OSQuery changelog

Changelog History

Page 1

• v5.5.1 Changes

  Git Commits

  ⚡️ Osquery 5.5.1 has some really exciting table updates! There is a much 🍎 anticipated unified_log for macOS, this table is the replacement for asl, and uses the current Apple APIs. Additionally, several tables 👍 have improved their cross-platform support.

  Representing commits from 14 contributors! Thank you all.

  🆕 New Features

  • ➕ Add denylist mechanism to distributed queries (#7675)

  Table Changes

  • ➕ Add cgroup_path column to processes table on Linux (#7728)
  • Add firmware_type column to platform_info table on Windows. (#7710)
  • ➕ Add unified_log table for macOS (UAL) (#7598, #7713)
  • 🏁 Port memory_devices table to Windows (#7633)
  • Port platform_info table to M1 Macs (#7660)
  • 🍎 Restore macOS kernel_panics table on modern macOS (#7585)
  • ⚡️ Update battery table on macOS m1 with correct raw battery max and current capacity (#7721)
  • ⚡️ Update mdfind query timeout to 30 seconds (#7725)
  • ⚡️ Update macos password_policy table to use use -1 as sentinel value for uid column (#7699)
  • ⚡️ Update parsing of authorized_keys file (#7560)
  • ⚡️ Update the registry table to be case insensitive for key (#7708)

  Under the Hood improvements

  • ➕ Add a mechanism to reduce memory retained on Linux (#7502)
  • ➕ Add denylist mechanism to distributed queries (#7675)
  • ➕ Add table spec support for COLLATE NOCASE (#7680)
  • 👌 Improve Pidfile handling (#7304)
  • Prevent the audit event system from using too much memory (#7329)
  • carves: use full pathnames while creating an archive (#7681)

  🐛 Bug Fixes

  • 🛠 Fix GetMemorySize for Windows memory_devices table (#7711)
  • 🛠 Fix tpm_info bug where values were out of date (#7686)
  • 🛠 Fix a crash when parsing ATC config with no columns (#7693)
  • 🛠 Fix bug in GetHomeDirectories filesystem function (#7705)

  📚 Documentation

  • ➕ Add core to the type column description of osquery_extensions schema (#7716)
  • ➕ Add documentation about 3rd-party dependency security (#7684)
  • ➕ Add example for hostname form in curl_certificate table (#7706)
  • ➕ Adds info on how to use GTEST_FILTER on windows (#7696)
  • 🔄 Changelog 5.4.0 (#7678)
  • Describe user-context-related caveat for screenlock table (#7649)
  • Update schema for process_open_sockets.state (#7733)
  • ⚡️ Update schema to reflect platform_info columns not available in Windows (#7732)

  🏗 Build

  • ➕ Add validation integration test for memory_devices (#7722)
  • ✅ Temporarily disable memory_devices integration test (#7717)
  • ⚡️ Update minimum macOS support from 10.12 to 10.14 (#7707)
  • ⚡️ ci: Update and temporarily disable the macOS Catalina test job (#7700)
  • 🐧 cmake: Prevent defining some Linux only targets on other platforms (#7672)
  • ⚡️ libs: Update libxml2 to v2.9.14 (#7729)
  • ⚡️ libs: Update sqlite to version 3.39.2 (#7736)
  • ✅ test: Fix Mdfind.test_sanity flakyness (#7701)

• v5.4.0 Changes

  Git Commits

  Representing commits from 15 contributors! Thank you all.

  🆕 New Features

  • 🖨 We're extending macOS Endpoint Security to include File Integrity monitoring. Check out the new es_process_file_events table. (#7579)
  • ➕ Add Docker build scripts and configuration (#7619)

  🗄 Deprecation Notices

  • Prevent CLI_FLAGs to be set via config (#7561)
  • ✂ Remove the lldp_neighbors table (#7664)

  Table Changes

  • 🖨 New Table: es_process_file_events for macOS Endpoint Security based FIM (#7579)
  • 🆕 New Table: password_policy table for macOS (#7594)
  • ⚡️ New Table: windows_update_history (#7407)
  • 🐧 Add memory_available to linux memory_info table (#7669)
  • 🐧 Port the cpu_info table to linux (#7499)
  • ✂ Remove the lldp_neighbors table (#7664)
  • ⚡️ Update deb_packages table to not sisplay arch info in the package name (#7638)
  • Update hardware_model in the system_info table on Apple M1 machines to report correctly (#7662)
  • Update shared_resources table to add type names, fix type/maximum_allowed handling (#7645)

