Release - 5.17.0 New release published by zwass ## 5.17.0 Git Commits ## What's Changed • Add

CHANGELOG.md

entry for 5.16.0 by @lucasmrod in #8548 • Add

symlink_target_path

to

files

tables by @DocEmmetBrown in #8502 • cve: Ignore libarchive CVE-2024-26256 by @Smjert in #8546 • Fixes in windows helpers by @zwass in #8549 • Align ES functions with documented macOS versions by @SilverPlate3 in #8338 • Fix include path in logger-plugins.md by @zwass in #8550 • Fix integration test name in Windows build instructions by @zwass in #8552 • Fix event expiration to prevent losing events by @zwass in #8535 • Update

shell_history

table to include ash by @jbeley in #8568 • Fix dicker container table disk/write metrics, compares "op" values with ignore case by @Kislaci90 in #8566 • Escape service binary path in manage-osqueryd.ps1 by @smithclay in #8569 • Update

docker_container_stats

table to include memory_inactive_file and memory_total_inactive_file by @kfnorbi in #8577 • Add

auto_update

and

app_name

column to

homebrew_packages

table by @DocEmmetBrown in #8520 • Add support for scheduled queries to run at startup by @Micah-Kolide in #8554 • Boost 1.87 compatibility by @carlsmedstad in #8533 • Pin macos python versions in CI to fix mismatch between builder and test runner by @scottvanta in #8559 • cve: Ignore util-linux CVE-2024-28085 by @Smjert in #8579 • build(deps): bump jinja2 from 3.1.5 to 3.1.6 by @dependabot in #8563 • Fix SMC reading values by @sgress454 in #8583 • Fixes network metrics by @Kislaci90 in #8567 • Implement yara_events table for Windows by @zwass in #8580 • Fix flaky mdfind test in CI by @zwass in #8589 • libs: openssl: 3.2.1 -> 3.4.1 by @LeSuisse in #8586 • Add support for DEB822-style apt sources by @dantecatalfamo in #8556 • Add support for msix packages by @ksykulev in #8585 • Implement dns_lookup_events table on Windows by @zwass in #8553 • Added UpgradeCode to programs table by @ksykulev in #8587 • libs: expat bump from 2.6.0 to 2.7.1 by @LeSuisse in #8595 • Update ubuntu runners to 22.04 by @zwass in #8592 • Refactor ETW helpers for unicode support by @zwass in #8596 • Fix/startup items parsing by @AndreaMarangoni in #8536 • Filter the Win32_Processor query to only required fields by @jaymzjulian in #8598 ## New Contributors • @DocEmmetBrown made their first contribution in #8502 • @jbeley made their first contribution in #8568 • @Kislaci90 made their first contribution in #8566 • @smithclay made their first contribution in #8569 • @kfnorbi made their first contribution in #8577 • @scottvanta made their first contribution in #8559 • @LeSuisse made their first contribution in #8586 • @dantecatalfamo made their first contribution in #8556 • @jaymzjulian made their first contribution in #8598 Full Changelog: 5.16.0...5.17.0 osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/182672a0728f26fd20424b69ecad8d4c453c9dd0|182672a0>

- [Performance Analysis] print stderr if exists (#8600) osquery/osquery

👋 One question about this doc: https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/

Do not use arbitrary category names under the

exclude_paths

node; only valid names are allowed.

• Valid categories - Categories referenced under the

file_paths

node. In the above example config,

homes

,

etc

and

tmp

are valid categories.

Other than

homes

,

etc

and

tmp

, are there any other valid categories? can I exclude a path like

/var/logs

and call the category

var

Thought I would ask. In the middle of porting my MacAgent off Python and into Swift. Is there a Swift Framework or Library already built to easy import OSQ?

Hi everyone, I'm working on integrating Sentry logging into the Kolide Launcher to capture runtime errors. I’ve added the Sentry logic and initialized the SDK in

main.go

. When I run

./launcher

directly, everything works fine and events show up in Sentry. However, when I install the launcher using the

.pkg

installer, the launcher runs successfully (I can see the computer appear in Fleet), but no logs are sent to Sentry. Has anyone here tried adding Sentry or another logging service to the launcher? Any idea ? Thanks in advance!

Hello, Are there query packs available for IT compliance? For example, ISO 27001, SOC 2, CMMC, NIST CSF etc.

Some advice for a noob please. Have been looking at Kolide (now 1password device trust) and Fleet DM which both built on osquery. Is it worth starting by learning osquery from scratch as both leverage it? There seems to be overlap in them I realise they were both once the same company.

Hello all, I'm currently configuring osquery with Fleet. I'm trying to use both BPF events and the Audit subsystem together to get complete coverage. Here's a snippet of my current flags configuration:

command_line_flags:
  disable_audit: false
  enable_bpf_events: true
  disable_events=false
  enable_file_events: true

When I check the osquery_events table, I can see that the audit publisher is now active, but I'm not seeing file events being generated when files in the monitored paths are modified, whereas I could see the bpf_process_events and bpf_socket_events. My questions: 1. Can BPF events and Audit subsystem be used together effectively, or do they conflict? 2. Is there a preferred approach for comprehensive monitoring that includes both FIM and process/socket monitoring? 3. Are there specific configurations needed to ensure FIM works properly with these settings? 4. Should I be using a specific publisher for FIM (inotify vs audit vs BPF)? Any guidance would be greatly appreciated!

