
Releases: osquery/osquery

1.5.0

20 Jul 09:55

New features in 1.5.0:

#1171 Allow file read restrictions on size, user-controlled size, and symlink modes
#1194 Unofficial support for Ubuntu 10.04 dependency building
#1216 OS X's Disk Arbitration-based publishers, and related disk-event tables
#1259 Use RocksDB's LITE version to reduce binary size
#1266 Use "mostly" POSIX globbing, along with SQLite-style wildcarding, for FIM
#1277 Forward status logs to worker processes when using osqueryd
#1321 Use OpenSSL's x509 certificate parsing to improve speed/memory on OS X
#1330 OS X kernel extension (beta, optional, not included in release builds)

Version 1.5.0 introduces Facebook's “Query Packs”, a method to share and utilize high-value queries.

Bug fixes:

#1237 Fix certificate table crash on OS X
#1276 Add subscriber optimizations to reduce diff latency using --events_optimize
#1283 Include 'epoch' number in package dependencies on Red Hat 7 based distros
#1284 Require libsnappy headers and functionality for RocksDB
#1308 Fix TLS plugin client user agent string versions
#1312 Fix potential crash in interface enumeration on Ubuntu
#1341 Include osqueryctl in Homebrew builds

Config options / CLI flags changes:

--config_tls_refresh VALUE Optional interval in seconds to re-read configuration (min=10)
--events_optimize Optimize subscriber select queries (scheduler only)
--read_max VALUE Maximum file read size
--read_user_links Read user-owned filesystem links
--read_user_max VALUE Maximum non-su read size

Table changes (from 1.4.7 to 1.5.0):

Added table uptime to All Platforms
Added table authorization_mechanisms to Darwin (Apple OS X)
Added table authorizations to Darwin (Apple OS X)
Added table disk_events to Darwin (Apple OS X)
Added column day (INTEGER) to table time
Added column iso_8601 (TEXT) to table time
Added column month (INTEGER) to table time
Added column timestamp (TEXT) to table time
Added column unix_time (INTEGER) to table time
Added column weekday (TEXT) to table time
Added column year (INTEGER) to table time

1.4.7

22 Jun 16:50

New features in 1.4.7:

Note: this is a minor update!

#1212 A new logger plugin: syslog (use --logger_plugin=syslog, see #1207)
#1224 Support for SQLite's DOUBLE type

Bug fixes:

#1202 osqueryd workers could zero out (\0) their argv, which was not friendly
#1205 Average memory reporting in schedule monitor mode does not wrap
#1224 Fix OS X package_receipts reporting installed time as a DOUBLE
#1224 Fix check of extensions_socket in the shell

Config options / CLI flags changes:

--logger_syslog_facility when using the --logger_plugin=syslog set a specific facility (0-23, default 19)

Table changes (from 1.4.6 to 1.4.7):

Added table app_schemes to Darwin (Apple OS X)
Added table keychain_acls to Darwin (Apple OS X)
Added table sandboxes to Darwin (Apple OS X)

1.4.6

08 Jun 07:38

New features in 1.4.6:

Added "Query Packs", a way to easily distribute sets of related scheduled queries.
Now using RocksDB 3.10.2 on Linux/OS X, with more control over CPU optimizations.
Support for Vagrant building in AWS/EC2: RHEL, Amazon Linux, and older platforms.
Now building libcryptsetup inline and linking statically, removed install-time package dependencies.
Various FreeBSD tables and "beta" support for building in ports.
Simple TLS-based config and logger plugins, (see Remote Settings).
More control over scheduled query output: removed-less mode and snapshot-mode.
New default process scheduling, filesystem I/O limiting, and niceness.
Table and column APIs are more expressive about actions/indexes.
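As an added example (not osquery project code), a small Python builder that emits a query pack in the pack format and the config stanza that loads it, using the "removed": false and "snapshot": true output modes named above; the query names, SQL and file paths are constructed placeholders.

```python
import json

# Added example, not osquery project code. Query names, SQL and paths are
# constructed placeholders for illustration.


def build_pack(queries, platform=None, version=None):
    """Return a pack document: {"queries": {name: {...}}} plus optional
    pack-wide constraints. `queries` maps name -> (sql, interval, opts)."""
    pack = {"queries": {}}
    if platform:
        pack["platform"] = platform  # only load this pack on that platform
    if version:
        pack["version"] = version    # minimum osquery version for the pack
    for name, (sql, interval, opts) in queries.items():
        if not isinstance(interval, int) or interval <= 0:
            raise ValueError(f"{name}: interval must be a positive number of seconds")
        entry = {"query": sql, "interval": interval}
        # "removed": false logs only added rows (removed-less mode);
        # "snapshot": true logs the whole result each run instead of a diff.
        for key in ("removed", "snapshot"):
            if key in opts:
                entry[key] = bool(opts[key])
        pack["queries"][name] = entry
    return pack


def config_with_pack(pack_name, pack_path):
    """Top-level osquery config stanza that references the pack file by path."""
    return {"packs": {pack_name: pack_path}}


def pack_to_json(pack):
    """Serialize a pack (or config) document as it would be written to disk."""
    return json.dumps(pack, indent=2, sort_keys=True)


# Constructed sample pack for OS X hosts running at least 1.5.0.
EXAMPLE_PACK = build_pack({
    "kexts": ("select name, version, path from kernel_extensions;", 3600, {"removed": False}),
    "sockets": ("select pid, path from process_open_sockets;", 600, {"snapshot": True}),
    "uptime": ("select * from uptime;", 3600, {}),
}, platform="darwin", version="1.5.0")

EXAMPLE_CONFIG = config_with_pack("osx-baseline", "/etc/osquery/packs/osx-baseline.conf")
```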

Bug fixes:

#1104 Limit the number (10) and type (WARNING) of RocksDB logs.
#1111 Apply safePermissions check to worker process execs.
#1121 Fix .show meta command crash in osqueryi.
#1131 Fix missing install-time dependency for cryptsetup libraries.
#1151 Fix crontab parsing paths on RHEL6.5/7.
#1163 Use UTFTime for OS X certificates not_valid_before/after columns.
#1195 Parse OS X process cmdline and environment variables correctly.
#1195 Enable faster JOINs with OpenDirectory selections on OS X.
#1195 Limit shell_history searches to current user or context actions via username.
#1197 Emit multiple FSEvents actions for transaction-multiplexed events.
#1199 Include UNIX domain sockets in process_open_sockets on OS X/Linux.

Config options / CLI flags changes:

Version 1.4.6 adds optional TLS plugins for configuration and logging.
See the wiki on optional remote settings for more information.

Flag / Description
--disable_enrollment Disable enrollment functions on related config/logger plugins
--enroll_secret_path=PATH Path to an optional client enrollment-auth secret
--enroll_tls_endpoint=ENDPOINT TLS/HTTPS endpoint for client enrollment
--tls_client_cert=PATH Optional path to a TLS client-auth PEM certificate
--tls_client_key=PATH Optional path to a TLS client-auth PEM private key
--tls_hostname=HOSTNAME TLS/HTTPS hostname for Config, Logger, and Enroll plugins
--tls_server_certs=PATH Optional path to a TLS server PEM certificate(s) bundle
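As an added example (not osquery project code), a Python helper that renders this flag set into the --name=value lines of an osquery.flags file and checks it for the mistakes that silently weaken the remote setup, such as a client certificate without its key or a missing server certificate bundle; the hostname and paths are placeholders, and the checks are this example's own sanity rules, not osquery's flag parser.

```python
# Added example, not osquery project code. Hostname and paths are placeholders;
# the checks below are this example's own rules, not osquery's flag parser.
TLS_FLAGS = {
    "config_plugin": "tls",
    "logger_plugin": "tls",
    "tls_hostname": "osquery.example.internal",
    "tls_server_certs": "/etc/osquery/server-ca-bundle.pem",
    "tls_client_cert": "/etc/osquery/client.pem",
    "tls_client_key": "/etc/osquery/client.key",
    "enroll_tls_endpoint": "/api/v1/osquery/enroll",
    "enroll_secret_path": "/etc/osquery/enroll.secret",
    "config_tls_refresh": 300,
}


def check_tls_flags(flags):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    if "tls" in (flags.get("config_plugin"), flags.get("logger_plugin")):
        if not flags.get("tls_hostname"):
            problems.append("a tls plugin is selected but --tls_hostname is unset")
        if not flags.get("tls_server_certs"):
            problems.append("no --tls_server_certs bundle pinned for the server")
    # A client-auth certificate is useless without its private key, and vice versa.
    if bool(flags.get("tls_client_cert")) != bool(flags.get("tls_client_key")):
        problems.append("--tls_client_cert and --tls_client_key must be set together")
    if (flags.get("enroll_tls_endpoint") and not flags.get("disable_enrollment")
            and not flags.get("enroll_secret_path")):
        problems.append("--enroll_tls_endpoint set without --enroll_secret_path")
    refresh = flags.get("config_tls_refresh")
    if refresh is not None and int(refresh) < 10:
        problems.append("--config_tls_refresh is below the documented minimum of 10")
    return problems


def render_flags(flags):
    """Render one --name=value line per flag, the osquery.flags file format."""
    out = []
    for name, value in sorted(flags.items()):
        if isinstance(value, bool):
            value = "true" if value else "false"
        out.append(f"--{name}={value}")
    return "\n".join(out) + "\n"


def flags_file_text(flags):
    """Refuse to render a flag set that fails the checks; return the file text."""
    problems = check_tls_flags(flags)
    if problems:
        raise ValueError("; ".join(problems))
    return render_flags(flags)
```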

Table changes (from 1.4.5 to 1.4.6):

Added table user_groups to All Platforms
Added table iptables to Ubuntu, CentOS
Added table msr to Ubuntu, CentOS
Added table osquery_packs to Utility

Added column path (TEXT) to table process_open_sockets

1.4.5

05 May 01:14

New features in 1.4.5:

OS X extended attributes generalization (merged quarantine/xattr_where_from)
RHEL6.5/7 supported building and custom RPM creation
Schedule logs now report UTC calendar time (with a " UTC" suffix) instead of localtime
Moved our Github Wiki to ReadTheDocs (https://osquery.readthedocs.org)
Fewer SQLite shell flags and switches, now with -A/-L for easy full-table querying
Barebones TLS/HTTP-based plugin interfaces, examples for external plugin development
Build YARA and snappy locally and compile/link statically (easier deploy)
Monitor schedule performance using the osquery_schedule table and --enable_monitoring

Bug fixes:

#921 Keychain table crashing with empty keychains
#915 Skip initialization tasks when only checking configurations
#922 Normalized EventSubscriber time, expected seconds since epoch
#937 osqueryd initscript correct error codes
#953 Empty SQLite predicate parsing in virtual table modules
#964 Restrict APT sources to AMD64 (no more x86-32)
#968 User-local LaunchAgents not found
#991 Debug and Optimized build overlaps (increased build time)
#1000 Upgrade SQLite to 3.8.9, bug fixes from libfuzz
#1040 Unknown EventSubscriber table implementations will crash
#1080 Raw sockets in Linux are not included (only TCP/UDP)

Config options / CLI flags changes:

Removed bail, batch, column, echo, explain, header, html, interactive, and stats from shell CLI
Added --A, which takes a single table name argument and acts like: SELECT * FROM table
Added --L, which lists all table names
--disabled_tables takes a comma-delimited set of table names to remove at runtime
Consolidated beta distributed flags into --distributed_retries
--enable_monitor keeps runtime schedule stats in osquery_schedule

Table changes (from 1.4.4 to 1.4.5):

API Change: Renamed table file_changes to file_events for All Platforms
API Change: Merged tables xattr_where_from and quarantine into extended_attributes

Moved table chrome_extensions to All Platforms
Moved table firefox_addons to All Platforms
Moved table opera_extensions to All Platforms
Moved table disk_encryption to All Platforms
Moved table process_memory_map to All Platforms

Added table etc_protocols to All Platforms
Added table yara to All Platforms
Added table yara_events to All Platforms
Added table rpm_package_files to CentOS
Added table launchd_overrides to Darwin (Apple OS X)
Added table managed_policies to Darwin (Apple OS X)
Added table osquery_schedule to Utility

Added column pattern (TEXT) to table file
Added column build (TEXT) to table os_version
Added column name (TEXT) to table os_version
Added column build_distro (TEXT) to table osquery_info
Added column build_platform (TEXT) to table osquery_info

1.4.4

30 Mar 23:16

New features in 1.4.4:

Async configuration updates
Static compilation of libsnappy on CentOS 6.5 + 7

Bug fixes:

#878 Speed up shell when using the default pretty-print mode
#885 Homebrew package lists
#884 Incorrect Linux initscript return codes
#895 OS X preference table subkey stacking
#883 Remove escaped "/" from JSON log results output
#907 Limit the number of glog files by using date instead of date-time.pid
#908 Remove libproc dependency on Ubuntu/CentOS

Table changes (from 1.4.3 to 1.4.4):

Added table ad_config to Darwin (Apple OS X)
Added table package_bom to Darwin (Apple OS X)
Added table package_receipts to Darwin (Apple OS X)

1.4.3

17 Mar 22:45

New features in 1.4.3:

Load dependent extensions plugins for Config and Logger in osqueryd
Python integration testing for watchdog/shell/extensions loading
Monitor folders for new files using file_changes API and subscribers
Read osqueryd startup flags from /etc/osquery/osquery.flags on Linux

Bug fixes:

#833 Thrift/glog are now built on CentOS/Ubuntu without debug info and asserts
#808 Use /private/var/osquery instead of /var/osquery on OS X
#818 Allow watchdog worker to fail nicely with incorrect DB paths

Table changes (from 1.4.2 to 1.4.3):

Added table file_changes to All Platforms
Added table system_controls to All Platforms
Added table chrome_extensions to Darwin (Apple OS X)
Added table firefox_addons to Darwin (Apple OS X)
Added table keychain_items to Darwin (Apple OS X)
Added table safari_extensions to Darwin (Apple OS X)
Added table safari_plugins to Darwin (Apple OS X)
Renamed table osx_version to os_version, for All Platforms
Renamed table ca_certs to certificates on Darwin (Apple OS X)
Added column path (TEXT) to table kernel_extensions
Renamed column is_pseudo to pseudo (INTEGER) in table process_memory_map
Removed column wired (BIGINT) from table kernel_extensions

1.4.2

24 Feb 23:32

New features in 1.4.2:

The local Thrift extensions API and osquery SDK.
osqueryctl tool with several helpful deployment macros.

Bug fixes:

#758 startup_items now emits the correct OS X Alias-type path
#769 osquery_extensions used to include an incorrect ".0" for extension sockets
#789 The osqueryd watcher process would fail if using PATH-expanded locations
#788 Parent pids on OS X when using a WHERE pid = <INT> were set to -1
#792 Linux process sockets used a GCC 4.8-broken std::regex

1.4.1

13 Feb 23:44

New features in 1.4.1:

CentOS 7 support
Improved query scheduling performance
Improved file table and "directory" predicate: select * from file where directory = '/'
Extensions details and list tables
OS X defaults: the equivalent of defaults read is select * from preferences, optionally with a file predicate.

Bug fixes:

OS X apps table was missing information
Package update/reinstallation failed in make deps

Table changes (from 1.4.0 to 1.4.1):

Added table osquery_extensions to All Platforms
Added table preferences to Darwin (Apple OS X)
Added column element (TEXT) to table apps
Added column environment (TEXT) to table apps
Added column directory (TEXT) to table file
Added column extensions (TEXT) to table osquery_info
Added column cwd (TEXT) to table processes
Added column root (TEXT) to table processes

1.4.0

09 Feb 23:33

New features in 1.4:

  • Extensions Thrift API
  • osqueryd "worker" performance monitoring
  • Filesystem QueryContext wildcards

Potential API incompatibility changes:

Removed column name (TEXT) from table process_envs
Removed column path (TEXT) from table process_envs

Config options / CLI flags changes:

--config_retriever renamed --config_plugin
--config_check will check the config parsing status and exit
--event_pubsub=true renamed --disable_events=false
--disable_watchdog=false controls the osqueryd worker process usage
--extensions_socket=/var/osquery/osquery.em added
--force=false; if set, will attempt to kill previously running osqueryd daemons
--log_receiver renamed --logger_plugin
--watchdog_level=1 controls the acceptable performance impact of osqueryd workers

Additional API changes:

Added table block_devices to All Platforms
Added table kernel_info to All Platforms
Added table xattr_where_from to Darwin (Apple OS X)
Added table memory_map to Ubuntu, CentOS
Added table process_memory_map to Ubuntu, CentOS
Added table shared_memory to Ubuntu, CentOS
Added column atime (BIGINT) to table file
Added column block_size (INTEGER) to table file
Added column ctime (BIGINT) to table file
Added column device (BIGINT) to table file
Added column gid (BIGINT) to table file
Added column hard_links (INTEGER) to table file
Added column inode (BIGINT) to table file
Added column is_block (INTEGER) to table file
Added column is_char (INTEGER) to table file
Added column mode (TEXT) to table file
Added column mtime (BIGINT) to table file
Added column size (BIGINT) to table file
Added column uid (BIGINT) to table file
Removed table block_devices from Ubuntu, CentOS

1.3.1

22 Jan 19:08
moving config and plist to prefixed directory