SQL powered operating system instrumentation, monitoring, and analytics.
OTHER License
Bot releases are hidden (Show)
Published by theopolis over 8 years ago
This is a quick bug-fix pre-release.
#2195 Most boost::filesystem
API calls are now noexcept
#2187 Fix regression add in 1.7.6 leading to nullptr
dereferences in PlatformFile
Published by theopolis over 8 years ago
This is a quick bug-fix pre-release.
#2166 The AWS Firehose logger plugin now inserts newlines "\n"
#2163 The systemd osqueryd service unit is installed correctly on Ubuntu 16.04
#2174 The OS X Launch Daemon script arguments have been corrected
--ephemeral
Can be used for osqueryd
to choose a random pidfile.
--disable_database
Can be used to select an in-memory transient database. This is turned on by-default for the shell.
--pack PACKNAME
Can be used by the shell to execute all queries in a pack.
--aws_kinesis_random_partition_key
Added to the AWS Kinesis logger plugin.
Published by theopolis over 8 years ago
#2077 Within-query caching allows for more efficient subqueries
#2079 Remove the ::logHealth
methods from logger plugins
#2088 Add an optional ::logEvent
API for logger plugins
#2089 Add Ubuntu Xenial 16.04 build support
#2093 Add --pack
option to the osqueryi
shell
#2101 Introduce table options to represent keyed-columns in SQLite
#2104 Introduce table aliases to support future deprecation of table names
#2123 Add basic math functions to SQLite: pow
, sqrt
, log
, floor
, etc
#2124 Add string splitting functions to SQLite: split
, split_regex
, etc
#2137 Update SQLite to 3.14.0 to support combined LIKE
and =
in single predicates
#2139 Update the AWS APIs to version 0.12.4
There are two breaking API changes to TablePlugin and LoggerPlugin that will affect extensions.
TablePlugins must now return osquery::TableColumns
as a set of tuple
s:
class exampleTablePlugin : public TablePlugin {
private:
TableColumns columns() const {
return {
std::make_tuple("key", TEXT_TYPE, DEFAULT),
std::make_tuple("value", TEXT_TYPE, DEFAULT),
};
}
};
Logger plugins use ::init
and ::logStatus
must (1) change the return type for ::init
to void
and define a ::usesLogStatus
method:
class exampleLoggerPlugin : LoggerPlugin {
public:
void init(const std::string& name,
const std::vector<StatusLogLine>& log) override;
bool usesLogStatus() override { return true; }
};
The provision scripts (make deps
) for several distributions have been improved.
#2151 Fix autoloading of the osquery kernel extension on OS X
#2135 Limit SMBIOS reads to the 1M-2M region
#2116 Add ::removeService
to the Dispatcher API to fix kernel tests
The process_events
table was significantly changes. The time-related column names now match file
.
Added table quicklook_cache
to Darwin (Apple OS X)
Renamed column access_time
to atime
in table process_events
Renamed column create_time
to btime
in table process_events
Renamed column change_time
to ctime
in table process_events
Renamed column modify_time
to mtime
in table process_events
Renamed column environment
to env
in table process_events
Renamed column environment_count
to env_count
in table process_events
Renamed column environment_size
to env_size
in table process_events
Published by theopolis over 8 years ago
#1983 Decorator queries allow the configuration to extend every scheduled query by adding 'decorations'.
#2036 Buffered log forwarding simplifies new logger pluggin development.
#2015 Basic build support for Windows 10 and Visual Studio 2015.
#2046 Add AWS SDK to build dependencies for Kinesis and Firehose integration.
#2064 Begin cut over to UTC, some columns and UNIX times are still local-time based; version 1.8.0 will complete the cut over.
#2064 Add a version
field to buffered status logs.
The change to UTC times (where UTC is not already used) can be started now by enabling --utc
, this option will become default in version 1.8.0.
#2053 Prevent client errors when TLS plugin responses are empty.
#2060 Send Content-Encoding
header when using TLS logging compression: --logger_tls_compress
.
#2061 Add an {action: snapshot}
to snapshot results.
Added table crashes
to Darwin (Apple OS X)
Added table package_install_history
to Darwin (Apple OS X)
Added table syslog
to Ubuntu, CentOS
Added column time
(INTEGER_TYPE
) to table shell_history
Added column datetime
(TEXT_TYPE
) to table time
Added column local_time
(INTEGER_TYPE
) to table time
Added column local_timezone
(TEXT_TYPE
) to table time
Published by theopolis over 8 years ago
This release fixes #1972, which was introduced in 1.7.2.
