This release brings some new changes to the Santa tables, and a new experimental (not yet ready for production) DNS monitoring table.

Santa

This extension allows users to acquire the Santa activity log and the configured rules. Thanks to the osquery writable tables, it is also possible to add and remove new configuration rules (provided that there is no sync-server configured).

santa_events

The table has been split into two:

• santa_allowed
• santa_denied

santa_rules

• Added support for custom rule messages.

Network monitoring

This experimental extension (not yet ready for production) aims at introducing new network monitoring capabilities to osquery.

dns_events

This table captures the DNS queries and answers that have been passing through the configured interface.

Sample configuration

Location: /var/osquery/extensions/com/trailofbits/network_monitor.json.

{
  "dns_events": {
    "interface": "interface_name"
  }
}

Changes

1. The new windows_sync_objects table allows osquery to list and acquire mutants, events and semaphores.
2. The ntfs_forensics tables have been refactored, and several issues have been fixed.

Downloads

Windows

• Extension binary
• osquery package (3.3.0 unstable)
• Boost package (for developers)

Linux

• Extension binary
• osquery package (3.3.0 unstable)

macOS

• Extension binary
• osquery package (3.3.0 unstable)

Initial release containing all the extensions we have published. Note that osquery 3.3.0 is required to run them.