
5.2.3

Osquery 5.2.3 is a security update that focuses on updating several third-party libraries
which contained CVEs that could affect osquery.
Additionally, some other third-party libraries and tables have been dropped,
since they are no longer maintained or no longer considered safe.

Deprecation Notices

  • Remove the shortcut_files table #7545
  • Remove the ssdeep library and remove its support in the hash table #7520
  • Remove the libelfin library and elf parsing tables #7510

Hardening

  • libs: Update OpenSSL from version 1.1.1l to 1.1.1n #7506
  • libs: Update zlib from v1.2.11 to v1.2.12 #7548
  • Update librpm to 4.17.0 #7529
  • libs: Update expat from version 2.2.10 to 2.4.7 #7526
6969e07

Osquery 5.2.2 brings native Apple Silicon (M1) support to the macOS platform. It also represents a comprehensive review and update of our third-party dependencies. To support this work, the developer docs have been updated, as have several parts of the build system.

This release represents commits from 24 contributors! Thank you all.

New Features

  • Apple Silicon support (#7330)

Deprecation Notices

  • The cpuid table is x86 only. See #7462
  • The smart_drive_info table has been deprecated, and is not included in the m1 builds. See #7464
  • The lldp_neighbors table has been deprecated, and is not included in the m1 builds. See #7463

Table Changes

  • Update time table to always reflect UTC values (#7276, #7460, #7437)
  • Hide the deprecated antispyware column in windows_security_center (#7411)
  • Add windows_firewall_rules table for windows (#7403)

Bug Fixes

  • Update the ATC table path column check to be case insensitive (#7442)
  • Fix a crash introduced by 5.2.0 when Yara uses its own strutils functions (#7439)
  • Fix user_time and system_time unit in processes table on M1 (#7473)

Documentation

Build

  • Update sqlite to version 3.37.0 (#7426)
  • Fix linking of thirdparty_sleuthkit (#7425)
  • Fix how we disable tables in the fuzzer init method (#7419)
  • Prevent running discovery queries when fuzzing (#7418)
  • Add BOOST_USE_ASAN define when enabling Asan (#7469)
  • Removing unnecessary macOS version check (#7451)
  • Fix submodule cache for macOS CI runner (#7456)
  • Add osquery version to macOS app bundle Info.plist (#7452)
  • libs: Update OpenSSL to version 1.1.1l (#7330)
  • libs: Update augeas to version 1.12.0 (#7330)
  • libs: Update aws-sdk to version 1.9.116 (#7330)
  • libs: Update boost to version 1.77 (#7330)
  • libs: Update gflags to 2.2.2 (#7330)
  • libs: Update glog to version 0.5.0 (#7330)
  • libs: Update googletest to version 1.11.0 (#7330)
  • libs: Update libarchive to version 3.5.2 (#7330)
  • libs: Update libcap to version 1.2.59 (#7330)
  • libs: Update libmagic to version 5.40 (#7330)
  • libs: Update librdkafka to version 1.8.0 (#7330)
  • libs: Update libxml2 to version 2.9.12 (#7330)
  • libs: Update linenoise-ng to the latest commit (#7330)
  • libs: Update lzma to version 5.2.5 (#7330)
  • libs: Update rocksdb to version 6.22.1 (#7330)
  • libs: Update sleuthkit to version 4.11.0 (#7330)
  • libs: Update ssdeep-cpp to the latest commit (d8705da) (#7330)
  • libs: Update thrift to version 0.15.0 (#7330)
  • libs: Update yara to version 4.1.3 (#7330)
  • libs: Update zstd to version 1.4.0 (#7330)
2051e72

5.2.1

Pre-release

Use 5.2.2

4274d3b

5.2.0

Pre-release

Use 5.2.2

510d762

Representing commits from 20 contributors! Thank you all.

Note: the Linux .tar.gz includes debugging symbols, so it may be larger than you expect.

