
1.6.2

@theopolis released this 16 Dec 22:38
· 3894 commits to master since this release

New features in 1.6.2:

The Sleuth Kit integration is complete; use the device_* tables to list partitions, files and hashes.
Results for 'expired' queries are now purged from the backing store (RocksDB).
The file_events table now reports modification/alter events only.
The file_access_events table has been superseded by process_file_events; file accesses are configured with the new file_accesses configuration key.
Additionally, the file_events table includes many more helpful fields populated at event time.
SQLite has been updated to 3.10.0 and the JSON-extensions are now enabled.
File hashing now includes algorithm parallelism, but all algorithms are still always run regardless of selections.
For debugging, the osqueryi client can be used to dump the configuration JSON or the backing-store items.
The configuration can now specify multiple loggers, for example --config_plugin=filesystem,syslog.
Packs and queries now support a shard=N option.
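To show how the new file_accesses key and the pack shard=N option fit into a config, here is a configuration fragment added as an example; it is not taken from the project's documentation. The category names, paths, query text, intervals, the shard value and the device path are constructed illustrations, and the device_partitions columns used are those I understand the 1.6.2 schema to expose. Comments use the #-style that this release states is the only JSON comment form still supported.

```json
{
  # Constructed example: file_paths categories are referenced by name below.
  "file_paths": {
    "system_config": ["/etc/%%"],
    "binaries": ["/usr/bin/%%", "/usr/local/bin/%%"]
  },
  # New in 1.6.2: access (read/open) tracking is opt-in per category and
  # surfaces in process_file_events (Darwin); file_events now carries
  # modification events only.
  "file_accesses": ["binaries"],
  "schedule": {
    "config_modifications": {
      # The richer file_events row includes the fields added in 1.6.2
      # (uid, gid, mode, size, mtime, hashed) alongside target_path/action.
      "query": "SELECT target_path, action, uid, gid, mode, size, mtime, hashed FROM file_events;",
      "interval": 300
    }
  },
  "packs": {
    "disk_inventory": {
      "queries": {
        "partitions": {
          # Sleuth Kit backed table; the device path is a placeholder.
          "query": "SELECT device, partition, label, type, offset FROM device_partitions WHERE device = '/dev/sda';",
          "interval": 3600
        }
      },
      # shard=N: the pack is scheduled on roughly N percent of the fleet,
      # which limits the load of an expensive pack during rollout.
      "shard": 10
    }
  }
}
```

A fragment like this can be checked before deployment with the new --config_check flag, and the parsed result inspected with --config_dump; the shard value applies to every query in the pack, so queries that must run everywhere belong in the top-level schedule or in a pack without a shard.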

Bug fixes:

#1660 Fixes NETLINK errors with routes table on CentOS 6
#1676 Clear node_key when TLS plugins respond with node_invalid=True
#1689 Boost 1.59 removed support for comments in JSON files; we now 'only' support #-style comments.
#1714 Columns with the DOUBLE type no longer return '-1'

Config options / CLI flags changes:

--config_check Check the format of an osquery config and exit
--config_dump Dump the contents of the configuration
--database_dump Dump the contents of the backing store
--disable_reenrollment Disable re-enrollment attempts if related plugins return invalid
--header Toggle column headers true/false
--planner Enable osquery runtime planner output

Table changes (from 1.6.1 to 1.6.2):

Added table device_file to All Platforms
Added table device_hash to All Platforms
Added table device_partitions to All Platforms
Added table platform_info to All Platforms
Added table process_file_events to Darwin (Apple OS X)

Added column btime (BIGINT_TYPE) to table file
Added column atime (BIGINT_TYPE) to table file_events
Added column ctime (BIGINT_TYPE) to table file_events
Added column gid (BIGINT_TYPE) to table file_events
Added column hashed (INTEGER_TYPE) to table file_events
Added column inode (BIGINT_TYPE) to table file_events
Added column mode (TEXT_TYPE) to table file_events
Added column mtime (BIGINT_TYPE) to table file_events
Added column size (BIGINT_TYPE) to table file_events
Added column uid (BIGINT_TYPE) to table file_events
Added column shard (INTEGER_TYPE) to table osquery_packs

Table API breaking changes in 1.6.2:

Removed table passwd_changes from All Platforms
Removed table file_access_events from Darwin (Apple OS X)