All Versions
25
Latest Version
Avg Release Cycle
57 days
Latest Release
-

Changelog History
Page 1

  • v5.5.1 Changes

    Git Commits

    โšก๏ธ Osquery 5.5.1 has some really exciting table updates! There is a much ๐ŸŽ anticipated unified_log for macOS, this table is the replacement for asl, and uses the current Apple APIs. Additionally, several tables ๐Ÿ‘ have improved their cross-platform support.

    Representing commits from 14 contributors! Thank you all.

    ๐Ÿ†• New Features

    • โž• Add denylist mechanism to distributed queries (#7675)

    Table Changes

    • โž• Add cgroup_path column to processes table on Linux (#7728)
    • Add firmware_type column to platform_info table on Windows. (#7710)
    • โž• Add unified_log table for macOS (UAL) (#7598, #7713)
    • ๐Ÿ Port memory_devices table to Windows (#7633)
    • Port platform_info table to M1 Macs (#7660)
    • ๐ŸŽ Restore macOS kernel_panics table on modern macOS (#7585)
    • โšก๏ธ Update battery table on macOS m1 with correct raw battery max and current capacity (#7721)
    • โšก๏ธ Update mdfind query timeout to 30 seconds (#7725)
    • โšก๏ธ Update macos password_policy table to use use -1 as sentinel value for uid column (#7699)
    • โšก๏ธ Update parsing of authorized_keys file (#7560)
    • โšก๏ธ Update the registry table to be case insensitive for key (#7708)

    Under the Hood improvements

    • โž• Add a mechanism to reduce memory retained on Linux (#7502)
    • โž• Add denylist mechanism to distributed queries (#7675)
    • โž• Add table spec support for COLLATE NOCASE (#7680)
    • ๐Ÿ‘Œ Improve Pidfile handling (#7304)
    • Prevent the audit event system from using too much memory (#7329)
    • carves: use full pathnames while creating an archive (#7681)

    ๐Ÿ› Bug Fixes

    • ๐Ÿ›  Fix GetMemorySize for Windows memory_devices table (#7711)
    • ๐Ÿ›  Fix tpm_info bug where values were out of date (#7686)
    • ๐Ÿ›  Fix a crash when parsing ATC config with no columns (#7693)
    • ๐Ÿ›  Fix bug in GetHomeDirectories filesystem function (#7705)

    ๐Ÿ“š Documentation

    • โž• Add core to the type column description of osquery_extensions schema (#7716)
    • โž• Add documentation about 3rd-party dependency security (#7684)
    • โž• Add example for hostname form in curl_certificate table (#7706)
    • โž• Adds info on how to use GTEST_FILTER on windows (#7696)
    • ๐Ÿ”„ Changelog 5.4.0 (#7678)
    • Describe user-context-related caveat for screenlock table (#7649)
    • Update schema for process_open_sockets.state (#7733)
    • โšก๏ธ Update schema to reflect platform_info columns not available in Windows (#7732)

    ๐Ÿ— Build

    • โž• Add validation integration test for memory_devices (#7722)
    • โœ… Temporarily disable memory_devices integration test (#7717)
    • โšก๏ธ Update minimum macOS support from 10.12 to 10.14 (#7707)
    • โšก๏ธ ci: Update and temporarily disable the macOS Catalina test job (#7700)
    • ๐Ÿง cmake: Prevent defining some Linux only targets on other platforms (#7672)
    • โšก๏ธ libs: Update libxml2 to v2.9.14 (#7729)
    • โšก๏ธ libs: Update sqlite to version 3.39.2 (#7736)
    • โœ… test: Fix Mdfind.test_sanity flakyness (#7701)

  • v5.4.0 Changes

    Git Commits

    Representing commits from 15 contributors! Thank you all.

    ๐Ÿ†• New Features

    • ๐Ÿ–จ We're extending macOS Endpoint Security to include File Integrity monitoring. Check out the new es_process_file_events table. (#7579)
    • โž• Add Docker build scripts and configuration (#7619)

    ๐Ÿ—„ Deprecation Notices

    • Prevent CLI_FLAGs to be set via config (#7561)
    • โœ‚ Remove the lldp_neighbors table (#7664)

    Table Changes

    • ๐Ÿ–จ New Table: es_process_file_events for macOS Endpoint Security based FIM (#7579)
    • ๐Ÿ†• New Table: password_policy table for macOS (#7594)
    • โšก๏ธ New Table: windows_update_history (#7407)
    • ๐Ÿง Add memory_available to linux memory_info table (#7669)
    • ๐Ÿง Port the cpu_info table to linux (#7499)
    • โœ‚ Remove the lldp_neighbors table (#7664)
    • โšก๏ธ Update deb_packages table to not sisplay arch info in the package name (#7638)
    • Update hardware_model in the system_info table on Apple M1 machines to report correctly (#7662)
    • Update shared_resources table to add type names, fix type/maximum_allowed handling (#7645)

    Under the Hood improvements

    • ๐Ÿ Expand env vars before trying to enumerate crashes in windows_crashes table (#7391)
    • Implement a split and trim function using std::string_view (#7636)
    • ๐Ÿ‘Œ Improve scheduled query denylisting and scheduler shutdown (#7492)
    • Prevent CLI_FLAGs to be set via config (#7561)
    • โœ‚ Remove unnecessary string copy (#7625)