New Features

  • Allow custom cpu limit duration for the watchdog (#7348)
  • Support custom endpoints for AWS Kinesis and Firehose. (#7317)

Table Changes

  • Add docker_container_envs table for access to docker container environment (#7313)
  • curl table now returns peer certificates even if the TLS handshake does not complete (#7349)

Under the Hood improvements

  • Allow tests and SDK to reset dispatcher state (#7372)
  • Avoid string copies when looping through cron search dirs (#7331)
  • Respect read_max flag when hashing using ssdeep (#7367)

Bug Fixes

  • Detect when an extension has not started correctly on Windows (#7355)
  • Fix crash (#7353) when osquery captures kill syscalls it is not subscribed to (#7354)
  • Fix crash in AuditdNetlinkReader::configureAuditService when audit_add_rule_data returns an error (#7337)
  • Fix crash when windows_security_products errors out (#7401)
  • Fix for #7394 where cleanup of some event tables never occurs (#7395)
  • Improve BPF publisher reliability (#7302)
  • Lower log level of "executing distributed query" (#7386)
  • Reduce excessive log messages from authorized_keys table implementation (#7318)

Documentation

  • Add 5.0.1 CHANGELOG (#7284)
  • Fix typo in Everything in SQL docs (#7338)
  • Fix typo in SQL docs (#7376)
  • Update GitHub issue templates (#7361, #7396)
  • Update installation guide to use newer macOS paths (#7311)
  • Update macOS ESF documentation (#7303)

Packs

  • Add Forcepoint Endpoint Chrome Extension detection to packs (#7346)
  • Add beurk rootkit detection to packs (#7345)

Build

  • Allow tests to reset the restarting state (#7373)
  • Build librpm with ndb support (#7294)
  • Customizable installation logic (#7315)
  • Fix ASL test on macOS 11 and later (#7320)
  • Restore query packs in Windows packaging (#7388)
  • Skip deprecated ASL test when targeting macOS 10.13+ SDK (#7358)
  • Update packaging commit to fix Linux symlinks (#7404)
  • Update the CI Linux Docker image (#7332)
aa45673

osquery 5.0 is a tremendously exciting release!

  • We now install into /opt/osquery on macOS and Linux for better portability.
  • Our default and recommended installation for macOS uses an application bundle to support entitlement-based features.
  • We now use Endpoint Security APIs for various event-based tables on macOS (more to come in the future!)
  • We now use an osquery-organization macOS code signing certificate.

There are several breaking changes:

  • Installation paths have changed from /usr/local to /opt/osquery on macOS and Linux (symlinks to executables are provided).
  • macOS codesigning is now done through the Osquery Foundation account.
  • If you manage macOS full disk permission through a profile, you will need to update it. See docs.
  • We removed the deprecated blacklist key from the configuration (#7153)
  • Search semantics on the augeas table have changed to be more performant, but do break the existing query API.

Representing commits from 21 contributors! Thank you all.

Note: the Linux .tar.gz includes debugging symbols, so it may be larger than you expect.

Table Changes

  • Add secureboot table for Linux and Windows (#7202)
  • Add tpm_info for Windows (#7107)
  • Fix osquery_info build_platform column value on Linux (#7254)
  • Support pid_with_namespace in more tables (#7132)
  • Update augeas table to use native pattern matching (BREAKING) (#6982)
  • Update chrome_extensions to include Edge & EdgeBeta (#7170)
  • Update disk_encryption table to support QueryContext (#7209)
  • Update last to include utmp type name column (#7201)
  • Update sudoers table to support newer include syntax (#7185)
  • Update user_ssh_keys to detect encryption of ed25519 keys (#7168)

Under the Hood Improvements

  • Add ruby namespace to the thrift definition (#7191)
  • Always initialize variable change in PerformanceChange (#7176)
  • Remove deprecated blacklist key (#7153)
  • Use total_size within watchdog on Windows (#7157)
  • Support AF_PACKET sockets reporting on Linux (#7282)
  • socket_events improvements in Linux audit system (#7269)

