Osquery Release notes - Release 5.0.1
This osquery release includes the following features, enhancements, and bug fixes:
- Support for new tables and columns from open-source osquery 5.0.1.
- Synced the pci_devices table with open-source osquery 4.9.0.
- Refactored the chrome_extensions table to include all Chromium-based browsers. Deprecated support for the opera_extensions table.
- Support to log CPU time spent on each Pub/Sub event in the osquery_events table.
New Tables
| Table Name | Supported OS | Description |
|---|---|---|
| seccomp_events | Linux | Tracks seccomp events |
| ip6tables | Linux | Linux IPv6 packet filtering and NAT tool |
| secureboot | Linux, Windows | Secure Boot UEFI settings |
| audit_rules | Linux | Audit rules loaded in the kernel audit system |
| location_services | Mac | The status of the location services feature of the OS |
| system_extensions | Mac | Includes a list of system extensions |
| shellbags | Windows | Displays directories accessed via Windows Explorer |
| shortcut_files | Windows | Displays data about Windows shortcut files |
| tpm_info | Windows | Includes the TPM information |
| process_open_files | Windows | Includes a list of files opened by a particular process ID |
| wmi_query_events | Windows | Includes a list of WMI queries fired by other processes |
| image_hooks | Windows | Includes a list of hooked APIs in DLLs loaded by a process |
| usb_devices | Windows | Includes a list of USB devices attached to a Windows system |
| firewall_rules | Windows | Includes a list of currently deployed firewall rules in Windows Firewall |
Enhanced Tables
| Table Name | Supported OS | Improvements |
|---|---|---|
| wmi_bios_info | Windows | Fixed search capabilities and added WMI location for Dell bios_info |
| chrome_extensions | All | Support to include all Chromium-based browsers |
| curl_certificate | All | Added timeout columns |
| disk_encryption | All | Support for QueryContext |
| fileops | Windows | Fixed memory issue |
| last | All | Added utmp type name column |
| process_open_sockets | Mac | Fixed type error on Darwin |
| sudoers | Linux, Mac | Added the source column |
- Added the event_time column to the dns_lookup_events table.
- Enabled eBPF support for Debian 10 4.X kernels and Ubuntu 20.04 5.11 kernels.
- eBPF now uses BTF debug information to support Ubuntu 20.10 and later, Debian 11, Amazon Linux 2 5.X kernels, and Google Container-Optimized OS.
- In-kernel DNS exclusion rule processing support for the ebpf_dns_lookup_events table.
- Support for the containers, container_version, container_images, and container_processes tables, which include results from all container runtimes.
- Support to always include container details in the process, socket, and FIM events.
- Support for Amazon Graviton CPUs.
- Support to run Docker containers on both x86 and Amazon Graviton CPUs.
- Added the host_uid and gid columns to the users, groups, and user_groups tables (for containers with their own user namespace).
- Fixed timezone handling for container ages.
- Ported the sleuthkit-based forensics tables (device_file, device_hash, device_partitions) to Windows.
- Support for the Windows Defender tables: windows_defender_preferences, windows_defender_status, and windows_defender_threats.
- A new column in the user_groups table to enumerate only top-level members and prevent recursive searching.
- A new column in the logon_events table to indicate the IP address of the machine a remote user is logged in from.
- The refactored processes table now uses underlying Windows system calls and no longer depends on WMI.
- Support for the pid and script name in the powershell_events table.
- Enriched user, process, and process_image_path based telemetry in all the evented tables.
- Support to initiate Windows Defender Scans.
- Support to access events for Windows Registry.
- Support for endpoint security-based FIM.
- Fixed the empty platform_info table on M1 Macs.
- Fixed missing local address for explicit bind.
- Disabled checks for /etc/apt/trusted.gpg.d on RHEL7.
- Support for filename_regex in the L0370, L0371, L0418, L0419 sections.
- Fixed possible hang when running compliance scan on Amazon Graviton Arm CPUs.
- Added containerd compliance checks.
- Updated the param details for the L0411 and L0412 sections.
- Support to control recursion for the L0411 and L0412 sections.
- Additional descriptions for non-generic checks.
- Generic check support to validate network parameters using sysctl.
- Custom parameter support for the RHEL8 3.2.6 check.
- Support for additional NIST 800-53 macOS checks.
- Support to include vulnerabilities when no fixed package is available.
- Support to include vulnerabilities when binary packages have different names from source packages.
- Fix for vulnerability scanning on Amazon Linux 1.
- Disabled duplicate threat indicator data source.
- Improved YARA rules error handling.
- YARA signature-based FIM can now use file_events or process_file_events.
- Improved FIM handling for symlinked /bin directories.
- Added context-based columns to YARA events.
- Support for the osquery_yara_signatures diagnostic table, which captures all YARA rules.
- Enabled YARA FIM support inside running containers.
- Support for additional process blocking policy rules on Windows endpoints.
- Infrastructure to support future compliance auto-remediation.
- Support to block interpreter scripts on macOS endpoints.
- The initial release of Uptycs Protect Blocking & Remediation.