Maybe found my error. This is what I find hard about cmake. It’s a lot of the same boilerplate over and over again, and very easy to miss something.

5.8.1 Binaries are up for testing at https://github.com/osquery/osquery/releases/tag/5.8.1

Hello, is there something special that needs to be done in order for the extension on windows to run not just from within osqueryi.exe but also when called externally? When I run select from within osqueryi.exe, data is returned properly. When I run it from outside, it fails every single time: C:\Program Files\osquery>osqueryi.exe "SELECT * from rsop_policysetting;" Error: Extension socket not available: \\.\pipe\shell.em2243.17173

I know OSquery can get info/diffs of the Harddrives or PCI Devices infividually but does anyone know if theres be a way to get the entire Windows Hardware Hash or something similar for a windows system

Hrm. Some reports from 5.8.1 are the linux file_events are producing empty results.

"diffResults": {
        "removed": [],
        "added": []
    },

This looks to be coming off a fairly mundane looking:

"queries": {
        "file_events_linux": {
          "query": "SELECT * FROM file_events;",
          "removed": true,
          "version": "",
          "interval": 300,
          "platform": "linux",
          "description": ""
        }

Hrm. I wonder about https://github.com/osquery/osquery/pull/7803

I’m cutting 5.8.2, which has fixes for two bugs people found in 5.8.1

https://github.com/osquery/osquery/releases/tag/5.8.2 exists. @Marcos Oviedo @Brad Girardeau This mostly has your fixes;

5.8.2 is stable. 🔨

Anyone around who can thumb https://github.com/osquery/osquery-codesign/pull/40/files ?

My osquery status is online but Last fetched about 5 hours ago

everyone, please help me debug

Hello, when installing osquery on windows server 2022, the installing user can see it in Programs and Features, while others cannot.

my osquery stop long time and now start again. But I see many old tasks of scheduler run. How to remove/clean old task list?

please help

@seph do you have a changelog in progress for 5.8.2?

I do now! https://github.com/osquery/osquery/pull/7986

Hi Everyone 👋 , I'm working on my first osquery table

windows_search

that uses the windows search API, similar to the darwin mdfind table. I'm considering adding in support for specifying the item attribute names in the search. Since the attributes can be dynamic I would need to use and EAV style table so it might look something like this:

osquery> SELECT * FROM windows_search WHERE attributes = 'system.itempathdisplay,system.size' AND query = 'scope=''file:C:\Users\james\Pictures\Screenshots''';
+---------+------------------------+-------------------------------------------+-------------------------------------------------+
| entity | attribute              | value                                     | query                                            |
+--------+------------------------+-------------------------------------------+--------------------------------------------------+
| 0      | system.itempathdisplay | C:\Users\james\Pictures\Screenshots\0.png | scope='file:C:\Users\james\Pictures\Screenshots' |
| 0      | system.size            | 100000000                                 | scope='file:C:\Users\james\Pictures\Screenshots' |
| 1      | system.itempathdisplay | C:\Users\james\Pictures\Screenshots\1.png | scope='file:C:\Users\james\Pictures\Screenshots' |
| 1      | system.size            | 100000000                                 | scope='file:C:\Users\james\Pictures\Screenshots' |
+--------+------------------------+-------------------------------------------+--------------------------------------------------+

what do yall think?

On the openssl side, I did not check earlier, but we cannot upgrade it yet because there's no 1.1.1 release after the one we already have. Something else related is that the 1.x line will be deprecated this September, and osquery has to move to 3.x by then.

Thumbs for https://github.com/osquery/osquery-site/pull/277

Hey folks, may I propose we give @Marcos Oviedo commit access to the osquery and website repos? He's been doing quite a bit of development and review of Windows-related and other work.

Big oof. Sounds like my digicert cert expired. I think we are still using it for windows installs yeah? I’ll try and get on renewal asap.

I want to float the idea of including a

json

table in core osquery. We already have a

plist

table (https://osquery.io/schema/5.8.2/#plist) that I think has a similar level of privacy concern to what a

json

table would have. Thoughts?

Hello, can powershell be used to create/update osquery tables?

Yo just an FYI, I have the new windows code signing cert, working on getting it updated tonight, but just in case - please don't tag any new releases until it's in place :3

I should have it all fixed up in the next day or two. Hoping to have it done tonight, but just in case it doesn't work out >.>

Er nvm! That went a lot smoother than I remembered 🙂 The Windows code signing cert should be good to go

I watched the office hours, wanted to comment about the how the DEB and RPM repo work. So, at the base a DEB or RPM repo is just a tree of files exposed via HTTP (or FTP). There are some metadata files that list which files are present and where they are, plus optionally signing information. These are all things that could theoretically be done by a chain of other commands, so it doesn’t necessarily need a specific tool. There are text files, gzipped files, xml (maybe the most annoying), etc. Nonetheless as a helper to build the repo for DEB we use

freight

https://github.com/freight-team/freight and for RPM the more official

createrepo_c

https://github.com/rpm-software-management/createrepo_c

freight

does not seem to be developed anymore; I’m not sure if this is an issue right now. I think it was chosen mainly because with a command you tell it to add a new package file to the repo and it does everything for you, including signing the metadata of the repo (not the packages); this is configured in

freight.deb.conf

For RPM we use

createrepo_c

as mentioned before, which does something similar.

At Kolide, I’m starting to think about some updates to

osquery-go

. But as a project we have very few go people in our committers list. (I think probably just @zwass and I). How do people feel about creating a go-committers, and adding some folks? I could nominate someone from Kolide, maybe there’s a Fleet person, and maybe there are some people from the broader community around