Osquery Release Notes-Release 4.6

The following features and enhancements have been added:

  • Support to configure fatal_cvss_score in the osquery-scan script.
  • Support for regex patterns ending with .*$ in the kernel.
  • Support for ECS Fargate tables.
  • Support for farquery to read secrets and the hostname from environment variables (ENV) instead of from a private image.
  • Fix for removing custom exclusion rules from osquery. Removing the rules from config now removes them from osquery successfully.
  • Support for labels on older containerd events.
  • Support for validating, at defined intervals, the exe paths specified by syscall audit rules. Two new flags support this enhancement: audit_exe_rules_sync and audit_exe_rules_sync_period.
  • Support for validating that the audit rules loaded in the kernel are in sync with the audit rules pushed by the Uptycs cloud. Two new flags support this enhancement: audit_rules_sync and audit_rules_sync_period.
  • Support for screenlock query when the watchdog is active.
  • Improvements in generic conditional checks for compliance.
  • Fix for the missing PIDs in the docker_container_stats table.
  • CIS support for macOS 10.15 and RHEL 7.
  • Fix for unsupported JSON input formats.
  • Support to include YARA rule metadata in the yara_process_events table.
  • Added a new column version_info in the processes and process_events tables that includes file version information for PE executables.
  • Added a new column ancestor_list in the yara_process_events table to correlate yara rule alerts in a detection.
  • Added a new table ntp to identify any clock drift. A new flag enable_ntp_query is introduced to enable this feature.
  • Support to capture file attribute changes for auditd based FIM events.
  • Event exclude profiles now support CIDR values in the remote/local addresses for socket_events.
  • Support for running the osquery runtime at scale on Windows endpoints.
  • Support for counting the event records discarded by event exclude profile rules on Linux endpoints.
  • Added a new column container_age in the eBPF events table to improve event time handling.
  • Support for Kringle decision cache.
  • Added generic compliance checks for file existence, permissions, and owner.
  • Added a new table firmware_password to capture events for firmware password settings on macOS endpoints.
  • Added a new table mdm_profile to capture events for MDM profile settings on macOS endpoints.
  • Added ARM64 (Apple Silicon) support to the apps table.
  • Enhanced vulnerability scans to report a threat-indicator download error instead of a zero count.
  • Integrated Santa macOS application blocker.
  • Fix for Xcode compiler warnings and potential leaks.
  • Support to specify check IDs as a rule for Windows endpoints.
  • Enhanced support for osquery-scan to detect all .jar and .JAR files in the docker images and scan them for vulnerabilities.
  • Fix for the diag_watcher_stats table for macOS endpoints.
  • Support for detecting processes launched from non-ELF files (scripts, etc.).
  • API support for downloading Santa/Kringle rules.
  • Support to capture file attribute changes (chown and chmod) for FIM events.
  • Support for Automated Table Creation (ATC) queries.
  • Added file_vault status to the disk_encryption table.
  • Support to re-check the list of packages in an image for new vulnerabilities.
  • Support for JAR package listing and vulnerability scanning.
  • Cleaned up log noise caused by parameter mismatches.
  • Carving support for files without write permission.
  • Support for PCI Windows KIOSK.
  • New compliance_on_demand table to run queries (global and real-time) on the selected hosts.
  • Support for containerd.
  • Added a new flag windows_event_excluded_ids to exclude Windows events based on event ID.
  • Fix for multiple check_id execution with different parameters.
  • Fix for empty columns in the process_file_events table.
  • Support for the PCI Linux server checks.
  • Enhanced the diag_watcher_stats table to display more granular details about osquery CPU utilization. This helps in debugging any high CPU issue.
  • Support for a single compliance table.
  • Support for SQLite3.
  • Updated to OpenSSL 1.1.1i to address CVE-2020-1971.
  • New osquery_log table to parse worker and watcher logs.
  • Support for collecting information about missing Windows patches.