#1963 YARA events yara_events
now include MOVE file events.
#1972 Fix deadlock when using osquery_schedule
(only present in 1.7.2)
#1966 Clear cache of distributed query results
Additional fix-ups to the osquery systemd service.
Added column disabled
(INTEGER_TYPE
) to table browser_plugins
Published by theopolis over 8 years ago
The SQLite included in 1.7.2 includes support for IN
and OR
operators!
RocksDB can now be swapped with SQLite as the backing store to help support new platforms.
The certificates table on OS X now supports both DER and PEM formats.
The use of boost::thread
has been removed, as well as shared mutexes.
TLS SNI support via cpp-netlib's 0.12-rc1 build.
Initializer::shutdown()
Prior to 1.7.2 an extension's main file resembled:
int main(int argc, char* argv[]) {
osquery::Initializer runner(argc, argv, OSQUERY_EXTENSION);
auto status = startExtension("your_name", "1.0.0", "1.7.2");
if (!status.ok()) {
LOG(ERROR) << status.getMessage();
}
// Finally shutdown.
runner.shutdown();
return 0;
}
It should now use the following flow:
int main(int argc, char* argv[]) {
osquery::Initializer runner(argc, argv, OSQUERY_EXTENSION);
auto status = startExtension("your_name", "1.0.0", "1.7.2");
if (!status.ok()) {
LOG(ERROR) << status.getMessage();
runner.requestShutdown(status.getCode());
}
// Finally wait for a signal / interrupt to shutdown.
runner.waitForShutdown();
return 0;
}
NULL
s in resultsNULL
values are now allowed in column results.
This means values which were NOT filled in for INTEGER
, BIGINT
, and DOUBLE
types would previously, in error, return a -1. This was very confusing as we do not differentiate between signed/unsigned SQLite types so it was difficult to determine if the -1 indicated an error. Expect these values to return empty JSON strings in logs. Eventually table implementation will be able to explicitly return a null
type, which will propagate into JSON.
#1888 OS X's process table would generate a result row for 'fake' pids if a pid was used in the query constraint
#1893 libdevmapper is now built and linked statically for CentOS6/7 packages
#1913 Process 'state' on Linux and OS X was overloaded and typed incorrectly
#1936 Event expiring in 1.7.1 left stay events in the outer indexes
#1944 TLS-based configuration could lead to a spurious final config request on shutdown
#1946 The 'unsupported' Debian package build scripts were adding incorrect package dependencies
Added table asl
to Darwin (Apple OS X)
Added table cpu_time
to Ubuntu, CentOS
Added column name
(TEXT_TYPE
) to table fan_speed_sensors
Added column authority
(TEXT_TYPE
) to table signature
Added column cdhash
(TEXT_TYPE
) to table signature
Added column team_identifier
(TEXT_TYPE
) to table signature
Renamed column group
to pgroup
in table processes
Published by theopolis over 8 years ago
#1836 Extensions autoloading is now supported in osqueryi
.
#1850 String parsing, tokenization, and UTF8 conversions methods have been removed from the public API.
#1858 SQLite has been bumped to 3.11.0, this adds support for LIKE
within query constraints.
LIKE
The bump to 3.11.0 (#1858) and support for LIKE
has induced a breaking table spec API change. The pattern
column has been removed from file
and yara
as it was used has a small hack to support LIKE
-style operations.
Prior to osquery 1.7.1 a query would use:
SELECT * FROM file WHERE pattern = '/etc/%';
Now you must use the more natural:
SELECT * FROM file WHERE path LIKE '/etc/%';
#1829 Adds significant hardening around dispatcher / extension thread safety for the osquery core. An equivalent study is yet to be committed for extension processes.
#1831 Thrift 0.9.3 is now required to build-- packages prior to 1.7.1 used 0.9.1.
#1847 CTRL^C will now exit the shell, previously only CTRL^D exited.
#1856 If using cpp-netlib version 0.12+, osquery will attempt SNI for TLS plugins.
#1868 Setting an invalid option within the config will generate a WARNING status log.