Bug Fixes

  • Add case sensitive pragma to the pragma/actions authorizer allow list (#7267)
  • Add feature to skip denylist for event-based queries (#7158)
  • Change logger_mode flag to be correctly interpreted as an octal (#7273)
  • Do not let osquery create multiple copies of the extension running at once (#7178)
  • Fix Linux audit rule removal upon osquery exit (#7221)
  • Fix broadcasting empty logs to logger plugins (#7183)
  • Fix issues applying ACLs during chocolatey deployment (#7166)
  • Fix memory issue in Windows fileops (#7179)
  • Fix process_open_sockets type error on darwin (#6546)
  • Make sure that the file action MOVED_TO is tracked with yara events. (#7203)
  • Prevent osquery from killing itself when the --force flag is used (#7295)
  • Prevent race condition between shutdown and worker or extension launch (#7204)

Documentation

  • Add a security assurance case (#7048)
  • Bring the YARA wiki page up to date (#7172)
  • Spelling fixes (#7211, #7186)
  • Update uptime table description (#7270)
  • Update osquery installed artifacts paths in the documentation (#7286)

Build

  • Add TimeoutStopSec to systemd service files (#7190)
  • Correct macOS installed app bundle path in osqueryctl and doc (#7289)
  • Create a macOS app bundle (#7263)
  • Fix choco packaging not failing when an error occurs during install or upgrade (#7182)
  • Fix path in macOS launchd plist (#7288)
  • Pin the packaging repo within GitHub workflows (#7208, #7255, #7279)
  • Update Windows deployment icon to png (#7163)
  • Update install paths, and remove deprecated Facebook naming (#7210)
  • Update macOS build to include app bundle related files (#7184)
  • Update osquery installed artifacts default paths in code (#7285)
  • Update the installation path on Linux (#7271)
  • libs: Add AWS options to optionally enable the debug option and restrict the content-type header size for PUT requests (#7216)
  • libs: Enable and compile the YARA macho module on macOS (#7174)
  • libs: Update OpenSSL to version 1.1.1l (#7293)
  • libs: Update Strawberry Perl to 5.32.1.1, use HTTPS downloads (#7199)
  • libs: Update ebpfpub (#7173, #7219)
2cd5b42
323fba9

Representing commits from 16 contributors! Thank you all.

Note: the Linux .tar.gz includes debugging symbols, so it may be larger than you expect.

New Features

  • Add filesystem logrotate feature (#7015)
  • Add non-functional EndpointSecurity-based process events to macOS (requires updated codesigning due in 5.0) (#7046)

Table Changes

  • Add mdm_managed column to system_extensions on macOS (#6915)
  • Add prefetch table on Windows (#7076)
  • Add support for IMDSv2 to AWS tables (#7084)
  • Enable container stats on docker containers that don't have traditional networks (#7145)
  • Update homebrew_packages to include new prefix, and allow specifying alternate prefixes (#7117)
  • Update ntfs_acl_permissions to list all ACE entries (using GetAce()) (#7114)
  • Update processes table to display additional Windows attributes (secured, protected, virtual, elevated) (#7121)
  • Update how package_install_history identifies the packageIdentifiers key (#7099)
  • Update how identifier is calculated in chrome_extensions (#7124)

Under the Hood improvements

  • Improve speed of osquery shutdown procedure (#7077)
  • Improve shutdown speed during initialization (#7106)
  • Update website generators (#7136)
  • CLI flag to allow osquery to keep retrying enrollment (instead of exiting) (#7125)
  • rocksdb: Do not fsync WAL writes (#7094)
  • Move CPack packaging to a dedicated repository (#7059)
  • Restore thrift socket 5min timeout (#7072)
  • Consolidate syscalls to a single audit rule (#7063)

