Osquery 4.6.5 Release notes

This osquery release includes the following features, enhancements, and bug fixes.

This osquery release includes the following features and enhancements:

  • UptycsProtect:

    • UptycsProtect engine support for multiple path regexes.
    • UptycsProtect process event source. The UptycsProtect process event source is mutually exclusive with the BSM process event source and the Santa process blocking event decorator. When it is enabled, the process_events and process_blocking_events tables are populated from UptycsProtect events.
  • Blocking and remediation:

    • Support to refresh a blocking configuration when the remediation configuration refreshes.
    • Process blocking path regexes must now start with the ^ anchor, so a rule matches from the beginning of the path rather than any substring of it.
    • Added the rule column to the process_blocking_events table.
    • Decision log support for controlling process execution with the Linux blocking feature.
    • macOS DNS blocking support.
    • A new 'LOG' decision: the process is allowed to run and a blocking event with decision = 'LOG' is generated.
    • A reason column for the Windows blocking feature. The reason column records which criterion produced the decision: PATH, CERT, BIN, DEFAULT, or UNSIGNED.
    • Functionality to refresh the osquery config and restart the osquery worker via remediation.
    • Script execution support for remediation on Windows endpoints.
    • Windows process_blocking_events support.
    • Windows remediation support for process, file, registry, firewall, user, and Windows services.
  • Detections:

    • Improved YARA scanning criteria for Windows endpoints.
    • YARA scanning on macOS no longer scans identical process binaries multiple times.
    • Added a high-resolution timestamp column, event_time, to the http_events table.
  • Compliance:

    • NIST checks for launch daemons now verify that the daemons are enabled rather than merely loaded.
  • Miscellaneous:

    • Added a parent column (PID of the parent process) to the yara_process_events table.
    • osqueryd now logs a warning message concerning macOS Full Disk Access.
    • The vulnerability build scan now includes build data (pass/fail) via the updateVulnerabilites API, and new columns were added to the vulnerabilities_scanned_images table.
    • Added support for reporting the process running state (Windows).
    • Support for the new TLS logger format with chunked data.
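The anchor requirement and the new LOG decision in the blocking items above are easiest to see with a small rule evaluator. The following is an added example written for this page; it is not Uptycs or osquery code. The rule dict shape, the default-deny fallback, and the way a reason value is assigned are assumptions made for illustration, not the product's configuration schema.

```python
import re

# Decisions a rule can carry, per the release notes: ALLOW, BLOCK, and the new
# LOG decision, which lets the process run but still emits a blocking event.
VALID_DECISIONS = {"ALLOW", "BLOCK", "LOG"}


def validate_rule(rule):
    """Return the problems found in one rule (an empty list means accepted).

    `rule` is a dict with "path_regex" and "decision" keys. This shape is a
    hypothetical stand-in for the real blocking configuration.
    """
    problems = []
    regex = rule.get("path_regex", "")
    if not regex.startswith("^"):
        problems.append("path_regex must start with ^: an unanchored regex "
                        "matches a substring anywhere in the path")
    try:
        re.compile(regex)
    except re.error as exc:
        problems.append(f"path_regex does not compile: {exc}")
    if rule.get("decision") not in VALID_DECISIONS:
        problems.append(f"decision must be one of {sorted(VALID_DECISIONS)}")
    return problems


def path_matches(regex, path):
    """Substring search, which is what an unanchored rule effectively does."""
    return re.search(regex, path) is not None


def decide(rules, path, default="BLOCK"):
    """Apply the first matching rule; otherwise return the default decision.

    The (decision, reason) pair mirrors the decision and reason columns of
    process_blocking_events. Reason PATH is used because these rules match on
    path only; DEFAULT marks the fallback. Default-deny is an assumption here.
    """
    for rule in rules:
        if path_matches(rule["path_regex"], path):
            return rule["decision"], "PATH"
    return default, "DEFAULT"


if __name__ == "__main__":
    # Constructed sample: an allow rule that forgot the anchor, and an
    # attacker-controlled path that ends with the trusted interpreter path.
    unanchored = {"path_regex": "/usr/bin/python3$", "decision": "ALLOW"}
    anchored = {"path_regex": "^/usr/bin/python3$", "decision": "ALLOW"}
    audit = {"path_regex": "^/tmp/.*", "decision": "LOG"}
    evil = "/tmp/dropper/usr/bin/python3"

    print(validate_rule(unanchored))    # one problem: missing ^
    print(validate_rule(anchored))      # []
    print(decide([unanchored], evil))   # ('ALLOW', 'PATH'): allow-list bypassed
    print(decide([anchored], evil))     # ('BLOCK', 'DEFAULT'): no rule matched
    print(decide([audit], evil))        # ('LOG', 'PATH'): runs, event emitted
```

The unanchored allow rule is the dangerous case: any binary whose path merely ends in the trusted path is allowed, which is why the validator rejects it before it reaches the engine. A LOG rule is the natural way to stage a new pattern, since it reports what would have matched without changing what runs.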

This osquery release fixes the following bugs:

  • eBPF failed to load on RHEL 7 with kernel versions 3.10.0-1062.1.2.el7.x86_64 and 3.10.0-1160.24.1.el7.x86_64. To fix this, RHEL 7.7 and RHEL 7 were added as compatible distributions for eBPF.
  • Real-time query results (for the cis_docker standard) from the compliance table included junk entries in the evidence column. To fix this, evidence is no longer collected when osquery is not connected to the Docker socket.
  • Process file events were not generated for soft links and hard links on Linux with eBPF. To fix this, eBPF now always captures the destination path, even when only the source path matches the FIM configuration.
  • Asset enrollment was stuck at the enrolling stage. To fix this, the flag profiles were modified to fix Farquery enrollment and to force-disable audit (which blocks ptrace events).
  • process_events were not reported from the Farquery container.
  • An asset could not be logged off from the Uptycs UI. After the fix, an asset can be logged off using the Uptycs UI.
  • The asset_details query pack did not run immediately after an asset was enrolled. To fix this, the run_now functionality was improved and an 'isRunning' check was added to the Scheduler lambda.
  • On eBPF-enabled assets, osquery crashed with the message *"terminating with uncaught exception of type std::invalid_argument: stoul: no conversion"*.
  • The yara_process_events table reported an incorrect RID.
  • User name and login name metadata fields were missing from the Windows event tables. New columns were added to the corresponding Windows event tables.
  • No data was reported from the wifi_networks table (macOS).
  • yara_events were not generated for file rename actions (macOS). A new dest_path column was added to the process_file_events table for macOS.
  • PID and related columns had no entries in the powershell_events table because the script_name column was empty (Windows). The script_name column was added to powershell_events.
  • EC2 Windows Source and Service were not displayed on the Asset details page.
  • yara_events were not generated when override_audit_allow_fim_events was false and enable_fs_events_based_file_events was true. Events from file_events are now forwarded to the yara_events publisher.
  • The osquery worker restarted frequently because it exceeded its CPU usage and memory limits.