Merge pull request #566 from jmpsec/osquery-5.14.1

Support for osquery 5.14.1

.env.example

@@ -1,5 +1,5 @@
 OSCTRL_VERSION=0.4.1
-OSQUERY_VERSION=5.13.1
+OSQUERY_VERSION=5.14.1
 NGINX_VERSION=1.21.6-alpine
 POSTGRES_VERSION=13.5-alpine
 POSTGRES_DB_NAME=osctrl

.github/workflows/build_and_test_main_merge.yml

@@ -7,7 +7,7 @@ on:
 
 env:
   GOLANG_VERSION: 1.23.0
-  OSQUERY_VERSION: 5.13.1
+  OSQUERY_VERSION: 5.14.1
 
 jobs:
   build_and_test:

.github/workflows/build_and_test_pr.yml

@@ -4,7 +4,7 @@ on: [push, pull_request]
 
 env:
   GOLANG_VERSION: 1.23.0
-  OSQUERY_VERSION: 5.13.1
+  OSQUERY_VERSION: 5.14.1
 
 jobs:
   build_and_test:

.github/workflows/create_tagged_releases.yml

@@ -8,7 +8,7 @@ on:
 
 env:
   GOLANG_VERSION: 1.23.0
-  OSQUERY_VERSION: 5.13.1
+  OSQUERY_VERSION: 5.14.1
 
 jobs:
   build_and_test:

deploy/cicd/deb/generate-deb-package.sh

@@ -5,7 +5,7 @@ set -e
 OSCTRL_USER="${VARIABLE:-osctrl}"
 OSCTRL_GROUP="${VARIABLE:-osctrl}"
 WORKING_DIR="${VARIABLE:-/etc/osctrl}"
-OSQUERY_VESION="${VARIABLE:-5.13.1}"
+OSQUERY_VESION="${VARIABLE:-5.14.1}"
 OSCTRL_VERSION="${VARIABLE:-0.0.0}"
 
 ###################################### Init DEB contents ######################################

deploy/docker/conf/dev/.env.example

@@ -1,5 +1,5 @@
 OSCTRL_VERSION=0.4.1
-OSQUERY_VERSION=5.13.1
+OSQUERY_VERSION=5.14.1
 NGINX_VERSION=1.21.6-alpine
 POSTGRES_VERSION=13.5-alpine
 POSTGRES_DB_NAME=osctrl

