https://github.com/osquery/osquery logo
Join Slack
Powered by
# general
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/73123f921402c933de9b2f84ebc5e28a148b91ff|73123f92>
    - Fix/startup items parsing (#8536) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/1ab05a6e4a21b8a6b6531ed45ecc4a748b47f5d1|1ab05a6e>
    - Filter the Win32_Processor query to only required fields (#8598) osquery/osquery
  • g
    Release - 5.17.0 New release published by zwass ## 5.17.0 Git Commits ## What's Changed • Add 
    CHANGELOG.md
    entry for 5.16.0 by @lucasmrod in #8548 • Add 
    symlink_target_path
    to 
    files
    tables by @DocEmmetBrown in #8502 • cve: Ignore libarchive CVE-2024-26256 by @Smjert in #8546 • Fixes in windows helpers by @zwass in #8549 • Align ES functions with documented macOS versions by @SilverPlate3 in #8338 • Fix include path in logger-plugins.md by @zwass in #8550 • Fix integration test name in Windows build instructions by @zwass in #8552 • Fix event expiration to prevent losing events by @zwass in #8535 • Update 
    shell_history
    table to include ash by @jbeley in #8568 • Fix dicker container table disk/write metrics, compares "op" values with ignore case by @Kislaci90 in #8566 • Escape service binary path in manage-osqueryd.ps1 by @smithclay in #8569 • Update 
    docker_container_stats
    table to include memory_inactive_file and memory_total_inactive_file by @kfnorbi in #8577 • Add 
    auto_update
    and 
    app_name
    column to 
    homebrew_packages
    table by @DocEmmetBrown in #8520 • Add support for scheduled queries to run at startup by @Micah-Kolide in #8554 • Boost 1.87 compatibility by @carlsmedstad in #8533 • Pin macos python versions in CI to fix mismatch between builder and test runner by @scottvanta in #8559 • cve: Ignore util-linux CVE-2024-28085 by @Smjert in #8579 • build(deps): bump jinja2 from 3.1.5 to 3.1.6 by @dependabot in #8563 • Fix SMC reading values by @sgress454 in #8583 • Fixes network metrics by @Kislaci90 in #8567 • Implement yara_events table for Windows by @zwass in #8580 • Fix flaky mdfind test in CI by @zwass in #8589 • libs: openssl: 3.2.1 -> 3.4.1 by @LeSuisse in #8586 • Add support for DEB822-style apt sources by @dantecatalfamo in #8556 • Add support for msix packages by @ksykulev in #8585 • Implement dns_lookup_events table on Windows by @zwass in #8553 • Added UpgradeCode to programs table by @ksykulev in #8587 • libs: expat bump from 2.6.0 to 2.7.1 by @LeSuisse in #8595 • Update ubuntu runners to 22.04 by @zwass in #8592 • Refactor ETW helpers for unicode support by @zwass in #8596 • Fix/startup items parsing by @AndreaMarangoni in #8536 • Filter the Win32_Processor query to only required fields by @jaymzjulian in #8598 ## New Contributors • @DocEmmetBrown made their first contribution in #8502@jbeley made their first contribution in #8568@Kislaci90 made their first contribution in #8566@smithclay made their first contribution in #8569@kfnorbi made their first contribution in #8577@scottvanta made their first contribution in #8559@LeSuisse made their first contribution in #8586@dantecatalfamo made their first contribution in #8556@jaymzjulian made their first contribution in #8598 Full Changelog: 5.16.0...5.17.0 osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/182672a0728f26fd20424b69ecad8d4c453c9dd0|182672a0>
    - [Performance Analysis] print stderr if exists (#8600) osquery/osquery
  • l
    👋 One question about this doc: https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
    Do not use arbitrary category names under the 
    exclude_paths
    node; only valid names are allowed.
    Valid categories - Categories referenced under the 
    file_paths
    node. In the above example config, 
    homes
    , 
    etc
    and 
    tmp
    are valid categories.