#1815 Prevent duplicate events for Linux inotify events
#1813 Use 'rom' on OS X to report platform_info
#1823 Handle osqueryi
usage by users with restricted (or without) home directories
#1841 Setting file_paths
within packs now applies platform/shard restrictions.
#1863 The filesystem logger plugin now adds a newline for snapshot queries.
#1872 The Linux init-script has sane Default Start/Stop levels.
The --flagfile
option has always existed, but it is not outputted with --help
.
--flagfile=PATH
Line-delimited file of additional flags
Added table dns_resolvers
to All Platforms
Added table fan_speed_sensors
to Darwin (Apple OS X)
Added table power_sensors
to Darwin (Apple OS X)
Added table temperature_sensors
to Darwin (Apple OS X)
Added column user_uuid
(TEXT_TYPE
) to table disk_encryption
Added column developer_id
(TEXT_TYPE
) to table safari_extensions
Added column uuid
(TEXT_TYPE
) to table users
Removed column pattern
(TEXT_TYPE
) from table file
Removed column pattern
(TEXT_TYPE
) from table yara
Published by theopolis over 8 years ago
Query packs can now include FIM categories and paths.
OS X TLS-based plugins now require an explicit path to a certificate authority PEM bundle.
The TLS-based plugins continue to receive performance and feature improvements.
For CentOS and RHEL 7 builds the make packages
macro will include a basic systemd unit.
The OS X signature
table now only reports success if the target path passes 'strict' code signing checks.
This release marks the first release build built using 10.11, and the TLS implementation uses LibreSSL.
For a short period between 1.6.3 and 1.6.4 the RocksDB options were not compatible with previous databases. There are no compatibility issues with 1.7.0 and previous releases.
#1796 Query constraints tracking support for multi-sub queries
#1801 Fix ROWID constraint interpreted as a column index
#1581 Logger plugin logString
methods are called once per logline
--events_max=COUNT
Maximum number of events per type to buffer
--logger_tls_compress=False
GZip compress TLS/HTTPS request body
--logger_tls_max=COUNT
Max size in bytes allowed per log line
Added table sip_config
to Darwin (Apple OS X)
Added table smc_keys
to Darwin (Apple OS X)
Added column key_strength
(TEXT_TYPE
) to table certificates
Added column uid
(TEXT_TYPE
) to table disk_encryption
Added column hardware_vendor
(TEXT_TYPE
) to table system_info
Added column hardware_version
(TEXT_TYPE
) to table system_info
Published by theopolis almost 9 years ago
This 1.6.4
release does not include binary packages, a brew commit, or change logs docs.
This is used as a demarcation for building on OS X 10.11 for integration tests and packages.
Published by theopolis almost 9 years ago
This version is a quick release on top of 1.6.2.
#1735 Remove OPENED
events from file_events
#1736 Allow TLS endpoints to return node_invalid
multiple times.
Added column issuer
(TEXT_TYPE
) to table certificates
Added column self_signed
(INTEGER_TYPE
) to table certificates
Published by theopolis almost 9 years ago
The Sleuth Kit integration is complete, use device_
* tables to list partitions, files and hashes.
Results for 'expired' queries are now purged from the backing store (RocksDB).
The file_events
tables are now designed for modification/alter events only.
The file_access_events
tables have been superseded by process_file_events
, accesses use the new file_accesses
configuration key.
Additionally, the file_events
table include many more helpful fields populated at event time.
SQLite has been updated to 3.10.0 and the JSON-extensions are now enabled.
File hashing now includes algorithm parallelism, but all algorithms are still always run regardless of selections.
For debugging the osqueryi
client can be used to dump configuration JSON or the backing store items.
The configuration can now specify multiple loggers, for example --config_plugin=filesystem,syslog
.
Packs and queries now support a shard=N
option.
#1660 Fixes NETLINK errors with routes
table on CentOS 6
#1676 Clear node_key
when TLS plugins respond with node_invalid=True
#1689 Boost 1.59 removed support for comments in JSON files, we now 'only' support #-style.
