From d6cecdf1ef09176828a7b3be6990a8d35f2e5606 Mon Sep 17 00:00:00 2001
From: Javier Marcos <1271349+javuto@users.noreply.github.com>
Date: Sun, 10 Nov 2024 16:23:38 +0100
Subject: [PATCH] Support for osquery 5.14.1

---
 .env.example | 2 +-
 .../workflows/build_and_test_main_merge.yml | 2 +-
 .github/workflows/build_and_test_pr.yml | 2 +-
 .github/workflows/create_tagged_releases.yml | 2 +-
 deploy/cicd/deb/generate-deb-package.sh | 2 +-
 deploy/docker/conf/dev/.env.example | 2 +-
 .../osquery/data/{5.13.1.json => 5.14.1.json} | 195 +++++++++---------
 deploy/provision.sh | 2 +-
 tools/README.md | 4 +-
 tools/build-osctrl-deb.sh | 2 +-
 tools/build-osctrl-pkg.sh | 2 +-
 version/version.go | 2 +-
 version/version_test.go | 2 +-
 13 files changed, 106 insertions(+), 115 deletions(-)
 rename deploy/osquery/data/{5.13.1.json => 5.14.1.json} (99%)

diff --git a/.env.example b/.env.example
index e6c39d9e..706bf1b3 100644
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,5 @@
 OSCTRL_VERSION=0.4.1
-OSQUERY_VERSION=5.13.1
+OSQUERY_VERSION=5.14.1
 NGINX_VERSION=1.21.6-alpine
 POSTGRES_VERSION=13.5-alpine
 POSTGRES_DB_NAME=osctrl
diff --git a/.github/workflows/build_and_test_main_merge.yml b/.github/workflows/build_and_test_main_merge.yml
index 1de0d3e9..d73c3702 100644
--- a/.github/workflows/build_and_test_main_merge.yml
+++ b/.github/workflows/build_and_test_main_merge.yml
@@ -7,7 +7,7 @@ on:
 
 env:
   GOLANG_VERSION: 1.23.0
-  OSQUERY_VERSION: 5.13.1
+  OSQUERY_VERSION: 5.14.1
 
 jobs:
   build_and_test:
diff --git a/.github/workflows/build_and_test_pr.yml b/.github/workflows/build_and_test_pr.yml
index 2bb5f275..04c1df3d 100644
--- a/.github/workflows/build_and_test_pr.yml
+++ b/.github/workflows/build_and_test_pr.yml
@@ -4,7 +4,7 @@ on: [push, pull_request]
 
 env:
   GOLANG_VERSION: 1.23.0
-  OSQUERY_VERSION: 5.13.1
+  OSQUERY_VERSION: 5.14.1
 
 jobs:
   build_and_test:
diff --git a/.github/workflows/create_tagged_releases.yml b/.github/workflows/create_tagged_releases.yml
index 5a2973c2..51af948c 100644
--- a/.github/workflows/create_tagged_releases.yml
+++ b/.github/workflows/create_tagged_releases.yml
@@ -8,7 +8,7 @@ on:
 
 env:
   GOLANG_VERSION: 1.23.0
-  OSQUERY_VERSION: 5.13.1
+  OSQUERY_VERSION: 5.14.1
 
 jobs:
   build_and_test:
diff --git a/deploy/cicd/deb/generate-deb-package.sh b/deploy/cicd/deb/generate-deb-package.sh
index 6bf004ea..63defd72 100755
--- a/deploy/cicd/deb/generate-deb-package.sh
+++ b/deploy/cicd/deb/generate-deb-package.sh
@@ -5,7 +5,7 @@ set -e
 OSCTRL_USER="${VARIABLE:-osctrl}"
 OSCTRL_GROUP="${VARIABLE:-osctrl}"
 WORKING_DIR="${VARIABLE:-/etc/osctrl}"
-OSQUERY_VESION="${VARIABLE:-5.13.1}"
+OSQUERY_VESION="${VARIABLE:-5.14.1}"
 OSCTRL_VERSION="${VARIABLE:-0.0.0}"
 
 ###################################### Init DEB contents ######################################
diff --git a/deploy/docker/conf/dev/.env.example b/deploy/docker/conf/dev/.env.example
index 219ba48c..f4553f2d 100644
--- a/deploy/docker/conf/dev/.env.example
+++ b/deploy/docker/conf/dev/.env.example
@@ -1,5 +1,5 @@
 OSCTRL_VERSION=0.4.1
-OSQUERY_VERSION=5.13.1
+OSQUERY_VERSION=5.14.1
 NGINX_VERSION=1.21.6-alpine
 POSTGRES_VERSION=13.5-alpine
 POSTGRES_DB_NAME=osctrl
diff --git a/deploy/osquery/data/5.13.1.json b/deploy/osquery/data/5.14.1.json
similarity index 99%
rename from deploy/osquery/data/5.13.1.json
rename to deploy/osquery/data/5.14.1.json
index e72c094f..7c2d2a73 100644
--- a/deploy/osquery/data/5.13.1.json
+++ b/deploy/osquery/data/5.14.1.json
@@ -166,7 +166,7 @@
 "columns":[
 {
 "name":"allow_signed_enabled",
-"description":"1 If allow signed mode is enabled else 0",
+"description":"1 If allow signed mode is enabled else 0 (not supported on macOS 15+)",
 "type":"integer",
 "notes":"",
 "hidden":false,
@@ -175,7 +175,7 @@
 },
 {
 "name":"firewall_unload",
-"description":"1 If firewall unloading enabled else 0",
+"description":"1 If firewall unloading enabled else 0 (not supported on macOS 15+)",
 "type":"integer",
 "notes":"",
 "hidden":false,
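Review bot: The bumped line `OSQUERY_VESION="${VARIABLE:-5.14.1}"` in generate-deb-package.sh takes its override from `$VARIABLE` instead of a variable of its own, so the osquery version cannot actually be overridden from the environment as the `${…:-default}` form suggests, and if `VARIABLE` is ever exported in the build environment this and the four neighbouring assignments (user, group, working dir, osctrl version) all silently take that same value in the produced package. The name is also misspelled (`VESION`). Suggested form: `OSQUERY_VERSION="${OSQUERY_VERSION:-5.14.1}"`, with the sibling lines changed the same way (`"${OSCTRL_USER:-osctrl}"` etc.), and every later use of `OSQUERY_VESION` renamed to match. The remainder of the script is outside the hunk, so I cannot confirm where `OSQUERY_VESION` is consumed.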
@@ -202,7 +202,7 @@
 },
 {
 "name":"logging_option",
-"description":"Firewall logging option",
+"description":"Firewall logging option (not supported on macOS 15+)",
 "type":"integer",
 "notes":"",
 "hidden":false,
@@ -243,7 +243,7 @@
 "columns":[
 {
 "name":"path",
-"description":"Path to the executable that is excepted",
+"description":"Path to the executable that is excepted. On macOS 15+ this can also be a bundle identifier",
 "type":"text",
 "notes":"",
 "hidden":false,
@@ -252,7 +252,7 @@
 },
 {
 "name":"state",
-"description":"Firewall exception state",
+"description":"Firewall exception state. 0 if the application is configured to allow incoming connections, 2 if the application is configured to block incoming connections and 3 if the application is configuted to allow incoming connections but with additional restrictions.",
 "type":"integer",
 "notes":"",
 "hidden":false,
@@ -263,7 +263,7 @@
 },
 {
 "name":"alf_explicit_auths",
-"description":"ALF services explicitly allowed to perform networking.",
+"description":"ALF services explicitly allowed to perform networking. Not supported on macOS 15+ (returns no results).",
 "url":"https://github.com/osquery/osquery/blob/master/specs/darwin/alf_explicit_auths.table",
 "platforms":[
 "darwin"
@@ -5744,6 +5744,83 @@
 }
 ]
 },
+{
+"name":"deviceguard_status",
+"description":"Retrieve DeviceGuard info of the machine.",
+"url":"https://github.com/osquery/osquery/blob/master/specs/windows/deviceguard_status.table",
+"platforms":[
+"windows"
+],
+"evented":false,
+"cacheable":false,
+"notes":"",
+"examples":[],
+"columns":[
+{
+"name":"version",
+"description":"The version number of the Device Guard build.",
+"type":"text",
+"notes":"",
+"hidden":false,
+"required":false,
+"index":false
+},
+{
+"name":"instance_identifier",
+"description":"The instance ID of Device Guard.",
+"type":"text",
+"notes":"",
+"hidden":false,
+"required":false,
+"index":false
+},
+{
+"name":"vbs_status",
+"description":"The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered.",
+"type":"text",
+"notes":"",
+"hidden":false,
+"required":false,
+"index":false
+},
+{
+"name":"code_integrity_policy_enforcement_status",
+"description":"The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered.",
+"type":"text",
+"notes":"",
+"hidden":false,
+"required":false,
+"index":false
+},
+{
+"name":"configured_security_services",
+"description":"The list of configured Device Guard services. Returns UNKNOWN if an error is encountered.",
+"type":"text",
+"notes":"",
+"hidden":false,
+"required":false,
+"index":false
+},
+{
+"name":"running_security_services",
+"description":"The list of running Device Guard services. Returns UNKNOWN if an error is encountered.",
+"type":"text",
+"notes":"",
+"hidden":false,
+"required":false,
+"index":false
+},
+{
+"name":"umci_policy_status",
+"description":"The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered.",
+"type":"text",
+"notes":"",
+"hidden":false,
+"required":false,
+"index":false
+}
+]
+},
 {
 "name":"disk_encryption",
 "description":"Disk encryption status and information.",
@@ -10430,65 +10507,6 @@
 }
 ]
 },
-{
-"name":"hvci_status",
-"description":"Retrieve HVCI info of the machine.",
-"url":"https://github.com/osquery/osquery/blob/master/specs/windows/hvci_status.table",
-"platforms":[
-"windows"
-],
-"evented":false,
-"cacheable":false,
-"notes":"",
-"examples":[],
-"columns":[
-{
-"name":"version",
-"description":"The version number of the Device Guard build.",
-"type":"text",
-"notes":"",
-"hidden":false,
-"required":false,
-"index":false
-},
-{
-"name":"instance_identifier",
-"description":"The instance ID of Device Guard.",
-"type":"text",
-"notes":"",
-"hidden":false,
-"required":false,
-"index":false
-},
-{
-"name":"vbs_status",
-"description":"The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered.",
-"type":"text",
-"notes":"",
-"hidden":false,
-"required":false,
-"index":false
-},
-{
-"name":"code_integrity_policy_enforcement_status",
-"description":"The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered.",
-"type":"text",
-"notes":"",
-"hidden":false,
-"required":false,
-"index":false
-},
-{
-"name":"umci_policy_status",
-"description":"The status of the User Mode Code Integrity security settings. Returns UNKNOWN if an error is encountered.",
-"type":"text",
-"notes":"",
-"hidden":false,
-"required":false,
-"index":false
-}
-]
-},
 {
 "name":"ibridge_info",
 "description":"Information about the Apple iBridge hardware controller.",
@@ -20644,33 +20662,6 @@
 "required":false,
 "index":false
 },
-{
-"name":"update_url",
-"description":"Extension-supplied update URI",
-"type":"text",
-"notes":"",
-"hidden":false,
-"required":false,
-"index":false
-},
-{
-"name":"author",
-"description":"Optional extension author",
-"type":"text",
-"notes":"",
-"hidden":false,
-"required":false,
-"index":false
-},
-{
-"name":"developer_id",
-"description":"Optional developer identifier",
-"type":"text",
-"notes":"",
-"hidden":false,
-"required":false,
-"index":false
-},
 {
 "name":"description",
 "description":"Optional extension description text",
@@ -20682,7 +20673,7 @@
 },
 {
 "name":"path",
-"description":"Path to extension XAR bundle",
+"description":"Path to the Info.plist describing the extension",
 "type":"text",
 "notes":"",
 "hidden":false,
@@ -20706,15 +20697,6 @@
 "hidden":false,
 "required":false,
 "index":false
-},
-{
-"name":"extension_type",
-"description":"Extension Type: WebOrAppExtension or LegacyExtension",
-"type":"text",
-"notes":"",
-"hidden":false,
-"required":false,
-"index":false
 }
 ]
 },
@@ -24031,6 +24013,15 @@
 "required":false,
 "index":false
 },
+{
+"name":"timestamp_double",
+"description":"floating point timestamp associated with the entry",
+"type":"text",
+"notes":"",
+"hidden":false,
+"required":false,
+"index":false
+},
 {
 "name":"storage",
 "description":"the storage category for the entry",
diff --git a/deploy/provision.sh b/deploy/provision.sh
index c3fa490d..9320c445 100755
--- a/deploy/provision.sh
+++ b/deploy/provision.sh
@@ -172,7 +172,7 @@ BRANCH="main"
 SOURCE_PATH=~/osctrl
 DEST_PATH=/opt/osctrl
 ALL_HOST="127.0.0.1"
-OSQUERY_VERSION="5.13.1"
+OSQUERY_VERSION="5.14.1"
 
 # Backend values
 _DB_HOST="localhost"
diff --git a/tools/README.md b/tools/README.md
index ea75adca..2c94f3ae 100644
--- a/tools/README.md
+++ b/tools/README.md
@@ -94,7 +94,7 @@ Options:
   -v Enable verbose mode with 'set -x'
 
 Example:
-  ./tools/build-osctrl-deb.sh -i osquery_5.13.1-1.linux.amd64.deb -o osquery-osctrl_5.13.1-1_amd64.deb"
+  ./tools/build-osctrl-deb.sh -i osquery_5.14.1-1.linux.amd64.deb -o osquery-osctrl_5.14.1-1_amd64.deb"
 
 ```
 
@@ -118,6 +118,6 @@ Options:
   -v Enable verbose mode with 'set -x'
 
 Example:
-  ./build-osctrl-pkg.sh -i osquery_5.13.1.pkg -o osquery-osctrl_5.13.1.pkg
+  ./build-osctrl-pkg.sh -i osquery_5.14.1.pkg -o osquery-osctrl_5.14.1.pkg
 
 ```
diff --git a/tools/build-osctrl-deb.sh b/tools/build-osctrl-deb.sh
index 120fa15c..924aabbc 100755
--- a/tools/build-osctrl-deb.sh
+++ b/tools/build-osctrl-deb.sh
@@ -19,7 +19,7 @@ function usage() {
   echo " -v Enable verbose mode with 'set -x'"
   echo
   echo "Example:"
-  echo " $0 -i osquery_5.13.1-1.linux.amd64.deb -o osquery-osctrl_5.13.1-1_amd64.deb"
+  echo " $0 -i osquery_5.14.1-1.linux.amd64.deb -o osquery-osctrl_5.14.1-1_amd64.deb"
 }
 
 # Stop script on error
diff --git a/tools/build-osctrl-pkg.sh b/tools/build-osctrl-pkg.sh
index 6ba98392..bca81188 100755
--- a/tools/build-osctrl-pkg.sh
+++ b/tools/build-osctrl-pkg.sh
@@ -19,7 +19,7 @@ function usage() {
   echo " -v Enable verbose mode with 'set -x'"
   echo
   echo "Example:"
-  echo " $0 -i osquery_5.13.1.pkg -o osquery-osctrl_5.13.1.pkg"
+  echo " $0 -i osquery_5.14.1.pkg -o osquery-osctrl_5.14.1.pkg"
 }
 
 # Stop script on error
diff --git a/version/version.go b/version/version.go
index 28c0b962..c71ddfd7 100644
--- a/version/version.go
+++ b/version/version.go
@@ -4,5 +4,5 @@ const (
 	// OsctrlVersion to have the version for all components
 	OsctrlVersion = "0.4.1"
 	// OsqueryVersion to have the version for osquery defined
-	OsqueryVersion = "5.13.1"
+	OsqueryVersion = "5.14.1"
 )
diff --git a/version/version_test.go b/version/version_test.go
index 73815207..3f260c36 100644
--- a/version/version_test.go
+++ b/version/version_test.go
@@ -7,7 +7,7 @@ import (
 )
 
 func TestOsqueryVersion(t *testing.T) {
-	assert.Equal(t, "5.13.1", OsqueryVersion)
+	assert.Equal(t, "5.14.1", OsqueryVersion)
 }
 
 func TestOsctrlVersion(t *testing.T) {