    Other than 
    homes
    , 
    etc
    and 
    tmp
    , are there any other valid categories? can I exclude a path like 
    /var/logs
    and call the category 
    var
  • k
    Thought I would ask. In the middle of porting my MacAgent off Python and into Swift. Is there a Swift Framework or Library already built to easy import OSQ?
    m
    • 2
    • 2
  • s
    Hi everyone, I'm working on integrating Sentry logging into the Kolide Launcher to capture runtime errors. I’ve added the Sentry logic and initialized the SDK in 
    main.go
    . When I run 
    ./launcher
    directly, everything works fine and events show up in Sentry. However, when I install the launcher using the 
    .pkg
    installer, the launcher runs successfully (I can see the computer appear in Fleet), but no logs are sent to Sentry. Has anyone here tried adding Sentry or another logging service to the launcher? Any idea ? Thanks in advance!
  • a
    Hello, Are there query packs available for IT compliance? For example, ISO 27001, SOC 2, CMMC, NIST CSF etc.
    k
    d
    • 3
    • 4
  • k
    Some advice for a noob please. Have been looking at Kolide (now 1password device trust) and Fleet DM which both built on osquery. Is it worth starting by learning osquery from scratch as both leverage it? There seems to be overlap in them I realise they were both once the same company.
    k
    d
    s
    • 4
    • 6
  • t
    Hello all, I'm currently configuring osquery with Fleet. I'm trying to use both BPF events and the Audit subsystem together to get complete coverage. Here's a snippet of my current flags configuration:
    Copy code
    command_line_flags:
  disable_audit: false
  enable_bpf_events: true
  disable_events=false
  enable_file_events: true
    When I check the osquery_events table, I can see that the audit publisher is now active, but I'm not seeing file events being generated when files in the monitored paths are modified, whereas I could see the bpf_process_events and bpf_socket_events. My questions: 1. Can BPF events and Audit subsystem be used together effectively, or do they conflict? 2. Is there a preferred approach for comprehensive monitoring that includes both FIM and process/socket monitoring? 3. Are there specific configurations needed to ensure FIM works properly with these settings? 4. Should I be using a specific publisher for FIM (inotify vs audit vs BPF)? Any guidance would be greatly appreciated!
  • i
    Hi all, I have a question related to 
    process_events
    and the osqueryd. We have configured:
    Copy code
    "non_https_network_connection": {
      "query":
 "SELECT p.pid, p.path, pr.path AS parent_process, p.cmdline,
se.local_port, se.remote_port, se.local_address, se.remote_address FROM
socket_events AS se INNER JOIN process_events AS p ON p.pid = se.pid
LEFT JOIN process_events AS pr ON pr.pid = p.parent WHERE
.........<rest of query>';",
      "interval": "60",
      "description": "."
    },
    Now this work locally 
    osqueryi
    and presents all the events. The problem is when we run this pack with the deamon only one event is returned every 60s, while you would suspect all the events to be returned of the last 60s. Are we missing something here. Is this an optimisation issue? happy to hear? Best regards.
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by Smjert 
    <https://github.com/osquery/osquery/commit/e085e11838d4f921827cf4754184a05ef2c6f654|e085e118>
    - libs: Update googletest (#8604) osquery/osquery
  • i
    Hi everyone! I'm Irena, the new Apprentice at Fleet. Super excited to connect with you all ☺️
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/7c357da94e7a56ee3805a668672b4191cb702ec1|7c357da9>
    - Fix parsing of Windows shortcut (.lnk) files in file table (#8601) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/54b0739e8adf74c7ab3a127c822cb47838623630|54b0739e>
    - Fix Prefetch table for Windows 11 (#8615) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/45411df1568a75901892fdf0119d817431fc34c1|45411df1>
    - Update Windows runner version in hosted_runners.yml (#8618) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/eb72d1c5d8a2e78d277ce134e5bb7848614bb14e|eb72d1c5>
    - libs: libarchive: 3.6.2 -> 3.7.9 (#8605) osquery/osquery
  • r
    Hello! I am a PM working at Elastic and I am doing some researching in Osquery and see how we can improve our integration. Not sure it this is the right channel but there are some forensics artifacts that would be useful from a DFIR perspective to be queried like: AmCache, Jumplists, LNK files, etc. We saw that there was an attempt to get amcache but got rejected https://github.com/osquery/osquery/pull/7261. Did anyone face this before and found a way or a workaround to query this data? We are willing to support and contribute to the community but we would like to understand what are the limitations, blockers, etc.