deploy/osquery/data/5.13.1.json → deploy/osquery/data/5.14.1.json

@@ -166,7 +166,7 @@
     "columns":[
       {
         "name":"allow_signed_enabled",
-        "description":"1 If allow signed mode is enabled else 0",
+        "description":"1 If allow signed mode is enabled else 0 (not supported on macOS 15+)",
         "type":"integer",
         "notes":"",
         "hidden":false,
@@ -175,7 +175,7 @@
       },
       {
         "name":"firewall_unload",
-        "description":"1 If firewall unloading enabled else 0",
+        "description":"1 If firewall unloading enabled else 0 (not supported on macOS 15+)",
         "type":"integer",
         "notes":"",
         "hidden":false,
@@ -202,7 +202,7 @@
       },
       {
         "name":"logging_option",
-        "description":"Firewall logging option",
+        "description":"Firewall logging option (not supported on macOS 15+)",
         "type":"integer",
         "notes":"",
         "hidden":false,
@@ -243,7 +243,7 @@
     "columns":[
       {
         "name":"path",
-        "description":"Path to the executable that is excepted",
+        "description":"Path to the executable that is excepted. On macOS 15+ this can also be a bundle identifier",
         "type":"text",
         "notes":"",
         "hidden":false,
@@ -252,7 +252,7 @@
       },
       {
         "name":"state",
-        "description":"Firewall exception state",
+        "description":"Firewall exception state. 0 if the application is configured to allow incoming connections, 2 if the application is configured to block incoming connections and 3 if the application is configuted to allow incoming connections but with additional restrictions.",
         "type":"integer",
         "notes":"",
         "hidden":false,
@@ -263,7 +263,7 @@
   },
   {
     "name":"alf_explicit_auths",
-    "description":"ALF services explicitly allowed to perform networking.",
+    "description":"ALF services explicitly allowed to perform networking. Not supported on macOS 15+ (returns no results).",
     "url":"https://github.com/osquery/osquery/blob/master/specs/darwin/alf_explicit_auths.table",
     "platforms":[
       "darwin"
@@ -5744,6 +5744,83 @@
       }
     ]
   },
+  {
+    "name":"deviceguard_status",
+    "description":"Retrieve DeviceGuard info of the machine.",
+    "url":"https://github.com/osquery/osquery/blob/master/specs/windows/deviceguard_status.table",
+    "platforms":[
+      "windows"
+    ],
+    "evented":false,
+    "cacheable":false,
+    "notes":"",
+    "examples":[],
+    "columns":[
+      {
+        "name":"version",
+        "description":"The version number of the Device Guard build.",
+        "type":"text",
+        "notes":"",
+        "hidden":false,
+        "required":false,
+        "index":false
+      },
+      {
+        "name":"instance_identifier",
+        "description":"The instance ID of Device Guard.",
+        "type":"text",
+        "notes":"",
+        "hidden":false,
+        "required":false,
+        "index":false
+      },
+      {
+        "name":"vbs_status",
+        "description":"The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered.",
+        "type":"text",
+        "notes":"",
+        "hidden":false,
+        "required":false,
+        "index":false
+      },
+      {
+        "name":"code_integrity_policy_enforcement_status",
+        "description":"The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered.",
+        "type":"text",
+        "notes":"",
+        "hidden":false,
+        "required":false,
+        "index":false
+      },
+      {
+        "name":"configured_security_services",
+        "description":"The list of configured Device Guard services. Returns UNKNOWN if an error is encountered.",
+        "type":"text",
+        "notes":"",
+        "hidden":false,
+        "required":false,
+        "index":false
+      },
+      {
+        "name":"running_security_services",
+        "description":"The list of running Device Guard services. Returns UNKNOWN if an error is encountered.",
+        "type":"text",
+        "notes":"",
+        "hidden":false,
+        "required":false,
+        "index":false
+      },
+      {
+        "name":"umci_policy_status",
+        "description":"The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered.",
+        "type":"text",
+        "notes":"",
+        "hidden":false,
+        "required":false,
+        "index":false
+      }
+    ]
+  },
   {
     "name":"disk_encryption",
     "description":"Disk encryption status and information.",
@@ -10430,65 +10507,6 @@
       }
     ]
   },
-  {
-    "name":"hvci_status",
-    "description":"Retrieve HVCI info of the machine.",
-    "url":"https://github.com/osquery/osquery/blob/master/specs/windows/hvci_status.table",
-    "platforms":[
-      "windows"
-    ],
-    "evented":false,
-    "cacheable":false,
-    "notes":"",
-    "examples":[],
-    "columns":[
-      {
-        "name":"version",
-        "description":"The version number of the Device Guard build.",
-        "type":"text",
-        "notes":"",
-        "hidden":false,
-        "required":false,
-        "index":false
-      },
-      {
-        "name":"instance_identifier",
-        "description":"The instance ID of Device Guard.",
-        "type":"text",
-        "notes":"",
-        "hidden":false,
-        "required":false,
-        "index":false
-      },
-      {
-        "name":"vbs_status",
-        "description":"The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered.",
-        "type":"text",
-        "notes":"",
-        "hidden":false,
-        "required":false,
-        "index":false
-      },
-      {
-        "name":"code_integrity_policy_enforcement_status",
-        "description":"The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered.",
-        "type":"text",
-        "notes":"",
-        "hidden":false,
-        "required":false,
-        "index":false
-      },
-      {
-        "name":"umci_policy_status",
-        "description":"The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered.",
-        "type":"text",
-        "notes":"",
-        "hidden":false,
-        "required":false,
-        "index":false
-      }
-    ]
-  },
   {
     "name":"ibridge_info",
     "description":"Information about the Apple iBridge hardware controller.",
@@ -20644,33 +20662,6 @@
         "required":false,
         "index":false
       },
-      {
-        "name":"update_url",
-        "description":"Extension-supplied update URI",
-        "type":"text",
-        "notes":"",
-        "hidden":false,
-        "required":false,
-        "index":false
-      },
-      {
-        "name":"author",
-        "description":"Optional extension author",
-        "type":"text",
-        "notes":"",
-        "hidden":false,
-        "required":false,
-        "index":false
-      },
-      {
-        "name":"developer_id",
-        "description":"Optional developer identifier",
-        "type":"text",
-        "notes":"",
-        "hidden":false,
-        "required":false,
-        "index":false
-      },
       {
         "name":"description",
         "description":"Optional extension description text",
@@ -20682,7 +20673,7 @@
       },
       {
         "name":"path",
-        "description":"Path to extension XAR bundle",
+        "description":"Path to the Info.plist describing the extension",
         "type":"text",
         "notes":"",
         "hidden":false,
@@ -20706,15 +20697,6 @@
         "hidden":false,
         "required":false,
         "index":false
-      },
-      {
-        "name":"extension_type",
-        "description":"Extension Type: WebOrAppExtension or LegacyExtension",
-        "type":"text",
-        "notes":"",
-        "hidden":false,
-        "required":false,
-        "index":false
       }
     ]
   },
@@ -24031,6 +24013,15 @@
         "required":false,
         "index":false
       },
+      {
+        "name":"timestamp_double",
+        "description":"floating point timestamp associated with the entry",
+        "type":"text",
+        "notes":"",
+        "hidden":false,
+        "required":false,
+        "index":false
+      },
       {
         "name":"storage",
         "description":"the storage category for the entry",

