osquery
SQL powered operating system instrumentation, monitoring, and analytics.
OTHER License
Bot releases are hidden (Show)
Published by theopolis over 8 years ago
New features in 1.7.7:
This is a quick bug-fix pre-release.
Bug fixes:
#2195 Most boost::filesystem API calls are now noexcept
#2187 Fix regression add in 1.7.6 leading to nullptr dereferences in PlatformFile
Published by theopolis over 8 years ago
New features in 1.7.6:
This is a quick bug-fix pre-release.
Plugin API changes
#2166 The AWS Firehose logger plugin now inserts newlines "\n"
Bug fixes:
#2163 The systemd osqueryd service unit is installed correctly on Ubuntu 16.04
#2174 The OS X Launch Daemon script arguments have been corrected
Config options / CLI flags changes
--ephemeral Can be used for osqueryd to choose a random pidfile.
--disable_database Can be used to select an in-memory transient database. This is turned on by-default for the shell.
--pack PACKNAME Can be used by the shell to execute all queries in a pack.
--aws_kinesis_random_partition_key Added to the AWS Kinesis logger plugin.
Published by theopolis over 8 years ago
New features in 1.7.5:
#2077 Within-query caching allows for more efficient subqueries
#2079 Remove the ::logHealth methods from logger plugins
#2088 Add an optional ::logEvent API for logger plugins
#2089 Add Ubuntu Xenial 16.04 build support
#2093 Add --pack option to the osqueryi shell
#2101 Introduce table options to represent keyed-columns in SQLite
#2104 Introduce table aliases to support future deprecation of table names
#2123 Add basic math functions to SQLite: pow, sqrt, log, floor, etc
#2124 Add string splitting functions to SQLite: split, split_regex, etc
#2137 Update SQLite to 3.14.0 to support combined LIKE and = in single predicates
#2139 Update the AWS APIs to version 0.12.4
Plugin API changes
There are two breaking API changes to TablePlugin and LoggerPlugin that will affect extensions.
TablePlugins must now return osquery::TableColumns as a set of tuples:
class exampleTablePlugin : public TablePlugin {
private:
TableColumns columns() const {
return {
std::make_tuple("key", TEXT_TYPE, DEFAULT),
std::make_tuple("value", TEXT_TYPE, DEFAULT),
};
}
};
Logger plugins use ::init and ::logStatus must (1) change the return type for ::init to void and define a ::usesLogStatus method:
class exampleLoggerPlugin : LoggerPlugin {
public:
void init(const std::string& name,
const std::vector<StatusLogLine>& log) override;
bool usesLogStatus() override { return true; }
};
Bug fixes:
The provision scripts (make deps) for several distributions have been improved.
#2151 Fix autoloading of the osquery kernel extension on OS X
#2135 Limit SMBIOS reads to the 1M-2M region
#2116 Add ::removeService to the Dispatcher API to fix kernel tests
Table changes (from 1.7.4 to 1.7.5):
The process_events table was significantly changes. The time-related column names now match file.
Added table quicklook_cache to Darwin (Apple OS X)
Renamed column access_time to atime in table process_events
Renamed column create_time to btime in table process_events
Renamed column change_time to ctime in table process_events
Renamed column modify_time to mtime in table process_events
Renamed column environment to env in table process_events
Renamed column environment_count to env_count in table process_events
Renamed column environment_size to env_size in table process_events
Published by theopolis over 8 years ago
New features in 1.7.4:
#1983 Decorator queries allow the configuration to extend every scheduled query by adding 'decorations'.
#2036 Buffered log forwarding simplifies new logger pluggin development.
#2015 Basic build support for Windows 10 and Visual Studio 2015.
#2046 Add AWS SDK to build dependencies for Kinesis and Firehose integration.
#2064 Begin cut over to UTC, some columns and UNIX times are still local-time based; version 1.8.0 will complete the cut over.
#2064 Add a version field to buffered status logs.