    ๐Ÿ› Bug Fixes

    • โž• Add linwin to list of supported PLATFORM_DIRS (#7646)
    • ๐Ÿ›  Fix AWS certificate verification failing on all services (#7652)
    • ๐Ÿ›  Fix MBCS support on Windows (#7593)
    • ๐Ÿ›  Fix local_timezone column in the time table on Windows (#7656)
    • ๐Ÿ›  Fix system_info table to support unicode on Windows (#7626)
    • ๐Ÿ›  Fix multiple Yara leaks (#7615)
    • Fix std::bad_alloc on pci_devices on Apple Silicon macs (#7648)
    • ๐Ÿ›  Fix tables spec files to specify linux and not posix (#7644)
    • ๐Ÿ›  Fix thrift server shutting down when dropping privileges (#7639)

    ๐Ÿ“š Documentation

    • ๐Ÿ”„ CHANGELOG 5.3.0 (#7575)
    • ๐Ÿ“š Exclude spec/example.table when generating documentation (#7647)
    • ๐Ÿ›  Fix a UUID typo in the disk_encryption table (#7608)
    • ๐Ÿ›  Fix spelling of the word "owned" (#7630)
    • ๐Ÿ›  Fix typo in FIM docs for Windows (#7676)
    • ๐Ÿš€ Update the "new release" issue template (#7607)
    • ๐Ÿ”Œ clarify browser_plugins table is referencing basically unsupported CNPAPI tech (#7651)

    ๐Ÿ— Build

    • โž• Add an option to build with the leak sanitizer (#7609)
    • ๐Ÿ›  Fix check for PIE support (#7234)
    • โฑ Fix SchedulerTests.test_scheduler_drift_accumulation flakyness (#7613)
    • ๐Ÿ‘Œ Improve config parsing and osqueryfuzz-config performance (#7635)
    • ๐ŸŽ‰ Initialize users and groups services on all tests that need them (#7620)
    • โšก๏ธ ci: Update osquery-packaging commit to the latest one (#7667)
    • cmake: Add an option to enable or disable using ccache (#7671)
    • โšก๏ธ libs: Update OpenSSL to version 1.1.1o (#7629)
    • โšก๏ธ libs: Update OpenSSL to version 1.1.1q (#7674)
    • โšก๏ธ libs: Update libarchive to version 3.6.1 (#7654)
    • โšก๏ธ libs: Update sqlite to version 3.38.5 (#7628)

  • v5.3.0 Changes

    Git Commits

    ๐Ÿ›  osquery 5.3.0 brings several table improvements and bugfixes. Worth mentioning also the deprecation of the smart_drive_info table ๐Ÿ”ง and the new warning added when incorrectly configuring a CLI only flag ๐Ÿš€ via the config file. In the next release CLI only flags will not be ๐Ÿ”ง configurable through the config file or refresh anymore.

    ๐Ÿš€ This release represents commits from 15 contributors! Thank you all.

    ๐Ÿ—„ Deprecation Notices

    • Deprecate unmaintainable legacy table, smart_drive_info (#7464, #7542)

    ๐Ÿ†• New Features

    • Add the option tls_disable_status_log to prevent status logs from being sent via TLS #7550
    • Add SQLite function in_cidr_block to check if IPv4/v6 addresses are within the supplied CIDR block #7563

    Table Changes

    • โž• Add the admindir column to the deb_packages table to parse package databases on different paths #7549
    • ๐ŸŽ Implement and fix wifi_networks on macOS Big Sur and newer #7503
    • โž• Add windows/darwin support to npm_packages #7536
    • Move apt_sources and yum_sources tables to linux only #7537
    • โž• Add homebrew paths to the python_packages table #7535
    • Mark wall_time column in osquery_schedule as hidden #7501
    • โž• Add new metrics and improve description of existing ones in osquery_schedule #7438
    • โž• Add the mirrorlist column in the table yum_sources #7479
    • Implement output_size for osquery_schedule #7436
    • ๐Ÿ“ฆ deb_packages table: Use additional instead of index for the admindir column #7573
    • ๐Ÿง certificates table: Add Linux support #7570
    • โž• Add translated column to processes table to indicate whether the process is running under Apple Rosetta #7507
    • โž• Add the "internet password" type to the macOS keychain_items table #7576
    • โž• Add original filename column to file table on Windows #7156

    ๐Ÿ› Bug Fixes

    • ๐Ÿ›  Fix watchdog not killing unhealthy worker/extension fast enough #7474
    • Fix the test_http_server.py --persist option #7497
    • โšก๏ธ Updateprofile.py --leaks for python3 #7534
    • Fixes osquery tls connections to aws kinesis when tls_server_certs is set #7450
    • ๐Ÿ›  Fix parsing issue when a backslash as the last character on sudoers file line #7440
    • ๐Ÿ”„ Change the JSON of the results coming from an event scheduled query to an array #7434
    • ๐Ÿ›  Fix globToRegex truncating UTF16 characters #7430
    • Prevent hanging when the WMI server does not respond #7429
    • ๐Ÿ›  Fix python_packages table so that it lists python packages from any user Python installations #7414
    • Set string size limit on thrift protocol factory to prevent a crash #7484
    • ๐Ÿ›  Fix driver image path in drivers table #7444
    • ๐Ÿšš Do not remove nonblocking flag when reading "special" files, to prevent hangs #7530
    • ๐Ÿ›  Fix crash due to interaction between distributed and config plugin #7504
    • bpf: Disable the BPF publisher in case of error #7500
    • Warn about setting CLI_FLAGs in the config #7583
    • Explicitly set context for the tables reading utmpx databases #7578
    • bpf: Improve socket event handling #7446
    • ๐Ÿ”จ certificates: Refactor the OpenSSL utilities #7581
    • ๐Ÿ›  Fix shared_resources accessing uninitialized variables #7600

