Osquery Release Notes-Release 4.4.xx.xx

The following features and enhancements have been added:

  • Enhanced password validation criteria for files with pam_cracklib.so configured.
  • New custom parameter patterns were added for CIS section 1.4.2, and the regex for CIS section 2.2.1.2 was improved.
  • Enhanced CIS sections parameters.
  • Added more sections for Windows CIS compliance.
  • Fix for the apt_sources table so that it observes all APT repositories from the /etc/apt/sources.list file and the /etc/apt/sources.list.d directory.
  • Enhancement in the CIS section 6.2.10 to ensure checks only for dot (regular) files and no checks for dot directories and symlinks.
  • Fix for Windows osquery logs rotation.
  • Removed the Augeas lenses directory from Windows.
  • A new flag --query_blacklist_duration is added to manage the duration when a query is added to the deny list.
  • The user_events table can now capture failed SSH logins.
  • The following three columns have been newly added to the compliance table:
    • expected_value: customizes the output of a command to avoid ambiguity.
    • remediation: describes how to modify your system to make it compliant.
    • authoritative_source: carries the source information in a column when the result is imported into a third-party tool.
  • Improvements in Windows DNS answers to align with Linux and MacOS.
  • Support for the process start_time in the Windows socket_events and process_file_events tables.
  • Support to capture file magic cookies on Linux and MacOS.
  • Improvements in the process_file_events table to capture absolute paths specified in the command line of up to 800 characters.
  • Support to implement CIS configuration on Ubuntu 16.
  • New command line flags added to limit the size of the ancestor list, i.e. --ancestor_list_max_entries and --ancestor_list_cmdline_max_length.
  • Support for the community_id() function.
  • Fix for the ec2_instance_tags table. Now it returns instance tag key values successfully.
  • Support for the efivars table to get Extensible Firmware Interface details.
  • Support for CIS on Windows including the CIS Section 2.2.x.
  • Support for PowerShell events on Windows endpoints with a new flag, win_allow_powershell_events.
  • Added the cvss_score column to the cis_independent, cis_rhel7 and cis_ubuntu16 tables.
  • Support for system integrity protection on MacOS.
  • Support to implement CIS configuration on Red Hat Enterprise Linux.
  • Improvements in ptrace system call detections.
  • Improvements in the performance and reduced log spew on servers for a large number of exited containers.
  • Support for standard event times on Windows.
  • Improvements in the carving capabilities with an increased timeout.
  • Support for image load events and process hollowing detections.
  • Support to detect credential dumping malware.
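The community_id() function listed above computes the Community ID flow hash, a vendor-neutral identifier that lets a socket event logged on an endpoint be joined against the same flow seen by Zeek, Suricata or a NetFlow sensor. The following Python block is an added example written for these notes; it is not osquery's or Uptycs' implementation. It implements version 1 of the published Community ID specification (seed, ordered address pair, protocol, padding byte, ordered port pair, SHA-1, base64) for TCP, UDP and SCTP, and for other protocols without ports; the ICMP type/code mapping from the specification is deliberately left out. The sample records are constructed.

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers whose flows contribute ports to the hashed tuple.
PORT_PROTOS = {6, 17, 132}  # TCP, UDP, SCTP


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Return the Community ID v1 string ("1:<base64 sha1>") for one flow.

    The (address, port) pairs are ordered so that the same ID is produced
    regardless of which side of the conversation was observed as the sender.
    """
    saddr = ipaddress.ip_address(src_ip).packed  # 4 or 16 bytes, network order
    daddr = ipaddress.ip_address(dst_ip).packed
    has_ports = proto in PORT_PROTOS

    # Canonical ordering: the lexicographically lower endpoint becomes "source".
    flip = saddr > daddr or (saddr == daddr and has_ports and src_port > dst_port)
    if flip:
        saddr, daddr = daddr, saddr
        src_port, dst_port = dst_port, src_port

    data = struct.pack("!H", seed) + saddr + daddr + struct.pack("!BB", proto, 0)
    if has_ports:
        data += struct.pack("!HH", src_port, dst_port)
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def correlate(endpoint_events, sensor_flows):
    """Group endpoint socket events and network-sensor flows by Community ID.

    Each record is a dict with keys local_ip/local_port/remote_ip/remote_port/proto
    (the shape is assumed for this example). Returns {community_id: [records]}.
    """
    groups = {}
    for rec in list(endpoint_events) + list(sensor_flows):
        cid = community_id_v1(rec["local_ip"], rec["local_port"],
                              rec["remote_ip"], rec["remote_port"], rec["proto"])
        groups.setdefault(cid, []).append(rec)
    return groups


# Constructed sample data: the same TCP connection as seen from the endpoint
# (client side) and from a network sensor that logged it server-to-client.
SAMPLE_ENDPOINT_EVENTS = [
    {"source": "socket_events", "local_ip": "10.1.2.3", "local_port": 51234,
     "remote_ip": "203.0.113.10", "remote_port": 443, "proto": 6},
]
SAMPLE_SENSOR_FLOWS = [
    {"source": "sensor", "local_ip": "203.0.113.10", "local_port": 443,
     "remote_ip": "10.1.2.3", "remote_port": 51234, "proto": 6},
    {"source": "sensor", "local_ip": "10.1.2.3", "local_port": 51234,
     "remote_ip": "203.0.113.10", "remote_port": 443, "proto": 17},  # UDP, distinct flow
]


if __name__ == "__main__":
    for cid, recs in correlate(SAMPLE_ENDPOINT_EVENTS, SAMPLE_SENSOR_FLOWS).items():
        print(cid, [r["source"] for r in recs])
```

The grouping step is what makes the column useful operationally: once both the endpoint and the network sensor emit the same ID, an analyst can pivot from a process-attributed socket event to packet-level evidence without reconstructing the five-tuple by hand. Note that all producers must agree on the seed (0 by default) or the IDs will not match.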