#1714 Columns with the DOUBLE
type no longer return '-1'
--config_check
Check the format of an osquery config and exit
--config_dump
Dump the contents of the configuration
--database_dump
Dump the contents of the backing store
--disable_reenrollment
Disable re-enrollment attempts if related plugins return invalid
--header
Toggle column headers true/false
--planner
Enable osquery runtime planner output
Added table device_file
to All Platforms
Added table device_hash
to All Platforms
Added table device_partitions
to All Platforms
Added table platform_info
to All Platforms
Added table process_file_events
to Darwin (Apple OS X)
Added column btime
(BIGINT_TYPE
) to table file
Added column atime
(BIGINT_TYPE
) to table file_events
Added column ctime
(BIGINT_TYPE
) to table file_events
Added column gid
(BIGINT_TYPE
) to table file_events
Added column hashed
(INTEGER_TYPE
) to table file_events
Added column inode
(BIGINT_TYPE
) to table file_events
Added column mode
(TEXT_TYPE
) to table file_events
Added column mtime
(BIGINT_TYPE
) to table file_events
Added column size
(BIGINT_TYPE
) to table file_events
Added column uid
(BIGINT_TYPE
) to table file_events
Added column shard
(INTEGER_TYPE
) to table osquery_packs
Removed table passwd_changes
from All Platforms
Removed table file_access_events
from Darwin (Apple OS X)
Published by theopolis almost 9 years ago
This release introduces schedule caching, greatly improving performance when using default packs.
The getQueryColumns
thrift API now uses heuristics to determine expression types.
OS X's hardware_events
table is now backed by an IOKit eventing API (previously it only included HID events).
Constraints stacking within subqueries is improved (part 4 of #1651).
Tables that act on user data (on Linux) have been refactored to require a JOIN
against users
to enumerate. There are still several tables on OS X that search user-owned directories, they will eventually be refactored too. In all cases, the pack queries operating on these tables have been updated to include JOIN users USING (uid)
.
#1527 Building from source is no longer required for profiling with ./tools/profile.py
#1635 Dropping privileges temporarily on Linux would cause thrift sockets to close
#1675 Constraints "stacked" onto the same table would overwrite subquery constraints
#1685 OS X's LaunchDaemon's ProgramArguments rewrite argv[0]
and could trample status log filenames
#1647 Remove "result=" from logs sent to the syslog logger plugin, see #1212
--disable_caching
Disable scheduled query caching
--logger_mode MODE
Mode for log files (default '0640')
--profile COUNT
Enable profile mode when non-0, set number of iterations
Added table authorized_keys
to All Platforms
Added table known_hosts
to All Platforms
Added table signature
to Darwin (Apple OS X)
Added table user_events
to Ubuntu, CentOS
Added column sgid
(BIGINT_TYPE
) to table processes
Added column suid
(BIGINT_TYPE
) to table processes
Added column uid
(BIGINT_TYPE
) to table browser_plugins
Added column uid
(BIGINT_TYPE
) to table chrome_extensions
Added column uid
(BIGINT_TYPE
) to table firefox_addons
Added column uid
(BIGINT_TYPE
) to table opera_extensions
Added column uid
(BIGINT_TYPE
) to table safari_extensions
Added column uid
(BIGINT_TYPE
) to table shell_history
Added column timezone
(TEXT_TYPE
) to table time
Added column signing_algorithm
(TEXT_TYPE
) to table certificates
Added column subject
(TEXT_TYPE
) to table certificates
Removed column username
(TEXT
) from table shell_history
Published by theopolis almost 9 years ago
Improved scheduling logic focused on reliable and deterministic query execution.
More usable and performant Linux file integrity monitoring.
Facilities for dropping privileges within table implementations when operating on user controlled data.
Linux audit-based socket binds and connect tracking.