  Under the Hood improvements

  • 🏁 Expand env vars before trying to enumerate crashes in windows_crashes table (#7391)
  • Implement a split and trim function using std::string_view (#7636)
  • 👌 Improve scheduled query denylisting and scheduler shutdown (#7492)
  • Prevent CLI_FLAGs to be set via config (#7561)
  • ✂ Remove unnecessary string copy (#7625)

  🐛 Bug Fixes

  • ➕ Add linwin to list of supported PLATFORM_DIRS (#7646)
  • 🛠 Fix AWS certificate verification failing on all services (#7652)
  • 🛠 Fix MBCS support on Windows (#7593)
  • 🛠 Fix local_timezone column in the time table on Windows (#7656)
  • 🛠 Fix system_info table to support unicode on Windows (#7626)
  • 🛠 Fix multiple Yara leaks (#7615)
  • Fix std::bad_alloc on pci_devices on Apple Silicon macs (#7648)
  • 🛠 Fix tables spec files to specify linux and not posix (#7644)
  • 🛠 Fix thrift server shutting down when dropping privileges (#7639)

  📚 Documentation

  • 🔄 CHANGELOG 5.3.0 (#7575)
  • 📚 Exclude spec/example.table when generating documentation (#7647)
  • 🛠 Fix a UUID typo in the disk_encryption table (#7608)
  • 🛠 Fix spelling of the word "owned" (#7630)
  • 🛠 Fix typo in FIM docs for Windows (#7676)
  • 🚀 Update the "new release" issue template (#7607)
  • 🔌 clarify browser_plugins table is referencing basically unsupported CNPAPI tech (#7651)

  🏗 Build

  • ➕ Add an option to build with the leak sanitizer (#7609)
  • 🛠 Fix check for PIE support (#7234)
  • ⏱ Fix SchedulerTests.test_scheduler_drift_accumulation flakyness (#7613)
  • 👌 Improve config parsing and osqueryfuzz-config performance (#7635)
  • 🎉 Initialize users and groups services on all tests that need them (#7620)
  • ⚡️ ci: Update osquery-packaging commit to the latest one (#7667)
  • cmake: Add an option to enable or disable using ccache (#7671)
  • ⚡️ libs: Update OpenSSL to version 1.1.1o (#7629)
  • ⚡️ libs: Update OpenSSL to version 1.1.1q (#7674)
  • ⚡️ libs: Update libarchive to version 3.6.1 (#7654)
  • ⚡️ libs: Update sqlite to version 3.38.5 (#7628)

• v5.3.0 Changes

  Git Commits

  🛠 osquery 5.3.0 brings several table improvements and bugfixes. Worth mentioning also the deprecation of the smart_drive_info table 🔧 and the new warning added when incorrectly configuring a CLI only flag 🚀 via the config file. In the next release CLI only flags will not be 🔧 configurable through the config file or refresh anymore.

  🚀 This release represents commits from 15 contributors! Thank you all.

  🗄 Deprecation Notices

  • Deprecate unmaintainable legacy table, smart_drive_info (#7464, #7542)

  🆕 New Features

  • Add the option tls_disable_status_log to prevent status logs from being sent via TLS #7550
  • Add SQLite function in_cidr_block to check if IPv4/v6 addresses are within the supplied CIDR block #7563

  Table Changes

  • ➕ Add the admindir column to the deb_packages table to parse package databases on different paths #7549
  • 🍎 Implement and fix wifi_networks on macOS Big Sur and newer #7503
  • ➕ Add windows/darwin support to npm_packages #7536
  • Move apt_sources and yum_sources tables to linux only #7537
  • ➕ Add homebrew paths to the python_packages table #7535
  • Mark wall_time column in osquery_schedule as hidden #7501
  • ➕ Add new metrics and improve description of existing ones in osquery_schedule #7438
  • ➕ Add the mirrorlist column in the table yum_sources #7479
  • Implement output_size for osquery_schedule #7436
  • 📦 deb_packages table: Use additional instead of index for the admindir column #7573
  • 🐧 certificates table: Add Linux support #7570
  • ➕ Add translated column to processes table to indicate whether the process is running under Apple Rosetta #7507
  • ➕ Add the "internet password" type to the macOS keychain_items table #7576
  • ➕ Add original filename column to file table on Windows #7156

