OSQuery v5.0.1 Release Notes
Representing commits from 21 contributors! Thank you all.
osquery 5.0 is a tremendously exciting release!
- We now install into /opt/osquery on macOS and Linux for better portability.
- Our default and recommended installation for macOS uses an application bundle to support entitlement-based features.
- We now use Endpoint Security APIs for various event-based tables on macOS (more to come in the future!)
- We now use an osquery-organization macOS code signing certificate.
There are several breaking changes:
- Installation paths have changed from `/usr/local` to `/opt/osquery` on macOS and Linux (symlinks to executables are provided).
- macOS code signing is now done through the Osquery Foundation account.
- If you manage the macOS full disk access permission through a profile, you will need to update it. See docs.
- We removed the deprecated `blacklist` key from the configuration (#7153)
- Search semantics on the `augeas` table have changed to be more performant, but do break the existing query API.
Table Changes
- Add `secureboot` table for Linux and Windows (#7202)
- Add `tpm_info` for Windows (#7107)
- Fix `osquery_info` build_platform column value on Linux (#7254)
- Support `pid_with_namespace` in more tables (#7132)
- Update `augeas` table to use native pattern matching (BREAKING) (#6982)
- Update `chrome_extensions` to include Edge & EdgeBeta (#7170)
- Update `disk_encryption` table to support QueryContext (#7209)
- Update `last` to include utmp type name column (#7201)
- Update `sudoers` table to support newer include syntax (#7185)
- Update `user_ssh_keys` to detect encryption of ed25519 keys (#7168)
Under the Hood Improvements
- Add ruby namespace to the thrift definition (#7191)
- Always initialize variable change in PerformanceChange (#7176)
- Remove deprecated `blacklist` key (#7153)
- Use total_size within watchdog on Windows (#7157)
- Support AF_PACKET sockets reporting on Linux (#7282)
- socket_events improvements in Linux audit system (#7269)
Bug Fixes
- Add case sensitive pragma to the pragma/actions authorizer allow list (#7267)
- Add feature to skip denylist for event-based queries (#7158)
- Change logger_mode flag to be correctly interpreted as an octal (#7273)
- Do not let osquery create multiple copies of the extension running at once (#7178)
- Fix Linux audit rule removal upon osquery exit (#7221)
- Fix broadcasting empty logs to logger plugins (#7183)
- Fix issues applying ACLs during chocolatey deployment (#7166)
- Fix memory issue in Windows fileops (#7179)
- Fix `process_open_sockets` type error on darwin (#6546)
- Make sure that the file action `MOVED_TO` is tracked with yara events. (#7203)
- Prevent osquery from killing itself when the `--force` flag is used (#7295)
- Prevent race condition between shutdown and worker or extension launch (#7204)
Documentation
- Add a security assurance case (#7048)
- Bring the YARA wiki page up to date (#7172)
- Spelling fixes (#7211, #7186)
- Update `uptime` table description (#7270)
- Update osquery installed artifacts paths in the documentation (#7286)
Build
- Add TimeoutStopSec to systemd service files (#7190)
- Correct macOS installed app bundle path in osqueryctl and doc (#7289)
- Create a macOS app bundle (#7263)
- Fix choco packaging not failing when an error occurs during install or upgrade (#7182)
- Fix path in macOS launchd plist (#7288)
- Pin the packaging repo within GitHub workflows (#7208, #7255, #7279)
- Update Windows deployment icon to png (#7163)
- Update install paths, and remove deprecated Facebook naming (#7210)
- Update macOS build to include app bundle related files (#7184)
- Update osquery installed artifacts default paths in code (#7285)
- Update the installation path on Linux (#7271)
- libs: Add options to AWS: optionally enable the debug option and restrict the content-type header size for PUT requests (#7216)
- libs: Enable and compile the YARA macho module on macOS (#7174)
- libs: Update OpenSSL to version 1.1.1l (#7293)
- libs: Update Strawberry Perl to 5.32.1.1, use HTTPS downloads (#7199)
- libs: Update ebpfpub (#7173, #7219)