Osquery 5.8 introduces process auditing on Windows, statistics for live queries, and additional tables. 🟣 Openness is a key Fleet value. We welcome contributions to Fleet and find ways to contribute to other open-source projects. When you support Fleet, you are also contributing to projects like osquery. Let’s take a look at the changes in this latest release.
Please note that osquery 5.8 has already been pushed to Fleet’s stable and edge auto-update channels.
process_etw_events
tableThis PR introduces POTE (Programmable OS Tracing Engine) framework + a new windows evented
table called etw_process_events
which is built on top of POTE. The primary purpose of this new evented
table is to audit process creation and termination on Windows. Having POTE in place will simplify the addition of future evented
tables as POTE provides a simplified mechanism to create ETW-based Event publishers.
The Windows process_etw_events
table brings osquery towards parity with System Monitor (Sysmon). Sysmon is a common add-on for Windows logging. With Sysmon, you can detect malicious activity by tracking code behavior and network traffic. Sysmon is part of the Sysinternals package and is owned by Microsoft.
Fleetie, Marcos contributed this pull request to the osquery project.
This PR creates a new top-level stats
key when writing a distributed query response. This includes the data in QueryPerformance
class, indexed by the query ID in the server's read endpoint. A new stats JSON subkey exposes the stats
key in the distributed query response. Performance stats are not stored. When a query executes, the stats for that execution are returned.
The addition of stats
unlocks future work in Fleet that will enable performance stats for live queries and policies.
Fleetie, Artemis contributed this pull request to the osquery project.
pid_with_namespace
for yara
tableOn October 25, the OpenSSL project team announced a security fix for a critical vulnerability in OpenSSL version 3.x. The patch was released on November 1, 2022. Akamai released a blog post with a YARA-based rule, helping Sysadmins find processes running with vulnerable OpenSSL versions. OpenSSL process identification works well for processes on the host OS but breaks down for processes inside containers.
This change adds the pid_with_namespace
column to the YARA table in osquery, allowing for querying within containers using the yara
table.
Unit_file_state
column in systemd_units
tableThis change adds a new column to the systemd_units
table to determine if a systemd
service is in one of several enabled states, such as enabled
or masked
. This allows for discovering running processes that could have potential security implications. Previously, determining if a service was enabled was not possible in osquery.
Fleetie, Artemis contributed this pull request to the osquery project.
Bpf_process_events_v2
tableAn initial experiment has been included, called linuxevents
. This PR adds a new bpf_process_events_v2
table, a better, container-aware version of the built-in bpf_process_events
. The new functionality is considered experimental and must be explicitly enabled with --experiment_list=linuxevents
.
Key features:
secureboot
tableThis PR adds support for macOS (Intel-based) hardware that have a secure enclave and support secure boot. This PR extends the secureboot schema from boolean to the following: Secure mode for Intel-based macOS: 0 disabled, 1 full security, 2 medium security.
kernel_keys
tableThis PR adds a new table called kernel_keys
for Linux. This table exposes the content of the file /proc/keys,
this file exposes a list of the keys for which the reading thread has view permission, providing various information about each key.
docker_container_stats
The docker container memory usage is not in sync with docker CLI which subtracts the cached memory from the used memory. A new cached_memory
column has been added to docker_container_stats
to retrieve the cached container memory to provide more detailed information about container memory usage.