by theopolis almost 7 years ago
This is a pre-release for internal testing of extensions changes.
Published by theopolis almost 7 years ago
#3884 The macOS firewall exception URLs are now included in alf_exceptions
The systemd service unit includes a post-init script to reload the units properly.
#3892 Use better precision for calculating process start time on macOS
#3917 Event tap publisher resource management fixes
Added table curl to All Platforms
Added table curl_certificate to All Platforms
Added table pipes to Microsoft Windows
Added column dst_port (TEXT_TYPE) to table iptables
Added column src_port (TEXT_TYPE) to table iptables
Published by theopolis almost 7 years ago
Published by obelisk almost 7 years ago
We've ported our HTTP client to Boost Beast to allow for more meaningful TLS errors and support for HTTP proxies.
#3623 Use Boost Beast as the HTTP client implementation (previously we used cpp-netlib)
#3862 Lock access to individual SQL databases
#3856 Fix extended_schema on Windows (previously all extended columns were HIDDEN)
Added table key_events to Darwin (Apple OS X)
Added table authenticode to Microsoft Windows
Added table logical_drives to Microsoft Windows
Added table physical_disk_performance to Microsoft Windows
Added column version (TEXT_TYPE) to table usb_devices
Published by theopolis almost 7 years ago
Published by theopolis about 7 years ago
Published by muffins about 7 years ago
This is a security release; it includes fixes for weaknesses in several virtual tables.
Please check out the new SECURITY.md security issues tracker for more details. This release has updated several dependency formulas. The focus of those updates was also security related. While it is unclear whether weaknesses in dependencies have a direct adverse effect on osquery, it is important to update them regardless. These updates mean a stronger and safer set of binary versions available on the https://osquery.io downloads page.
#3785 (CVE-2017-15026) Use sanitized SQL for ie_extensions on Windows
#3783 Drop temporary privileges to the intended user within safari_extensions
#3782 (CVE-2017-15027) Use the owner of the parent path in dropToParent even if the parent is a symlink
#3781 (CVE-2017-15028) Drop temporary privileges to the intended user within known_hosts
The notable dependency updates include:
#3780 libmagic updated to 5.32
#3775 libxml2 updated to 2.9.5
#3767 augeas updated to 1.8.1
#3770 libarchive updated to 3.3.3
Published by muffins about 7 years ago
This is largely a break-fix release addressing an issue with the Kinesis/Firehose logging format. This release also sees a few small changes to the newly designed website as well as a small overhaul of the filesystem abstraction to make use of Boost's path objects.
#3746 Check Crypt API values for nullptr before using them in the disk_encryption table
#3743 Add newline character between log lines for Firehose/Kinesis
Added column last_opened_time (DOUBLE_TYPE) to table apps
Published by muffins about 7 years ago
This release merges the osqueryi shell into the osqueryd daemon. Both binaries will still be shipped with all platform packages, and the osqueryi binary is simply a copy of the osqueryd binary. The core logic of the shell merely checks the name of the running executable, and if it is osqueryi we launch into the shell. This release also sees various changes to our third-party dependencies. Firstly, we have dropped snappy and LZ4 from our dependency chain in favor of ZSTD, so these packages will no longer be required for builds. Further, we have upgraded all platforms to make use of Boost 1.65.0, and finally we have brought Firehose/Kinesis logging to the Windows platform. Lastly, a few hardening changes to the RocksDB interface will ensure a better and more robust interface with the local caching database and strive to recover from database corruption.
#3635 RocksDB interface has been extended to include a 'backup' and recover feature
#3641 Firehose/Kinesis logging is now supported on Windows
#3613 Fixed Boost 1.65.0 builds for macOS
#3599 Addressed an issue in the Kinesis/Firehose record size check
#3628 Wrapped the Windows shutdown event logic in a Mutex
#3651 New query counter added to ignore initial results for differential querying
#3661 Fixed listening_ports table to use readlink instead of readpath
#3663 Fixed RocksDB interface to avoid calling DB::Flush so often
#3662 Fixed debug info breakage introduced via binary merging
#3673 Fixed builds linking against shared objects
#3671 Fixed bug which had changed enrollment tests path
#3685 Use PackageKit to better enumerate package receipts on macOS
#3698 Address shutdown behavior on Windows to ensure safe service stop
Added table python_packages to All Platforms
Added table chocolatey_packages to Microsoft Windows
Added table curl to POSIX-compatible Platforms
Added column friendly_name (TEXT_TYPE) to table interface_addresses
Added column friendly_name (TEXT_TYPE) to table interface_details
Added column host (TEXT_TYPE) to table preferences
Removed table process_file_events from Darwin (Apple OS X)
Removed table python_packages from POSIX-compatible Platforms
Published by theopolis about 7 years ago
#3506 FSEvents on macOS will monitor mount events within already-monitored directories
#3503 OpenBSM events are monitored as process_events on macOS
#3265 Add RapidJSON integration as a boost property tree replacement
#3530 Implement excluded paths for FIM for Linux and macOS
#3517 Wait for each extension before respawning
#3553 and #3552 Fixing memory leaks in virtual tables
#3534 Improve macOS process start_time column
#3539 Fix sizes for block_devices on macOS and Linux
#3574 Display correct UID for processes for Domain Users on Windows
#3580 Fix handling of multiple LIKE and GLOB predicates. When LIKE and GLOB are combined with OR in query predicates, the SQLite optimizer may replace TEXT fields with incorrect values, causing unexpected behavior for tables like file that expect globbing input for path names.
