SQL powered operating system instrumentation, monitoring, and analytics.
draft
Representing commits from 11 contributors! Thank you all.
- vscode_extensions (#8150)
- secureboot table (#8215)
- file table (#8143)
- atom_packages table (#8181)
- certificates, keychain_acls, and keychain_items tables (#8192). This is intended to reduce the occurrence of keychain corruption due to broken macOS APIs.

This release has several updates and bugfixes, including several improvements to various tables and their handling.

One potential breaking change is in how the watchdog calculates CPU utilization. Previously, this calculation was based on physical CPUs; now it is based on virtual cores. We believe this makes more sense with modern CPUs.

A second potential breaking change is in PR #8102. In addition to allowing decorations at the top level of the status logs, this PR normalizes the decorations format to that of the results log. In practice, this means that the unixTime, severity and line JSON fields are now numbers instead of strings.
Representing commits from 18 contributors! Thank you all.
- --enable_watchdog_debug flag and improve watchdog error messages (#8070)
- --aws_enforce_fips to enforce AWS FIPS endpoints (#8075)
- decorations_top_level flag for status logs (#8102)
- cloud_id to ycloud_instance_metadata - the VM metadata table for Yandex Cloud (#8086)
- es_process_file_events adding support for open events, and for only triggering on file_paths (#8114)
- firefox_addons to use rapidjson to parse and don't block on read (#8089)
- es_process_events table: quote spaces in command line and environment variables (#8054)
- disk_encryption to recursively query parent crypt status (#8052)
- block_devices (#8037, #8151)
- wifi_survey table not to crash if the SSID cannot be retrieved (#8153)
- serial_number in connected_displays (#8113)
- SSLContext.wrap_socket() instead of deprecated ssl.wrap_socket() (#8169)

Big shoutout for the Windows Arm port!
Representing commits from 14 contributors! Thank you all.
- string_batch request type to complement the existing string type (#8027)
- connected_displays table on macOS (#7946)
- windows_search table (#7990)
- crashes table on macOS 12 and newer (#7819)
- keychain_items to include data about key types (#8002)
- os_version to include Apple RSR fields using native API (#8011)
- safari_extensions to handle the current app extensions pattern (#7991)
- system_info to include the number of sockets (#8038)
- unified_log table to add predicate column and optimize timestamp constraint (#8019)
- listDirectoriesInDirectory by using std::fs (#7974)
- version column in homebrew_packages (#8057)
- es_process_file_events.table description (#7978)

5.8.2 is a hotfix for how osquery's COM security initialization works. See https://github.com/osquery/osquery/issues/7962 for details.
Representing commits from 6 contributors! Thank you all.
Representing commits from 22 contributors! Thank you all.
- pid_with_namespace for yara table (#7920)
- kernel_keys to the Linux platform (#7876)
- min_version empty in xprotect_meta when not specified (#7926)
- secureboot table to macOS (#7692)
- docker_container_stats table to include cached_memory column (#7807)
- cpu_info: Port the table to macOS x86 and Apple Silicon (#7757)
- bpf_process_events_v2 table (#7773)
- systemd_units: Add new unit_file_state column (#7895)
- scheduled_tasks (#7903) (#7904)
- routes table (#7916)
- windows_security_products compatibility (#7880)

Representing commits from 12 contributors! Thank you all.
Addressed by updating a library:
Ignored due to not affecting osquery:
- security_profile_info to retrieve security profile information on Windows (#7794)
- es_process_events for process codesigning flags (#7726)
- shimcache: Only check CurrentControlSet to avoid duplicate rows (#7832)
- processes: Fix the procfs memory unit kB, which is 1024 bytes, not 1000 (#7818)
- pipes table (#7810)
- host column from logged_in_users table (#7685)
- docker_containers: Don't report finished_at for a container which is still running (#7783)
- processes: Stabilize the start_time column value on macOS and Linux (#7788)
- process_memory_map is also applicable to Darwin (#7789)

Representing commits from 10 contributors! Thank you all.
- firmware_type column to platform_info on macOS (#7727)
- wmi_bios_info table (#7631)
- docker_container_processes on macOS (#7746)
- process_file_events subscriber being incorrectly initialized (#7759)
- secureboot on Windows by acquiring the necessary process privileges (#7743)
- mdfind -- Reduce table overhead and support interruption (#7738)
- binary column from firefox_addons table (#7735)
- is_running column from macOS running_apps table (#7774)
- notes field to the schema and associated JSON (#7747)
- --tls_dump output body to stderr (#7715)
- yara and yara_events (#7744)
- _changes tables are not evented (#7762)

Osquery 5.5.1 has some really exciting table updates! There is the much anticipated unified_log table for macOS; this table is the replacement for asl and uses the current Apple APIs. Additionally, several tables have improved their cross-platform support.
Representing commits from 14 contributors! Thank you all.
- cgroup_path column to processes table on Linux (#7728)
- firmware_type column to platform_info table on Windows (#7710)
- unified_log table for macOS (UAL) (#7598, #7713)
- memory_devices table to Windows (#7633)
- platform_info table to M1 Macs (#7660)
- kernel_panics table on modern macOS (#7585)
- battery table on macOS M1 with correct raw battery max and current capacity (#7721)
- mdfind query timeout to 30 seconds (#7725)
- password_policy table to use -1 as sentinel value for uid column (#7699)
- authorized_keys file (#7560)
- registry table to be case insensitive for key (#7708)
- COLLATE NOCASE (#7680)
- GetMemorySize for Windows memory_devices table (#7711)
- tpm_info bug where values were out of date (#7686)
- curl_certificate table (#7706)
- process_open_sockets.state (#7733)
- platform_info columns not available in Windows (#7732)

Representing commits from 15 contributors! Thank you all.
- es_process_file_events table (#7579)
- es_process_file_events for macOS Endpoint Security based FIM (#7579)
- password_policy table for macOS (#7594)
- windows_update_history (#7407)
- memory_available to Linux memory_info table (#7669)
- cpu_info table to Linux (#7499)
- lldp_neighbors table (#7664)
- deb_packages table to not display arch info in the package name (#7638)
- hardware_model in the system_info table on Apple M1 machines to report correctly (#7662)
- shared_resources table to add type names, fix type/maximum_allowed handling (#7645)
- windows_crashes table (#7391)
- local_timezone column in the time table on Windows (#7656)
- system_info table to support Unicode on Windows (#7626)
- linux and not posix (#7644)
- spec/example.table when generating documentation (#7647)
- disk_encryption table (#7608)