OSQuery v4.7.0 Release Notes

  • Git Commits

    Commits from 21 contributors! Thank you all!

    🆕 New Features

    • ➕ Add concat and concat_ws SQL functions (#6927)
    • ⚡️ Update the scheduler to log the query name at info level (#6934)
    • ➕ Add support for SQLite RPM databases (#6939)

    Table Changes

    • ➕ Add computer column to Windows Eventlogs (#6952)
    • Add docker_image_history table (#6884)
    • Add filevault_status column to disk_encryption table (#6823)
    • ➕ Add location_services table on macOS (#6826)
    • ➕ Add shellbags table (#6949)
    • ➕ Add system_extensions table on macOS (#6863)
    • ➕ Add systemd_units table (#6593)
    • Add ycloud_instance_metadata table (#6961)
    • 🛠 Fix loading of YARA rules on Windows (#6893)
    • 🛠 Fix macOS OpenDirectory attribute mismatch (#6816)
    • ⚡️ Update augeas table not to autoload system lenses (#6980)
    • ⚡️ Update chrome_extensions table -- more browser support and tests (#6780)
    • ⚡️ Update office_mru table to correct platforms (#6827)
    • ⚡️ Update aws table to include macOS (#6817)

    Under the Hood improvements

    • ✂ Remove Azure Pipelines (#6953)
    • 🗄 Disable deprecated TLS versions 1.0, 1.1 (#6910)
    • 🚚 Use librpm bdb_ro backend and remove bdb (#6931)
    • 🏗 bpf: Improve execve/execveat tracing, add AArch64 build support (#6802)
    • 👉 Use a distinct carver request_id and add this to the schema (#6959)
    • 🎉 Initialize TLSLogForwarder before enrollment check (#6958)
    • 🔊 Put noisy thrift logs behind a flag (#6951)
    • 🛠 Fix bug in Windows thrift causing named pipe closing (#6937)
    • ✂ Remove unused/experimental ebpf code (#6879)
    • ✂ Remove unused ev2 code (#6878)
    • 🍎 Refactor the eventing framework to reduce disk IO and improve performance (#6610)

    ๐Ÿ› Bug Fixes

    • โž• Add journal_mode to the sqlite authorizer PRAGMAs (#6999)
    • โž• Add table_info to the sqlite authorizer PRAGMAs (#6814)
    • Always use BIGINT macro for long long data (#6986)
    • ๐Ÿ— Copy JSON objects to avoid MemoryPool buildup (#6957)
    • Do not call unconfigured subscribers errors (#6847)
    • Do not ignore mountpoints that have the same mount path (#6871)
    • โฑ Do not start scheduler when shutting down (#6960)
    • ๐Ÿง Don't mark scope and key columns as index in selinux_settings table (#6872)
    • ๐Ÿ›  Fix augeas table output bug for non-path entries (#6981)
    • Fix pids column in docker_container_stats table (#6965)
    • ๐Ÿ›  Fix additional relative path check in Yara for Windows (#6894)
    • ๐Ÿ›  Fix config validation oom with duplicated keys (#6876)
    • ๐Ÿ›  Fix data type macro used for 64-bit timestamp variables (#6897)
    • Fix error in process_open_files inode need stoul, not stoi (#6983)
    • ๐Ÿ›  Fix leaks when a query fails from the shell (#6849)
    • ๐Ÿ›  Fix mem leak regression with Windows sids API (#6984)
    • ๐Ÿ Make Group ID columns consistent across Windows tables (#6987)
    • When iterating /proc, use individual try/catch so catch partial failures (#6933)
    • augeas: Clear aug pointer on error (#6973)

    📚 Documentation

    • ➕ Add 4.6.0 CHANGELOG (#6809)
    • ➕ Add 4.7.0 CHANGELOG (#6985)
    • ➕ Add docs for TLS enroll max attempts (#6888)
    • 🔄 Change reference about Azure Pipelines to GitHub Actions (#6988)
    • 📚 Clarify FIM exclude category documentation (#6966)
    • Document retrieval of available tables/columns via SQL (#6812)
    • 🛠 Fix GitHub Actions status badge in the README (#6908)
    • 🛠 Fix all broken or redirected URLs and references (#6835)
    • 🛠 Fix broken URL in docs (#6882)
    • 🛠 Fix incorrect Slack URLs (#6844)
    • 🛠 Fix packs discovery queries documentation (#6946)
    • 🛠 Fix reference to a PowerShell script on Windows (#6936)
    • 🛠 Fix typos in source code (#6901)
    • 👌 Improve explanations of event control flags (#6954)
    • Spellcheck and Markdown edits (#6899)
    • 🚀 Update README to include release process comment (#6877)
    • 📚 Update documentation about denylist schedule key (#6922)
    • ⚡️ Update macOS OpenBSM configuration (#6916)
    • ⚡️ Update the Linux install steps and package listing (#6956)
    • ⚡️ Update the info about osquery's TLS version support (#6963)

