osquery

SQL powered operating system instrumentation, monitoring, and analytics.

OTHER License


osquery - 1.4.4

Published by theopolis over 9 years ago

New features in 1.4.4:

Async configuration updates
Static compilation of libsnappy on CentOS 6.5 + 7

Bug fixes:

#878 Speed up shell when using the default pretty-print mode
#885 Homebrew package lists
#884 Incorrect Linux initscript return codes
#895 OS X preference table subkey stacking
#883 Remove escaped "/" from JSON log results output
#907 Limit the number of glog files by using date instead of date-time.pid
#908 Remove libproc dependency on Ubuntu/CentOS

Table changes (from 1.4.3 to 1.4.4):

Added table ad_config to Darwin (Apple OS X)
Added table package_bom to Darwin (Apple OS X)
Added table package_receipts to Darwin (Apple OS X)

osquery - 1.4.3

Published by theopolis over 9 years ago

New features in 1.4.3:

Load dependent extensions plugins for Config and Logger in osqueryd
Python integration testing for watchdog/shell/extensions loading
Monitor folders for new files using file_changes API and subscribers
Read osqueryd startup flags from /etc/osquery/osquery.flags on Linux

Bug fixes:

#833 Thrift/glog are now built on CentOS/Ubuntu without debug info and asserts
#808 Use /private/var/osquery instead of /var/osquery on OS X
#818 Allow watchdog worker to fail nicely with incorrect DB paths

Table changes (from 1.4.2 to 1.4.3):

Added table file_changes to All Platforms
Added table system_controls to All Platforms
Added table chrome_extensions to Darwin (Apple OS X)
Added table firefox_addons to Darwin (Apple OS X)
Added table keychain_items to Darwin (Apple OS X)
Added table safari_extensions to Darwin (Apple OS X)
Added table safari_plugins to Darwin (Apple OS X)
Renamed table osx_version to os_version, for All Platforms
Renamed table ca_certs to certificates on Darwin (Apple OS X)
Added column path (TEXT) to table kernel_extensions
Renamed column is_pseudo to pseudo (INTEGER) in table process_memory_map
Removed column wired (BIGINT) from table kernel_extensions

osquery - 1.4.2

Published by theopolis over 9 years ago

New features in 1.4.2:

The local thrift extensions API and osquery SDK.
osqueryctl tool with several helpful deployment macros.

Bug fixes:

#758 startup_items now emits the correct OS X Alias-type path
#769 osquery_extensions used to include an incorrect ".0" for extension sockets
#789 The osqueryd watcher process would fail if using PATH-expanded locations
#788 Parent pids on OS X when using a WHERE pid = <INT> were set to -1
#792 Linux process sockets used a GCC 4.8-broken std::regex

osquery - 1.4.1

Published by theopolis over 9 years ago

New features in 1.4.1:

CentOS 7 support
Improved query scheduling performance
Improved file table and "directory" predicate: select * from file where directory = '/'
Extensions details and list tables
OS X defaults: the equivalent of defaults read is select * from preferences, which optionally accepts a file predicate.

Bug fixes:

OS X apps table was missing information
Package update/reinstallation failed in make deps

Table changes (from 1.4.0 to 1.4.1):

Added table osquery_extensions to All Platforms
Added table preferences to Darwin (Apple OS X)
Added column element (TEXT) to table apps
Added column environment (TEXT) to table apps
Added column directory (TEXT) to table file
Added column extensions (TEXT) to table osquery_info
Added column cwd (TEXT) to table processes
Added column root (TEXT) to table processes

osquery - 1.4.0

Published by theopolis over 9 years ago

New features in 1.4:

Extensions Thrift API
osqueryd "worker" performance monitoring
Filesystem QueryContext wildcards

Potential API incompatibility changes:

Removed column name (TEXT) from table process_envs
Removed column path (TEXT) from table process_envs

Config options / CLI flags changes:

--config_retriever renamed --config_plugin
--config_check will check the config parsing status and exit
--event_pubsub=true renamed --disable_events=false
--disable_watchdog=false controls the osqueryd worker process usage
--extensions_socket=/var/osquery/osquery.em added
--force=false if set will attempt to kill previously running osqueryd daemons
--log_receiver renamed --logger_plugin
--watchdog_level=1 controls the acceptable performance impact of osqueryd workers

Additional API changes:

Added table block_devices to All Platforms
Added table kernel_info to All Platforms
Added table xattr_where_from to Darwin (Apple OS X)
Added table memory_map to Ubuntu, CentOS
Added table process_memory_map to Ubuntu, CentOS
Added table shared_memory to Ubuntu, CentOS
Added column atime (BIGINT) to table file
Added column block_size (INTEGER) to table file
Added column ctime (BIGINT) to table file
Added column device (BIGINT) to table file
Added column gid (BIGINT) to table file
Added column hard_links (INTEGER) to table file
Added column inode (BIGINT) to table file
Added column is_block (INTEGER) to table file
Added column is_char (INTEGER) to table file
Added column mode (TEXT) to table file
Added column mtime (BIGINT) to table file
Added column size (BIGINT) to table file
Added column uid (BIGINT) to table file
Removed table block_devices from Ubuntu, CentOS

osquery - 1.3.1

Published by marpaia over 9 years ago

osquery - 1.3.0

Published by marpaia over 9 years ago

Table changes (from 1.2.2 to 1.3.0):

Potential API incompatibility changes:

Added table rpm_packages to CentOS, removed from Linux/Ubuntu
Added table kernel_extensions to Darwin (Apple OS X), renamed from kextstat
The process_open_files table has changed drastically, please see the new process_open_files and process_open_sockets tables. These two new tables take the place of port_inode and socket_inode on Linux.

Additional API changes:

Added table acpi_tables to All Platforms
Added table interface_addresses to All Platforms
Added table interface_details to All Platforms
Added table listening_ports to All Platforms
Added table process_open_sockets to All Platforms
Added table smbios_tables to All Platforms
Added table iokit_devicetree to Darwin (Apple OS X)
Added table iokit_registry to Darwin (Apple OS X)
Added table nfs_shares to Darwin (Apple OS X)
Added table xprotect_entries to Darwin (Apple OS X)
Added table xprotect_reports to Darwin (Apple OS X)
Added table kernel_integrity to Ubuntu, CentOS
Added table apt_sources to Ubuntu
Added table deb_packages to Ubuntu
Added column sha1 (TEXT) to table hash
Added column sha256 (TEXT) to table hash
Added column fd (BIGINT) to table process_open_files
Added column path (TEXT) to table process_open_files
Removed column file_type (TEXT) from table process_open_files
Removed column local_host (TEXT) from table process_open_files
Removed column local_path (TEXT) from table process_open_files
Removed column local_port (TEXT) from table process_open_files
Removed column remote_host (TEXT) from table process_open_files
Removed column remote_port (TEXT) from table process_open_files

osquery - 1.2.2

Published by theopolis almost 10 years ago

Including self-monitoring tables.

osquery - 1.2.1

Published by marpaia almost 10 years ago

osquery - 1.2.0

Published by marpaia almost 10 years ago

osquery - 1.1.0

Published by marpaia almost 10 years ago

osquery - 1.0.5

Published by marpaia almost 10 years ago

osquery - 1.0.4

Published by marpaia almost 10 years ago

osquery - 1.0.3

Published by marpaia almost 10 years ago

osquery - 1.0.2

Published by marpaia about 10 years ago