The change to UTC times (where UTC is not already used) can be started now by enabling --utc, this option will become default in version 1.8.0.
Bug fixes:
#2053 Prevent client errors when TLS plugin responses are empty.
#2060 Send Content-Encoding header when using TLS logging compression: --logger_tls_compress.
#2061 Add an {action: snapshot} to snapshot results.
Table changes (from 1.7.3 to 1.7.4):
Added table crashes to Darwin (Apple OS X)
Added table package_install_history to Darwin (Apple OS X)
Added table syslog to Ubuntu, CentOS
Added column time (INTEGER_TYPE) to table shell_history
Added column datetime (TEXT_TYPE) to table time
Added column local_time (INTEGER_TYPE) to table time
Added column local_timezone (TEXT_TYPE) to table time
Published by theopolis over 8 years ago
New features in 1.7.3:
This release fixes #1972, which was introduced in 1.7.2.
#1963 YARA events yara_events now include MOVE file events.
Bug fixes:
#1972 Fix deadlock when using osquery_schedule (only present in 1.7.2)
#1966 Clear cache of distributed query results
Additional fix-ups to the osquery systemd service.
Table changes (from 1.7.2 to 1.7.3):
Added column disabled (INTEGER_TYPE) to table browser_plugins
Published by theopolis over 8 years ago
New features in 1.7.2:
The SQLite included in 1.7.2 includes support for IN and OR operators!
RocksDB can now be swapped with SQLite as the backing store to help support new platforms.
The certificates table on OS X now supports both DER and PEM formats.
The use of boost::thread has been removed, as well as shared mutexes.
TLS SNI support via cpp-netlib's 0.12-rc1 build.
Extensions should no longer use Initializer::shutdown()
Prior to 1.7.2 an extension's main file resembled:
int main(int argc, char* argv[]) {
osquery::Initializer runner(argc, argv, OSQUERY_EXTENSION);
auto status = startExtension("your_name", "1.0.0", "1.7.2");
if (!status.ok()) {
LOG(ERROR) << status.getMessage();
}
// Finally shutdown.
runner.shutdown();
return 0;
}
It should now use the following flow:
int main(int argc, char* argv[]) {
osquery::Initializer runner(argc, argv, OSQUERY_EXTENSION);
auto status = startExtension("your_name", "1.0.0", "1.7.2");
if (!status.ok()) {
LOG(ERROR) << status.getMessage();
runner.requestShutdown(status.getCode());
}
// Finally wait for a signal / interrupt to shutdown.
runner.waitForShutdown();
return 0;
}
NULLs in results
NULL values are now allowed in column results.
This means values which were NOT filled in for INTEGER, BIGINT, and DOUBLE types would previously, in error, return a -1. This was very confusing as we do not differentiate between signed/unsigned SQLite types so it was difficult to determine if the -1 indicated an error. Expect these values to return empty JSON strings in logs. Eventually table implementation will be able to explicitly return a null type, which will propagate into JSON.
Bug fixes:
#1888 OS X's process table would generate a result row for 'fake' pids if a pid was used in the query constraint
#1893 libdevmapper is now built and linked statically for CentOS6/7 packages
#1913 Process 'state' on Linux and OS X was overloaded and typed incorrectly
#1936 Event expiring in 1.7.1 left stay events in the outer indexes
#1944 TLS-based configuration could lead to a spurious final config request on shutdown
#1946 The 'unsupported' Debian package build scripts were adding incorrect package dependencies
Table changes (from 1.7.1 to 1.7.2):
Added table asl to Darwin (Apple OS X)
Added table cpu_time to Ubuntu, CentOS
Added column name (TEXT_TYPE) to table fan_speed_sensors
Added column authority (TEXT_TYPE) to table signature
Added column cdhash (TEXT_TYPE) to table signature
Added column team_identifier (TEXT_TYPE) to table signature
Table API breaking changes in 1.7.2:
Renamed column group to pgroup in table processes
Published by theopolis over 8 years ago
New features in 1.7.1:
#1836 Extensions autoloading is now supported in osqueryi.