#1537 Correct config_valid
boolean in osquery_info
table
#1536 Fix pack discovery queries from losing cached results
#1545 Fix JSON syntax error in example configuration
#1549 Limit RocksDB LITE warnings and swap EFI path delimiters in kernel_info
on OS X
#1554 Fix file descriptor leak in Linux interface_details
table
#1550 The extension manager should clean managed extension UNIX socks on exit
#1559 Prevent boost exceptions when invalid LC_CTYPE
variable is used
#1579 Fix potential crashes when calling getifaddrs(3)
on Linux interface_details
#1580 Protect against invalid /proc
data when parsing memory maps
#1598 Fix various filesystem access TOCTOU errors
#1621 Fix schedule iteration restoration logic to use UNIX time instead of a 0-60 seconds modulus
#1631 Use blank values for missing keys in OS X startup_items
--pack_delimiter SYMBOL
Delimiter for pack and query names
--distributed_enabled
renamed to --disable_distributed
and the default is now false
--distributed_poll_interval
renamed to --distributed_interval
--read_user_links
has been removed
Added table system_info
to All Platforms
Added table wifi_networks
to Darwin (Apple OS X)
Added table socket_events
to Ubuntu, CentOS
Added column type
(TEXT
) to table file
Added column start_time
(INTEGER
) to table osquery_info
Added column last_executed
(BIGINT
) to table osquery_schedule
Added column fd
(BIGINT
) to table process_open_sockets
Change column config_md5
to config_hash
(TEXT
) in table osquery_info
Change column cpu_serial
to hardware_serial
(TEXT
) in table system_info
Removed column is_block
(INTEGER
) from table file
Removed column is_char
(INTEGER
) from table file
Removed column is_dir
(INTEGER
) from table file
Removed column is_file
(INTEGER
) from table file
Removed column is_link
(INTEGER
) from table file
Removed column md5
(TEXT
) from table kernel_info
Removed column config_path
(TEXT
) from table osquery_info
Published by theopolis about 9 years ago
Support for Linux process events using libaudit.
Packs and pack queries can now be included inline with configuration content.
Distributed query support has been refactored/improved but is still in alpha.
Simultaneous osqueryi
shells are now supported.
Removed building Google benchmark and cpp-netlib in third party.
#1432 Improved USB device reporting on OS X
#1455 Add libgcrypt11 to package dependency list for Debian/Ubuntu
#1506 OS X kernel driver is only loaded if the package is installed
#1517 Fix YARA sigfile cachine (previously, sigfiles were only applied once)
#1522 OS X startup items includes more search paths
--config_tls_max_attempts INT
Number of times to attempt a request
--schedule_default_interval SECONDS
Query interval to use if none is provided
--pack_refresh_interval SECONDS
Cache expiration for a packs discovery queries
--enroll_secret_env VALUE
Name of environment variable holding enrollment-auth secret
Added table magic
to All Platforms
Added table process_events
to All Platforms
Added table system_info
to Darwin (Apple OS X)
Added table xprotect_meta
to Darwin (Apple OS X)
Added table osquery_events
to Utility
Added column config_valid
(INTEGER
) to table osquery_info
Added column discovery_cache_hits
(INTEGER
) to table osquery_packs
Added column discovery_executions
(INTEGER
) to table osquery_packs
Added column group
(BIGINT
) to table processes
Added column nice
(INTEGER
) to table processes
Added column state
(TEXT
) to table processes
Added column author
(TEXT
) to table safari_extensions
Added column description
(TEXT
) to table safari_extensions
Added column identifier
(TEXT
) to table safari_extensions
Added column sdk
(TEXT
) to table safari_extensions
Added column update_url
(TEXT
) to table safari_extensions
Added column version
(TEXT
) to table safari_extensions
Removed table process_events
from Darwin (Apple OS X)
Removed column description
(TEXT
) from table osquery_packs
Removed column interval
(INTEGER
) from table osquery_packs
Removed column path
(TEXT
) from table osquery_packs
Removed column query
(TEXT
) from table osquery_packs
Removed column query_name
(TEXT
) from table osquery_packs
Removed column scheduled
(INTEGER
) from table osquery_packs
Removed column scheduled_name
(TEXT
) from table osquery_packs
Removed column value
(TEXT
) from table osquery_packs
Published by theopolis about 9 years ago
#1415 Build support for OS X 10.9
#1443 Build support for OS X 10.11 (beta)
#1335 Support for file access events from OS X kernel extension (beta)
Several components are now benchmarked: binary size, events performance, SQL performance, etc
Several high-impact performance optimizations:
#1448 Use faster casting for SQLite table type data
#1448 Cache YARA signature compilations when using ad-hoc YARA scans
#1451 Allow Read-Only RocksDB usage and improve record lookups
#1452 Remove unneeded virtual table rotations
#1412 Use SIGKILL on OS X when force replacing daemon processes
#1422 Query options from pack queries are now applied
#1423 Fix executions on 10.11 (still not supported in Jenkins)
Added table uptime
to All Platforms
Added table authorization_mechanisms
to Darwin (Apple OS X)
Added table authorizations
to Darwin (Apple OS X)
Added table disk_events
to Darwin (Apple OS X)
Added column day
(INTEGER
) to table time
Added column iso_8601
(TEXT
) to table time
Added column month
(INTEGER
) to table time
Added column timestamp
(TEXT
) to table time
Added column unix_time
(INTEGER
) to table time
Added column weekday
(TEXT
) to table time
Added column year
(INTEGER
) to table time
Published by theopolis about 9 years ago
Several important bug fixes!
