All Versions
Latest Version
Avg Release Cycle
57 days
Latest Release

Changelog History
Page 3

  • v4.0.1 Changes

    September 10, 2019

    ๐Ÿš€ This release has two major focuses. It is the first release since osquery transitioned to a Linux Foundation project.

    ๐Ÿ‘ท It features a heavily reworked build system. This aims to provide flexibility and stability.

    Git Commits

    ๐Ÿ†• New Features / Under the Hood improvements

    • ๐Ÿง Linux Audit process_events Implement support for fork/vfork/clone/execveat (#5701)
    • ๐Ÿ†• New SQLite function regex_match to match across columns (#5444)
    • LRU cache for syscall tracing (#5521)
    • ๐Ÿง Basic tracing via eBPF on Linux (#5403, #5386, #5384)
    • ๐Ÿง Experimental kill and setuid syscall tracing in Linux via eBPF (#5519)
    • ๐Ÿ†• New eventing (ev2) framework (#5401)
    • ๐Ÿ‘Œ Improved table performance profiles (#5187)
    • ๐ŸŽ macOS query pack: detect SearchAwesome malware (#5713)
    • ๐ŸŽ macOS query pack: detect when a process is tapping keyboard event (#5345)

    ๐Ÿ— Build

    • ๐Ÿ”จ Refactor CMake build (#5604, #5627, #5630, (#5618), (#5619))
    • ๐Ÿ”จ Refactor third-party libraries to build from source on Linux (#5706)
    • โž• Add Azure Pipelines support for CI/CD (#5604, #5632, #5626, #5613, #5607, #5673, #5610)
    • โž• Add Buck as a build system (971bee44)
    • ๐Ÿ‘‰ Use urllib2 to automatically handle HTTP 301/302 redirections (#5612)
    • โšก๏ธ Update MSI package to install to Program Files on Windows (#5579)
    • ๐Ÿง Linux custom toolchain integration (#5759)


    • ๐Ÿ”— Link binaries with Full RELRO on Linux (#5748)
    • โœ‚ Remove FTS features from SQLite (#5703) (#5702)
    • ๐Ÿ›  Fix SQLite API usage errors (#5551)
    • ๐Ÿ›  Fix issues reported by ASAN (#5665)
    • ๐Ÿ– Handle bad FDs in md_tables (#5553)
    • ๐Ÿ›  Fix lock resource leak in events/syslog (#5552)
    • Fix memory leak in macOS keychain_items and extended_attributes tables (#5550, #5538)
    • ๐Ÿ›  Fix memory leak in genLoggedInUsers (Windows). Update WTSFreeMemoryEx to WTSFreeMemory (#5642)
    • ๐Ÿ›  Fix potential null dereferences in smbios_tables (#5332)
    • ๐Ÿ›  Fix osquery exiting with wrong status (3824c2e6)
    • โž• Add additional install and uninstall flag incompatibility check (85eb77a0)
    • ๐Ÿ›  Fix warning with constants initialisation in magic (2a624f2f)
    • ๐Ÿ›  Fix sign compare warning in file_compression (b93069b3)
    • ๐Ÿ”จ Refactored logical_drives table on Windows (#5400)
    • ๐Ÿ”จ Refactored core/windows/wmi to use smart pointers (#5492)
    • ๐Ÿ›  Fixed various potential crashes in the virtual table implementaion (6ade85a5)
    • Increase the amount of MaxRecvRetries for Thrift sockets (#5390)

    ๐Ÿ› Bug Fixes

    • ๐Ÿ›  Fix the reading of the serial of a certificate (little-endian big int) (#5742)
    • ๐Ÿ›  Fix bugs and update pathname variables in MSI package build script (#5733)
    • ๐Ÿ›  Fix registry table exception closing an uninitialized key handle (#5718)
    • Config views are now recreated on startup (#5732)
    • ๐Ÿ”„ Change MSI Service Error handling on Windows (#5467)
    • ๐Ÿ‘ Allow mounting SQLite DBs using WAL journaling with ATC (#5525, #5633)
    • ๐Ÿ›  Fix mount table interacting with direct autofs (#5635)
    • ๐Ÿ›  Fix HTTP Host Header to include port (#5576)
    • ๐Ÿ Various fixes to the Windows certificates table and expansion to include Personal certificates (#5697), (#5696), (#5640), (#5631)
    • โž• Add optimization back to macOS users and groups (#5684)
    • ๐ŸŽ Do not return a row for macOS battery if no data is present (#5650)
    • ๐Ÿ›  Fix several integer conversions in process_ops (#5614)
    • Include weekends on the kernel_panics table (#5298)
    • ๐Ÿ›  Fix key_strength bug for Windows certificates table (#5304)
    • ๐Ÿ The interface column of routes table could be empty on Windows (bcf0ab8e)
    • ๐Ÿ The name column of programs table could be empty on Windows (7bceba4b)
    • ๐Ÿ›  Fix disable_watcher flag (08dc11b7)
    • Populate path column correctly in firefox_addons table (#5462)
    • ๐Ÿ›  Fix numeric monitoring plugin not being registered (#5484)
    • ๐Ÿ›  Fix wrong error code returned when querying the Windows registry (#5621)
    • ๐Ÿ›  Fix logical_drives boot partition detection (#5477)
    • ๐Ÿ”€ Replace sync calls by async within the HTTP client implementation (#5606)
    • ๐Ÿ›  Fix RocksDB crash related to OptimizeForSmallDb (a31d7582)
    • ๐Ÿ›  Fix bug in table column data validator (e3037331)
    • ๐Ÿ›  Fix random port problem (a32ed7c4)
    • ๐Ÿ”จ Refactor battery table and return information even if advanced information is missing (6a64e353)