  🐛 Bug Fixes

  • 🛠 Fix watchdog not killing unhealthy worker/extension fast enough #7474
  • Fix the test_http_server.py --persist option #7497
  • ⚡️ Updateprofile.py --leaks for python3 #7534
  • Fixes osquery tls connections to aws kinesis when tls_server_certs is set #7450
  • 🛠 Fix parsing issue when a backslash as the last character on sudoers file line #7440
  • 🔄 Change the JSON of the results coming from an event scheduled query to an array #7434
  • 🛠 Fix globToRegex truncating UTF16 characters #7430
  • Prevent hanging when the WMI server does not respond #7429
  • 🛠 Fix python_packages table so that it lists python packages from any user Python installations #7414
  • Set string size limit on thrift protocol factory to prevent a crash #7484
  • 🛠 Fix driver image path in drivers table #7444
  • 🚚 Do not remove nonblocking flag when reading "special" files, to prevent hangs #7530
  • 🛠 Fix crash due to interaction between distributed and config plugin #7504
  • bpf: Disable the BPF publisher in case of error #7500
  • Warn about setting CLI_FLAGs in the config #7583
  • Explicitly set context for the tables reading utmpx databases #7578
  • bpf: Improve socket event handling #7446
  • 🔨 certificates: Refactor the OpenSSL utilities #7581
  • 🛠 Fix shared_resources accessing uninitialized variables #7600

  Under the Hood improvements

  • 🏁 Implement a performant cache for users and groups on Windows #7516
  • Replace WmiRequest constructor with static factory method to improve error handling and prevent crashes #7489
  • ✂ Remove redundant string conversion #7603

  🏗 Build

  • 🛠 Fix DebPackages.test_sanity test when the size column is empty #7569
  • ⚡️ libs: Update libdpkg from version v1.19.0.5 to v1.21.7 #7549
  • 🚀 CI: Restore some release checks #7558
  • Prevent ebpfpub linking against the system zlib #7557
  • 🛠 Fix mdfind.test_sanity flaky behavior #7533
  • 🍎 Enable fuzzing and Asan on Windows, enable Asan on macOS #7470
  • ⚡️ Update cppcheck to version 2.6.3 and skip analysis for third party code #7455
  • ✅ Change cpu_info test to expect at least one socket, not just one #7490
  • 🛠 Fix third party libraries flags leaking to osquery targets #7480
  • ➕ Add third party libraries target #7467
  • Do not run clang-tidy on third party libraries #7432
  • 🔀 CI: Create github workflow target to gate mergeability #7427
  • 🛠 Fix some warnings about unrecognized special characters in the Windows event log test #7478
  • 🔄 Change where the macOS Info.plist is generated #7566
  • Add OSQUERY_ENABLE_THREAD_SANITIZER to optionally enable TSan #6997
  • ➕ Add an option to specify a path to the openssl archive #7559
  • ⚡️ packs: Update reverse shell query pack to check for a valid remote_port #7567
  • Remove the test_daemon_sighup test #7584
  • 🛠 Fix release tests for Linux aarch64 #7572

  📚 Documentation

  • 📄 docs: remove FreeBSD #7508
  • 📌 Pin Jinja2 ReadTheDocs dependency to 3.0.3 #7533
  • 🔄 CHANGELOG 5.2.3 #7571
  • 🔄 CHANGELOG 5.2.2 #7447
  • ⬆️ Bump mkdocs from 1.1.2 to 1.2.3 in /docs #7457
  • 🍎 Replace OS X with macOS in table specs #7587
  • ⚡️ Update osquery.example.conf to omit the CLI only flags #7595
  • 📚 Update documentation about users and groups service flags (#7596)
  • ⚡️ Update the TSC members (#7543)

• v5.2.3 Changes

  Git Commits

  ⚡️ Osquery 5.2.3 is a security update that focuses on updating some third-party libraries which contained CVEs that could affect osquery. ➕ Additionally some other third-party libraries and tables have been dropped, since they were not maintained or considered safe anymore.