deploy/provision.sh

@@ -172,7 +172,7 @@ BRANCH="main"
 SOURCE_PATH=~/osctrl
 DEST_PATH=/opt/osctrl
 ALL_HOST="127.0.0.1"
-OSQUERY_VERSION="5.13.1"
+OSQUERY_VERSION="5.14.1"
 
 # Backend values
 _DB_HOST="localhost"

tools/README.md

@@ -94,7 +94,7 @@ Options:
   -v          Enable verbose mode with 'set -x'
 
 Example:
-  ./tools/build-osctrl-deb.sh -i osquery_5.13.1-1.linux.amd64.deb -o osquery-osctrl_5.13.1-1_amd64.deb"
+  ./tools/build-osctrl-deb.sh -i osquery_5.14.1-1.linux.amd64.deb -o osquery-osctrl_5.14.1-1_amd64.deb"
 
 ```
 
@@ -118,6 +118,6 @@ Options:
   -v          Enable verbose mode with 'set -x'
 
 Example:
-  ./build-osctrl-pkg.sh -i osquery_5.13.1.pkg -o osquery-osctrl_5.13.1.pkg
+  ./build-osctrl-pkg.sh -i osquery_5.14.1.pkg -o osquery-osctrl_5.14.1.pkg
 
 ```

tools/build-osctrl-deb.sh

@@ -19,7 +19,7 @@ function usage() {
   echo "  -v          Enable verbose mode with 'set -x'"
   echo
   echo "Example:"
-  echo "  $0 -i osquery_5.13.1-1.linux.amd64.deb -o osquery-osctrl_5.13.1-1_amd64.deb"
+  echo "  $0 -i osquery_5.14.1-1.linux.amd64.deb -o osquery-osctrl_5.14.1-1_amd64.deb"
 }
 
 # Stop script on error

tools/build-osctrl-pkg.sh

@@ -19,7 +19,7 @@ function usage() {
   echo "  -v          Enable verbose mode with 'set -x'"
   echo
   echo "Example:"
-  echo "  $0 -i osquery_5.13.1.pkg -o osquery-osctrl_5.13.1.pkg"
+  echo "  $0 -i osquery_5.14.1.pkg -o osquery-osctrl_5.14.1.pkg"
 }
 
 # Stop script on error

version/version.go

@@ -4,5 +4,5 @@ const (
 	// OsctrlVersion to have the version for all components
 	OsctrlVersion = "0.4.1"
 	// OsqueryVersion to have the version for osquery defined
-	OsqueryVersion = "5.13.1"
+	OsqueryVersion = "5.14.1"
 )

version/version_test.go

@@ -7,7 +7,7 @@ import (
 )
 
 func TestOsqueryVersion(t *testing.T) {
-	assert.Equal(t, "5.13.1", OsqueryVersion)
+	assert.Equal(t, "5.14.1", OsqueryVersion)
 }
 
 func TestOsctrlVersion(t *testing.T) {