    Table Changes

    • โž• Added table ibridge_info on macOS (Notebooks only) (#5707)
    • โž• Added table running_apps on macOS (#5216)
    • โž• Added table atom_packages on macOS and Linux (6d159d40)
    • โœ‚ Remove EC2 tables on Windows (#5657)
    • โž• Added column win_timestamp to time table on Windows (3bbe6c51)
    • โž• Added column is_hidded to users and groups table on macOS (#5368)
    • โž• Added column profile to chrome_extensions table (#5213)
    • โž• Added column epoch to rpm_packages table on Linux (#5248)
    • Added column sid to logged_in_users table on Windows (#5454)
    • Added column registry_hive to logged_in_users table on Windows (#5454)
    • โž• Added column sid to certificates table on Windows (#5631)
    • โž• Added column store_location to certificates table on Windows (#5631)
    • โž• Added column store to certificates table on Windows (#5631)
    • โž• Added column username to certificates table on Windows (#5631)
    • โž• Added column store_id to certificates table on Windows (#5631)
    • โž• Added column product_version to file table on Windows (#5431)
    • โž• Added column source to sudoers table on POSIX systems (#5350)
  • v4.0.0 Changes

    June 29, 2019

    ๐Ÿš€ This is a pre-release for the new version of osquery, based on the really cool refactor done by Facebook's team in London.

    ๐Ÿ”„ Changes between 3.4.0 and 4.0.0

    ๐Ÿš€ This prerelease mostly introduces CMake support, CI and packaging. The following are the commits that are not related to the build system:

    ๐ŸŽ 1. e6fe15e: macos: Add hack for boost asio string_view detection (#5592) ๐Ÿšš 2. 597a0c6: buck: Remove quotes from project/buck_out config

    1. 826723c: Fix boost asio string_view detection hack ๐Ÿ›  4. ae25976: Fixing port logic (bugfix for a small compatibility issue between remote::http_client and certain HTTP proxies)

    ๐ŸŒฒ Full changelog: git fetch --tags && git log 214302bdeb38fbdb606774ae9165dd633b908604..4.0.0

    ๐Ÿ— Build Requirements

    ๐Ÿง Linux

    ๐Ÿ‘ Ubuntu 18.04 or better

    ๐ŸŽ macOS


    ๐Ÿ Windows

    ๐Ÿ Windows 10 or Windows Server 2016

  • v3.4.0 Changes

    May 23, 2019

    ๐Ÿš€ osquery 3.4.0 Release Notes

    ๐Ÿš€ This tag is a Windows only release containing various bug and vulnerability fixes, as well as numerous improvements to performance. The processes table has been re-written to no longer make use of WMI and various aspects of the Windows build system has been re-written to make use of the new buck build system. A critical deadlocking bug has been addressed in the thread management system which will allow osquery to make use of the TLS plugins without deadlocking on service restart.

    ๐Ÿš€ Below are some of the highlights as they relate to the Windows release. This tag contains well over 250 commits, and there is considerably more content added than what is detailed below. Investigate the full commit history since our last tag for greater details on what has changed since the last tag.

    ๐Ÿ”’ Security Vulnerabilities

    ๐Ÿ”’ #5568 CVE-2019-3567 - osquery is now installed to Program Files to prevent a privilege escalation vulnerability

    ๐Ÿ› Bug Fixes

    ๐Ÿ #5421 - addressing deadlock regression in windows dispatcher threads
    #5304 - key_strength now correctly displays in certificates table

    ๐Ÿ†• New Features

    ๐Ÿ #5431 - Add Windows product version information to file table
    ๐Ÿ”จ #5400 - logical_drives table has been drastically refactored
    #5454 - sid and hive columns added to the logged_in_users table
    #5293 - Processes table now selectively generates columns, no longer uses WMI

  • v3.3.2

    January 10, 2019
  • v3.3.1

    September 19, 2018