    Under the Hood improvements

    • ๐Ÿ Implement a performant cache for users and groups on Windows #7516
    • Replace WmiRequest constructor with static factory method to improve error handling and prevent crashes #7489
    • โœ‚ Remove redundant string conversion #7603

    ๐Ÿ— Build

    • ๐Ÿ›  Fix DebPackages.test_sanity test when the size column is empty #7569
    • โšก๏ธ libs: Update libdpkg from version v1.19.0.5 to v1.21.7 #7549
    • ๐Ÿš€ CI: Restore some release checks #7558
    • Prevent ebpfpub linking against the system zlib #7557
    • ๐Ÿ›  Fix mdfind.test_sanity flaky behavior #7533
    • ๐ŸŽ Enable fuzzing and Asan on Windows, enable Asan on macOS #7470
    • โšก๏ธ Update cppcheck to version 2.6.3 and skip analysis for third party code #7455
    • โœ… Change cpu_info test to expect at least one socket, not just one #7490
    • ๐Ÿ›  Fix third party libraries flags leaking to osquery targets #7480
    • โž• Add third party libraries target #7467
    • Do not run clang-tidy on third party libraries #7432
    • ๐Ÿ”€ CI: Create github workflow target to gate mergeability #7427
    • ๐Ÿ›  Fix some warnings about unrecognized special characters in the Windows event log test #7478
    • ๐Ÿ”„ Change where the macOS Info.plist is generated #7566
    • Add OSQUERY_ENABLE_THREAD_SANITIZER to optionally enable TSan #6997
    • โž• Add an option to specify a path to the openssl archive #7559
    • โšก๏ธ packs: Update reverse shell query pack to check for a valid remote_port #7567
    • Remove the test_daemon_sighup test #7584
    • ๐Ÿ›  Fix release tests for Linux aarch64 #7572

    ๐Ÿ“š Documentation

    • ๐Ÿ“„ docs: remove FreeBSD #7508
    • ๐Ÿ“Œ Pin Jinja2 ReadTheDocs dependency to 3.0.3 #7533
    • ๐Ÿ”„ CHANGELOG 5.2.3 #7571
    • ๐Ÿ”„ CHANGELOG 5.2.2 #7447
    • โฌ†๏ธ Bump mkdocs from 1.1.2 to 1.2.3 in /docs #7457
    • ๐ŸŽ Replace OS X with macOS in table specs #7587
    • โšก๏ธ Update osquery.example.conf to omit the CLI only flags #7595
    • ๐Ÿ“š Update documentation about users and groups service flags (#7596)
    • โšก๏ธ Update the TSC members (#7543)

  • v5.2.3 Changes

    Git Commits

    โšก๏ธ Osquery 5.2.3 is a security update that focuses on updating some third-party libraries which contained CVEs that could affect osquery. โž• Additionally some other third-party libraries and tables have been dropped, since they were not maintained or considered safe anymore.

    ๐Ÿ—„ Deprecation Notices

    • โœ‚ Remove the shortcut_files table (#7547)
    • โœ‚ Remove the ssdeep library and remove its support in the hash table (#7525)
    • โœ‚ Remove the libelfin library and elf parsing tables (#7524)

    Hardening

    • โšก๏ธ libs: Update OpenSSL from version 1.1.1l to 1.1.1n (#7506)
    • โšก๏ธ libs: Update zlib from v1.2.11 to v1.2.12 (#7548)
    • โšก๏ธ Update librpm to 4.17.0 (#7529)
    • โšก๏ธ libs: Update expat from version 2.2.10 to 2.4.7 (#7526)

  • v5.2.2 Changes

    Git Commits

    ๐ŸŽ Osquery 5.2.2 brings native Apple Silicon (M1) support to the macOS โšก๏ธ platform. It also represents a comprehensive review and update of our ๐Ÿ“„ third-party dependencies. To support this work, the developer docs โšก๏ธ have been updated, as have several parts of the build system

    ๐Ÿš€ This release represents commits from 24 contributors! Thank you all.

    ๐Ÿ†• New Features

    • ๐Ÿ‘ Apple Silicon support (#7330)

    ๐Ÿ—„ Deprecation Notices

    • ๐Ÿ‘€ The cpuid table is x86 only. See #7462
    • The smart_drive_info table has been deprecated, and is not included in the m1 builds. See #7464
    • ๐Ÿ— The lldp_neighbors table has been deprecated, and is not included in the m1 builds. See #7463

    Table Changes

    • โšก๏ธ Update time table to always reflect UTC values (#7276, #7460, #7437)
    • ๐Ÿ”’ Hide the deprecated antispyware column in windows_security_center (#7411)
    • Add windows_firewall_rules table for windows (#7403)

    ๐Ÿ› Bug Fixes

    • โšก๏ธ Update the ATC table path column check to be case insensitive (#7442)
    • ๐Ÿ›  Fix a crash introduced by 5.2.0 when Yara uses its own strutils functions (#7439)
    • Fix user_time and system_time unit in processes table on M1 (#7473)

    ๐Ÿ“š Documentation

    • ๐Ÿ›  Fix typos in documentation (#7443, #7412)
    • ๐Ÿ”„ CHANGELOG 5.1.0 (#7406)