#1850 String parsing, tokenization, and UTF8 conversions methods have been removed from the public API.
#1858 SQLite has been bumped to 3.11.0, this adds support for LIKE within query constraints.
SQLite 3.11.0 and LIKE
The bump to 3.11.0 (#1858) and support for LIKE has induced a breaking table spec API change. The pattern column has been removed from file and yara as it was used has a small hack to support LIKE-style operations.
Prior to osquery 1.7.1 a query would use:
SELECT * FROM file WHERE pattern = '/etc/%';
Now you must use the more natural:
SELECT * FROM file WHERE path LIKE '/etc/%';
Notes:
#1829 Adds significant hardening around dispatcher / extension thread safety for the osquery core. An equivalent study is yet to be committed for extension processes.
#1831 Thrift 0.9.3 is now required to build-- packages prior to 1.7.1 used 0.9.1.
#1847 CTRL^C will now exit the shell, previously only CTRL^D exited.
#1856 If using cpp-netlib version 0.12+, osquery will attempt SNI for TLS plugins.
#1868 Setting an invalid option within the config will generate a WARNING status log.
Bug fixes:
#1815 Prevent duplicate events for Linux inotify events
#1813 Use 'rom' on OS X to report platform_info
#1823 Handle osqueryi usage by users with restricted (or without) home directories
#1841 Setting file_paths within packs now applies platform/shard restrictions.
#1863 The filesystem logger plugin now adds a newline for snapshot queries.
#1872 The Linux init-script has sane Default Start/Stop levels.
Config options / CLI flags changes:
The --flagfile option has always existed, but it is not outputted with --help.
--flagfile=PATH Line-delimited file of additional flags
Table changes (from 1.7.0 to 1.7.1):
Added table dns_resolvers to All Platforms
Added table fan_speed_sensors to Darwin (Apple OS X)
Added table power_sensors to Darwin (Apple OS X)
Added table temperature_sensors to Darwin (Apple OS X)
Added column user_uuid (TEXT_TYPE) to table disk_encryption
Added column developer_id (TEXT_TYPE) to table safari_extensions
Added column uuid (TEXT_TYPE) to table users
Table API breaking changes in 1.7.1:
Removed column pattern (TEXT_TYPE) from table file
Removed column pattern (TEXT_TYPE) from table yara
Published by theopolis over 8 years ago
New features in 1.7.0:
Query packs can now include FIM categories and paths.
OS X TLS-based plugins now require an explicit path to a certificate authority PEM bundle.
The TLS-based plugins continue to receive performance and feature improvements.
For CentOS and RHEL 7 builds the make packages macro will include a basic systemd unit.
Notes:
The OS X signature table now only reports success if the target path passes 'strict' code signing checks.
This release marks the first release build built using 10.11, and the TLS implementation uses LibreSSL.
For a short period between 1.6.3 and 1.6.4 the RocksDB options were not compatible with previous databases. There are no compatibility issues with 1.7.0 and previous releases.
Bug fixes:
#1796 Query constraints tracking support for multi-sub queries
#1801 Fix ROWID constraint interpreted as a column index
Plugin API change:
#1581 Logger plugin logString methods are called once per logline
Config options / CLI flags changes:
--events_max=COUNT Maximum number of events per type to buffer
--logger_tls_compress=False GZip compress TLS/HTTPS request body
--logger_tls_max=COUNT Max size in bytes allowed per log line
Table changes (from 1.6.3 to 1.7.0):
Added table sip_config to Darwin (Apple OS X)
Added table smc_keys to Darwin (Apple OS X)
Added column key_strength (TEXT_TYPE) to table certificates
Added column uid (TEXT_TYPE) to table disk_encryption
Added column hardware_vendor (TEXT_TYPE) to table system_info
Added column hardware_version (TEXT_TYPE) to table system_info
Published by theopolis almost 9 years ago
This 1.6.4 release does not include binary packages, a brew commit, or change logs docs.