#1368 Restore OS X autostart post-install scripts (custom packaging)
#1367 Disable reads from user-controlled FIFOs
#1369 Limit IOKit HID remove and unhelpful (information sparse) events
#1371 Fix duplicate events in YARA subscribers
#1380 Fix query packs version checker
#1385 Remove high-false positive generators from query packs
Published by theopolis over 9 years ago
#1171 Allow file read restrictions on size, user-controlled size, and symlink modes
#1194 Unofficial support for Ubuntu 10.04 dependency building
#1216 OS X's Disk Arbitration-based publishers, and related disk-event tables
#1259 Use RocksDB's LITE version to reduce binary size
#1266 Use "mostly" POSIX globbing, along with SQLite, style wildcarding for FIM
#1277 Forward status logs to worker processes when using osqueryd
#1321 Use OpenSSL's x509 certificate parsing to improve speed/memory on OS X
#1330 OS X kernel extension (beta, optional, not included in release builds)
Version 1.5.0 introduces Facebook's “Query Packs”, a method to share and utilize high-value queries.
#1237 Fix certificate table crash on OS X
#1276 Add subscriber optimizations to reduce diff latency using —events_optimize
#1283 Include 'epoch' number to package dependencies on Redhat 7 based distros
#1284 Require libsnappy headers and functionality for RocksDB
#1308 Fix TLS plugin client user agent string versions
#1312 Fix potential crash in interface enumeration on Ubuntu
#1341 Include osqueryctl
in Homebrew builds
—config_tls_refresh VALUE
Optional interval in seconds to re-read configuration (min=10)
—events_optimize
Optimize subscriber select queries (scheduler only)
—read_max VALUE
Maximum file read size
—read_user_links
Read user-owned filesystem links
—read_user_max VALUE
Maximum non-su read size
Added table uptime
to All Platforms
Added table authorization_mechanisms
to Darwin (Apple OS X)
Added table authorizations
to Darwin (Apple OS X)
Added table disk_events
to Darwin (Apple OS X)
Added column day
(INTEGER
) to table time
Added column iso_8601
(TEXT
) to table time
Added column month
(INTEGER
) to table time
Added column timestamp
(TEXT
) to table time
Added column unix_time
(INTEGER
) to table time
Added column weekday
(TEXT
) to table time
Added column year
(INTEGER
) to table time
Published by marpaia over 9 years ago
Note: this is a minor update!
#1212 A new logger plugin: syslog (use --logger_plugin=syslog
, see #1207)
#1224 Support for SQLite's DOUBLE type
#1202 osqueryd workers could \0
-out their argv, not friendly
#1205 Average memory reporting in schedule monitor mode does not wrap
#1224 Fix OS X package_receipts
reporting installed time as a DOUBLE
#1224 Fix check of extensions_socket
in the shell
--logger_syslog_facility
when using the --logger_plugin=syslog
set a specific facility (0-23, default 19)
Added table app_schemes
to Darwin (Apple OS X)
Added table keychain_acls
to Darwin (Apple OS X)
Added table sandboxes
to Darwin (Apple OS X)
Published by theopolis over 9 years ago
Added "Query Packs", a way to easily distribute sets of related scheduled queries.
Now using RocksDB 3.10.2 on Linux/OS X, with more control over CPU optimizations.
Support for Vagrant building in AWS/EC2: RHEL, Amazon Linux, and older platforms.
Now building libcryptsetup inline and linking statically, removed install-time package dependencies.
Various FreeBSD tables and "beta" support for building in ports.
Simple TLS-based config and logger plugins, (see Remote Settings).
More control over scheduled query output: removed-less mode and snapshot-mode.
New default processes scheduling and filesystem I/O limiting and niceness.
Table and column APIs are more expressive about actions/indexes.
#1104 Limit the number (10) and type (WARNING) of RocksDB logs.