    ๐Ÿ— Build

    • โšก๏ธ Update sqlite to version 3.37.0 (#7426)
    • ๐Ÿ›  Fix linking of thirdparty_sleuthkit (#7425)
    • ๐Ÿ›  Fix how we disable tables in the fuzzer init method (#7419)
    • Prevent running discovery queries when fuzzing (#7418)
    • ๐Ÿ‘‰ Add BOOST_USE_ASAN define when enabling Asan (#7469)
    • ๐ŸŽ Removing unnecessary macOS version check (#7451)
    • ๐Ÿ›  Fix submodule cache for macOS CI runner (#7456)
    • โž• Add osquery version to macOS app bundle Info.plist (#7452)
    • โšก๏ธ libs: Update OpenSSL to verion 1.1.1l (#7330)
    • โšก๏ธ libs: Update augeas to version 1.12.0 (#7330)
    • โšก๏ธ libs: Update aws-sdk to version 1.9.116 (#7330)
    • โšก๏ธ libs: Update boost to version 1.77 (#7330)
    • โšก๏ธ libs: Update gflags to 2.2.2 (#7330)
    • โšก๏ธ libs: Update glog to version 0.5.0 (#7330)
    • โšก๏ธ libs: Update googletest to version 1.11.0 (#7330)
    • โšก๏ธ libs: Update libarchive to version 3.5.2 (#7330)
    • โšก๏ธ libs: Update libcap to version 1.2.59 (#7330)
    • โšก๏ธ libs: Update libmagic to version 5.40 (#7330)
    • โšก๏ธ libs: Update librdkafka to version 1.8.0 (#7330)
    • โšก๏ธ libs: Update libxml2 to version 2.9.12 (#7330)
    • โšก๏ธ libs: Update linenoise-ng to the latest commit (#7330)
    • โšก๏ธ libs: Update lzma to version 5.2.5 (#7330)
    • โšก๏ธ libs: Update rocksdb to version 6.22.1 (#7330)
    • โšก๏ธ libs: Update sleuthkit to version 4.11.0 (#7330)
    • โšก๏ธ libs: Update ssdeep-cpp to the latest commit (d8705da) (#7330)
    • โšก๏ธ libs: Update thrift to version 0.15.0 (#7330)
    • โšก๏ธ libs: Update yara to version 4.1.3 (#7330)
    • โšก๏ธ libs: Update zstd to version 1.4.0 (#7330)

  • v5.1.0 Changes

    Git Commits

    Representing commits from 20 contributors! Thank you all.

    ๐Ÿ†• New Features

    • ๐Ÿ‘ Allow custom cpu limit duration for the watchdog (#7348)
    • ๐Ÿ‘Œ Support custom endpoints for AWS Kinesis and Firehose. (#7317)

    Table Changes

    • Add docker_container_envs table for access to docker container environment (#7313)
    • curl table now returns peer certificates even if the TLS handshake does not complete (#7349)

    Under the Hood improvements

    • ๐Ÿ‘ Allow tests and SDK to reset dispatcher state (#7372)
    • Avoid string copies when looping through cron search dirs (#7331)
    • Respect read_max flag when hashing using ssdeep (#7367)

    ๐Ÿ› Bug Fixes

    • ๐Ÿ Detect when an extension has not started correctly on Windows (#7355)
    • ๐Ÿ›  Fix crash #7353 when osquery captures kill syscall when not subscribed to them (#7354)
    • โž• Fix crash in AuditdNetlinkReader::configureAuditService when audit_add_rule_data returns an error (#7337)
    • ๐Ÿ”’ Fix crash when windows_security_products errors out (#7401)
    • ๐Ÿ›  Fix for #7394 where cleanup of some event tables never occures (#7395)
    • ๐Ÿ‘Œ Improve BPF publisher reliability (#7302)
    • ๐ŸŒฒ Lower log level of "executing distributed query" (#7386)
    • โฌ‡๏ธ Reduce excessive log messages from authorized_keys table implementation (#7318)

    ๐Ÿ“š Documentation

    • โž• Add 5.0.1 CHANGELOG (#7284)
    • ๐Ÿ›  Fix typo in Everything in SQL docs (#7338)
    • ๐Ÿ›  Fix typo in SQL docs (#7376)
    • โšก๏ธ Update GitHub issue templates (#7361, #7396)
    • โšก๏ธ Update installation guide to use newer macOS paths (#7311)
    • ๐Ÿ“š Update macOS ESF documentation (#7303)

    Packs

    • โž• Add Forcepoint Endpoint Chrome Extension detection to packs (#7346)
    • โž• Add beurk rootkit detection to packs (#7345)

    ๐Ÿ— Build

    • ๐Ÿ‘ Allow tests to reset the restarting state (#7373)
    • ๐Ÿ— Build librpm with ndb support (#7294)
    • Customizable installation logic (#7315)
    • ๐Ÿ›  Fix ASL test on macOS 11 and later (#7320)
    • ๐Ÿ Restore query packs in Windows packaging (#7388)
    • ๐ŸŽ Skip deprecated ASL test when targeting macOS 10.13+ SDK (#7358)
    • โšก๏ธ Update packaging commit to fix Linux symlinks (#7404)
    • โšก๏ธ Update the CI Linux Docker image (#7332)

  • v5.0.1 Changes

    Git Commits

    Representing commits from 21 contributors! Thank you all.

    ๐Ÿš€ osquery 5.0 is a tremendously exciting release!

