Changelog History
v4.0.1 Changes
September 10, 2019

This release has two major focuses. It is the first release since osquery transitioned to a Linux Foundation project, and it features a heavily reworked build system that aims to provide flexibility and stability.
New Features / Under the Hood improvements
- Linux Audit `process_events`: implement support for fork/vfork/clone/execveat (#5701)
- New SQLite function `regex_match` to match across columns (#5444)
- LRU cache for syscall tracing (#5521)
- Basic tracing via eBPF on Linux (#5403, #5386, #5384)
- Experimental `kill` and `setuid` syscall tracing on Linux via eBPF (#5519)
- New eventing (ev2) framework (#5401)
- Improved table performance profiles (#5187)
- macOS query pack: detect SearchAwesome malware (#5713)
- macOS query pack: detect when a process is tapping keyboard events (#5345)
Build
- Refactor CMake build (#5604, #5627, #5630, #5618, #5619)
- Refactor third-party libraries to build from source on Linux (#5706)
- Add Azure Pipelines support for CI/CD (#5604, #5632, #5626, #5613, #5607, #5673, #5610)
- Add Buck as a build system (971bee44)
- Use `urllib2` to automatically handle HTTP 301/302 redirections (#5612)
- Update MSI package to install to `Program Files` on Windows (#5579)
- Linux custom toolchain integration (#5759)
Hardening
- Link binaries with Full RELRO on Linux (#5748)
- Remove FTS features from SQLite (#5703, #5702)
- Fix SQLite API usage errors (#5551)
- Fix issues reported by ASAN (#5665)
- Handle bad FDs in `md_tables` (#5553)
- Fix lock resource leak in events/syslog (#5552)
- Fix memory leak in macOS `keychain_items` and `extended_attributes` tables (#5550, #5538)
- Fix memory leak in `genLoggedInUsers` (Windows): update `WTSFreeMemoryEx` to `WTSFreeMemory` (#5642)
- Fix potential null dereferences in `smbios_tables` (#5332)
- Fix osquery exiting with wrong status (3824c2e6)
- Add additional `install` and `uninstall` flag incompatibility check (85eb77a0)
- Fix warning with constants initialisation in `magic` (2a624f2f)
- Fix sign compare warning in `file_compression` (b93069b3)
- Refactored `logical_drives` table on Windows (#5400)
- Refactored core/windows/wmi to use smart pointers (#5492)
- Fixed various potential crashes in the virtual table implementation (6ade85a5)
- Increase `MaxRecvRetries` for Thrift sockets (#5390)
Bug Fixes
- Fix the reading of the serial of a certificate (little-endian big int) (#5742)
- Fix bugs and update pathname variables in MSI package build script (#5733)
- Fix `registry` table exception closing an uninitialized key handle (#5718)
- Config views are now recreated on startup (#5732)
- Change MSI Service Error handling on Windows (#5467)
- Allow mounting SQLite DBs using WAL journaling with ATC (#5525, #5633)
- Fix `mount` table interacting with direct autofs (#5635)
- Fix HTTP Host header to include the port (#5576)
- Various fixes to the Windows `certificates` table and expansion to include Personal certificates (#5697, #5696, #5640, #5631)
- Add optimization back to macOS `users` and `groups` (#5684)
- Do not return a row for macOS `battery` if no data is present (#5650)
- Fix several integer conversions in `process_ops` (#5614)
- Include weekends on the `kernel_panics` table (#5298)
- Fix `key_strength` bug for Windows `certificates` table (#5304)
- The `interface` column of the `routes` table could be empty on Windows (bcf0ab8e)
- The `name` column of the `programs` table could be empty on Windows (7bceba4b)
- Fix `disable_watcher` flag (08dc11b7)
- Populate `path` column correctly in `firefox_addons` table (#5462)
- Fix numeric monitoring plugin not being registered (#5484)
- Fix wrong error code returned when querying the Windows registry (#5621)
- Fix `logical_drives` boot partition detection (#5477)
- Replace sync calls with async within the HTTP client implementation (#5606)
- Fix RocksDB crash related to `OptimizeForSmallDb` (a31d7582)
- Fix bug in table column data validator (e3037331)
- Fix random port problem (a32ed7c4)
- Refactor `battery` table and return information even if advanced information is missing (6a64e353)
Table Changes
- Added table `ibridge_info` on macOS (Notebooks only) (#5707)
- Added table `running_apps` on macOS (#5216)
- Added table `atom_packages` on macOS and Linux (6d159d40)
- Remove EC2 tables on Windows (#5657)
- Added column `win_timestamp` to `time` table on Windows (3bbe6c51)
- Added column `is_hidden` to `users` and `groups` tables on macOS (#5368)
- Added column `profile` to `chrome_extensions` table (#5213)
- Added column `epoch` to `rpm_packages` table on Linux (#5248)
- Added column `sid` to `logged_in_users` table on Windows (#5454)
- Added column `registry_hive` to `logged_in_users` table on Windows (#5454)
- Added column `sid` to `certificates` table on Windows (#5631)
- Added column `store_location` to `certificates` table on Windows (#5631)
- Added column `store` to `certificates` table on Windows (#5631)
- Added column `username` to `certificates` table on Windows (#5631)
- Added column `store_id` to `certificates` table on Windows (#5631)
- Added column `product_version` to `file` table on Windows (#5431)
- Added column `source` to `sudoers` table on POSIX systems (#5350)

v4.0.0 Changes
June 29, 2019

This is a pre-release for the new version of osquery, based on the refactor done by Facebook's team in London.

Changes between 3.4.0 and 4.0.0
This prerelease mostly introduces CMake support, CI and packaging. The following are the commits that are not related to the build system:
1. e6fe15e: macos: Add hack for boost asio string_view detection (#5592)
2. 597a0c6: buck: Remove quotes from project/buck_out config
3. 826723c: Fix boost asio string_view detection hack
4. ae25976: Fixing port logic (bugfix for a small compatibility issue between remote::http_client and certain HTTP proxies)

Full changelog:
git fetch --tags && git log 214302bdeb38fbdb606774ae9165dd633b908604..4.0.0

Build Requirements
- Linux: Ubuntu 18.04 or better
- macOS: Mojave
- Windows: Windows 10 or Windows Server 2016

v3.4.0 Changes
May 23, 2019
osquery 3.4.0 Release Notes

This tag is a Windows-only release containing various bug and vulnerability fixes, as well as numerous improvements to performance. The processes table has been rewritten to no longer make use of WMI, and various aspects of the Windows build system have been rewritten to make use of the new Buck build system. A critical deadlocking bug has been addressed in the thread management system, which allows osquery to make use of the TLS plugins without deadlocking on service restart.

Below are some of the highlights as they relate to the Windows release. This tag contains well over 250 commits, and there is considerably more content added than what is detailed below. Investigate the full commit history since the previous tag for greater detail on what has changed.

Security Vulnerabilities
- #5568 CVE-2019-3567 - osquery is now installed to Program Files to prevent a privilege escalation vulnerability
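The entry above records only that moving the install location closed a privilege escalation. The property the move provides is that the directory holding a binary executed by a SYSTEM service is not writable by ordinary users, which the default ACL on Program Files guarantees. The following PowerShell check is an added example, not osquery project code, for verifying that property on an installed host; it assumes the service is registered under the name `osqueryd` (the name the osquery MSI uses) and that the checked principals are the standard low-privilege groups.

```powershell
# Added example (not osquery project code): check that the osqueryd service binary
# and its install directory are not writable by low-privilege accounts.
# Assumption: the Windows service is registered as "osqueryd", the name the osquery MSI uses.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='osqueryd'"
if (-not $svc) { throw "osqueryd service not found" }

# PathName may be quoted and may carry arguments; keep only the executable path.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$dir = Split-Path -Parent $exe
Write-Host "osqueryd binary: $exe (service account: $($svc.StartName))"

# Principals that must not hold write rights on a path executed by a SYSTEM service.
# Assumption: these three groups are the relevant low-privilege principals on this host.
$lowPriv   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

$findings = foreach ($path in @($dir, $exe)) {
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Low-privilege principals can modify the osqueryd install location; the service binary could be replaced."
} else {
    Write-Host "OK: no low-privilege write access to $dir or $exe"
}
```

Run it from an elevated prompt after installing or upgrading the MSI. A clean result on a default Program Files install is expected; a finding means the host has a non-default ACL or a relocated install that reintroduces the writable-path condition the 3.4.0 change removes.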
Bug Fixes
- #5421 - addressing deadlock regression in Windows dispatcher threads
- #5304 - key_strength now correctly displays in certificates table

New Features
- #5431 - Add Windows product version information to file table
- #5400 - logical_drives table has been drastically refactored
- #5454 - sid and hive columns added to the logged_in_users table
- #5293 - Processes table now selectively generates columns, no longer uses WMI

v3.3.2
January 10, 2019

v3.3.1
September 19, 2018