Bug Fixes

  • Add current WMI location for Dell BIOS info (#7103)
  • Correct RocksDB error code and subcode printing on open failure (#7069)
  • Fix pipe_channel not reading all data in a message (#7139)
  • Fix crash and deadlocks in recursive logging (#7127)
  • Fix custom curl_certificate timeouts (#7151)
  • Fix extensions crash on shutdown (#7075)
  • Handle updated paths on various macOS tables -- xprotect_entries, xprotect_meta, launchd (#7138, #7154)
  • Trigger event cleanup checks every 256 events (#7143)
  • Update generating an extension uuid to be thread safe (#7135)
  • Watchdog should wait for the worker to shutdown (#7116)

Documentation

  • Update process auditing requirements documentation (#7102)
  • Update website docs indicating windows support for YARA tables (#7130)
  • Add 4.9.0 CHANGELOG (#7152)

Build

  • Add Apple provisioning profile for distribution (#7119)
  • Add more tests for events expiration (#7071)
  • CI: Regenerate sccache cache when compiler version changes (#7081)
  • Fix flaky test test_daemon_sigint by waiting for pidfile (#7095)
  • Fix icon in Windows packaging (#7148)
  • Minor cleanup of unused variables (#7128)
  • Print extension SDK minimum version required when failing to load (#7074)
  • Remove POSIX-only -fexceptions flag on Windows (#7126)
  • Remove duplicated osquery_utils_aws_tests-test (#7078)
  • Remove flaky test decorators for python tests (#7070)
  • Update SQLite to version 3.35.5 (#7090)
  • Update librdkafka to version 1.7.0 (#7134)
  • Update libyara to version 4.1.1 (#7133)
89e32f9

Representing commits from 14 contributors! Thank you all.

This version fixes a regression introduced in 4.7.0 related to the events expiration optimization. Please read #7055 for more information.

This release upgrades OpenSSL, as is general good practice. Osquery is not known to be affected by any security issues in OpenSSL.

New Features

  • shell: Add .connect meta command (#6944)

Table Changes

  • Add seccomp_events table for Linux (#7006)
  • Add shortcut_files table for Windows (#6994)

Under the Hood improvements

  • Removing Keyboard Event Taps from osx-attacks pack (#7023)
  • Refactor watcher out of singleton pattern (#7042)
  • Small events subscriber refactor to increase test coverage (#7050)
  • Setting non-required deb_packages fields as optional in test (#7001)

Bug Fixes

  • Handle events optimization edge cases (#7060)
  • Fix optimization for multiple queries using the same subscriber (#7055)
  • Use epoch and counter for events-based queries (#7051)
  • Guard node key to prevent duplicate enrollments (#7052)
  • Change windows calculation for physical_memory (#7028)
  • Free using WTSFreeMemoryEx for WTSEnumerateSessionsExW (#7039)
  • Release variable in Windows data conversion (#7024)
  • Change chrome_extensions warnings to verbose (#7032)
  • Add transactions to the SQLite authorizer PRAGMAs (#7029)
  • Change Windows messages to verbose (#7027)
  • Fix scheduler to print the correct number of elapsed seconds (#7016)

Documentation

  • Fix tls_enroll_max_attempts flag name in the documentation (#7049)
  • Improve docs on FIM, mention NTFS and Audit, etc. (#7036)
  • config: Add docs for the events top-level-key (#7040)
  • Add funding link on GitHub generated page (#7043)
  • Correct the example in the windows_events table spec (#7035)
  • Correct docs about OpenSSL and TLS behavior (#7033)
  • Update docs to describe how to build for aarch64/arm64 (#6285) (#6970)
  • Add a note on enabling Windows to build with CMake's long paths (#7010)
  • Add 4.8.0 CHANGELOG (#7057)

Build

  • Add an option to enable incremental linking on Windows (#7044)
  • Remove Buck leftovers that supported building with old versions of OpenSSL (#7034)
  • Add build_aarch64 workflow for push (#7014)
  • Move CI to using docker from osquery (#7012)
  • Update dockerfile to multiplatform (#7011)
  • Run GH Actions workflows on all tags (#7004)
  • Disable BPF events tests if OSQUERY_BUILD_BPF is false (#7002)
  • libs: Update OpenSSL to version 1.1.1k (#7026)