
@theopolis theopolis released this Sep 12, 2019 · 43 commits to master since this release

This release fixes crashes identified in 4.0.1. There are no changes in functionality.

Git Commits

Bug Fixes

  • Fix configuration of AWS libraries to address crash in Linux (#5799)
  • Remove RocksDB optimization causing crash (#5797)
Pre-release

@alessandrogario alessandrogario released this Sep 10, 2019 · 51 commits to master since this release

This release has two major focuses. It is the first release since osquery transitioned to a Linux Foundation project.

It features a heavily reworked build system. This aims to provide flexibility and stability.

Git Commits

New Features / Under-the-Hood Improvements

  • Linux Audit process_events: implement support for fork/vfork/clone/execveat (#5701)
  • New SQLite function regex_match to match across columns (#5444)
  • LRU cache for syscall tracing (#5521)
  • Basic tracing via eBPF on Linux (#5403, #5386, #5384)
  • Experimental kill and setuid syscall tracing in Linux via eBPF (#5519)
  • New eventing (ev2) framework (#5401)
  • Improved table performance profiles (#5187)
  • macOS query pack: detect SearchAwesome malware (#5713)
  • macOS query pack: detect when a process is tapping keyboard events (#5345)

Build

Hardening

  • Link binaries with Full RELRO on Linux (#5748)
  • Remove FTS features from SQLite (#5703, #5702)
  • Fix SQLite API usage errors (#5551)
  • Fix issues reported by ASAN (#5665)
  • Handle bad FDs in md_tables (#5553)
  • Fix lock resource leak in events/syslog (#5552)
  • Fix memory leak in macOS keychain_items and extended_attributes tables (#5550, #5538)
  • Fix memory leak in genLoggedInUsers (Windows). Update WTSFreeMemoryEx to WTSFreeMemory (#5642)
  • Fix potential null dereferences in smbios_tables (#5332)
  • Fix osquery exiting with wrong status (3824c2e6)
  • Add additional install and uninstall flag incompatibility check (85eb77a0)
  • Fix warning with constants initialisation in magic (2a624f2f)
  • Fix sign compare warning in file_compression (b93069b3)
  • Refactored logical_drives table on Windows (#5400)
  • Refactored core/windows/wmi to use smart pointers (#5492)
  • Fixed various potential crashes in the virtual table implementation (6ade85a5)
  • Increase the amount of MaxRecvRetries for Thrift sockets (#5390)

Bug Fixes

  • Fix the reading of the serial of a certificate (little-endian big int) (#5742)
  • Fix bugs and update pathname variables in MSI package build script (#5733)
  • Fix registry table exception closing an uninitialized key handle (#5718)
  • Config views are now recreated on startup (#5732)
  • Change MSI Service Error handling on Windows (#5467)
  • Allow mounting SQLite DBs using WAL journaling with ATC (#5525, #5633)
  • Fix mount table interacting with direct autofs (#5635)
  • Fix HTTP Host Header to include port (#5576)
  • Various fixes to the Windows certificates table and expansion to include Personal certificates (#5697, #5696, #5640, #5631)
  • Add optimization back to macOS users and groups (#5684)
  • Do not return a row for macOS battery if no data is present (#5650)
  • Fix several integer conversions in process_ops (#5614)
  • Include weekends on the kernel_panics table (#5298)
  • Fix key_strength bug for Windows certificates table (#5304)
  • The interface column of routes table could be empty on Windows (bcf0ab8e)
  • The name column of programs table could be empty on Windows (7bceba4b)
  • Fix disable_watcher flag (08dc11b7)
  • Populate path column correctly in firefox_addons table (#5462)
  • Fix numeric monitoring plugin not being registered (#5484)
  • Fix wrong error code returned when querying the Windows registry (#5621)
  • Fix logical_drives boot partition detection (#5477)
  • Replace sync calls by async within the HTTP client implementation (#5606)
  • Fix RocksDB crash related to OptimizeForSmallDb (a31d7582)
  • Fix bug in table column data validator (e3037331)
  • Fix random port problem (a32ed7c4)
  • Refactor battery table and return information even if advanced information is missing (6a64e353)