    ๐Ÿ— Build

    • ๐Ÿง CI: Add a RelWithDebInfo Linux job to generate packages (#6838)
    • ๐Ÿ‘ CI: Add support for GitHub Actions (#6885)
    • โœ… CI: Add unit tests for RPM DB querying (#6919)
    • โœ… CI: Fix ExtendedAttributesTableTests failing due to an unexpected attribute (#6942)
    • โœ… CI: Fix StartupItemTest failing due to unexpected values (#6940)
    • โœ… CI: Fix SystemControlsTest adding sunrpc as an expected subsystem (#6932)
    • โœ… CI: Fix XattrTests failing due to unexpected attribute name (#6941)
    • โœ… CI: Fix an incorrect check in StartupItems test (#6950)
    • ๐ŸŽ CI: Fix wifi_tests on macOS 10.15 and above (#6724)
    • ๐Ÿšš CI: Move cppcheck step after the tests (#6845)
    • ๐Ÿ‘ท CI: Permit running formatting earlier in the CI (#6836)
    • โฌ†๏ธ CI: Remove incorrect 2to3 symlink breaking Python brew upgrade (#6819)
    • ๐Ÿšš CI: Remove unused empty test file (#6918)
    • ๐Ÿšš CI: Remove unused tests for Rocksdb and Inmemory db plugins (#6900)
    • โšก๏ธ CI: Update XCode to 12.3 and Update min macOS version to 10.12 (#6896, #6913)
    • โšก๏ธ CI: Update macOS agent to 10.15 Catalina (#6680)
    • CMake: Add -pthread compile option on posix platforms (#6909)
    • ๐Ÿ‘ CMake: Add Valgrind support (#6834)
    • ๐Ÿ— CMake: Add an option to disable building AWS tables and library (#6831)
    • ๐Ÿ— CMake: Add an option to disable building libdpkg tables and library (#6848)
    • CMake: Detect missing headers during include namespace generation (#6855)
    • CMake: Do not attempt to dllimport Thrift symbols (#6856)
    • ๐Ÿ CMake: Do not compile Windows libraries with debug symbols (#6833)
    • CMake: Explicitly set the MSVC runtime library (#6818)
    • CMake: Fix amalgamated tables generation on change (#6832)
    • CMake: Fix platformtablecontaineripc include namespace generation (#6853)
    • CMake: Further fix amalgamation file gen on change (#6854)
    • ๐Ÿ”จ CMake: Refactor and rename fuzzers build flag (#6829)
    • ๐Ÿ”ง CMake: Significantly speed up configuration phase (#6914)
    • ๐ŸŽ CMake: Use make jobserver for OpenSSL on Linux and macOS (#6821)
    • ๐ŸŽ CPack: Remove extraneous lenses directory for augues on macOS (#6998)
    • ๐Ÿ”„ Change libdpkg submodule url to our own GitHub mirror (#6903)
    • ๐Ÿ Disable incremental linking to reduce build size on Windows (#6898)
    • โฑ GitHub Actions: Fix .deb artifacts, add scheduled builds (#6920)
    • โœ‚ Remove hash and yara table from fuzz harnesses (#6972)
    • libraries: Reduce the compilation units from libarchive (#6886)
    • ๐Ÿšš libraries: Remove the last usage of sqlite3 from sleuthkit (#6858)
    • libraries: Rename yara str functions to avoid symbol collisions (#6917)
    • โšก๏ธ libraries: Update librpm to version 4.16.1.2 (#6850)
    • โšก๏ธ libraries: Update openssl to version 1.1.1i (#6820)
    • โšก๏ธ libraries: Update thrift to version 0.13.0 (#6822)

    Hardening

    • ⚡️ Update CODEOWNERS to reflect existing teams (#6955, #6975)
    • 🏁 Restrict access to Thrift server pipe on Windows (#6875)
    • 🛠 Fix a leak in libdpkg when querying the deb_packages table (#6892)
    • 🛠 Fix UB and dangerous casting in the pubsub framework (#6881)
    • 🛠 Fix heap-use-after-free in deregisterEventSubscriber (#6880)
    • 🔒 Thrift patch to support security configuration (#6846)
    • 👌 Improve config fuzzer dictionary creation script (#6860)
    • Avoid running queries for views when fuzzing (#6859)
    • 👌 Improve fuzzing speed and stack trace accuracy (#6851)