    • ๐ŸŽ We now install into /opt/osquery on macOS and Linux for better portability.
    • ๐ŸŽ Our default and recommended installation for macOS uses an application bundle to support entitlement-based features.
    • ๐Ÿ”’ We now use Endpoint Security APIs for various event-based tables on macOS (more to come in the future!)
    • ๐ŸŽ We now use an osquery-organization macOS code signing certificate.

    There are several breaking changes:

    • ๐ŸŽ Installation paths have changes from /usr/local to /opt/osquery on macOS and Linux (symlinks to executables are provided).
    • ๐ŸŽ macOS codesigning is now down through the Osquery Foundation account
    • โšก๏ธ If you manage macOS full disk permission through a profile, you will need to update it. See docs
    • ๐Ÿ”ง We removed the deprecated blacklist key from the configuration (#7153)
    • Search semantics on the augeas table have changed to be more performant, but do break the existing query API.

    Table Changes

    • โž• Add secureboot table for Linux and Windows (#7202)
    • โž• Add tpm_info for Windows (#7107)
    • ๐Ÿ— Fix osquery_info build_platform column value on Linux (#7254)
    • Support pid_with_namespace in more tables (#7132)
    • โšก๏ธ Update augeas table to use native pattern matching (BREAKING) (#6982)
    • โšก๏ธ Update chrome_extensions to include Edge & EdgeBeta (#7170)
    • โšก๏ธ Update disk_encryption table to support QueryContext (#7209)
    • โšก๏ธ Update last to include utmp type name column (#7201)
    • โšก๏ธ Update sudoers table to support newer include syntax (#7185)
    • Update user_ssh_keys to detect encryption of ed25519 keys (#7168)

    Under the Hood Improvements

    • โž• Add ruby namespace to the thrift definition (#7191)
    • ๐ŸŽ Always initialize variable change in PerformanceChange (#7176)
    • โœ‚ Remove deprecated blacklist key (#7153)
    • ๐Ÿ Use total_size within watchdog on Windows (#7157)
    • ๐Ÿ‘Œ Support AF_PACKET sockets reporting on Linux (#7282)
    • ๐Ÿง socket_events improvements in Linux audit system (#7269)

    ๐Ÿ› Bug Fixes

    • โž• Add case sensitive pragma to the pragma/actions authorizer allow list (#7267)
    • โž• Add feature to skip denylist for event-based queries (#7158)
    • ๐Ÿ”„ Change logger_mode flag to be correctly interpreted as an octal (#7273)
    • Do not let osquery create multiple copies of the extension running at once (#7178)
    • ๐Ÿ›  Fix Linux audit rule removal upon osquery exit (#7221)
    • ๐Ÿ›  Fix broadcasting empty logs to logger plugins (#7183)
    • ๐Ÿ›  Fix issues applying ACLs during chocolatey deployment (#7166)
    • ๐Ÿ›  Fix memory issue in Windows fileops (#7179)
    • Fix process_open_sockets type error on darwin (#6546)
    • ๐Ÿšš Make sure that the file action MOVED_TO is tracked with yara events. (#7203)
    • Prevent osquery from killing itself when the --force flag is used (#7295)
    • ๐Ÿ‘ท Prevent race condition between shutdown and worker or extension launch (#7204)

    ๐Ÿ“š Documentation

    • โž• Add a security assurance case (#7048)
    • Bring the YARA wiki page up to date (#7172)
    • ๐Ÿ›  Spelling fixes (#7211, #7186)
    • โšก๏ธ Update uptime table description (#7270)
    • ๐Ÿ“š Update osquery installed artifacts paths in the documentation (#7286)

    ๐Ÿ— Build

    • โž• Add TimeoutStopSec to systemd service files (#7190)
    • ๐ŸŽ Correct macOS installed app bundle path in osqueryctl and doc (#7289)
    • ๐ŸŽ Create an macOS app bundle (#7263)
    • ๐Ÿ›  Fix choco packaging not failing when an error occurs during install or upgrade (#7182)
    • ๐Ÿ›  Fix path in macOS launchd plist (#7288)
    • ๐Ÿ“Œ Pin the packaging repo within GitHub workflows (#7208, #7255, #7279)
    • ๐Ÿš€ Update Windows deployment icon to png (#7163)
    • โšก๏ธ Update install paths, and remove deprecated Facebook naming (#7210)
    • โšก๏ธ Update macOS build to include app bundle related files (#7184)
    • โšก๏ธ Update osquery installed artifacts default paths in code (#7285)
    • โšก๏ธ Update the installation path on Linux (#7271)
    • libs: Add options to AWS Optionally enable debug option and restrict content-type header size for PUT req (#7216)
    • ๐ŸŽ libs: Enable and compile the YARA macho module on macOS (#7174)
    • โšก๏ธ libs: Update OpenSSL to version 1.1.1l (#7293)
    • โšก๏ธ libs: Update Strawberry Perl to 5.32.1.1, use HTTPS downloads (#7199)
    • โšก๏ธ libs: Update ebpfpub (#7173, #7219)

  • v4.9.0 Changes

    Git Commits

    Representing commits from 16 contributors! Thank you all.

