SQL powered operating system instrumentation, monitoring, and analytics.
Representing commits from 15 contributors! Thank you all.
es_process_file_events table. (#7579)es_process_file_events for macOS Endpoint Security based FIM (#7579)password_policy table for macOS (#7594)windows_update_history (#7407)memory_available to linux memory_info table (#7669)cpu_info table to linux (#7499)lldp_neighbors table (#7664)deb_packages table to not sisplay arch info in the package name (#7638)hardware_model in the system_info table on Apple M1 machines to report correctly (#7662)shared_resources table to add type names, fix type/maximum_allowed handling (#7645)windows_crashes table (#7391)local_timezone column in the time table on Windows (#7656)system_info table to support unicode on Windows (#7626)linux and not posix (#7644)spec/example.table when generating documentation (#7647)disk_encryption table (#7608)osquery 5.3.0 brings several table improvements and bugfixes.
Worth mentioning also the deprecation of the smart_drive_info table
and the new warning added when incorrectly configuring a CLI only flag
via the config file. In the next release CLI only flags will not be
configurable through the config file or refresh anymore.
This release represents commits from 15 contributors! Thank you all.
smart_drive_info #7464
tls_disable_status_log to prevent status logs from being sent via TLS #7550
in_cidr_block to check if IPv4/v6 addresses are within the supplied CIDR block #7563
admindir column to the deb_packages table to parse package databases on different paths #7549
wifi_networks on macOS Big Sur and newer #7503
npm_packages #7536
apt_sources and yum_sources tables to linux only #7537
python_packages table #7535
wall_time column in osquery_schedule as hidden #7501
osquery_schedule #7438
mirrorlist column in the table yum_sources #7479
output_size for osquery_schedule #7436
deb_packages table: Use additional instead of index for the admindir column #7573
certificates table: Add Linux support #7570
translated column to processes table to indicate whether the process is running under Apple Rosetta #7507
keychain_items table #7576
original filename column to file table on Windows #7156
test_http_server.py --persist option #7497
profile.py --leaks for python3 #7534
python_packages table so that it lists python packages from any user Python installations #7414
drivers table #7444
size column is empty #7569
cpu_info test to expect at least one socket, not just one #7490
Osquery 5.2.3 is a security update that focuses on updating some third-party libraries which contained CVEs that could affect osquery. Additionally some other third-party libraries and tables have been dropped, since they were not maintained or considered safe anymore.
shortcut_files table #7545
hash table #7520
Osquery 5.2.2 brings native Apple Silicon (M1) support to the macOS platform. It also represents a comprehensive review and update of our third-party dependencies. To support this work, the developer docs have been updated, as have several parts of the build system
This release represents commits from 24 contributors! Thank you all.
cpuid table is x86 only. See #7462
smart_drive_info table has been deprecated, and is not included in the m1 builds. See #7464
lldp_neighbors table has been deprecated, and is not included in the m1 builds. See #7463
time table to always reflect UTC values (#7276, #7460, #7437)antispyware column in windows_security_center (#7411)windows_firewall_rules table for windows (#7403)path column check to be case insensitive (#7442)user_time and system_time unit in processes table on M1 (#7473)Use 5.2.2
Use 5.2.2
Representing commits from 20 contributors! Thank you all.
Note: The linux .tar.gz includes debugging symbols. This may be larger than you expect
docker_container_envs table for access to docker container environment (#7313)curl table now returns peer certificates even if the TLS handshake does not complete (#7349)read_max flag when hashing using ssdeep (#7367)windows_security_products errors out (#7401)authorized_keys table implementation (#7318)beurk rootkit detection to packs (#7345)There are several breaking changes:
/usr/local to /opt/osquery on macOS and Linux (symlinks to executables are provided).blacklist key from the configuration (#7153)Representing commits from 21 contributors! Thank you all.
Note: The linux .tar.gz includes debugging symbols. This may be larger than you expect
secureboot table for Linux and Windows (#7202)tpm_info for Windows (#7107)osquery_info build_platform column value on Linux (#7254)pid_with_namespace in more tables (#7132)augeas table to use native pattern matching (BREAKING) (#6982)chrome_extensions to include Edge & EdgeBeta (#7170)disk_encryption table to support QueryContext (#7209)last to include utmp type name column (#7201)sudoers table to support newer include syntax (#7185)user_ssh_keys to detect encryption of ed25519 keys (#7168)blacklist key (#7153)process_open_sockets type error on darwin (#6546)MOVED_TO is tracked with yara events. (#7203)--force flag is used (#7295)uptime table description (#7270)Initial draft of the 5.0. This release may be deleted!
Representing commits from 16 contributors! Thank you all.
Note: The linux .tar.gz includes debugging symbols. This may be larger than you expect
mdm_managed column to system_extensions on macOS (#6915)prefetch table on Windows (#7076)homebrew_packages to include new prefix, and allow specifying alternate prefixes (#7117)ntfs_acl_permissions to list all ACE entries (using GetAce()) (#7114)processes table to display additional Windows attributes (secured, protected, virtual, elevated) (#7121)package_install_history identifies the packageIdentifiers key (#7099)identifier is calculated in chrome_extensions (#7124)pipe_channel not reading all data in a message (#7139)curl_certificate timeouts (#7151)xprotect_entries, xprotect_meta, launchd (#7138, #7154)-fexceptions flag on Windows (#7126)