  🗄 Deprecation Notices

  • ✂ Remove the shortcut_files table (#7547)
  • ✂ Remove the ssdeep library and remove its support in the hash table (#7525)
  • ✂ Remove the libelfin library and elf parsing tables (#7524)

  Hardening

  • ⚡️ libs: Update OpenSSL from version 1.1.1l to 1.1.1n (#7506)
  • ⚡️ libs: Update zlib from v1.2.11 to v1.2.12 (#7548)
  • ⚡️ Update librpm to 4.17.0 (#7529)
  • ⚡️ libs: Update expat from version 2.2.10 to 2.4.7 (#7526)

• v5.2.2 Changes

  Git Commits

  🍎 Osquery 5.2.2 brings native Apple Silicon (M1) support to the macOS ⚡️ platform. It also represents a comprehensive review and update of our 📄 third-party dependencies. To support this work, the developer docs ⚡️ have been updated, as have several parts of the build system

  🚀 This release represents commits from 24 contributors! Thank you all.

  🆕 New Features

  • 👍 Apple Silicon support (#7330)

  🗄 Deprecation Notices

  • 👀 The cpuid table is x86 only. See #7462
  • The smart_drive_info table has been deprecated, and is not included in the m1 builds. See #7464
  • 🏗 The lldp_neighbors table has been deprecated, and is not included in the m1 builds. See #7463

  Table Changes

  • ⚡️ Update time table to always reflect UTC values (#7276, #7460, #7437)
  • 🔒 Hide the deprecated antispyware column in windows_security_center (#7411)
  • Add windows_firewall_rules table for windows (#7403)

  🐛 Bug Fixes

  • ⚡️ Update the ATC table path column check to be case insensitive (#7442)
  • 🛠 Fix a crash introduced by 5.2.0 when Yara uses its own strutils functions (#7439)
  • Fix user_time and system_time unit in processes table on M1 (#7473)

  📚 Documentation

  • 🛠 Fix typos in documentation (#7443, #7412)
  • 🔄 CHANGELOG 5.1.0 (#7406)

  🏗 Build

  • ⚡️ Update sqlite to version 3.37.0 (#7426)
  • 🛠 Fix linking of thirdparty_sleuthkit (#7425)
  • 🛠 Fix how we disable tables in the fuzzer init method (#7419)
  • Prevent running discovery queries when fuzzing (#7418)
  • 👉 Add BOOST_USE_ASAN define when enabling Asan (#7469)
  • 🍎 Removing unnecessary macOS version check (#7451)
  • 🛠 Fix submodule cache for macOS CI runner (#7456)
  • ➕ Add osquery version to macOS app bundle Info.plist (#7452)
  • ⚡️ libs: Update OpenSSL to verion 1.1.1l (#7330)
  • ⚡️ libs: Update augeas to version 1.12.0 (#7330)
  • ⚡️ libs: Update aws-sdk to version 1.9.116 (#7330)
  • ⚡️ libs: Update boost to version 1.77 (#7330)
  • ⚡️ libs: Update gflags to 2.2.2 (#7330)
  • ⚡️ libs: Update glog to version 0.5.0 (#7330)
  • ⚡️ libs: Update googletest to version 1.11.0 (#7330)
  • ⚡️ libs: Update libarchive to version 3.5.2 (#7330)
  • ⚡️ libs: Update libcap to version 1.2.59 (#7330)
  • ⚡️ libs: Update libmagic to version 5.40 (#7330)
  • ⚡️ libs: Update librdkafka to version 1.8.0 (#7330)
  • ⚡️ libs: Update libxml2 to version 2.9.12 (#7330)
  • ⚡️ libs: Update linenoise-ng to the latest commit (#7330)
  • ⚡️ libs: Update lzma to version 5.2.5 (#7330)
  • ⚡️ libs: Update rocksdb to version 6.22.1 (#7330)
  • ⚡️ libs: Update sleuthkit to version 4.11.0 (#7330)
  • ⚡️ libs: Update ssdeep-cpp to the latest commit (d8705da) (#7330)
  • ⚡️ libs: Update thrift to version 0.15.0 (#7330)
  • ⚡️ libs: Update yara to version 4.1.3 (#7330)
  • ⚡️ libs: Update zstd to version 1.4.0 (#7330)

• v5.1.0 Changes

  Git Commits

  Representing commits from 20 contributors! Thank you all.

