Releases: osquery/osquery
1.5.0
New features in 1.5.0:
- #1171 Allow file read restrictions on size, user-controlled size, and symlink modes
- #1194 Unofficial support for Ubuntu 10.04 dependency building
- #1216 OS X's Disk Arbitration-based publishers, and related disk-event tables
- #1259 Use RocksDB's LITE version to reduce binary size
- #1266 Use "mostly" POSIX globbing, along with SQLite-style wildcarding, for FIM
- #1277 Forward status logs to worker processes when using osqueryd
- #1321 Use OpenSSL's x509 certificate parsing to improve speed/memory on OS X
- #1330 OS X kernel extension (beta, optional, not included in release builds)

Version 1.5.0 introduces Facebook's "Query Packs", a method to share and utilize high-value queries.
Bug fixes:
- #1237 Fix certificate table crash on OS X
- #1276 Add subscriber optimizations to reduce diff latency using `--events_optimize`
- #1283 Include 'epoch' number in package dependencies on Redhat 7 based distros
- #1284 Require libsnappy headers and functionality for RocksDB
- #1308 Fix TLS plugin client user agent string versions
- #1312 Fix potential crash in interface enumeration on Ubuntu
- #1341 Include `osqueryctl` in Homebrew builds
Config options / CLI flags changes:
- `--config_tls_refresh VALUE`: optional interval in seconds to re-read configuration (min=10)
- `--events_optimize`: optimize subscriber select queries (scheduler only)
- `--read_max VALUE`: maximum file read size
- `--read_user_links`: read user-owned filesystem links
- `--read_user_max VALUE`: maximum non-su read size
Table changes (from 1.4.7 to 1.5.0):
- Added table `uptime` to All Platforms
- Added table `authorization_mechanisms` to Darwin (Apple OS X)
- Added table `authorizations` to Darwin (Apple OS X)
- Added table `disk_events` to Darwin (Apple OS X)
- Added column `day` (INTEGER) to table `time`
- Added column `iso_8601` (TEXT) to table `time`
- Added column `month` (INTEGER) to table `time`
- Added column `timestamp` (TEXT) to table `time`
- Added column `unix_time` (INTEGER) to table `time`
- Added column `weekday` (TEXT) to table `time`
- Added column `year` (INTEGER) to table `time`
1.4.7
New features in 1.4.7:
Note: this is a minor update!
- #1212 A new logger plugin: syslog (use `--logger_plugin=syslog`, see #1207)
- #1224 Support for SQLite's DOUBLE type
Bug fixes:
- #1202 osqueryd workers could `\0`-out their argv, not friendly
- #1205 Average memory reporting in schedule monitor mode does not wrap
- #1224 Fix OS X `package_receipts` reporting installed time as a DOUBLE
- #1224 Fix check of `extensions_socket` in the shell
Config options / CLI flags changes:
- `--logger_syslog_facility`: when using `--logger_plugin=syslog`, set a specific facility (0-23, default 19)
Table changes (from 1.4.6 to 1.4.7):
- Added table `app_schemes` to Darwin (Apple OS X)
- Added table `keychain_acls` to Darwin (Apple OS X)
- Added table `sandboxes` to Darwin (Apple OS X)
1.4.6
New features in 1.4.6:
- Added "Query Packs", a way to easily distribute sets of related scheduled queries.
- Now using RocksDB 3.10.2 on Linux/OS X, with more control over CPU optimizations.
- Support for Vagrant building in AWS/EC2: RHEL, Amazon Linux, and older platforms.
- Now building libcryptsetup inline and linking statically, removing install-time package dependencies.
- Various FreeBSD tables and "beta" support for building in ports.
- Simple TLS-based config and logger plugins (see Remote Settings).
- More control over scheduled query output: removed-less mode and snapshot mode.
- New default process scheduling, filesystem I/O limiting, and niceness.
- Table and column APIs are more expressive about actions/indexes.
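Query Packs appear in both the 1.4.6 list above and the 1.5.0 notes. The following is an added example, not code from the osquery project: it builds a small pack from tables this page lists as new, lints it before it is shipped, and works out which of its queries would actually be scheduled on a host of a given platform and osquery version (a pack is then referenced from osquery.conf by name and file path under a `"packs"` key). The key layout follows the osquery configuration documentation; the platform families, the gating rules, the `validate_pack` and `scheduled_queries` helpers, and the pack/query names are this example's own assumptions.

```python
"""Build, lint, and platform/version-gate an osquery "Query Pack".

Added example, not osquery project code. The pack key layout follows the
osquery config documentation; the platform families and gating rules are
this example's own assumptions, and all names are placeholders.
"""
import json
import re

# Assumption: platform strings a host of each kind matches. A pack or query
# whose "platform" is not in the host's set is skipped on that host.
PLATFORM_FAMILY = {
    "ubuntu": {"ubuntu", "linux", "posix", "all"},
    "centos": {"centos", "linux", "posix", "all"},
    "darwin": {"darwin", "posix", "all"},
    "freebsd": {"freebsd", "posix", "all"},
}
KNOWN_PLATFORMS = set().union(*PLATFORM_FAMILY.values())
_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


# Constructed example pack: each query reads only tables/columns this page
# lists as added in 1.4.6 or 1.5.0, so the version gates do real work.
EXAMPLE_PACK = {
    "platform": "posix",
    "version": "1.4.6",  # packs themselves are a 1.4.6 feature
    "queries": {
        "user_groups_snapshot": {
            "query": "select uid, gid from user_groups;",
            "interval": 3600,
            "snapshot": True,  # log the full result each run, no added/removed diff
        },
        "unix_socket_listeners": {
            "query": "select pid, path from process_open_sockets where path <> '';",
            "interval": 600,
            "removed": False,  # removed-less mode: log only rows that appear
        },
        "disk_events": {
            "query": "select * from disk_events;",
            "interval": 60,
            "platform": "darwin",
            "version": "1.5.0",  # disk_events only exists from 1.5.0 on
        },
    },
}


def validate_pack(pack):
    """Return a list of problems; an empty list means the pack is sane."""
    problems = []
    queries = pack.get("queries")
    if not isinstance(queries, dict) or not queries:
        return ["pack has no 'queries' object"]
    if "platform" in pack and pack["platform"] not in KNOWN_PLATFORMS:
        problems.append(f"pack: unknown platform {pack['platform']!r}")
    if "version" in pack and not _VERSION_RE.match(str(pack["version"])):
        problems.append(f"pack: bad version {pack['version']!r}")
    for name, query in queries.items():
        sql = query.get("query")
        if not isinstance(sql, str) or not sql.strip().lower().startswith("select"):
            problems.append(f"{name}: 'query' must be a SELECT statement")
        interval = query.get("interval")
        if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
            problems.append(f"{name}: 'interval' must be a positive number of seconds")
        if "platform" in query and query["platform"] not in KNOWN_PLATFORMS:
            problems.append(f"{name}: unknown platform {query['platform']!r}")
        if "version" in query and not _VERSION_RE.match(str(query["version"])):
            problems.append(f"{name}: bad version {query['version']!r}")
        if query.get("snapshot") and "removed" in query:
            # A snapshot logs the whole result set; there is no added/removed diff.
            problems.append(f"{name}: 'removed' is meaningless in snapshot mode")
    return problems


def scheduled_queries(pack, host_platform, host_version):
    """Names of the pack's queries that would be scheduled on the given host."""
    accepted = PLATFORM_FAMILY[host_platform]
    host = _version_tuple(host_version)
    if pack.get("platform", "all") not in accepted:
        return []
    if "version" in pack and _version_tuple(pack["version"]) > host:
        return []
    return [
        name for name, query in pack["queries"].items()
        if query.get("platform", "all") in accepted
        and not ("version" in query and _version_tuple(query["version"]) > host)
    ]


if __name__ == "__main__":
    print(json.dumps(EXAMPLE_PACK, indent=2))
    print("problems:", validate_pack(EXAMPLE_PACK))
    for host in (("ubuntu", "1.4.6"), ("darwin", "1.4.7"), ("darwin", "1.5.0")):
        print(host, scheduled_queries(EXAMPLE_PACK, *host))
```

Running the lint in CI for a pack repository catches the usual mistakes (a non-SELECT statement, a zero interval, a platform string nothing will ever match) before osqueryd silently drops or misreads the entry; the gating helper shows why a query can be present in the pack yet never appear in a host's schedule.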
Bug fixes:
- #1104 Limit the number (10) and type (WARNING) of RocksDB logs.
- #1111 Apply `safePermissions` check to worker process execs.
- #1121 Fix `.show` meta command crash in osqueryi.
- #1131 Fix missing install-time dependency for cryptsetup libraries.
- #1151 Fix crontab parsing paths on RHEL6.5/7.
- #1163 Use UTFTime for OS X certificates `not_valid_before`/`not_valid_after` columns.
- #1195 Parse OS X process `cmdline` and environment variables correctly.
- #1195 Enable faster JOINs with OpenDirectory selections on OS X.
- #1195 Limit `shell_history` searches to current user or context actions via `username`.
- #1197 Emit multiple FSEvents actions for transaction-multiplexed events.
- #1199 Include UNIX domain sockets in `process_open_sockets` on OS X/Linux.
Config options / CLI flags changes:
Version 1.4.6 adds optional TLS plugins for configuration and logging.
See the wiki on optional remote settings for more information.
flag | description
---|---
`--disable_enrollment` | Disable enrollment functions on related config/logger plugins
`--enroll_secret_path=PATH` | Path to an optional client enrollment-auth secret
`--enroll_tls_endpoint=ENDPOINT` | TLS/HTTPS endpoint for client enrollment
`--tls_client_cert=PATH` | Optional path to a TLS client-auth PEM certificate
`--tls_client_key=PATH` | Optional path to a TLS client-auth PEM private key
`--tls_hostname=HOSTNAME` | TLS/HTTPS hostname for Config, Logger, and Enroll plugins
`--tls_server_certs=PATH` | Optional path to a TLS server PEM certificate(s) bundle
Table changes (from 1.4.5 to 1.4.6):
- Added table `user_groups` to All Platforms
- Added table `iptables` to Ubuntu, CentOS
- Added table `msr` to Ubuntu, CentOS
- Added table `osquery_packs` to Utility
- Added column `path` (TEXT) to table `process_open_sockets`
1.4.5
New features in 1.4.5:
- OS X extended attributes generalization (merged `quarantine`/`xattr_where_from`)
- RHEL6.5/7 supported building and custom RPM creation
- Schedule logs now report UTC calendar time (with a " UTC" suffix) instead of localtime
- Moved our Github Wiki to ReadTheDocs (https://osquery.readthedocs.org)
- Fewer SQLite shell flags and switches, now with -A/-L for easy full-table querying
- Barebones TLS/HTTP-based plugin interfaces, examples for external plugin development
- Build YARA and snappy locally and compile/link statically (easier deploy)
- Monitor schedule performance using the `osquery_schedule` table and `--enable_monitoring`
Bug fixes:
- #921 Keychain table crashing with empty keychains
- #915 Skip initialization tasks when only checking configurations
- #922 Normalized EventSubscriber time, expected seconds since epoch
- #937 osqueryd initscript correct error codes
- #953 Empty SQLite predicate parsing in virtual table modules
- #964 Restrict APT sources to AMD64 (no more x86-32)
- #968 User-local LaunchAgents not found
- #991 Debug and Optimized build overlaps (increased build time)
- #1000 Upgrade SQLite to 3.8.9, bug fixes from libfuzz
- #1040 Unknown EventSubscriber table implementations will crash
- #1080 Raw sockets in Linux are not included (only TCP/UDP)
Config options / CLI flags changes:
- Removed bail, batch, column, echo, explain, header, html, interactive, and stats from shell CLI
- Added `--A`, which takes a single table name arg and acts like `SELECT * FROM table`
- Added `--L`, which lists all table names
- `--disabled_tables` takes a comma-delimited set of table names to remove at runtime
- Consolidated beta distributed flags into `--distributed_retries`
- `--enable_monitor` keeps runtime schedule stats in `osquery_schedule`
Table changes (from 1.4.4 to 1.4.5):
- API Change: Renamed table `file_changes` to `file_events` for All Platforms
- API Change: Merged tables `xattr_where_from` and `quarantine` into `extended_attributes`
- Moved table `chrome_extensions` to All Platforms
- Moved table `firefox_addons` to All Platforms
- Moved table `opera_extensions` to All Platforms
- Moved table `disk_encryption` to All Platforms
- Moved table `process_memory_map` to All Platforms
- Added table `etc_protocols` to All Platforms
- Added table `yara` to All Platforms
- Added table `yara_events` to All Platforms
- Added table `rpm_package_files` to CentOS
- Added table `launchd_overrides` to Darwin (Apple OS X)
- Added table `managed_policies` to Darwin (Apple OS X)
- Added table `osquery_schedule` to Utility
- Added column `pattern` (TEXT) to table `file`
- Added column `build` (TEXT) to table `os_version`
- Added column `name` (TEXT) to table `os_version`
- Added column `build_distro` (TEXT) to table `osquery_info`
- Added column `build_platform` (TEXT) to table `osquery_info`
1.4.4
New features in 1.4.4:
- Async configuration updates
- Static compilation of libsnappy on CentOS 6.5 + 7
Bug fixes:
- #878 Speed up shell when using the default pretty-print mode
- #885 Homebrew package lists
- #884 Incorrect Linux initscript return codes
- #895 OS X preference table subkey stacking
- #883 Remove escaped "/" from JSON log results output
- #907 Limit the number of glog files by using date instead of date-time.pid
- #908 Remove libproc dependency on Ubuntu/CentOS
Table changes (from 1.4.3 to 1.4.4):
- Added table `ad_config` to Darwin (Apple OS X)
- Added table `package_bom` to Darwin (Apple OS X)
- Added table `package_receipts` to Darwin (Apple OS X)
1.4.3
New features in 1.4.3:
- Load dependent extensions plugins for Config and Logger in osqueryd
- Python integration testing for watchdog/shell/extensions loading
- Monitor folders for new files using the `file_changes` API and subscribers
- Read osqueryd startup flags from `/etc/osquery/osquery.flags` on Linux
Bug fixes:
- #833 Thrift/glog are now built on CentOS/Ubuntu without debug info and asserts
- #808 Use `/private/var/osquery` instead of `/var/osquery` on OS X
- #818 Allow watchdog worker to fail nicely with incorrect DB paths
Table changes (from 1.4.2 to 1.4.3):
- Added table `file_changes` to All Platforms
- Added table `system_controls` to All Platforms
- Added table `chrome_extensions` to Darwin (Apple OS X)
- Added table `firefox_addons` to Darwin (Apple OS X)
- Added table `keychain_items` to Darwin (Apple OS X)
- Added table `safari_extensions` to Darwin (Apple OS X)
- Added table `safari_plugins` to Darwin (Apple OS X)
- Renamed table `osx_version` to `os_version`, for All Platforms
- Renamed table `ca_certs` to `certificates` on Darwin (Apple OS X)
- Added column `path` (TEXT) to table `kernel_extensions`
- Renamed column `is_pseudo` to `pseudo` (INTEGER) in table `process_memory_map`
- Removed column `wired` (BIGINT) from table `kernel_extensions`
1.4.2
New features in 1.4.2:
- The local thrift extensions API and osquery SDK.
- `osqueryctl` tool with several helpful deployment macros.
Bug fixes:
- #758 `startup_items` now emits the correct OS X Alias-type path
- #769 `osquery_extensions` used to include an incorrect ".0" for extension sockets
- #789 The osqueryd watcher process would fail if using PATH-expanded locations
- #788 Parent pids on OS X when using a `WHERE pid = <INT>` were set to -1
- #792 Linux process sockets used a GCC 4.8-broken std::regex
1.4.1
New features in 1.4.1:
- CentOS 7 support
- Improved query scheduling performance
- Improved file table and "directory" predicate: `select * from file where directory = '/'`
- Extensions details and list tables
- OS X defaults: `defaults read` is `select * from preferences`, optionally with a file predicate.
Bug fixes:
- OS X apps table was missing information
- Package update/reinstallation failed in `make deps`
Table changes (from 1.4.0 to 1.4.1):
- Added table `osquery_extensions` to All Platforms
- Added table `preferences` to Darwin (Apple OS X)
- Added column `element` (TEXT) to table `apps`
- Added column `environment` (TEXT) to table `apps`
- Added column `directory` (TEXT) to table `file`
- Added column `extensions` (TEXT) to table `osquery_info`
- Added column `cwd` (TEXT) to table `processes`
- Added column `root` (TEXT) to table `processes`
1.4.0
New features in 1.4:
- Extensions Thrift API
- osqueryd "worker" performance monitoring
- Filesystem QueryContext wildcards
Potential API incompatibility changes:
- Removed column `name` (TEXT) from table `process_envs`
- Removed column `path` (TEXT) from table `process_envs`
Config options / CLI flags changes:
- `--config_retriever` renamed `--config_plugin`
- `--config_check` will check the config parsing status and exit
- `--event_pubsub=true` renamed `--disable_events=false`
- `--disable_watchdog=false` controls the osqueryd worker process usage
- `--extensions_socket=/var/osquery/osquery.em` added
- `--force=false` if set will attempt to kill previously running osqueryd daemons
- `--log_receiver` renamed `--logger_plugin`
- `--watchdog_level=1` controls the acceptable performance impact of osqueryd workers
Additional API changes:
- Added table `block_devices` to All Platforms
- Added table `kernel_info` to All Platforms
- Added table `xattr_where_from` to Darwin (Apple OS X)
- Added table `memory_map` to Ubuntu, CentOS
- Added table `process_memory_map` to Ubuntu, CentOS
- Added table `shared_memory` to Ubuntu, CentOS
- Added column `atime` (BIGINT) to table `file`
- Added column `block_size` (INTEGER) to table `file`
- Added column `ctime` (BIGINT) to table `file`
- Added column `device` (BIGINT) to table `file`
- Added column `gid` (BIGINT) to table `file`
- Added column `hard_links` (INTEGER) to table `file`
- Added column `inode` (BIGINT) to table `file`
- Added column `is_block` (INTEGER) to table `file`
- Added column `is_char` (INTEGER) to table `file`
- Added column `mode` (TEXT) to table `file`
- Added column `mtime` (BIGINT) to table `file`
- Added column `size` (BIGINT) to table `file`
- Added column `uid` (BIGINT) to table `file`
- Removed table `block_devices` from Ubuntu, CentOS