SQL powered operating system instrumentation, monitoring, and analytics.
Representing commits from 15 contributors! Thank you all.
- es_process_file_events table (#7579)
- es_process_file_events for macOS Endpoint Security based FIM (#7579)
- password_policy table for macOS (#7594)
- windows_update_history (#7407)
- memory_available to linux memory_info table (#7669)
- cpu_info table to linux (#7499)
- lldp_neighbors table (#7664)
- deb_packages table to not display arch info in the package name (#7638)
- hardware_model in the system_info table on Apple M1 machines to report correctly (#7662)
- shared_resources table to add type names, fix type/maximum_allowed handling (#7645)
- windows_crashes table (#7391)
- local_timezone column in the time table on Windows (#7656)
- system_info table to support unicode on Windows (#7626)
- linux and not posix (#7644)
- spec/example.table when generating documentation (#7647)
- disk_encryption table (#7608)

osquery 5.3.0 brings several table improvements and bugfixes. Also worth mentioning are the deprecation of the smart_drive_info table and the new warning added when a CLI-only flag is incorrectly configured via the config file. In the next release, CLI-only flags will no longer be configurable through the config file or refresh.

This release represents commits from 15 contributors! Thank you all.
- smart_drive_info #7464
- tls_disable_status_log to prevent status logs from being sent via TLS #7550
- in_cidr_block to check if IPv4/v6 addresses are within the supplied CIDR block #7563
- admindir column to the deb_packages table to parse package databases on different paths #7549
- wifi_networks on macOS Big Sur and newer #7503
- npm_packages #7536
- apt_sources and yum_sources tables to linux only #7537
- python_packages table #7535
- wall_time column in osquery_schedule as hidden #7501
- osquery_schedule #7438
- mirrorlist column in the table yum_sources #7479
- output_size for osquery_schedule #7436
- deb_packages table: Use additional instead of index for the admindir column #7573
- certificates table: Add Linux support #7570
- translated column to processes table to indicate whether the process is running under Apple Rosetta #7507
- keychain_items table #7576
- original filename column to file table on Windows #7156
- test_http_server.py --persist option #7497
- profile.py --leaks for python3 #7534
- python_packages table so that it lists python packages from any user Python installations #7414
- drivers table #7444
- size column is empty #7569
- cpu_info test to expect at least one socket, not just one #7490
Osquery 5.2.3 is a security update that focuses on updating some third-party libraries which contained CVEs that could affect osquery. Additionally some other third-party libraries and tables have been dropped, since they were not maintained or considered safe anymore.
- shortcut_files table #7545
- hash table #7520
Osquery 5.2.2 brings native Apple Silicon (M1) support to the macOS platform. It also represents a comprehensive review and update of our third-party dependencies. To support this work, the developer docs have been updated, as have several parts of the build system.

This release represents commits from 24 contributors! Thank you all.

- cpuid table is x86 only. See #7462
- smart_drive_info table has been deprecated, and is not included in the M1 builds. See #7464
- lldp_neighbors table has been deprecated, and is not included in the M1 builds. See #7463
- time table to always reflect UTC values (#7276, #7460, #7437)
- antispyware column in windows_security_center (#7411)
- windows_firewall_rules table for windows (#7403)
- path column check to be case insensitive (#7442)
- user_time and system_time unit in processes table on M1 (#7473)

Use 5.2.2
Representing commits from 20 contributors! Thank you all.
Note: The linux .tar.gz includes debugging symbols. This may be larger than you expect.

- docker_container_envs table for access to docker container environment (#7313)
- curl table now returns peer certificates even if the TLS handshake does not complete (#7349)
- read_max flag when hashing using ssdeep (#7367)
- windows_security_products errors out (#7401)
- authorized_keys table implementation (#7318)
- beurk rootkit detection to packs (#7345)

There are several breaking changes:

- /usr/local to /opt/osquery on macOS and Linux (symlinks to executables are provided).
- blacklist key from the configuration (#7153)

Representing commits from 21 contributors! Thank you all.
Note: The linux .tar.gz includes debugging symbols. This may be larger than you expect.

- secureboot table for Linux and Windows (#7202)
- tpm_info for Windows (#7107)
- osquery_info build_platform column value on Linux (#7254)
- pid_with_namespace in more tables (#7132)
- augeas table to use native pattern matching (BREAKING) (#6982)
- chrome_extensions to include Edge & EdgeBeta (#7170)
- disk_encryption table to support QueryContext (#7209)
- last to include utmp type name column (#7201)
- sudoers table to support newer include syntax (#7185)
- user_ssh_keys to detect encryption of ed25519 keys (#7168)
- blacklist key (#7153)
- process_open_sockets type error on darwin (#6546)
- MOVED_TO is tracked with yara events (#7203)
- --force flag is used (#7295)
- uptime table description (#7270)

Initial draft of the 5.0. This release may be deleted!
Representing commits from 16 contributors! Thank you all.
Note: The linux .tar.gz includes debugging symbols. This may be larger than you expect.

- mdm_managed column to system_extensions on macOS (#6915)
- prefetch table on Windows (#7076)
- homebrew_packages to include new prefix, and allow specifying alternate prefixes (#7117)
- ntfs_acl_permissions to list all ACE entries (using GetAce()) (#7114)
- processes table to display additional Windows attributes (secured, protected, virtual, elevated) (#7121)
- package_install_history identifies the packageIdentifiers key (#7099)
- identifier is calculated in chrome_extensions (#7124)
- pipe_channel not reading all data in a message (#7139)
- curl_certificate timeouts (#7151)
- xprotect_entries, xprotect_meta, launchd (#7138, #7154)
- -fexceptions flag on Windows (#7126)