This is used as a demarcation for building on OS X 10.11 for integration tests and packages.
Published by theopolis almost 9 years ago
New features in 1.6.3:
This version is a quick release on top of 1.6.2.
Bug fixes:
#1735 Remove OPENED events from file_events
#1736 Allow TLS endpoints to return node_invalid multiple times.
Table changes (from 1.6.2 to 1.6.3):
Added column issuer (TEXT_TYPE) to table certificates
Added column self_signed (INTEGER_TYPE) to table certificates
Published by theopolis almost 9 years ago
New features in 1.6.2:
The Sleuth Kit integration is complete, use device_* tables to list partitions, files and hashes.
Results for 'expired' queries are now purged from the backing store (RocksDB).
The file_events tables are now designed for modification/alter events only.
The file_access_events tables have been superseded by process_file_events, accesses use the new file_accesses configuration key.
Additionally, the file_events table include many more helpful fields populated at event time.
SQLite has been updated to 3.10.0 and the JSON-extensions are now enabled.
File hashing now includes algorithm parallelism, but all algorithms are still always run regardless of selections.
For debugging the osqueryi client can be used to dump configuration JSON or the backing store items.
The configuration can now specify multiple loggers, for example --config_plugin=filesystem,syslog.
Packs and queries now support a shard=N option.
Bug fixes:
#1660 Fixes NETLINK errors with routes table on CentOS 6
#1676 Clear node_key when TLS plugins respond with node_invalid=True
#1689 Boost 1.59 removed support for comments in JSON files, we now 'only' support #-style.
#1714 Columns with the DOUBLE type no longer return '-1'
Config options / CLI flags changes:
--config_check Check the format of an osquery config and exit
--config_dump Dump the contents of the configuration
--database_dump Dump the contents of the backing store
--disable_reenrollment Disable re-enrollment attempts if related plugins return invalid
--header Toggle column headers true/false
--planner Enable osquery runtime planner output
Table changes (from 1.6.1 to 1.6.2):
Added table device_file to All Platforms
Added table device_hash to All Platforms
Added table device_partitions to All Platforms
Added table platform_info to All Platforms
Added table process_file_events to Darwin (Apple OS X)
Added column btime (BIGINT_TYPE) to table file
Added column atime (BIGINT_TYPE) to table file_events
Added column ctime (BIGINT_TYPE) to table file_events
Added column gid (BIGINT_TYPE) to table file_events
Added column hashed (INTEGER_TYPE) to table file_events
Added column inode (BIGINT_TYPE) to table file_events
Added column mode (TEXT_TYPE) to table file_events
Added column mtime (BIGINT_TYPE) to table file_events
Added column size (BIGINT_TYPE) to table file_events
Added column uid (BIGINT_TYPE) to table file_events
Added column shard (INTEGER_TYPE) to table osquery_packs
Table API breaking changes in 1.6.2:
Removed table passwd_changes from All Platforms
Removed table file_access_events from Darwin (Apple OS X)
Published by theopolis almost 9 years ago
New features in 1.6.1:
This release introduces schedule caching, greatly improving performance when using default packs.
The getQueryColumns thrift API now uses heuristics to determine expression types.
OS X's hardware_events table is now backed by an IOKit eventing API (previously it only included HID events).
Constraints stacking within subqueries is improved (part 4 of #1651).
Tables that act on user data (on Linux) have been refactored to require a JOIN against users to enumerate. There are still several tables on OS X that search user-owned directories, they will eventually be refactored too. In all cases, the pack queries operating on these tables have been updated to include JOIN users USING (uid).