Table Changes

  • Added table ibridge_info on macOS (Notebooks only) (#5707)
  • Added table running_apps on macOS (#5216)
  • Added table atom_packages on macOS and Linux (6d159d40)
  • Remove EC2 tables on Windows (#5657)
  • Added column win_timestamp to time table on Windows (3bbe6c51)
  • Added column is_hidden to users and groups tables on macOS (#5368)
  • Added column profile to chrome_extensions table (#5213)
  • Added column epoch to rpm_packages table on Linux (#5248)
  • Added column sid to logged_in_users table on Windows (#5454)
  • Added column registry_hive to logged_in_users table on Windows (#5454)
  • Added column sid to certificates table on Windows (#5631)
  • Added column store_location to certificates table on Windows (#5631)
  • Added column store to certificates table on Windows (#5631)
  • Added column username to certificates table on Windows (#5631)
  • Added column store_id to certificates table on Windows (#5631)
  • Added column product_version to file table on Windows (#5431)
  • Added column source to sudoers table on POSIX systems (#5350)
Pre-release

@alessandrogario alessandrogario released this Jun 29, 2019 · 151 commits to master since this release

This is a pre-release for the new version of osquery, based on the extensive refactor done by Facebook's team in London.

Changes between 3.4.0 and 4.0.0

This pre-release mostly introduces CMake support, CI and packaging. The following are the only commits not related to the build system:

  1. e6fe15e: macos: Add hack for boost asio string_view detection (#5592)
  2. 597a0c6: buck: Remove quotes from project/buck_out config
  3. 826723c: Fix boost asio string_view detection hack
  4. ae25976: Fixing port logic (bugfix for a small compatibility issue between remote::http_client and certain HTTP proxies)

Full changelog: git fetch --tags && git log 214302bdeb38fbdb606774ae9165dd633b908604..4.0.0

Build Requirements

Linux

Ubuntu 18.04 or newer

macOS

Mojave

Windows

Windows 10 or Windows Server 2016


@muffins muffins released this May 23, 2019

osquery 3.4.0 Release Notes

This tag is a Windows-only release containing various bug and vulnerability fixes, as well as numerous performance improvements. The processes table has been rewritten to no longer use WMI, and various parts of the Windows build system have been rewritten to use the new buck build system. A critical deadlocking bug in the thread management system has been addressed, which allows osquery to use the TLS plugins without deadlocking on service restart.

Below are some of the highlights as they relate to the Windows release. This tag contains well over 250 commits, and considerably more has changed than is detailed below; see the full commit history since the last tag for details.

Security Vulnerabilities

#5568 CVE-2019-3567 - osquery is now installed to Program Files to prevent a privilege escalation vulnerability

Bug Fixes

#5421 - addressing deadlock regression in windows dispatcher threads
#5304 - key_strength now correctly displays in certificates table

New Features

#5431 - Add Windows product version information to file table
#5400 - logical_drives table has been drastically refactored
#5454 - sid and hive columns added to the logged_in_users table
#5293 - Processes table now selectively generates columns, no longer uses WMI


@theopolis theopolis released this Jan 10, 2019 · 447 commits to master since this release

Update aws-sdk-cpp to 1.4.55 on Windows (#5255)
Pre-release

@guliashvili guliashvili released this Sep 19, 2018 · 448 commits to master since this release

Bug fix: explicitly set safe permissions on osquery DBs (#5229)
Pre-release

@muffins muffins released this Aug 6, 2018 · 603 commits to master since this release

New features include:

#4094 Add opt-in write-support for extensions
#4224 Add SELinux event recording on Linux
#4626 Add number monitoring system concept

Bug fixes

#4416 Added custom version of realpath
#4599 Resource protection for udev structures
#4579 Fix case where regular files were reported as symlinks
#4695 Fix use of incorrect directory separator
#4686 Improve etc_hosts table data
#4647 Improve audit-based table performance

Table changes (from 3.2.7 to 3.2.8)