  🆕 New Features

  • 👍 Allow custom cpu limit duration for the watchdog (#7348)
  • 👌 Support custom endpoints for AWS Kinesis and Firehose. (#7317)

  Table Changes

  • Add docker_container_envs table for access to docker container environment (#7313)
  • curl table now returns peer certificates even if the TLS handshake does not complete (#7349)

  Under the Hood improvements

  • 👍 Allow tests and SDK to reset dispatcher state (#7372)
  • Avoid string copies when looping through cron search dirs (#7331)
  • Respect read_max flag when hashing using ssdeep (#7367)

  🐛 Bug Fixes

  • 🏁 Detect when an extension has not started correctly on Windows (#7355)
  • 🛠 Fix crash #7353 when osquery captures kill syscall when not subscribed to them (#7354)
  • ➕ Fix crash in AuditdNetlinkReader::configureAuditService when audit_add_rule_data returns an error (#7337)
  • 🔒 Fix crash when windows_security_products errors out (#7401)
  • 🛠 Fix for #7394 where cleanup of some event tables never occures (#7395)
  • 👌 Improve BPF publisher reliability (#7302)
  • 🌲 Lower log level of "executing distributed query" (#7386)
  • ⬇️ Reduce excessive log messages from authorized_keys table implementation (#7318)

  📚 Documentation

  • ➕ Add 5.0.1 CHANGELOG (#7284)
  • 🛠 Fix typo in Everything in SQL docs (#7338)
  • 🛠 Fix typo in SQL docs (#7376)
  • ⚡️ Update GitHub issue templates (#7361, #7396)
  • ⚡️ Update installation guide to use newer macOS paths (#7311)
  • 📚 Update macOS ESF documentation (#7303)

  Packs

  • ➕ Add Forcepoint Endpoint Chrome Extension detection to packs (#7346)
  • ➕ Add beurk rootkit detection to packs (#7345)

  🏗 Build

  • 👍 Allow tests to reset the restarting state (#7373)
  • 🏗 Build librpm with ndb support (#7294)
  • Customizable installation logic (#7315)
  • 🛠 Fix ASL test on macOS 11 and later (#7320)
  • 🏁 Restore query packs in Windows packaging (#7388)
  • 🍎 Skip deprecated ASL test when targeting macOS 10.13+ SDK (#7358)
  • ⚡️ Update packaging commit to fix Linux symlinks (#7404)
  • ⚡️ Update the CI Linux Docker image (#7332)

• v5.0.1 Changes

  Git Commits

  Representing commits from 21 contributors! Thank you all.

  🚀 osquery 5.0 is a tremendously exciting release!

  • 🍎 We now install into /opt/osquery on macOS and Linux for better portability.
  • 🍎 Our default and recommended installation for macOS uses an application bundle to support entitlement-based features.
  • 🔒 We now use Endpoint Security APIs for various event-based tables on macOS (more to come in the future!)
  • 🍎 We now use an osquery-organization macOS code signing certificate.

  There are several breaking changes:

  • 🍎 Installation paths have changes from /usr/local to /opt/osquery on macOS and Linux (symlinks to executables are provided).
  • 🍎 macOS codesigning is now down through the Osquery Foundation account
  • ⚡️ If you manage macOS full disk permission through a profile, you will need to update it. See docs
  • 🔧 We removed the deprecated blacklist key from the configuration (#7153)
  • Search semantics on the augeas table have changed to be more performant, but do break the existing query API.

  Table Changes

  • ➕ Add secureboot table for Linux and Windows (#7202)
  • ➕ Add tpm_info for Windows (#7107)
  • 🏗 Fix osquery_info build_platform column value on Linux (#7254)
  • Support pid_with_namespace in more tables (#7132)
  • ⚡️ Update augeas table to use native pattern matching (BREAKING) (#6982)
  • ⚡️ Update chrome_extensions to include Edge & EdgeBeta (#7170)
  • ⚡️ Update disk_encryption table to support QueryContext (#7209)
  • ⚡️ Update last to include utmp type name column (#7201)
  • ⚡️ Update sudoers table to support newer include syntax (#7185)
  • Update user_ssh_keys to detect encryption of ed25519 keys (#7168)

  Under the Hood Improvements

  • ➕ Add ruby namespace to the thrift definition (#7191)
  • 🐎 Always initialize variable change in PerformanceChange (#7176)
  • ✂ Remove deprecated blacklist key (#7153)
  • 🏁 Use total_size within watchdog on Windows (#7157)
  • 👌 Support AF_PACKET sockets reporting on Linux (#7282)
  • 🐧 socket_events improvements in Linux audit system (#7269)