Hi all, I have a question related to

process_events

and the osqueryd. We have configured:

"non_https_network_connection": {
      "query":
 "SELECT p.pid, p.path, pr.path AS parent_process, p.cmdline,
se.local_port, se.remote_port, se.local_address, se.remote_address FROM
socket_events AS se INNER JOIN process_events AS p ON p.pid = se.pid
LEFT JOIN process_events AS pr ON pr.pid = p.parent WHERE
.........<rest of query>';",
      "interval": "60",
      "description": "."
    },

Now this work locally

osqueryi

and presents all the events. The problem is when we run this pack with the deamon only one event is returned every 60s, while you would suspect all the events to be returned of the last 60s. Are we missing something here. Is this an optimisation issue? happy to hear? Best regards.

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by Smjert

<https://github.com/osquery/osquery/commit/e085e11838d4f921827cf4754184a05ef2c6f654|e085e118>

- libs: Update googletest (#8604) osquery/osquery

Hi everyone! I'm Irena, the new Apprentice at Fleet. Super excited to connect with you all ☺️

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/7c357da94e7a56ee3805a668672b4191cb702ec1|7c357da9>

- Fix parsing of Windows shortcut (.lnk) files in file table (#8601) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/54b0739e8adf74c7ab3a127c822cb47838623630|54b0739e>

- Fix Prefetch table for Windows 11 (#8615) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/45411df1568a75901892fdf0119d817431fc34c1|45411df1>

- Update Windows runner version in hosted_runners.yml (#8618) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/eb72d1c5d8a2e78d277ce134e5bb7848614bb14e|eb72d1c5>

- libs: libarchive: 3.6.2 -> 3.7.9 (#8605) osquery/osquery

Hello! I am a PM working at Elastic and I am doing some researching in Osquery and see how we can improve our integration. Not sure it this is the right channel but there are some forensics artifacts that would be useful from a DFIR perspective to be queried like: AmCache, Jumplists, LNK files, etc. We saw that there was an attempt to get amcache but got rejected https://github.com/osquery/osquery/pull/7261. Did anyone face this before and found a way or a workaround to query this data? We are willing to support and contribute to the community but we would like to understand what are the limitations, blockers, etc.

Also we would like to understand and leverage the option of building our own extensions. Does osquery perform any checks on those extensions? If so, can someone list which are those checks and requirements? Like for example, to verify if the extensions are safe to use and do not contain any malware?

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by getvictor

<https://github.com/osquery/osquery/commit/85c8389a333843b2d17e6d00f59ead3344ff1906|85c8389a>

- Fix hardware UUID caching (#8616) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/5959e3d28066ae9db3c0f9a3c56a25f53a3b0b1c|5959e3d2>

- Add detection for ARM CPUs when running in x86 emulation (#8572) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/84587188bee2cca76110e693a5256692ef5bd722|84587188>

- Reduce log noise for

hash

table (#8626) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/df36e386e601e614e3aabb17e47fffbcef7a416f|df36e386>

- Fix SQL example syntax in SQL introduction docs (#8620) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/2e1a79d65842f572732c526eedc7e998a75548b2|2e1a79d6>

- Added jetbrains_plugins table (#8623) osquery/osquery

Sharing for exposure.... osquery on RPi running Linux is sad panda.

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/97f03d106064635ac83f8337ba848c9216f19a90|97f03d10>

- Add recent_files table on Windows (#8603) osquery/osquery

Release - 5.18.0 New release published by zwass ## What's Changed • [Performance Analysis] print stderr if exists by @lichao127 in #8600 • libs: Update googletest by @Smjert in #8604 • Fix parsing of Windows shortcut (.lnk) files in file table by @zwass in #8601 • Fix Prefetch table for Windows 11 by @zwass in #8615 • Update Windows runner version in hosted_runners.yml by @zwass in #8618 • libs: libarchive: 3.6.2 -> 3.7.9 by @LeSuisse in #8605 • Fix hardware UUID caching by @sgress454 in #8616 • Add detection for ARM CPUs when running in x86 emulation by @dantecatalfamo in #8572 • Reduce log noise for

hash

table by @lucasmrod in #8626 • Fix SQL example syntax in SQL introduction docs by @piotrgiedziun in #8620 • Added jetbrains_plugins table by @ksykulev in #8623 • Add recent_files table on Windows by @zwass in #8603 ## New Contributors • @piotrgiedziun made their first contribution in #8620 Full Changelog: 5.17.0...5.18.0 osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/12264c646c2a53fac8cf9fbbbf5b79b49d21ee85|12264c64>

- Upgrading zlib to 1.3.1 (#8625) osquery/osquery

Hey folks, osquery 5.18.0 is now in prerelease. Binaries are available on the release page. Please test and report any issues you find! Fleet will be pushing to our

edge

channel shortly.

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by lucasmrod

<https://github.com/osquery/osquery/commit/355b2adc45edeaaac37eca9d50b4d05d98e2ee3e|355b2adc>

- Revert "Update Windows runner version in hosted_runners.yml (#8618)" (#8633) osquery/osquery

Release - 5.18.1 New release published by zwass Revert "Update Windows runner version in hosted_runners.yml (#8618)" (#8633) osquery/osquery

5.18.1 binaries are now available for testing. This should resolve the Windows ARM issue.