Added table logon_sessions to Microsoft Windows
Added table winbaseobj to Microsoft Windows
Added table ssh_configs to POSIX-compatible Platforms
Added table smart_drive_info to SMART
Added table elf_dynamic to Ubuntu, CentOS
Added table elf_info to Ubuntu, CentOS
Added table elf_sections to Ubuntu, CentOS
Added table elf_segments to Ubuntu, CentOS
Added table elf_symbols to Ubuntu, CentOS
Added table selinux_events to Ubuntu, CentOS
Added column socket_designation (TEXT_TYPE) to table cpu_info
Added column encryption_status (TEXT_TYPE) to table disk_encryption
Added column attributes (TEXT_TYPE) to table file
Added column file_id (TEXT_TYPE) to table file
Added column volume_serial (TEXT_TYPE) to table file
Added column ssdeep (TEXT_TYPE) to table hash
Added column cpu_subtype (INTEGER_TYPE) to table processes
Added column cpu_type (INTEGER_TYPE) to table processes

Pre-release

@momopranto momopranto released this Jun 19, 2018 · 735 commits to master since this release

This release updates some code dependencies and addresses several bugs.

Update libxml to version 2.9.7
Update yara to version 3.7.1
Update openssl to version 1.0.20

Bug fixes

#4561 Fix Dispatcher race conditions
#4597 Fix memory leak in Dispatcher
#4585 Never give up on failed extensions

Table changes (from 3.2.8 to 3.2.9)

Added table ntfs_acl_permissions to Microsoft Windows

Pre-release

@fmanco fmanco released this Jun 13, 2018 · 766 commits to master since this release

This release fixes a serious issue causing deadlocks in the Registry. The bug was introduced in the 3.2 release.

Bug fixes

#4538 - Windows Events may drop events due to case-mismatches
#4549 - Writes to /dev/null on macOS caused performance issues
#4359 - Autoloaded extensions could outlive the main process
#4531 - Do not reset audit handle when poll returns EINTR
#4528 - Fix potential deadlock in Registry caused by extensions

Table changes (from 3.2.7 to 3.2.8)

Added table process_namespaces to Linux
Removed column cgroup_namespace (TEXT_TYPE) from table processes
Removed column ipc_namespace (TEXT_TYPE) from table processes
Removed column mnt_namespace (TEXT_TYPE) from table processes
Removed column net_namespace (TEXT_TYPE) from table processes
Removed column pid_namespace (TEXT_TYPE) from table processes
Removed column user_namespace (TEXT_TYPE) from table processes
Removed column uts_namespace (TEXT_TYPE) from table processes

Pre-release

@obelisk obelisk released this Jun 11, 2018 · 785 commits to master since this release

This release is made available to address CVE-2018-6336.
The fix results in the macOS signature table reporting a row for each architecture contained in FAT (multi-architecture) executables.

Improvements

We added light support for building the dependencies toolchain with GCC 7.
The goal is to help folks building dependencies from source on Ubuntu 18.04.

This also removes native compilation optimizations for RapidJSON.

#4437 Update AWS-SDK-CPP to version 1.4.55
#4439 Update libdpkg to version 1.19.0.5
#4440 Update The SleuthKit to version 4.6.1

#4393 Reduce drift time in query schedule

There was a minor unintentional drifting-effect on the query schedule.
This was adding slight delays to when queries are executed.

C++ extensions built using the external make target can now be bundled into a single executable.

Bug fixes

#3307 Various improvements to the python_packages table.
#4525 Address CVE-2018-6336 by making macOS signatures architecture-aware.

Table changes (from 3.2.6 to 3.2.7)

Added table battery to Darwin (Apple OS X)
Added table cpu_info to Microsoft Windows
Added table memory_array_mapped_addresses to POSIX-compatible Platforms
Added table memory_arrays to POSIX-compatible Platforms
Added table memory_device_mapped_addresses to POSIX-compatible Platforms
Added table memory_error_info to POSIX-compatible Platforms
Added table ulimit_info to POSIX-compatible Platforms
Added column readonly_rootfs (INTEGER_TYPE) to table docker_containers
Added column directory (TEXT_TYPE) to table python_packages
Added column arch (TEXT_TYPE) to table signature
