osquery v5.0.1 Release Notes

  • Git Commits

    Representing commits from 21 contributors! Thank you all.

    🚀 osquery 5.0 is a tremendously exciting release!

    • 🍎 We now install into /opt/osquery on macOS and Linux for better portability.
    • 🍎 Our default and recommended installation for macOS uses an application bundle to support entitlement-based features.
    • 🔒 We now use Endpoint Security APIs for various event-based tables on macOS (more to come in the future!)
    • 🍎 We now use an osquery-organization macOS code signing certificate.

    There are several breaking changes:

    • 🍎 Installation paths have changed from /usr/local to /opt/osquery on macOS and Linux (symlinks to the executables are provided).
    • 🍎 macOS code signing is now done through the osquery Foundation account.
    • ⚡️ If you grant osquery Full Disk Access on macOS through a configuration profile, you will need to update it: the app bundle and the new signing certificate change what the profile has to match. See the documentation.
    • 🔧 We removed the deprecated blacklist key from the configuration (#7153)
    • Search semantics of the augeas table have changed to be more performant; this breaks existing queries against the table.

    Table Changes

    • ➕ Add secureboot table for Linux and Windows (#7202)
    • ➕ Add tpm_info for Windows (#7107)
    • 🏗 Fix osquery_info build_platform column value on Linux (#7254)
    • Support pid_with_namespace in more tables (#7132)
    • ⚡️ Update augeas table to use native pattern matching (BREAKING) (#6982)
    • ⚡️ Update chrome_extensions to include Edge & EdgeBeta (#7170)
    • ⚡️ Update disk_encryption table to support QueryContext (#7209)
    • ⚡️ Update last to include utmp type name column (#7201)
    • ⚡️ Update sudoers table to support newer include syntax (#7185)
    • Update user_ssh_keys to detect encryption of ed25519 keys (#7168)
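    The user_ssh_keys change above matters because ed25519 keys are only ever written in the "openssh-key-v1" container, where encryption is not signalled by a PEM "Proc-Type" header but by the ciphername field inside the base64 body. The following is an added example (not osquery's implementation) of the check a table like this has to do: it parses the container header for ed25519-style keys, falls back to the Proc-Type marker for legacy PEM keys, and treats PKCS#8 "ENCRYPTED PRIVATE KEY" blocks as encrypted. The sample keys are constructed in the block (header fields are real, the payload is a placeholder); names such as is_encrypted and openssh_key_cipher are the example's own.

```python
"""Detect whether an OpenSSH private key file is passphrase-protected.

Added example, not osquery code. Formats handled:
  * "openssh-key-v1" container (ed25519 keys always use it): after the magic
    string come two SSH wire strings, ciphername and kdfname; ciphername is
    "none" for a plaintext key and e.g. "aes256-ctr" for an encrypted one.
  * legacy PEM keys (RSA/DSA/EC written with -m PEM): encryption is marked by
    a "Proc-Type: 4,ENCRYPTED" header line.
  * PKCS#8 "ENCRYPTED PRIVATE KEY" blocks, which are encrypted by definition.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(blob: bytes, offset: int):
    """Read an SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    return blob[start:end], end


def openssh_key_cipher(pem: str) -> str:
    """Return the ciphername of an openssh-key-v1 container ("none" if plaintext)."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != OPENSSH_BEGIN or lines[-1] != OPENSSH_END:
        raise ValueError("not an OPENSSH PRIVATE KEY block")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, offset = _read_string(blob, len(OPENSSH_MAGIC))
    kdf, _ = _read_string(blob, offset)
    # A plaintext key has both fields set to "none"; anything else is a
    # malformed file and should not be reported as unprotected.
    if (cipher == b"none") != (kdf == b"none"):
        raise ValueError("inconsistent cipher/kdf fields")
    return cipher.decode("ascii")


def is_encrypted(pem: str) -> bool:
    """True if the private key in `pem` needs a passphrase to be used."""
    text = pem.strip()
    if text.startswith(OPENSSH_BEGIN):
        return openssh_key_cipher(text) != "none"
    if text.startswith("-----BEGIN ENCRYPTED PRIVATE KEY-----"):
        return True
    # Legacy PEM: the marker lives in the header lines before the base64 body.
    return "Proc-Type: 4,ENCRYPTED" in text


# --- constructed sample inputs (not real keys) ------------------------------
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _fake_openssh_key(cipher: bytes, kdf: bytes, kdfopts: bytes) -> str:
    """Build a container with real header fields and a placeholder payload."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1) + b"\x00" * 64)
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{body}\n{OPENSSH_END}\n"


PLAINTEXT_ED25519 = _fake_openssh_key(b"none", b"none", b"")
ENCRYPTED_ED25519 = _fake_openssh_key(b"aes256-ctr", b"bcrypt", b"\x00" * 20)
LEGACY_ENCRYPTED_RSA = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, key in [("plaintext ed25519", PLAINTEXT_ED25519),
                      ("encrypted ed25519", ENCRYPTED_ED25519),
                      ("legacy encrypted RSA", LEGACY_ENCRYPTED_RSA)]:
        print(f"{name}: encrypted={is_encrypted(key)}")
```

    The point of the container parse is that a Proc-Type grep, which is what older detection logic relied on, never fires for ed25519 keys, so every such key was reported as unencrypted regardless of whether it had a passphrase.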

    Under the Hood Improvements

    • ➕ Add ruby namespace to the thrift definition (#7191)
    • 🍎 Always initialize variable change in PerformanceChange (#7176)
    • ✂ Remove deprecated blacklist key (#7153)
    • 🏁 Use total_size within watchdog on Windows (#7157)
    • 👌 Support AF_PACKET sockets reporting on Linux (#7282)
    • 🐧 socket_events improvements in Linux audit system (#7269)

    ๐Ÿ› Bug Fixes

    • โž• Add case sensitive pragma to the pragma/actions authorizer allow list (#7267)
    • โž• Add feature to skip denylist for event-based queries (#7158)
    • ๐Ÿ”„ Change logger_mode flag to be correctly interpreted as an octal (#7273)
    • Do not let osquery create multiple copies of the extension running at once (#7178)
    • ๐Ÿ›  Fix Linux audit rule removal upon osquery exit (#7221)
    • ๐Ÿ›  Fix broadcasting empty logs to logger plugins (#7183)
    • ๐Ÿ›  Fix issues applying ACLs during chocolatey deployment (#7166)
    • ๐Ÿ›  Fix memory issue in Windows fileops (#7179)
    • Fix process_open_sockets type error on darwin (#6546)
    • ๐Ÿšš Make sure that the file action MOVED_TO is tracked with yara events. (#7203)
    • Prevent osquery from killing itself when the --force flag is used (#7295)
    • ๐Ÿ‘ท Prevent race condition between shutdown and worker or extension launch (#7204)
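    The logger_mode fix (#7273) is worth checking on your own deployments, because a mode string read in the wrong base does not fail loudly; it silently produces different permission bits on the log files. The following added example (not osquery code) renders what --logger_mode=0640 turns into under decimal and under octal interpretation; the parse_mode and explain helpers are the example's own.

```python
"""Why a permission flag must be parsed as octal.

Added example, not osquery code. An operator passes --logger_mode=0640 and
expects rw-r-----. Read as decimal, 640 == 0o1200: a sticky-bit file that not
even its owner can read. Other values can go the other way and grant bits the
operator never asked for, so the base matters in both directions.
"""
import stat


def parse_mode(value: str, base: int = 8) -> int:
    """Parse a file mode string. base=8 is the fixed behaviour; base=10
    reproduces the pre-#7273 bug. Anything outside the 12 mode bits is rejected."""
    mode = int(value, base)
    if not 0 <= mode <= 0o7777:
        raise ValueError(f"{value!r} is not a valid file mode")
    return mode


def symbolic(mode: int) -> str:
    """Render mode bits the way `ls -l` does, e.g. 0o640 -> '-rw-r-----'."""
    return stat.filemode(stat.S_IFREG | mode)


def explain(value: str) -> dict:
    """Compare the two interpretations of one flag value."""
    buggy = parse_mode(value, 10)
    fixed = parse_mode(value, 8)
    return {
        "as_decimal": symbolic(buggy),
        "as_octal": symbolic(fixed),
        "decimal_world_readable": bool(buggy & stat.S_IROTH),
        "octal_world_readable": bool(fixed & stat.S_IROTH),
    }


if __name__ == "__main__":
    for flag in ("0640", "0644", "0600"):
        print(flag, explain(flag))
```

    Running it shows "0640" becoming --w------T under the old decimal parse and "0644" becoming --w----r-T, world-readable with the owner unable to read; the octal parse gives -rw-r----- and -rw-r--r-- as intended.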

    📚 Documentation

    • ➕ Add a security assurance case (#7048)
    • Bring the YARA wiki page up to date (#7172)
    • 🛠 Spelling fixes (#7211, #7186)
    • ⚡️ Update uptime table description (#7270)
    • 📚 Update osquery installed artifacts paths in the documentation (#7286)

    ๐Ÿ— Build

    • โž• Add TimeoutStopSec to systemd service files (#7190)
    • ๐ŸŽ Correct macOS installed app bundle path in osqueryctl and doc (#7289)
    • ๐ŸŽ Create an macOS app bundle (#7263)
    • ๐Ÿ›  Fix choco packaging not failing when an error occurs during install or upgrade (#7182)
    • ๐Ÿ›  Fix path in macOS launchd plist (#7288)
    • ๐Ÿ“Œ Pin the packaging repo within GitHub workflows (#7208, #7255, #7279)
    • ๐Ÿš€ Update Windows deployment icon to png (#7163)
    • โšก๏ธ Update install paths, and remove deprecated Facebook naming (#7210)
    • โšก๏ธ Update macOS build to include app bundle related files (#7184)
    • โšก๏ธ Update osquery installed artifacts default paths in code (#7285)
    • โšก๏ธ Update the installation path on Linux (#7271)
    • libs: Add options to AWS Optionally enable debug option and restrict content-type header size for PUT req (#7216)
    • ๐ŸŽ libs: Enable and compile the YARA macho module on macOS (#7174)
    • โšก๏ธ libs: Update OpenSSL to version 1.1.1l (#7293)
    • โšก๏ธ libs: Update Strawberry Perl to 5.32.1.1, use HTTPS downloads (#7199)
    • โšก๏ธ libs: Update ebpfpub (#7173, #7219)