Added table process_memory_map to All Platforms (from POSIX)
Added table device_firmware to Darwin (Apple OS X)
Added table gatekeeper to Darwin (Apple OS X)
Added table gatekeeper_approved_apps to Darwin (Apple OS X)
Added table shared_folders to Darwin (Apple OS X)
Added table sharing_preferences to Darwin (Apple OS X)
Added table certificates to macOS and Windows
Added table user_events to POSIX-compatible Platforms
Added table ec2_instance_metadata to Ubuntu, CentOS
Added table ec2_instance_tags to Ubuntu, CentOS
Added column block_size (INTEGER_TYPE) to table block_devices
Added column cwd (TEXT_TYPE) to table process_events
Added column status (BIGINT_TYPE) to table process_events
Added column action (TEXT_TYPE) to table scheduled_tasks
Added column class (TEXT_TYPE) to table usb_devices
Added column protocol (TEXT_TYPE) to table usb_devices
Added column subclass (TEXT_TYPE) to table usb_devices
Published by theopolis about 7 years ago
Published by obelisk about 7 years ago
This is the next stable build of osquery, ready for production. This release fixes many bugs in the Windows version, vastly improving stability and some tables. The SQLite version was also bumped to 3.19.3, and improvements were made to inotify eventing on Linux. The preferences table on Darwin has also been changed and its core functionality moved to a new plist table. See #3455 for more details, as this may require updates to any scheduled queries that use this table. For more complete release notes, see the highlights below.
Several bug fixes pertaining to Windows:
A few bug fixes to POSIX/macOS
General Updates
Published by theopolis over 7 years ago
Published by theopolis over 7 years ago
Published by theopolis over 7 years ago
Published by muffins over 7 years ago
There are several new features and bug fixes.
#3356 Only reconfigure event publishers if configuration content changes
#3375 Add the "platform mask" to enrollment requests
#3376 Allow Linux publishers to be interrupted (previously they would stop)
#3360 Add a watchdog delay (60s) before enforcing limits to allow for log flushing
#3402 Increase max rpm_package_files to 64k on Linux
Added table virtual_memory_info to Darwin (Apple OS X)
Added table load_average to POSIX-compatible Platforms
Added column local_hostname (TEXT_TYPE) to table system_info
Added and removed several columns from the Windows drivers table
Published by muffins over 7 years ago
Published by muffins over 7 years ago
This release contains a 'Rebuild the World' release of third-party dependencies, with bumps in most of the libraries used by osquery. As a part of this bump in third-party dependencies, we now make use of Clang's ThinLTO to enhance the linking experience. This release further brings in fixes to our build process to facilitate using the ASAN and TSAN frameworks. Lastly, this release introduces the concept of views for osquery queries, as well as the SQL to_base64 and from_base64 column functions.
#3297 Windows interface_addresses now leverages native Win32 APIs as opposed to WMI
#3312 Add base64 encode and decoding functions
#3306 Adding a config block to create views
#3307 Fix reading past the end of buffer in fileops tests
#3308 Fix temperature sorting in the Darwin temperature_sensors table
#3309 Fix crash caused by boost's unhandled exception in filesystem
#3286 Fix sudoers path on FreeBSD, add fields to os_version
#3291 Fix patchlevel reporting for FreeBSD
#3322 Removing pretty printing from windows event log data
#3335 Fix invalid control character in profile.py
[Tidy] Fix all C99 warnings #3353
Added table fbsd_kmods to FreeBSD
Added column device (TEXT_TYPE) to table disk_events
Added column type (TEXT_TYPE) to table interface_addresses
Removed column bsd_name (TEXT_TYPE) from table disk_events
Published by muffins over 7 years ago
Published by theopolis over 7 years ago
#3267 New SQLite functions: md5, sha1, and sha256
#2956 Augeas' lenses are now bundled with osquery packages
#3226 External build systems can disable YARA, TSK, or LLDB with SKIP_ environment variables.
#3219 Fix extensions use of database during reset phase
#3248 Submodules will now update correctly on Windows
#3257 The IPv4 route gateways on Windows now work
Added column args (TEXT_TYPE) to table startup_items
Added column channel (INTEGER_TYPE) to table wifi_status
Added column channel (INTEGER_TYPE) to table wifi_survey
Added table pkg_packages to FreeBSD
Added table docker_container_labels to POSIX-compatible Platforms
Added table docker_container_mounts to POSIX-compatible Platforms
Added table docker_container_networks to POSIX-compatible Platforms
Added table docker_container_ports to POSIX-compatible Platforms
Added table docker_container_processes to POSIX-compatible Platforms
Added table docker_container_stats to POSIX-compatible Platforms
Added table docker_containers to POSIX-compatible Platforms
Added table docker_image_labels to POSIX-compatible Platforms
Added table docker_images to POSIX-compatible Platforms
Added table docker_info to POSIX-compatible Platforms
Added table docker_network_labels to POSIX-compatible Platforms
Added table docker_networks to POSIX-compatible Platforms
Added table docker_version to POSIX-compatible Platforms
Added table docker_volume_labels to POSIX-compatible Platforms
Added table docker_volumes to POSIX-compatible Platforms