OSQuery v4.7.0 Release Notes
Commits from 21 contributors! Thank you all!
New Features
- Add `concat` and `concat_ws` SQL functions (#6927)
- Update the scheduler to log the query name at info level (#6934)
- Add support for SQLite RPM databases (#6939)
Table Changes
- Add `computer` column to Windows Eventlogs (#6952)
- Add `docker_image_history` table (#6884)
- Add `filevault_status` column to `disk_encryption` table (#6823)
- Add `location_services` table on macOS (#6826)
- Add `shellbags` table (#6949)
- Add `system_extensions` table on macOS (#6863)
- Add `systemd_units` table (#6593)
- Add `ycloud_instance_metadata` table (#6961)
- Fix loading of YARA rules on Windows (#6893)
- Fix macOS OpenDirectory attribute mismatch (#6816)
- Update `augeas` table not to autoload system lenses (#6980)
- Update `chrome_extensions` table: more browser support and tests (#6780)
- Update `office_mru` table to correct platforms (#6827)
- Update AWS tables to include macOS (#6817)
Under the Hood improvements
- Remove Azure Pipelines (#6953)
- Disable deprecated TLS versions 1.0 and 1.1 (#6910)
- Use librpm bdb_ro backend and remove bdb (#6931)
- bpf: Improve execve/execveat tracing, add AArch64 build support (#6802)
- Use a distinct carver `request_id` and add this to the schema (#6959)
- Initialize TLSLogForwarder before enrollment check (#6958)
- Put noisy Thrift logs behind a flag (#6951)
- Fix bug in Windows Thrift that caused the named pipe to close (#6937)
- Remove unused/experimental ebpf code (#6879)
- Remove unused ev2 code (#6878)
- Refactor the eventing framework to reduce disk IO and improve performance (#6610)
Bug Fixes
- Add `journal_mode` to the sqlite authorizer PRAGMAs (#6999)
- Add `table_info` to the sqlite authorizer PRAGMAs (#6814)
- Always use BIGINT macro for `long long` data (#6986)
- Copy JSON objects to avoid MemoryPool buildup (#6957)
- Do not report unconfigured subscribers as errors (#6847)
- Do not ignore mountpoints that have the same mount path (#6871)
- Do not start scheduler when shutting down (#6960)
- Don't mark scope and key columns as index in `selinux_settings` table (#6872)
- Fix `augeas` table output bug for non-path entries (#6981)
- Fix `pids` column in `docker_container_stats` table (#6965)
- Fix additional relative path check in YARA for Windows (#6894)
- Fix config validation OOM with duplicated keys (#6876)
- Fix data type macro used for 64-bit timestamp variables (#6897)
- Fix error in `process_open_files`: inode needs stoul, not stoi (#6983)
- Fix leaks when a query fails from the shell (#6849)
- Fix memory leak regression with Windows SIDs API (#6984)
- Make Group ID columns consistent across Windows tables (#6987)
- When iterating /proc, use individual try/catch to catch partial failures (#6933)
- augeas: Clear aug pointer on error (#6973)
Documentation
- Add 4.6.0 CHANGELOG (#6809)
- Add 4.7.0 CHANGELOG (#6985)
- Add docs for TLS enroll max attempts (#6888)
- Change reference about Azure Pipelines to GitHub Actions (#6988)
- Clarify FIM exclude category documentation (#6966)
- Document retrieval of available tables/columns via SQL (#6812)
- Fix GitHub Actions status badge in the README (#6908)
- Fix all broken or redirected URLs and references (#6835)
- Fix broken URL in docs (#6882)
- Fix incorrect Slack URLs (#6844)
- Fix packs discovery queries documentation (#6946)
- Fix reference to a PowerShell script on Windows (#6936)
- Fix typos in source code (#6901)
- Improve explanations of event control flags (#6954)
- Spellcheck and Markdown edits (#6899)
- Update README to include release process comment (#6877)
- Update documentation about denylist schedule key (#6922)
- Update macOS OpenBSM configuration (#6916)
- Update the Linux install steps and package listing (#6956)
- Update the info about osquery's TLS version support (#6963)
Build
- CI: Add a RelWithDebInfo Linux job to generate packages (#6838)
- CI: Add support for GitHub Actions (#6885)
- CI: Add unit tests for RPM DB querying (#6919)
- CI: Fix ExtendedAttributesTableTests failing due to an unexpected attribute (#6942)
- CI: Fix StartupItemTest failing due to unexpected values (#6940)
- CI: Fix SystemControlsTest by adding sunrpc as an expected subsystem (#6932)
- CI: Fix XattrTests failing due to unexpected attribute name (#6941)
- CI: Fix an incorrect check in StartupItems test (#6950)
- CI: Fix wifi_tests on macOS 10.15 and above (#6724)
- CI: Move cppcheck step after the tests (#6845)
- CI: Permit running formatting earlier in the CI (#6836)
- CI: Remove incorrect 2to3 symlink breaking Python brew upgrade (#6819)
- CI: Remove unused empty test file (#6918)
- CI: Remove unused tests for RocksDB and in-memory db plugins (#6900)
- CI: Update Xcode to 12.3 and update min macOS version to 10.12 (#6896, #6913)
- CI: Update macOS agent to 10.15 Catalina (#6680)
- CMake: Add -pthread compile option on POSIX platforms (#6909)
- CMake: Add Valgrind support (#6834)
- CMake: Add an option to disable building AWS tables and library (#6831)
- CMake: Add an option to disable building libdpkg tables and library (#6848)
- CMake: Detect missing headers during include namespace generation (#6855)
- CMake: Do not attempt to dllimport Thrift symbols (#6856)
- CMake: Do not compile Windows libraries with debug symbols (#6833)
- CMake: Explicitly set the MSVC runtime library (#6818)
- CMake: Fix amalgamated tables generation on change (#6832)
- CMake: Fix platformtablecontaineripc include namespace generation (#6853)
- CMake: Further fix amalgamation file gen on change (#6854)
- CMake: Refactor and rename fuzzers build flag (#6829)
- CMake: Significantly speed up configuration phase (#6914)
- CMake: Use make jobserver for OpenSSL on Linux and macOS (#6821)
- CPack: Remove extraneous lenses directory for augeas on macOS (#6998)
- Change libdpkg submodule URL to our own GitHub mirror (#6903)
- Disable incremental linking to reduce build size on Windows (#6898)
- GitHub Actions: Fix .deb artifacts, add scheduled builds (#6920)
- Remove `hash` and `yara` tables from fuzz harnesses (#6972)
- libraries: Reduce the compilation units from libarchive (#6886)
- libraries: Remove the last usage of sqlite3 from sleuthkit (#6858)
- libraries: Rename YARA str functions to avoid symbol collisions (#6917)
- libraries: Update librpm to version 4.16.1.2 (#6850)
- libraries: Update OpenSSL to version 1.1.1i (#6820)
- libraries: Update Thrift to version 0.13.0 (#6822)
Hardening
- Update CODEOWNERS to reflect existing teams (#6955, #6975)
- Restrict access to Thrift server pipe on Windows (#6875)
- Fix a leak in libdpkg when querying the `deb_packages` table (#6892)
- Fix UB and dangerous casting in the pubsub framework (#6881)
- Fix heap-use-after-free in deregisterEventSubscriber (#6880)
- Thrift patch to support security configuration (#6846)
- Improve config fuzzer dictionary creation script (#6860)
- Avoid running queries for views when fuzzing (#6859)
- Improve fuzzing speed and stack trace accuracy (#6851)
- Add