  🐛 Bug Fixes

  • ➕ Add case sensitive pragma to the pragma/actions authorizer allow list (#7267)
  • ➕ Add feature to skip denylist for event-based queries (#7158)
  • 🔄 Change logger_mode flag to be correctly interpreted as an octal (#7273)
  • Do not let osquery create multiple copies of the extension running at once (#7178)
  • 🛠 Fix Linux audit rule removal upon osquery exit (#7221)
  • 🛠 Fix broadcasting empty logs to logger plugins (#7183)
  • 🛠 Fix issues applying ACLs during chocolatey deployment (#7166)
  • 🛠 Fix memory issue in Windows fileops (#7179)
  • Fix process_open_sockets type error on darwin (#6546)
  • 🚚 Make sure that the file action MOVED_TO is tracked with yara events. (#7203)
  • Prevent osquery from killing itself when the --force flag is used (#7295)
  • 👷 Prevent race condition between shutdown and worker or extension launch (#7204)

  📚 Documentation

  • ➕ Add a security assurance case (#7048)
  • Bring the YARA wiki page up to date (#7172)
  • 🛠 Spelling fixes (#7211, #7186)
  • ⚡️ Update uptime table description (#7270)
  • 📚 Update osquery installed artifacts paths in the documentation (#7286)

  🏗 Build

  • ➕ Add TimeoutStopSec to systemd service files (#7190)
  • 🍎 Correct macOS installed app bundle path in osqueryctl and doc (#7289)
  • 🍎 Create an macOS app bundle (#7263)
  • 🛠 Fix choco packaging not failing when an error occurs during install or upgrade (#7182)
  • 🛠 Fix path in macOS launchd plist (#7288)
  • 📌 Pin the packaging repo within GitHub workflows (#7208, #7255, #7279)
  • 🚀 Update Windows deployment icon to png (#7163)
  • ⚡️ Update install paths, and remove deprecated Facebook naming (#7210)
  • ⚡️ Update macOS build to include app bundle related files (#7184)
  • ⚡️ Update osquery installed artifacts default paths in code (#7285)
  • ⚡️ Update the installation path on Linux (#7271)
  • libs: Add options to AWS Optionally enable debug option and restrict content-type header size for PUT req (#7216)
  • 🍎 libs: Enable and compile the YARA macho module on macOS (#7174)
  • ⚡️ libs: Update OpenSSL to version 1.1.1l (#7293)
  • ⚡️ libs: Update Strawberry Perl to 5.32.1.1, use HTTPS downloads (#7199)
  • ⚡️ libs: Update ebpfpub (#7173, #7219)

• v4.9.0 Changes

  Git Commits

  Representing commits from 16 contributors! Thank you all.

  🆕 New Features

  • ➕ Add filesystem logrotate feature (#7015)
  • ➕ Add Non-Functional EndpointSecurity based process events to macOS (Requires updated codesigning due in 5.0) (#7046)

  Table Changes

  • Add mdm_managed column to system_extensions on macOS (#6915)
  • ➕ Add prefetch table on Windows (#7076)
  • ➕ Add support for IMDSv2 to AWS tables (#7084)
  • 🐳 Enable container stats on docker containers that don't have traditional networks (#7145)
  • ⚡️ Update homebrew_packages to include new prefix, and allow specifying alternate prefixes (#7117)
  • Update ntfs_acl_permissions to list all ACE entries (using GetAce()) (#7114)
  • ⚡️ Update processes table to display additional Windows attributes (secured, protected, virtual, elevated) (#7121)
  • Update how package_install_history identifies the packageIdentifiers key (#7099)
  • ⚡️ Update how identifier is calculated in chrome_extensions (#7124)

  Under the Hood improvements

  • 👌 Improve speed of osquery shutdown procedure (#7077)
  • 👌 Improve shutdown speed during initialization (#7106)
  • ⚡️ Update website generators (#7136)
  • CLI flag to allow osquery to keep retrying enrollment (instead of exiting) (#7125)
  • rocksdb: Do not fsync WAL writes (#7094)
  • 🚚 Move CPack packaging to a dedicated repository (#7059)
  • ⏪ Restore thrift socket 5min timeout (#7072)
  • Consolidate syscalls to a single audit rule (#7063)