    ๐Ÿ†• New Features

    • โž• Add filesystem logrotate feature (#7015)
    • โž• Add Non-Functional EndpointSecurity based process events to macOS (Requires updated codesigning due in 5.0) (#7046)

    Table Changes

    • Add mdm_managed column to system_extensions on macOS (#6915)
    • โž• Add prefetch table on Windows (#7076)
    • โž• Add support for IMDSv2 to AWS tables (#7084)
    • ๐Ÿณ Enable container stats on docker containers that don't have traditional networks (#7145)
    • โšก๏ธ Update homebrew_packages to include new prefix, and allow specifying alternate prefixes (#7117)
    • Update ntfs_acl_permissions to list all ACE entries (using GetAce()) (#7114)
    • โšก๏ธ Update processes table to display additional Windows attributes (secured, protected, virtual, elevated) (#7121)
    • Update how package_install_history identifies the packageIdentifiers key (#7099)
    • โšก๏ธ Update how identifier is calculated in chrome_extensions (#7124)

    Under the Hood improvements

    • ๐Ÿ‘Œ Improve speed of osquery shutdown procedure (#7077)
    • ๐Ÿ‘Œ Improve shutdown speed during initialization (#7106)
    • โšก๏ธ Update website generators (#7136)
    • CLI flag to allow osquery to keep retrying enrollment (instead of exiting) (#7125)
    • rocksdb: Do not fsync WAL writes (#7094)
    • ๐Ÿšš Move CPack packaging to a dedicated repository (#7059)
    • โช Restore thrift socket 5min timeout (#7072)
    • Consolidate syscalls to a single audit rule (#7063)

    ๐Ÿ› Bug Fixes

    • โž• Add current WMI location for Dell BIOS info (#7103)
    • ๐Ÿ–จ Correct RocksDB error code and subcode printing on open failure (#7069)
    • ๐Ÿ›  Fix pipe_channel not reading all data in a message (#7139)
    • ๐Ÿ›  Fix crash and deadlocks in recursive logging (#7127)
    • ๐Ÿ›  Fix custom curl_certificate timeouts (#7151)
    • ๐Ÿ›  Fix extensions crash on shutdown (#7075)
    • Handle updated paths on various macOS tables -- xprotect_entries, xprotect_meta, launchd (#7138, #7154)
    • Trigger event cleanup checks every 256 events (#7143)
    • โšก๏ธ Update generating an extension uuid to be thread safe (#7135)
    • ๐Ÿ‘ท Watchdog should wait for the worker to shutdown (#7116)

    ๐Ÿ“š Documentation

    • ๐Ÿ“š Update process auditing requirements documentation (#7102)
    • โšก๏ธ Update website docs indicating windows support for YARA tables (#7130)
    • โž• Add 4.9.0 CHANGELOG (#7152)

    ๐Ÿ— Build

    • โž• Add Apple provisioning profile for distribution (#7119)
    • โž• Add more tests for events expiration (#7071)
    • CI: Regenerate sccache cache when compiler version changes (#7081)
    • Fix flaky test test_daemon_sigint by waiting for pidfile (#7095)
    • ๐Ÿ›  Fix icon in Windows packaging (#7148)
    • Minor cleanup of unused variables (#7128)
    • ๐Ÿ–จ Print extension SDK minimum version required when failing to load (#7074)
    • โœ‚ Remove POSIX-only -fexceptions flag on Windows (#7126)
    • Remove duplicated osquery_utils_aws_tests-test (#7078)
    • โœ‚ Remove flaky test decorators for python tests (#7070)
    • โšก๏ธ Update SQLite to version 3.35.5 (#7090)
    • โšก๏ธ Update librdkafka to version 1.7.0 (#7134)
    • โšก๏ธ Update libyara to version 4.1.1 (#7133)

  • v4.8.0 Changes

    Git Commits

    Representing commits from 14 contributors! Thank you all.

    ๐Ÿ›  This version fixes a regression introduced in 4.7.0 related to events expiration optimization. Please read (#7055) for more information.

    ๐Ÿš€ This release upgrades openssl, as is general good practice. Osquery is ๐Ÿ”’ not known to be effected by any security issues in OpenSSL.

    ๐Ÿ†• New Features

    • shell: Add .connect meta command (#6944)

    Table Changes

    • โž• Add seccomp_events table for Linux (#7006)
    • โž• Add shortcut_files table for Windows (#6994)

    Under the Hood improvements

    • Removing Keyboard Event Taps from osx-attacks pack (#7023)
    • ๐Ÿ”จ Refactor watcher out of singleton pattern (#7042)
    • ๐Ÿ”จ Small events subscriber refactor to increase test coverage (#7050)
    • ๐Ÿ“ฆ Setting non-required deb_packages fields as optional in test (#7001)

    ๐Ÿ› Bug Fixes

    • ๐Ÿ– Handle events optimization edge cases (#7060)
    • ๐Ÿ›  Fix optimization for multiple queries using the same subscriber (#7055)
    • ๐Ÿ‘‰ Use epoch and counter for events-based queries (#7051)
    • Guard node key to prevent duplicate enrollments (#7052)
    • ๐Ÿ”„ Change windows calculation for physical_memory (#7028)
    • ๐Ÿ†“ Free using WTSFreeMemoryEx for WTSEnumerateSessionsExW (#7039)
    • ๐Ÿš€ Release variable in Windows data conversation (#7024)
    • ๐Ÿ”„ Change chrome_extensions warnings to verbose (#7032)
    • โž• Add transactions to the SQLite authorizer PRAGMAs (#7029)
    • ๐Ÿ”„ Change Windows messages to verbose (#7027)
    • ๐Ÿ›  Fix scheduler to print the correct number of elapsed seconds (#7016)