Bug fixes:
#1527 Building from source is no longer required for profiling with ./tools/profile.py
#1635 Dropping privileges temporarily on Linux would cause thrift sockets to close
#1675 Constraints "stacked" onto the same table would overwrite subquery constraints
#1685 OS X's LaunchDaemon's ProgramArguments rewrite argv[0] and could trample status log filenames
Breaking changes
#1647 Remove "result=" from logs sent to the syslog logger plugin, see #1212
Config options / CLI flags changes:
--disable_caching Disable scheduled query caching
--logger_mode MODE Mode for log files (default '0640')
--profile COUNT Enable profile mode when non-0, set number of iterations
Table changes (from 1.6.0 to 1.6.1):
Added table authorized_keys to All Platforms
Added table known_hosts to All Platforms
Added table signature to Darwin (Apple OS X)
Added table user_events to Ubuntu, CentOS
Added column sgid (BIGINT_TYPE) to table processes
Added column suid (BIGINT_TYPE) to table processes
Added column uid (BIGINT_TYPE) to table browser_plugins
Added column uid (BIGINT_TYPE) to table chrome_extensions
Added column uid (BIGINT_TYPE) to table firefox_addons
Added column uid (BIGINT_TYPE) to table opera_extensions
Added column uid (BIGINT_TYPE) to table safari_extensions
Added column uid (BIGINT_TYPE) to table shell_history
Added column timezone (TEXT_TYPE) to table time
Added column signing_algorithm (TEXT_TYPE) to table certificates
Added column subject (TEXT_TYPE) to table certificates
Table API breaking changes in 1.6.1:
Removed column username (TEXT) from table shell_history
Published by theopolis almost 9 years ago
New features in 1.6.0:
Improved scheduling logic focused on reliable and deterministic query execution.
More usable and performant Linux file integrity monitoring.
Facilities for dropping privileges within table implementations when operating on user controlled data.
Linux audit-based socket binds and connect tracking.
Bug fixes:
#1537 Correct config_valid boolean in osquery_info table
#1536 Fix pack discovery queries from losing cached results
#1545 Fix JSON syntax error in example configuration
#1549 Limit RocksDB LITE warnings and swap EFI path delimiters in kernel_info on OS X
#1554 Fix file descriptor leak in Linux interface_details table
#1550 The extension manager should clean managed extension UNIX socks on exit
#1559 Prevent boost exceptions when invalid LC_CTYPE variable is used
#1579 Fix potential crashes when calling getifaddrs(3) on Linux interface_details
#1580 Protect against invalid /proc data when parsing memory maps
#1598 Fix various filesystem access TOCTOU errors
#1621 Fix schedule iteration restoration logic to use UNIX time instead of a 0-60 seconds modulus
#1631 Use blank values for missing keys in OS X startup_items
Config options / CLI flags changes:
--pack_delimiter SYMBOL Delimiter for pack and query names
--distributed_enabled renamed to --disable_distributed and the default is now false
--distributed_poll_interval renamed to --distributed_interval
--read_user_links has been removed
Table changes (from 1.5.3 to 1.6.0):
Added table system_info to All Platforms
Added table wifi_networks to Darwin (Apple OS X)
Added table socket_events to Ubuntu, CentOS
Added column type (TEXT) to table file
Added column start_time (INTEGER) to table osquery_info
Added column last_executed (BIGINT) to table osquery_schedule
Added column fd (BIGINT) to table process_open_sockets
Table API breaking changes in 1.6.0:
Change column config_md5 to config_hash (TEXT) in table osquery_info
Change column cpu_serial to hardware_serial (TEXT) in table system_info
Removed column is_block (INTEGER) from table file
Removed column is_char (INTEGER) from table file
Removed column is_dir (INTEGER) from table file
Removed column is_file (INTEGER) from table file
Removed column is_link (INTEGER) from table file
Removed column md5 (TEXT) from table kernel_info
Removed column config_path (TEXT) from table osquery_info
Published by theopolis about 9 years ago
New features in 1.5.3:
Support for Linux process events using libaudit.
Packs and pack queries can now be included inline with configuration content.
Distributed query support has been refactored/improved but is still in alpha.
Simultaneous osqueryi shells are now supported.
Removed building Google benchmark and cpp-netlib in third party.
