OSQuery v5.3.0 Release Notes
-
osquery 5.3.0 brings several table improvements and bugfixes. Also worth mentioning are the deprecation of the `smart_drive_info` table and the new warning emitted when a CLI-only flag is incorrectly set via the config file. In the next release, CLI-only flags will no longer be configurable through the config file or a config refresh. This release represents commits from 15 contributors! Thank you all.
Deprecation Notices
New Features
- Add the option `tls_disable_status_log` to prevent status logs from being sent via TLS #7550
- Add SQLite function `in_cidr_block` to check if IPv4/v6 addresses are within the supplied CIDR block #7563
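The new `in_cidr_block` function in a defender-style osquery query, added here as an example and not taken from the release notes: it lists processes holding IPv4 sockets to peers outside the private and loopback ranges, a common starting point for egress review. The argument order (CIDR block first, then the address) and the `process_open_sockets`/`processes` columns used are assumptions.

```sql
-- Added example, not part of the osquery 5.3.0 release notes.
-- Assumption: in_cidr_block(cidr_block, address) returns 1 when the
-- address lies inside the block, so NOT in_cidr_block(...) keeps
-- only addresses outside it.
SELECT p.pid,
       p.name,
       p.path,
       s.remote_address,
       s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
WHERE s.remote_address != ''                       -- skip listening sockets
  AND s.family = 2                                 -- AF_INET; v6 needs its own blocks
  AND NOT in_cidr_block('10.0.0.0/8',     s.remote_address)
  AND NOT in_cidr_block('172.16.0.0/12',  s.remote_address)
  AND NOT in_cidr_block('192.168.0.0/16', s.remote_address)
  AND NOT in_cidr_block('127.0.0.0/8',    s.remote_address);
```

Because the function works on IPv6 as well, the same pattern applies with blocks such as `fc00::/7` and `::1/128` once `s.family` is widened to include AF_INET6.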
Table Changes
- Add the `admindir` column to the `deb_packages` table to parse package databases on different paths #7549
- Implement and fix `wifi_networks` on macOS Big Sur and newer #7503
- Add windows/darwin support to `npm_packages` #7536
- Move `apt_sources` and `yum_sources` tables to linux only #7537
- Add homebrew paths to the `python_packages` table #7535
- Mark `wall_time` column in `osquery_schedule` as hidden #7501
- Add new metrics and improve description of existing ones in `osquery_schedule` #7438
- Add the `mirrorlist` column in the table `yum_sources` #7479
- Implement `output_size` for `osquery_schedule` #7436
- `deb_packages` table: Use additional instead of index for the `admindir` column #7573
- `certificates` table: Add Linux support #7570
- Add `translated` column to `processes` table to indicate whether the process is running under Apple Rosetta #7507
- Add the "internet password" type to the macOS `keychain_items` table #7576
- Add `original filename` column to `file` table on Windows #7156
Bug Fixes
- Fix watchdog not killing unhealthy worker/extension fast enough #7474
- Fix the `test_http_server.py` `--persist` option #7497
- Update `profile.py --leaks` for python3 #7534
- Fix osquery TLS connections to AWS Kinesis when `tls_server_certs` is set #7450
- Fix parsing issue when a backslash is the last character on a sudoers file line #7440
- Change the JSON of the results coming from an event scheduled query to an array #7434
- Fix globToRegex truncating UTF16 characters #7430
- Prevent hanging when the WMI server does not respond #7429
- Fix `python_packages` table so that it lists python packages from any user Python installations #7414
- Set string size limit on thrift protocol factory to prevent a crash #7484
- Fix driver image path in `drivers` table #7444
- Do not remove nonblocking flag when reading "special" files, to prevent hangs #7530
- Fix crash due to interaction between distributed and config plugin #7504
- bpf: Disable the BPF publisher in case of error #7500
- Warn about setting CLI_FLAGs in the config #7583
- Explicitly set context for the tables reading utmpx databases #7578
- bpf: Improve socket event handling #7446
- certificates: Refactor the OpenSSL utilities #7581
- Fix shared_resources accessing uninitialized variables #7600
Under the Hood improvements
- Implement a performant cache for users and groups on Windows #7516
- Replace WmiRequest constructor with static factory method to improve error handling and prevent crashes #7489
- Remove redundant string conversion #7603
Build
- Fix DebPackages.test_sanity test when the `size` column is empty #7569
- libs: Update libdpkg from version v1.19.0.5 to v1.21.7 #7549
- CI: Restore some release checks #7558
- Prevent ebpfpub linking against the system zlib #7557
- Fix mdfind.test_sanity flaky behavior #7533
- Enable fuzzing and Asan on Windows, enable Asan on macOS #7470
- Update cppcheck to version 2.6.3 and skip analysis for third party code #7455
- Change `cpu_info` test to expect at least one socket, not just one #7490
- Fix third party libraries flags leaking to osquery targets #7480
- Add third party libraries target #7467
- Do not run clang-tidy on third party libraries #7432
- CI: Create github workflow target to gate mergeability #7427
- Fix some warnings about unrecognized special characters in the Windows event log test #7478
- Change where the macOS Info.plist is generated #7566
- Add OSQUERY_ENABLE_THREAD_SANITIZER to optionally enable TSan #6997
- Add an option to specify a path to the openssl archive #7559
- packs: Update reverse shell query pack to check for a valid remote_port #7567
- Remove the test_daemon_sighup test #7584
- Fix release tests for Linux aarch64 #7572
Documentation
- docs: remove FreeBSD #7508
- Pin Jinja2 ReadTheDocs dependency to 3.0.3 #7533
- CHANGELOG 5.2.3 #7571
- CHANGELOG 5.2.2 #7447
- Bump mkdocs from 1.1.2 to 1.2.3 in /docs #7457
- Replace OS X with macOS in table specs #7587
- Update `osquery.example.conf` to omit the CLI only flags #7595
- Update documentation about users and groups service flags (#7596)
- Update the TSC members (#7543)