    ๐Ÿ“š Documentation

    • Fix tls_enroll_max_attempts flag name in the documentation (#7049)
    • ๐Ÿ‘Œ Improve docs on FIM, mention NTFS and Audit, etc. (#7036)
    • ๐Ÿ“„ config: Add docs for the events top-level-key (#7040)
    • โž• Add funding link on GitHub generated page (#7043)
    • ๐Ÿ Correct the example in the windows_events table spec (#7035)
    • ๐Ÿ“„ Correct docs about OpenSSL and TLS behavior (#7033)
    • โšก๏ธ Update docs to describe how to build for aarch64/arm64 (#6285) (#6970)
    • โž• Add a note on enabling Windows to build with CMake's long paths (#7010)
    • โž• Add 4.8.0 CHANGELOG (#7057)

    ๐Ÿ— Build

    • โž• Add an option to enable incremental linking on Windows (#7044)
    • โœ‚ Remove Buck leftovers that supported building with old versions of OpenSSL (#7034)
    • โž• Add build_aarch64 workflow for push (#7014)
    • ๐Ÿ‘ท Move CI to using docker from osquery (#7012)
    • โšก๏ธ Update dockerfile to multiplatform (#7011)
    • โš™ Run GH Actions workflows on all tags (#7004)
    • ๐Ÿ— Disable BPF events tests if OSQUERY_BUILD_BPF is false (#7002)
    • โšก๏ธ libs: Update OpenSSL to version 1.1.1k (#7026)

  • v4.7.0 Changes

    Git Commits

    Commits from 21 contributors! Thank you all!

    ๐Ÿ†• New Features

    • โž• Add concat and concat_ws sql functions (#6927)
    • โšก๏ธ Update the scheduler to log the query name at info level (#6934)
    • โž• Add support for SQLite RPM databases (#6939)

    Table Changes

    • โž• Add computer column to Windows Eventlogs (#6952)
    • Add docker_image_history table (#6884)
    • Add filevault_status column to disk_encryption table (#6823)
    • โž• Add location_services table on macOS (#6826)
    • โž• Add shellbags table (#6949)
    • โž• Add system_extensions table on macOS (#6863)
    • โž• Add systemd_units table (#6593)
    • Add ycloud_instance_metadata table (#6961)
    • ๐Ÿ›  Fix loading of YARA rules on Windows (#6893)
    • ๐Ÿ›  Fix macOS OpenDirectory attribute mismatch (#6816)
    • โšก๏ธ Update augeas table not to autoload system lenses (#6980)
    • โšก๏ธ Update chrome_extensions table -- more browser support and tests (#6780)
    • โšก๏ธ Update office_mru table to correct platforms (#6827)
    • โšก๏ธ Update aws table to include macOS (#6817)

    Under the Hood improvements

    • โœ‚ Remove Azure Pipelines (#6953)
    • ๐Ÿ—„ Disable deprecated TLS versions 1.0, 1.1 (#6910)
    • ๐Ÿšš Use librpm bdb_ro backend and remove bdb (#6931)
    • ๐Ÿ— bpf: Improve execve/execveat tracing, add AArch64 build support (#6802)
    • ๐Ÿ‘‰ Use a distinct carver request_id and add this to the schema (#6959)
    • ๐ŸŽ‰ Initialize TLSLogForwarder before enrollment check (#6958)
    • ๐Ÿ”Š Put noisy thrift logs behind a flag (#6951)
    • ๐Ÿ›  Fix bug in windows thrift, causing named pipe closing (#6937)
    • โœ‚ Remove unused/experimental ebpf code (#6879)
    • โœ‚ Remove unused ev2 code (#6878)
    • ๐ŸŽ Refactor the eventing framework to reduce disk IO and improve performance(#6610)

    ๐Ÿ› Bug Fixes

    • โž• Add journal_mode to the sqlite authorizer PRAGMAs (#6999)
    • โž• Add table_info to the sqlite authorizer PRAGMAs (#6814)
    • Always use BIGINT macro for long long data (#6986)
    • ๐Ÿ— Copy JSON objects to avoid MemoryPool buildup (#6957)
    • Do not call unconfigured subscribers errors (#6847)
    • Do not ignore mountpoints that have the same mount path (#6871)
    • โฑ Do not start scheduler when shutting down (#6960)
    • ๐Ÿง Don't mark scope and key columns as index in selinux_settings table (#6872)
    • ๐Ÿ›  Fix augeas table output bug for non-path entries (#6981)
    • Fix pids column in docker_container_stats table (#6965)
    • ๐Ÿ›  Fix additional relative path check in Yara for Windows (#6894)
    • ๐Ÿ›  Fix config validation oom with duplicated keys (#6876)
    • ๐Ÿ›  Fix data type macro used for 64-bit timestamp variables (#6897)
    • Fix error in process_open_files inode need stoul, not stoi (#6983)
    • ๐Ÿ›  Fix leaks when a query fails from the shell (#6849)
    • ๐Ÿ›  Fix mem leak regression with Windows sids API (#6984)
    • ๐Ÿ Make Group ID columns consistent across Windows tables (#6987)
    • When iterating /proc, use individual try/catch so catch partial failures (#6933)
    • augeas: Clear aug pointer on error (#6973)