  🐛 Bug Fixes

  • ➕ Add current WMI location for Dell BIOS info (#7103)
  • 🖨 Correct RocksDB error code and subcode printing on open failure (#7069)
  • 🛠 Fix pipe_channel not reading all data in a message (#7139)
  • 🛠 Fix crash and deadlocks in recursive logging (#7127)
  • 🛠 Fix custom curl_certificate timeouts (#7151)
  • 🛠 Fix extensions crash on shutdown (#7075)
  • Handle updated paths on various macOS tables -- xprotect_entries, xprotect_meta, launchd (#7138, #7154)
  • Trigger event cleanup checks every 256 events (#7143)
  • ⚡️ Update generating an extension uuid to be thread safe (#7135)
  • 👷 Watchdog should wait for the worker to shutdown (#7116)

  📚 Documentation

  • 📚 Update process auditing requirements documentation (#7102)
  • ⚡️ Update website docs indicating windows support for YARA tables (#7130)
  • ➕ Add 4.9.0 CHANGELOG (#7152)

  🏗 Build

  • ➕ Add Apple provisioning profile for distribution (#7119)
  • ➕ Add more tests for events expiration (#7071)
  • CI: Regenerate sccache cache when compiler version changes (#7081)
  • Fix flaky test test_daemon_sigint by waiting for pidfile (#7095)
  • 🛠 Fix icon in Windows packaging (#7148)
  • Minor cleanup of unused variables (#7128)
  • 🖨 Print extension SDK minimum version required when failing to load (#7074)
  • ✂ Remove POSIX-only -fexceptions flag on Windows (#7126)
  • Remove duplicated osquery_utils_aws_tests-test (#7078)
  • ✂ Remove flaky test decorators for python tests (#7070)
  • ⚡️ Update SQLite to version 3.35.5 (#7090)
  • ⚡️ Update librdkafka to version 1.7.0 (#7134)
  • ⚡️ Update libyara to version 4.1.1 (#7133)

• v4.8.0 Changes

  Git Commits

  Representing commits from 14 contributors! Thank you all.

  🛠 This version fixes a regression introduced in 4.7.0 related to events expiration optimization. Please read (#7055) for more information.

  🚀 This release upgrades openssl, as is general good practice. Osquery is 🔒 not known to be effected by any security issues in OpenSSL.

  🆕 New Features

  • shell: Add .connect meta command (#6944)

  Table Changes

  • ➕ Add seccomp_events table for Linux (#7006)
  • ➕ Add shortcut_files table for Windows (#6994)

  Under the Hood improvements

  • Removing Keyboard Event Taps from osx-attacks pack (#7023)
  • 🔨 Refactor watcher out of singleton pattern (#7042)
  • 🔨 Small events subscriber refactor to increase test coverage (#7050)
  • 📦 Setting non-required deb_packages fields as optional in test (#7001)

  🐛 Bug Fixes

  • 🖐 Handle events optimization edge cases (#7060)
  • 🛠 Fix optimization for multiple queries using the same subscriber (#7055)
  • 👉 Use epoch and counter for events-based queries (#7051)
  • Guard node key to prevent duplicate enrollments (#7052)
  • 🔄 Change windows calculation for physical_memory (#7028)
  • 🆓 Free using WTSFreeMemoryEx for WTSEnumerateSessionsExW (#7039)
  • 🚀 Release variable in Windows data conversation (#7024)
  • 🔄 Change chrome_extensions warnings to verbose (#7032)
  • ➕ Add transactions to the SQLite authorizer PRAGMAs (#7029)
  • 🔄 Change Windows messages to verbose (#7027)
  • 🛠 Fix scheduler to print the correct number of elapsed seconds (#7016)

  📚 Documentation

  • Fix tls_enroll_max_attempts flag name in the documentation (#7049)
  • 👌 Improve docs on FIM, mention NTFS and Audit, etc. (#7036)
  • 📄 config: Add docs for the events top-level-key (#7040)
  • ➕ Add funding link on GitHub generated page (#7043)
  • 🏁 Correct the example in the windows_events table spec (#7035)
  • 📄 Correct docs about OpenSSL and TLS behavior (#7033)
  • ⚡️ Update docs to describe how to build for aarch64/arm64 (#6285) (#6970)
  • ➕ Add a note on enabling Windows to build with CMake's long paths (#7010)
  • ➕ Add 4.8.0 CHANGELOG (#7057)