Bug fixes:
#1432 Improved USB device reporting on OS X
#1455 Add libgcrypt11 to package dependency list for Debian/Ubuntu
#1506 OS X kernel driver is only loaded if the package is installed
#1517 Fix YARA sigfile cachine (previously, sigfiles were only applied once)
#1522 OS X startup items includes more search paths
Config options / CLI flags changes:
--config_tls_max_attempts INT Number of times to attempt a request
--schedule_default_interval SECONDS Query interval to use if none is provided
--pack_refresh_interval SECONDS Cache expiration for a packs discovery queries
--enroll_secret_env VALUE Name of environment variable holding enrollment-auth secret
Table changes (from 1.5.2 to 1.5.3):
Added table magic to All Platforms
Added table process_events to All Platforms
Added table system_info to Darwin (Apple OS X)
Added table xprotect_meta to Darwin (Apple OS X)
Added table osquery_events to Utility
Added column config_valid (INTEGER) to table osquery_info
Added column discovery_cache_hits (INTEGER) to table osquery_packs
Added column discovery_executions (INTEGER) to table osquery_packs
Added column group (BIGINT) to table processes
Added column nice (INTEGER) to table processes
Added column state (TEXT) to table processes
Added column author (TEXT) to table safari_extensions
Added column description (TEXT) to table safari_extensions
Added column identifier (TEXT) to table safari_extensions
Added column sdk (TEXT) to table safari_extensions
Added column update_url (TEXT) to table safari_extensions
Added column version (TEXT) to table safari_extensions
Removed table process_events from Darwin (Apple OS X)
Removed column description (TEXT) from table osquery_packs
Removed column interval (INTEGER) from table osquery_packs
Removed column path (TEXT) from table osquery_packs
Removed column query (TEXT) from table osquery_packs
Removed column query_name (TEXT) from table osquery_packs
Removed column scheduled (INTEGER) from table osquery_packs
Removed column scheduled_name (TEXT) from table osquery_packs
Removed column value (TEXT) from table osquery_packs
Published by theopolis about 9 years ago
New features in 1.5.2:
#1415 Build support for OS X 10.9
#1443 Build support for OS X 10.11 (beta)
#1335 Support for file access events from OS X kernel extension (beta)
Several components are now benchmarked: binary size, events performance, SQL performance, etc
Several high-impact performance optimizations:
#1448 Use faster casting for SQLite table type data
#1448 Cache YARA signature compilations when using ad-hoc YARA scans
#1451 Allow Read-Only RocksDB usage and improve record lookups
#1452 Remove unneeded virtual table rotations
Bug fixes:
#1412 Use SIGKILL on OS X when force replacing daemon processes
#1422 Query options from pack queries are now applied
#1423 Fix executions on 10.11 (still not supported in Jenkins)
Table changes (from 1.5.1 to 1.5.2):
Added table uptime to All Platforms
Added table authorization_mechanisms to Darwin (Apple OS X)
Added table authorizations to Darwin (Apple OS X)
Added table disk_events to Darwin (Apple OS X)
Added column day (INTEGER) to table time
Added column iso_8601 (TEXT) to table time
Added column month (INTEGER) to table time
Added column timestamp (TEXT) to table time
Added column unix_time (INTEGER) to table time
Added column weekday (TEXT) to table time
Added column year (INTEGER) to table time
Published by theopolis about 9 years ago
New features in 1.5.1:
Several important bug fixes!
Bug fixes:
#1368 Restore OS X autostart post-install scripts (custom packaging)
#1367 Disable reads from user-controlled FIFOs
#1369 Limit IOKit HID remove and unhelpful (information sparse) events
#1371 Fix duplicate events in YARA subscribers
#1380 Fix query packs version checker
#1385 Remove high-false positive generators from query packs
Published by theopolis over 9 years ago
New features in 1.5.0:
#1171 Allow file read restrictions on size, user-controlled size, and symlink modes
#1194 Unofficial support for Ubuntu 10.04 dependency building
#1216 OS X's Disk Arbitration-based publishers, and related disk-event tables
#1259 Use RocksDB's LITE version to reduce binary size
#1266 Use "mostly" POSIX globbing, along with SQLite, style wildcarding for FIM
#1277 Forward status logs to worker processes when using osqueryd
#1321 Use OpenSSL's x509 certificate parsing to improve speed/memory on OS X
#1330 OS X kernel extension (beta, optional, not included in release builds)
Version 1.5.0 introduces Facebook's “Query Packs”, a method to share and utilize high-value queries.
