Osquery Release notes - Release 5.0.1

This osquery release includes the following features, enhancements, and bug fixes:

  • Support for new tables and columns from open-source osquery 5.0.1.
  • Synced the pci_devices table with open-source osquery 4.9.0.
  • Refactored the chrome_extensions table to include all chromium-based browsers. Deprecated the opera_extensions table support.
  • Support to log CPU time spent on each Pub/Sub event in the osquery_events table.

New Tables

  Table name            Supported OS      Description
  seccomp_events        Linux             Tracks seccomp events
  ip6tables             Linux             Linux IPv6 packet filtering and NAT tool
  secureboot            Linux, Windows    Secure Boot UEFI settings
  audit_rules           Linux             Audit rules loaded in the kernel audit system
  location_services     Mac               The status of the location services feature of the OS
  system_extensions     Mac               Includes a list of system extensions
  shellbags             Windows           Displays directories accessed via Windows Explorer
  shortcut_files        Windows           Displays data about Windows shortcut files
  tpm_info              Windows           Includes the TPM information
  process_open_files    Windows           Includes a list of open files by a particular process ID
  wmi_query_events      Windows           Includes a list of WMI queries fired by other processes
  image_hooks           Windows           Includes a list of hooked APIs in DLLs loaded by a process
  usb_devices           Windows           Includes a list of USB devices attached to a Windows system
  firewall_rules        Windows           Includes a list of currently deployed firewall rules in Windows Firewall
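As an added example (not part of these release notes and not Uptycs' own code), the query below combines the new secureboot and tpm_info tables into a single firmware-posture check that could be run from a scheduled query pack. The column names are taken from the open-source osquery 5.0 schema for these two tables (secureboot: secure_boot, setup_mode; tpm_info: enabled, activated, owned, manufacturer_name, spec_version) and are assumed to match the Uptycs build; the compliant/review labels are illustrative.

```sql
-- Added example, not from the Uptycs release notes.
-- Assumption: secureboot and tpm_info expose the same columns as the
-- open-source osquery 5.0 schema.

-- Windows: Secure Boot enforced (on, not in setup mode) and a TPM that is
-- enabled and owned. Both tables return at most one row, so the cross join
-- produces one row per host.
SELECT
  sb.secure_boot,
  sb.setup_mode,
  t.enabled           AS tpm_enabled,
  t.activated         AS tpm_activated,
  t.owned             AS tpm_owned,
  t.manufacturer_name AS tpm_vendor,
  t.spec_version      AS tpm_spec,
  CASE
    WHEN sb.secure_boot = 1 AND sb.setup_mode = 0
         AND t.enabled = 1 AND t.owned = 1
    THEN 'compliant'
    ELSE 'review'
  END AS boot_posture
FROM secureboot sb, tpm_info t;

-- Linux: the secureboot table is listed for Linux above, tpm_info is not,
-- so only the Secure Boot state is checked there.
SELECT
  secure_boot,
  setup_mode,
  CASE WHEN secure_boot = 1 AND setup_mode = 0 THEN 'compliant' ELSE 'review' END
    AS boot_posture
FROM secureboot;
```

On hosts booted in legacy BIOS mode the secureboot table may return no rows at all, so a scheduled version of this check should treat an empty result as a finding rather than as a pass; a setup_mode of 1 also deserves attention even when secure_boot is 1, because the platform key database can be modified in that state.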

Enhanced Tables

  Table name            Supported OS      Improvements
  wmi_bios_info         Windows           Fixed search capabilities and added the WMI location for Dell bios_info
  chrome_extensions     All               Support to include all chromium-based browsers
  curl_certificate      All               Added the timeout column
  disk_encryption       All               Support for QueryContext
  fileops               Windows           Fixed a memory issue
  last                  All               Added the utmp type name column
  process_open_sockets  Mac               Fixed a type error on Darwin
  sudoers               Linux, Mac        Added the source column

  • Added event_time column for the dns_lookup_events table.
  • Enabled eBPF support for Debian 10 4.x kernels and Ubuntu 20.04 5.11 kernels.
  • eBPF now uses BTF debug information to support Ubuntu 20.10 and later, Debian 11, Amazon Linux 2 5.x kernels, and Google Container-Optimized OS.
  • In-kernel DNS exclusion rule processing support for the ebpf_dns_lookup_events table.
  • Support for the containers, container_version, container_images, and container_processes tables, which include results from all container runtimes.
  • Support to always include container details in the process, socket, and FIM events.
  • Support for Amazon Graviton CPUs.
  • Support to run Docker containers on both x86 and Amazon Graviton CPUs.
  • Added the host_uid and gid columns to the users, groups, and user_groups tables (for containers with their own user namespace).
  • Fixed timezone handling with container ages.
  • sleuthkit-based forensics tables ported to Windows: device_file, device_hash, and device_partitions.
  • Support for Windows Defender tables: windows_defender_preferences, windows_defender_status, and windows_defender_threats.
  • A new column in the user_groups table to enumerate only top-level members and prevent recursive searching.
  • A new column in the logon_events table to indicate the IP address of the machine a remote user is logged in from.
  • Refactored the processes table to use the underlying Windows system calls; it no longer depends on WMI.
  • Support for the pid and script name in the powershell_events table.
  • Enriched user, process, and process_image_path telemetry in all the evented tables.
  • Support to initiate Windows Defender Scans.
  • Support to access events for Windows Registry.
  • Support for endpoint security-based FIM.
  • Fixed the empty platform_info table on M1 Macs.
  • Fixed missing local address for explicit bind.
  • Disabled checks for /etc/apt/trusted.gpg.d on RHEL7.
  • Support for filename_regex in the L0370, L0371, L0418, L0419 sections.
  • Fixed possible hang when running compliance scan on Amazon Graviton Arm CPUs.
  • Added containerd compliance checks.
  • Updated the param details for the L0411 and L0412 sections.
  • Support to control recursion for the L0411 and L0412 sections.
  • Additional description for non-generic checks.
  • Generic check support to validate network parameters using sysctl.
  • Custom parameter support for the RHEL8 3.2.6 check.
  • Support for additional NIST 800-53 macOS checks.
  • Support to include vulnerabilities when no fixed package is available.
  • Support to include vulnerabilities when binary packages have different names from source packages.
  • Fix for vulnerability scanning on Amazon Linux 1.
  • Disabled duplicate threat indicator data source.
  • Improved YARA rules error handling.
  • YARA signature-based FIM can now use file_events or process_file_events.
  • Improved FIM handling for symlinked /bin directories.
  • Added context-based columns to YARA events.
  • Support for diagnostic table osquery_yara_signatures to capture all YARA rules.
  • Enabled YARA FIM support inside running containers.
  • Support for additional process blocking policy rules on Windows endpoints.
  • Infrastructure to support future compliance auto-remediation.
  • Support to block interpreter scripts on macOS endpoints.
  • The initial release of Uptycs Protect Blocking & Remediation.