Osquery 3.3.2.24 : Release Details

Uptycs is excited to announce Osquery release 3.3.2.24, released 08/19/2019.


The following are the key improvements and issues addressed in this release:

  1. Ancestor list column for process_events:
     The process_events table gains an ancestor_list column holding a string representation of the process' parent, grandparent and further ancestor processes. This gives a complete view of the process tree for each process event without reconstructing it from later pid/parent snapshots.
  2. Process hash for every process event:
     The process_events table gains md5, sha1 and sha256 columns carrying hashes of the executable behind each process event. The hash is computed at event time, so it can be matched against threat intelligence directly in the event query rather than via a second lookup of a file that may since have been replaced.
  3. Maximum memory utilization scaled to system memory ("taxi fare" algorithm):
     The cap on osquery's memory use is now calculated in tiers from the host's physical memory, like a taxi meter: a fixed base, then a per-GB increment whose rate drops above a threshold.
     Below 2 GB of system memory: 400 MB fixed.
     2 GB to 16 GB: +80 MB per additional GB (rate configurable).
     Above 16 GB: +32 MB per additional GB.
  4. Yara events:
     With this release, Uptycs supports configuration of Yara events. Yara events are configured under File Integrity Monitoring.
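The memory-cap tiers above read as a taxi-meter schedule: a fixed fare, then a per-GB rate that steps down after 16 GB. The function below is an added example (not Uptycs's or osquery's code) that applies that schedule as written. The "base plus increments above each threshold" reading, the choice that exactly 2 GB still gets the fixed cap, and the watchdog_flag helper are the example's own assumptions. osquery core exposes its watchdog memory cap as the --watchdog_memory_limit flag (in MB); whether the Uptycs build feeds this calculation into that flag is not stated on the page.

```python
import os

# Tier boundaries and rates as given in the release notes.
BASE_MB = 400                 # fixed cap for hosts below 2 GB
TIER1_START_GB = 2
TIER1_END_GB = 16
TIER1_RATE_MB_PER_GB = 80     # the page says this rate is configurable
TIER2_RATE_MB_PER_GB = 32


def max_memory_mb(system_gb, tier1_rate_mb_per_gb=TIER1_RATE_MB_PER_GB):
    """Return the osquery memory cap in MB for a host with system_gb of RAM.

    Assumption (example's own): the cap is the 400 MB base plus 80 MB for
    every GB between 2 GB and 16 GB, plus 32 MB for every GB above 16 GB,
    so the function is continuous at the tier boundaries.
    """
    if system_gb < 0:
        raise ValueError("system memory cannot be negative")
    limit = BASE_MB
    if system_gb > TIER1_START_GB:
        tier1_gb = min(system_gb, TIER1_END_GB) - TIER1_START_GB
        limit += tier1_gb * tier1_rate_mb_per_gb
    if system_gb > TIER1_END_GB:
        limit += (system_gb - TIER1_END_GB) * TIER2_RATE_MB_PER_GB
    return limit


def watchdog_flag(system_gb, tier1_rate_mb_per_gb=TIER1_RATE_MB_PER_GB):
    """Render the cap as osquery's real --watchdog_memory_limit flag.

    Hypothetical glue: the page does not say the Uptycs build sets this
    flag from the computed value; it is shown as one way to apply it.
    """
    mb = int(max_memory_mb(system_gb, tier1_rate_mb_per_gb))
    return "--watchdog_memory_limit=%d" % mb


def local_system_gb():
    """Best-effort physical RAM in GB on POSIX hosts; None if unavailable."""
    try:
        page = os.sysconf("SC_PAGE_SIZE")
        pages = os.sysconf("SC_PHYS_PAGES")
    except (AttributeError, ValueError, OSError):
        return None
    return page * pages / (1024 ** 3)


if __name__ == "__main__":
    # Walk the schedule so the step-down in rate above 16 GB is visible.
    for gb in (1, 2, 4, 8, 16, 32, 64):
        print("%3d GB host -> %4d MB cap   %s" % (gb, max_memory_mb(gb), watchdog_flag(gb)))
    here = local_system_gb()
    if here is not None:
        print("this host: %.1f GB -> %s" % (here, watchdog_flag(here)))
```

For an 8 GB host the schedule yields 400 + 6 * 80 = 880 MB; at 16 GB it reaches 1520 MB, and a 32 GB host adds only 16 * 32 = 512 MB more, which is the point of the lower second-tier rate: large hosts get headroom for event volume without letting the cap grow linearly with RAM.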


New tables added:

  Table                   Description
  battery                 Information about the internal battery of a MacBook.
  ulimit_info             System resource usage limits.
  ntfs_acl_permissions    NTFS ACL permission information for files and directories.
  ssh_configs             Parsed ssh_config entries.
  smart_drive_info        Drive information read from the SMART controller, using autodetect.
  elf_info                ELF file information (Linux).
  winbaseobj              Named Windows objects in the default object directories, across all terminal services sessions.
  oem_strings             OEM-defined strings from SMBIOS.
  interface_ipv6          IPv6 configuration and statistics of network interfaces.
  platform_info           Information about EFI/UEFI/ROM and platform/boot.
  ntdomains               Basic NT domain information for a Windows machine.
  yara_events             Events for modified or created files that match preconfigured Yara signatures (Windows; Uptycs version only).
  prefetch                Contents of the Windows prefetch database, giving forensic-level visibility into recently launched programs (Windows only; Uptycs version only).
  logon_sessions          Windows logon session information.


New columns added:

  Table                   New columns
  cpuid                   Various new CPU identification columns.
  hash                    ssdeep column (macOS and Linux).
  interface_details       link_speed.
  sharing_preferences     Column indicating whether content caching is enabled.
  routes                  hopcount, the maximum hop count expected per route.
  pci_devices             Vendor and model columns populated from the system copy of pci.ids; PCI class and subclass columns.
  os_version              Installation date column.
  processes               Per-process performance data for Windows processes.
  process_events          ancestor_list; process hash columns md5, sha1 and sha256.



Other notable features and improvements:

  • Killswitch feature allowing new features to be switched off through remote-config-like settings
  • Thread names: debugging tools now show the names of osquery threads, not just their numbers, when listing threads
  • More robust and optimized RocksDB usage, reducing resource consumption while reporting higher volumes of data
  • Automatic configuration of syslog-ng and rsyslogd based syslog servers via osquery
  • Major optimization and performance gains on auditd-based events and tables