Version 2.4.1

@basepi basepi released this 02 Aug 22:51
· 2145 commits to develop since this release
v2.4.1
8f962f9

Fixes since 2.4.0

  • Fix an issue with merging the v2-style nebula queries using a top.nebula file

Version 2.4.x release notes

Major Features

New format for nebula queries

The new format allows queries to be overridden on a per-query basis via topfiles. The new version of the nebula_osquery.py module now looks for nebula data in hubblestack_nebula_v2 in the fileserver. Take note of this and migrate if you're not using our hubblestack_data repo.

Graylog GELF returners

Modeled after the logstash returners, but GELF-specific.

Better error reporting and optional retries for splunk returners

Set returner_retry: True on a scheduled job that uses the splunk returners to enable retries (by default, 3 retries with 15 seconds between each). Additionally, errors from splunk requests will be more informative (instead of the existing "marked as bad" errors).

Persist transiently-available grains

If a grain is available at some point and then stops being generated later, we keep it across grain refreshes. This is to prevent us from losing useful grain data due to metadata server outages or issues.

Major fixes

Move daemonization to pre-grains

Daemonize earlier, so that long-running custom grains don't result in an unhappy service system.

Fixes for lack of s3 timeouts

In some cases, hubble could hang with open sockets to s3. The underlying salt util module specified no timeouts, so we now include the module ourselves and set timeouts.

Upper limit for osquery runs

In some cases, osquery can hang due to network issues. Now hubble will eventually kill osquery and continue operations.

Upper limit for grains refreshes

We were worried about the potential for grains refreshes causing some of the uncommon hangs we were seeing, so we now use signals and timers to interrupt grains if they are taking too long.
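The two grain behaviours described in these notes (a timer-and-signal upper limit on refreshes, and keeping grains that stop being generated) can be combined as in the following added example, which is an illustration written for this page and not Hubble's own code. The names `refresh_grains`, `loader`, `previous` and `limit`, the constructed grain values, and the choice to fall back to the previous grains on timeout are all assumptions.

```python
import signal
import time


class GrainsTimeout(Exception):
    """Raised in the main thread when a refresh exceeds its limit."""


def _on_alarm(signum, frame):
    raise GrainsTimeout()


def refresh_grains(loader, previous, limit=1.0):
    """Run loader() under a wall-clock limit, then merge over previous.

    Hypothetical helper: SIGALRM only works on Unix and in the main thread.
    """
    old_handler = signal.signal(signal.SIGALRM, _on_alarm)
    signal.setitimer(signal.ITIMER_REAL, limit)  # one-shot timer
    try:
        fresh = loader()
    except GrainsTimeout:
        fresh = {}  # refresh hung: assume nothing new was learned
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)  # cancel a pending alarm
        signal.signal(signal.SIGALRM, old_handler)
    merged = dict(previous)  # grains no longer generated are kept
    merged.update(fresh)     # freshly generated values win
    return merged


def fast_loader():
    # Constructed sample grains.
    return {"os": "Linux", "kernel": "5.10"}


def hung_loader():
    time.sleep(30)  # stands in for a metadata server that never answers
    return {"os": "Linux"}


if __name__ == "__main__":
    known = {"os": "Linux", "cloud_instance_id": "i-constructed"}
    print(refresh_grains(fast_loader, known))
    print(refresh_grains(hung_loader, known, limit=0.2))
```

The timer interrupts Python-level waits such as `time.sleep`; a loader blocked inside a C call that does not return to the interpreter would not be interrupted this way.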

Remove default file_roots setting

Some users were seeing issues due to conflicts with salt files on their system in /srv/salt. We now scrub those default paths from file_roots.

New osquery version

We've updated to a newer SHA of osquery for fixes and features there.