Osquery Release Notes-Release 4.2.xx.xx

The following features and enhancements have been added:

  • Support for YARA process memory scanning with the YARA table, YARA process events, and process memory carving for Linux and Windows.
  • Merged eBPF tables into Audit tables.
  • New columns added in the process_events, process_file_events, and socket_events tables.
  • Improved ancestor lists:
    • cmdline and exe_name now included in the ancestor_list for parent processes.
    • Significant improvements to the completeness of the ancestor list on Linux and Windows.
  • eBPF support is available on Ubuntu 20.04 and Amazon Linux 1.
  • Support for legacy SUSE 10 and 11 versions is available.
  • Linux namespace IDs added to the crio and lxd container tables to match the docker tables, making joins against the event tables easier.
  • Augeas dependency upgraded to 1.12, which includes updated and new lenses. Added the ability to use a custom lens with custom paths (new hidden column called lens). For example:
      select * from augeas where lens = 'xml' and path in ('/tmp/foo.xml', '/tmp/bar.xml')
  • Removed the dependency on the id clause in docker_container_processes.
  • Improvements in the cis_independent_linux table.
  • Fix for exclusion rules in the unified tables.
  • Support to capture the chmod syscall in eBPF and the mode argument of the open syscall.
  • The is_container_privileged column added to process_events, process_file_events, and socket_events.
  • Support to exclude network file systems from verification by cis_independent_linux queries.
  • Functionality to query container processes without a provided id.
  • Functionality to specify a lens and custom include paths.
  • Fix for process_events path/exe_name on Win32.
  • Functionality to capture container image on new containers with --add_container_image_to_events.
  • CRI-O fixes for missing ppid_time and is_container_namespace.
  • Added is_container_init to eBPF_process_events, a socket type column to socket_events, and a flags column to file_open_events.
  • Support for hidden file carving.
  • Audit is now the default publisher.
  • Functionality to populate success and status fields in the eBPF_socket_events table.
  • A source column added in the syscall_events table.
  • Uniform default values added for remote_ip, remote_port, local_ip, and local_port between eBPF and Audit.
  • Fix for --audit_force_dispatcher_mode=true after osquery auto-update.
  • Support for APK, RPM, and DEB package listings inside running Docker and CRI-O containers as well as Docker images.
  • The docker_events table added.
  • The diag_watcher_stats table added, and a new log file osqueryd.diag.log introduced to capture osqueryd diagnostic details.
  • The osquery_tail table introduced, which populates data from the osqueryd.worker.log, osqueryd.watcher.log, and osqueryd.diag.log files.
  • Support for querying containers within the os_version table.
  • The Windows installer path has been updated from Program Data to Program Files.