    ๐Ÿ“š Documentation

    • โž• Add 4.6.0 CHANGELOG (#6809)
    • โž• Add 4.7.0 CHANGELOG (#6985)
    • โž• Add docs for TLS enroll max attempts (#6888)
    • ๐Ÿ”„ Change reference about Azure Pipelines to GitHub Actions (#6988)
    • ๐Ÿ“š Clarify FIM exclude category documentation (#6966)
    • Document retrieval of available tables/columns via SQL (#6812)
    • ๐Ÿ›  Fix Github Actions status badge in the README (#6908)
    • ๐Ÿ›  Fix all broken or redirected URLs and references (#6835)
    • ๐Ÿ›  Fix broken URL in docs (#6882)
    • ๐Ÿ›  Fix incorrect Slack URLs (#6844)
    • ๐Ÿ›  Fix packs discovery queries documentation (#6946)
    • ๐Ÿ›  Fix reference to a Powershell script on Windows (#6936)
    • ๐Ÿ›  Fix typos in source code (#6901)
    • ๐Ÿ‘Œ Improve explanations of event control flags (#6954)
    • Spellcheck and Markdown edits (#6899)
    • ๐Ÿš€ Update README to include release process comment (#6877)
    • ๐Ÿ“š Update documentation about denylist schedule key (#6922)
    • โšก๏ธ Update macOS OpenBSM configuration (#6916)
    • โšก๏ธ Update the Linux install steps and package listing (#6956)
    • โšก๏ธ Update the info about osquery's TLS version support (#6963)

    ๐Ÿ— Build

    • ๐Ÿง CI: Add a RelWithDebInfo Linux job to generate packages (#6838)
    • ๐Ÿ‘ CI: Add support for GitHub Actions (#6885)
    • โœ… CI: Add unit tests for RPM DB querying (#6919)
    • โœ… CI: Fix ExtendedAttributesTableTests failing due to an unexpected attribute (#6942)
    • โœ… CI: Fix StartupItemTest failing due to unexpected values (#6940)
    • โœ… CI: Fix SystemControlsTest adding sunrpc as an expected subsystem (#6932)
    • โœ… CI: Fix XattrTests failing due to unexpected attribute name (#6941)
    • โœ… CI: Fix an incorrect check in StartupItems test (#6950)
    • ๐ŸŽ CI: Fix wifi_tests on macOS 10.15 and above (#6724)
    • ๐Ÿšš CI: Move cppcheck step after the tests (#6845)
    • ๐Ÿ‘ท CI: Permit running formatting earlier in the CI (#6836)
    • โฌ†๏ธ CI: Remove incorrect 2to3 symlink breaking Python brew upgrade (#6819)
    • ๐Ÿšš CI: Remove unused empty test file (#6918)
    • ๐Ÿšš CI: Remove unused tests for Rocksdb and Inmemory db plugins (#6900)
    • โšก๏ธ CI: Update XCode to 12.3 and Update min macOS version to 10.12 (#6896, #6913)
    • โšก๏ธ CI: Update macOS agent to 10.15 Catalina (#6680)
    • CMake: Add -pthread compile option on posix platforms (#6909)
    • ๐Ÿ‘ CMake: Add Valgrind support (#6834)
    • ๐Ÿ— CMake: Add an option to disable building AWS tables and library (#6831)
    • ๐Ÿ— CMake: Add an option to disable building libdpkg tables and library (#6848)
    • CMake: Detect missing headers during include namespace generation (#6855)
    • CMake: Do not attempt to dllimport Thrift symbols (#6856)
    • ๐Ÿ CMake: Do not compile Windows libraries with debug symbols (#6833)
    • CMake: Explicitly set the MSVC runtime library (#6818)
    • CMake: Fix amalgamated tables generation on change (#6832)
    • CMake: Fix platformtablecontaineripc include namespace generation (#6853)
    • CMake: Further fix amalgamation file gen on change (#6854)
    • ๐Ÿ”จ CMake: Refactor and rename fuzzers build flag (#6829)
    • ๐Ÿ”ง CMake: Significantly speed up configuration phase (#6914)
    • ๐ŸŽ CMake: Use make jobserver for OpenSSL on Linux and macOS (#6821)
    • ๐ŸŽ CPack: Remove extraneous lenses directory for augues on macOS (#6998)
    • ๐Ÿ”„ Change libdpkg submodule url to our own GitHub mirror (#6903)
    • ๐Ÿ Disable incremental linking to reduce build size on Windows (#6898)
    • โฑ GitHub Actions: Fix .deb artifacts, add scheduled builds (#6920)
    • โœ‚ Remove hash and yara table from fuzz harnesses (#6972)
    • libraries: Reduce the compilation units from libarchive (#6886)
    • ๐Ÿšš libraries: Remove the last usage of sqlite3 from sleuthkit (#6858)
    • libraries: Rename yara str functions to avoid symbol collisions (#6917)
    • โšก๏ธ libraries: Update librpm to version 4.16.1.2 (#6850)
    • โšก๏ธ libraries: Update openssl to version 1.1.1i (#6820)
    • โšก๏ธ libraries: Update thrift to version 0.13.0 (#6822)

    Hardening

    • โšก๏ธ Update CODEOWNERS to reflect existing teams (#6955, #6975)
    • ๐Ÿ Restrict access to Thrift server pipe on Windows (#6875)
    • ๐Ÿ›  Fix a leak in libdpkg when querying the deb_packages table (#6892)
    • ๐Ÿ›  Fix UB and dangerous casting in the pubsub framework (#6881)
    • ๐Ÿ›  Fix heap-use-after-free in deregisterEventSubscriber (#6880)
    • ๐Ÿ”’ Thift patch to support security configuration (#6846)
    • ๐Ÿ‘Œ Improve config fuzzer dictionary creation script (#6860)
    • Avoid running queries for views when fuzzing (#6859)
    • ๐Ÿ‘Œ Improve fuzzing speed and stack trace accuracy (#6851)