#1111 Apply safePermissions
check to worker process execs.
#1121 Fix .show
meta command crash in osqueryi.
#1131 Fix missing install-time dependency for cryptsetup libraries.
#1151 Fix crontab parsing paths on RHEL6.5/7.
#1163 Use UTFTime for OS X certificates not_valid_before/after
columns.
#1195 Parse OS X process cmdline
and environment variables correctly.
#1195 Enable faster JOINs with OpenDirectory selections on OS X.
#1195 Limit shell_history
searches to current user or context actions via username
.
#1197 Emit multiple FSEvents actions for transactions-multiplexed events.
#1199 Include UNIX domain sockets in process_open_sockets
on OS X/Linux.
Version 1.4.6 adds optional TLS plugins for configuration and logging.
See the wiki on optional remote settings for more information.
flag | description |
---|---|
--disable_enrollment |
Disable enrollment functions on related config/logger plugins |
--enroll_secret_path=PATH |
Path to an optional client enrollment-auth secret |
--enroll_tls_endpoint=ENDPOINT |
TLS/HTTPS endpoint for client enrollment |
--tls_client_cert=PATH |
Optional path to a TLS client-auth PEM certificate |
--tls_client_key=ENDPOINT |
Optional path to a TLS client-auth PEM private key |
--tls_hostname=HOSTNAME |
TLS/HTTPS hostname for Config, Logger, and Enroll plugins |
--tls_server_certs=PATH |
Optional path to a TLS server PEM certificate(s) bundle |
Added table user_groups
to All Platforms
Added table iptables
to Ubuntu, CentOS
Added table msr
to Ubuntu, CentOS
Added table osquery_packs
to Utility
Added column path
(TEXT
) to table process_open_sockets
Published by theopolis over 9 years ago
OS X extended attributes generalization (merged quarantine
/xattr_where_from
)
RHEL6.5/7 supported building and custom RPM creation
Schedule logs now report UTC calendar time (with a " UTC" suffix) instead of localtime
Moved our Github Wiki to ReadTheDocs (https://osquery.readthedocs.org)
Less SQLite shell flags and switches, now with -A/-L for easy full-table querying
Barebones TLS/HTTP-based plugin interfaces, examples for external plugin development
Build YARA and snappy locally and compile/link statically (easier deploy)
Monitor schedule performance using the osquery_schedule
table and --enable_monitoring
#921 Keychain table crashing with empty keychains
#915 Skip initialization tasks when only checking configurations
#922 Normalized EventSubscriber time, expected seconds since epoch
#937 osqueryd initscript correct error codes
#953 Empty SQLite predicate parsing in virtual table modules
#964 Restrict APT sources to AMD64 (no more x86-32)
#968 User-local LaunchAgents not found
#991 Debug and Optimized build overlaps (increased build time)
#1000 Upgrade SQLite to 3.8.9, bug fixes from libfuzz
#1040 Unknown EventSubscriber table implementations will crash
#1080 Raw sockets in Linux are not included (only TCP/UDP)
Removed bail, batch, column, echo, explain, header, html, interactive, and stats from shell CLI
Added --A
that takes a single table name arg and acts like: SELECT * FROM table
Added --L
that lists all tables names
--disabled_tables
takes a comma-delimited set of table names to runtime remove
Consolidated beta distributed flags into --distributed_retries
--enable_monitor
keeps runtime schedule stats in osquery_schedule
API Change: Renamed table file_changes
to file_events
for All Platforms
API Change: Merged tables xattr_where_from
and quarantine
into extended_attributes
Moved table chrome_extensions
to All Platforms
Moved table firefox_addons
to All Platforms
Moved table opera_extensions
to All Platforms
Moved table disk_encryption
to All Platforms
Moved table process_memory_map
to All Platforms
Added table etc_protocols
to All Platforms
Added table yara
to All Platforms
Added table yara_events
to All Platforms
Added table rpm_package_files
to CentOS
Added table launchd_overrides
to Darwin (Apple OS X)
Added table managed_policies
to Darwin (Apple OS X)
Added table osquery_schedule
to Utility
Added column pattern
(TEXT
) to table file
Added column build
(TEXT
) to table os_version
Added column name
(TEXT
) to table os_version
Added column build_distro
(TEXT
) to table osquery_info
Added column build_platform
(TEXT
) to table osquery_info