Bug fixes:
#1237 Fix certificate table crash on OS X
#1276 Add subscriber optimizations to reduce diff latency using —events_optimize
#1283 Include 'epoch' number to package dependencies on Redhat 7 based distros
#1284 Require libsnappy headers and functionality for RocksDB
#1308 Fix TLS plugin client user agent string versions
#1312 Fix potential crash in interface enumeration on Ubuntu
#1341 Include osqueryctl in Homebrew builds
Config options / CLI flags changes:
—config_tls_refresh VALUE Optional interval in seconds to re-read configuration (min=10)
—events_optimize Optimize subscriber select queries (scheduler only)
—read_max VALUE Maximum file read size
—read_user_links Read user-owned filesystem links
—read_user_max VALUE Maximum non-su read size
Table changes (from 1.4.7 to 1.5.0):
Added table uptime to All Platforms
Added table authorization_mechanisms to Darwin (Apple OS X)
Added table authorizations to Darwin (Apple OS X)
Added table disk_events to Darwin (Apple OS X)
Added column day (INTEGER) to table time
Added column iso_8601 (TEXT) to table time
Added column month (INTEGER) to table time
Added column timestamp (TEXT) to table time
Added column unix_time (INTEGER) to table time
Added column weekday (TEXT) to table time
Added column year (INTEGER) to table time
Published by marpaia over 9 years ago
New features in 1.4.7:
Note: this is a minor update!
#1212 A new logger plugin: syslog (use --logger_plugin=syslog, see #1207)
#1224 Support for SQLite's DOUBLE type
Bug fixes:
#1202 osqueryd workers could \0-out their argv, not friendly
#1205 Average memory reporting in schedule monitor mode does not wrap
#1224 Fix OS X package_receipts reporting installed time as a DOUBLE
#1224 Fix check of extensions_socket in the shell
Config options / CLI flags changes:
--logger_syslog_facility when using the --logger_plugin=syslog set a specific facility (0-23, default 19)
Table changes (from 1.4.6 to 1.4.7):
Added table app_schemes to Darwin (Apple OS X)
Added table keychain_acls to Darwin (Apple OS X)
Added table sandboxes to Darwin (Apple OS X)
Published by theopolis over 9 years ago
New features in 1.4.6:
Added "Query Packs", a way to easily distribute sets of related scheduled queries.
Now using RocksDB 3.10.2 on Linux/OS X, with more control over CPU optimizations.
Support for Vagrant building in AWS/EC2: RHEL, Amazon Linux, and older platforms.
Now building libcryptsetup inline and linking statically, removed install-time package dependencies.
Various FreeBSD tables and "beta" support for building in ports.
Simple TLS-based config and logger plugins, (see Remote Settings).
More control over scheduled query output: removed-less mode and snapshot-mode.
New default processes scheduling and filesystem I/O limiting and niceness.
Table and column APIs are more expressive about actions/indexes.
Bug fixes:
#1104 Limit the number (10) and type (WARNING) of RocksDB logs.
#1111 Apply safePermissions check to worker process execs.
#1121 Fix .show meta command crash in osqueryi.
#1131 Fix missing install-time dependency for cryptsetup libraries.
#1151 Fix crontab parsing paths on RHEL6.5/7.
#1163 Use UTFTime for OS X certificates not_valid_before/after columns.
#1195 Parse OS X process cmdline and environment variables correctly.
#1195 Enable faster JOINs with OpenDirectory selections on OS X.
#1195 Limit shell_history searches to current user or context actions via username.