    m
    • 2
    • 2
  • r
    Also we would like to understand and leverage the option of building our own extensions. Does osquery perform any checks on those extensions? If so, can someone list which are those checks and requirements? Like for example, to verify if the extensions are safe to use and do not contain any malware?
    c
    s
    • 3
    • 3
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by getvictor 
    <https://github.com/osquery/osquery/commit/85c8389a333843b2d17e6d00f59ead3344ff1906|85c8389a>
    - Fix hardware UUID caching (#8616) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/5959e3d28066ae9db3c0f9a3c56a25f53a3b0b1c|5959e3d2>
    - Add detection for ARM CPUs when running in x86 emulation (#8572) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/84587188bee2cca76110e693a5256692ef5bd722|84587188>
    - Reduce log noise for 
    hash
    table (#8626) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/df36e386e601e614e3aabb17e47fffbcef7a416f|df36e386>
    - Fix SQL example syntax in SQL introduction docs (#8620) osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/2e1a79d65842f572732c526eedc7e998a75548b2|2e1a79d6>
    - Added jetbrains_plugins table (#8623) osquery/osquery
  • s
    Sharing for exposure.... osquery on RPi running Linux is sad panda.
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/97f03d106064635ac83f8337ba848c9216f19a90|97f03d10>
    - Add recent_files table on Windows (#8603) osquery/osquery
  • g
    Release - 5.18.0 New release published by zwass ## What's Changed • [Performance Analysis] print stderr if exists by @lichao127 in #8600 • libs: Update googletest by @Smjert in #8604 • Fix parsing of Windows shortcut (.lnk) files in file table by @zwass in #8601 • Fix Prefetch table for Windows 11 by @zwass in #8615 • Update Windows runner version in hosted_runners.yml by @zwass in #8618 • libs: libarchive: 3.6.2 -> 3.7.9 by @LeSuisse in #8605 • Fix hardware UUID caching by @sgress454 in #8616 • Add detection for ARM CPUs when running in x86 emulation by @dantecatalfamo in #8572 • Reduce log noise for 
    hash
    table by @lucasmrod in #8626 • Fix SQL example syntax in SQL introduction docs by @piotrgiedziun in #8620 • Added jetbrains_plugins table by @ksykulev in #8623 • Add recent_files table on Windows by @zwass in #8603 ## New Contributors • @piotrgiedziun made their first contribution in #8620 Full Changelog: 5.17.0...5.18.0 osquery/osquery
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass 
    <https://github.com/osquery/osquery/commit/12264c646c2a53fac8cf9fbbbf5b79b49d21ee85|12264c64>
    - Upgrading zlib to 1.3.1 (#8625) osquery/osquery
    l
    • 2
    • 1
  • z
    Hey folks, osquery 5.18.0 is now in prerelease. Binaries are available on the release page. Please test and report any issues you find! Fleet will be pushing to our 
    edge
    channel shortly.
  • g
    1 new commit pushed to 
    <https://github.com/osquery/osquery/tree/master|master>
    by lucasmrod 
    <https://github.com/osquery/osquery/commit/355b2adc45edeaaac37eca9d50b4d05d98e2ee3e|355b2adc>
    - Revert "Update Windows runner version in hosted_runners.yml (#8618)" (#8633) osquery/osquery