#1197 Emit multiple FSEvents actions for transactions-multiplexed events.
#1199 Include UNIX domain sockets in process_open_sockets on OS X/Linux.
Config options / CLI flags changes:
Version 1.4.6 adds optional TLS plugins for configuration and logging.
See the wiki on optional remote settings for more information.
| flag | description |
|---|---|
--disable_enrollment |
Disable enrollment functions on related config/logger plugins |
--enroll_secret_path=PATH |
Path to an optional client enrollment-auth secret |
--enroll_tls_endpoint=ENDPOINT |
TLS/HTTPS endpoint for client enrollment |
--tls_client_cert=PATH |
Optional path to a TLS client-auth PEM certificate |
--tls_client_key=ENDPOINT |
Optional path to a TLS client-auth PEM private key |
--tls_hostname=HOSTNAME |
TLS/HTTPS hostname for Config, Logger, and Enroll plugins |
--tls_server_certs=PATH |
Optional path to a TLS server PEM certificate(s) bundle |
Table changes (from 1.4.5 to 1.4.6):
Added table user_groups to All Platforms
Added table iptables to Ubuntu, CentOS
Added table msr to Ubuntu, CentOS
Added table osquery_packs to Utility
Added column path (TEXT) to table process_open_sockets
Published by theopolis over 9 years ago
New features in 1.4.5:
OS X extended attributes generalization (merged quarantine/xattr_where_from)
RHEL6.5/7 supported building and custom RPM creation
Schedule logs now report UTC calendar time (with a " UTC" suffix) instead of localtime
Moved our Github Wiki to ReadTheDocs (https://osquery.readthedocs.org)
Less SQLite shell flags and switches, now with -A/-L for easy full-table querying
Barebones TLS/HTTP-based plugin interfaces, examples for external plugin development
Build YARA and snappy locally and compile/link statically (easier deploy)
Monitor schedule performance using the osquery_schedule table and --enable_monitoring
Bug fixes:
#921 Keychain table crashing with empty keychains
#915 Skip initialization tasks when only checking configurations
#922 Normalized EventSubscriber time, expected seconds since epoch
#937 osqueryd initscript correct error codes
#953 Empty SQLite predicate parsing in virtual table modules
#964 Restrict APT sources to AMD64 (no more x86-32)
#968 User-local LaunchAgents not found
#991 Debug and Optimized build overlaps (increased build time)
#1000 Upgrade SQLite to 3.8.9, bug fixes from libfuzz
#1040 Unknown EventSubscriber table implementations will crash
#1080 Raw sockets in Linux are not included (only TCP/UDP)
Config options / CLI flags changes:
Removed bail, batch, column, echo, explain, header, html, interactive, and stats from shell CLI
Added --A that takes a single table name arg and acts like: SELECT * FROM table
Added --L that lists all tables names
--disabled_tables takes a comma-delimited set of table names to runtime remove
Consolidated beta distributed flags into --distributed_retries
--enable_monitor keeps runtime schedule stats in osquery_schedule
Table changes (from 1.4.4 to 1.4.5):
API Change: Renamed table file_changes to file_events for All Platforms
API Change: Merged tables xattr_where_from and quarantine into extended_attributes
Moved table chrome_extensions to All Platforms
Moved table firefox_addons to All Platforms
Moved table opera_extensions to All Platforms
Moved table disk_encryption to All Platforms
Moved table process_memory_map to All Platforms
Added table etc_protocols to All Platforms
Added table yara to All Platforms
Added table yara_events to All Platforms
Added table rpm_package_files to CentOS
Added table launchd_overrides to Darwin (Apple OS X)
Added table managed_policies to Darwin (Apple OS X)
Added table osquery_schedule to Utility
Added column pattern (TEXT) to table file
Added column build (TEXT) to table os_version
Added column name (TEXT) to table os_version
Added column build_distro (TEXT) to table osquery_info
Added column build_platform (TEXT) to table osquery_info