  🏗 Build

  • ➕ Add an option to enable incremental linking on Windows (#7044)
  • ✂ Remove Buck leftovers that supported building with old versions of OpenSSL (#7034)
  • ➕ Add build_aarch64 workflow for push (#7014)
  • 👷 Move CI to using docker from osquery (#7012)
  • ⚡️ Update dockerfile to multiplatform (#7011)
  • ⚙ Run GH Actions workflows on all tags (#7004)
  • 🏗 Disable BPF events tests if OSQUERY_BUILD_BPF is false (#7002)
  • ⚡️ libs: Update OpenSSL to version 1.1.1k (#7026)

• v4.7.0 Changes

  Git Commits

  Commits from 21 contributors! Thank you all!

  🆕 New Features

  • ➕ Add concat and concat_ws sql functions (#6927)
  • ⚡️ Update the scheduler to log the query name at info level (#6934)
  • ➕ Add support for SQLite RPM databases (#6939)

  Table Changes

  • ➕ Add computer column to Windows Eventlogs (#6952)
  • Add docker_image_history table (#6884)
  • Add filevault_status column to disk_encryption table (#6823)
  • ➕ Add location_services table on macOS (#6826)
  • ➕ Add shellbags table (#6949)
  • ➕ Add system_extensions table on macOS (#6863)
  • ➕ Add systemd_units table (#6593)
  • Add ycloud_instance_metadata table (#6961)
  • 🛠 Fix loading of YARA rules on Windows (#6893)
  • 🛠 Fix macOS OpenDirectory attribute mismatch (#6816)
  • ⚡️ Update augeas table not to autoload system lenses (#6980)
  • ⚡️ Update chrome_extensions table -- more browser support and tests (#6780)
  • ⚡️ Update office_mru table to correct platforms (#6827)
  • ⚡️ Update aws table to include macOS (#6817)

  Under the Hood improvements

  • ✂ Remove Azure Pipelines (#6953)
  • 🗄 Disable deprecated TLS versions 1.0, 1.1 (#6910)
  • 🚚 Use librpm bdb_ro backend and remove bdb (#6931)
  • 🏗 bpf: Improve execve/execveat tracing, add AArch64 build support (#6802)
  • 👉 Use a distinct carver request_id and add this to the schema (#6959)
  • 🎉 Initialize TLSLogForwarder before enrollment check (#6958)
  • 🔊 Put noisy thrift logs behind a flag (#6951)
  • 🛠 Fix bug in windows thrift, causing named pipe closing (#6937)
  • ✂ Remove unused/experimental ebpf code (#6879)
  • ✂ Remove unused ev2 code (#6878)
  • 🐎 Refactor the eventing framework to reduce disk IO and improve performance(#6610)

  🐛 Bug Fixes

  • ➕ Add journal_mode to the sqlite authorizer PRAGMAs (#6999)
  • ➕ Add table_info to the sqlite authorizer PRAGMAs (#6814)
  • Always use BIGINT macro for long long data (#6986)
  • 🏗 Copy JSON objects to avoid MemoryPool buildup (#6957)
  • Do not call unconfigured subscribers errors (#6847)
  • Do not ignore mountpoints that have the same mount path (#6871)
  • ⏱ Do not start scheduler when shutting down (#6960)
  • 🐧 Don't mark scope and key columns as index in selinux_settings table (#6872)
  • 🛠 Fix augeas table output bug for non-path entries (#6981)
  • Fix pids column in docker_container_stats table (#6965)
  • 🛠 Fix additional relative path check in Yara for Windows (#6894)
  • 🛠 Fix config validation oom with duplicated keys (#6876)
  • 🛠 Fix data type macro used for 64-bit timestamp variables (#6897)
  • Fix error in process_open_files inode need stoul, not stoi (#6983)
  • 🛠 Fix leaks when a query fails from the shell (#6849)
  • 🛠 Fix mem leak regression with Windows sids API (#6984)
  • 🏁 Make Group ID columns consistent across Windows tables (#6987)
  • When iterating /proc, use individual try/catch so catch partial failures (#6933)
  • augeas: Clear aug pointer on error (#6973)

  📚 Documentation

  • ➕ Add 4.6.0 CHANGELOG (#6809)
  • ➕ Add 4.7.0 CHANGELOG (#6985)
  • ➕ Add docs for TLS enroll max attempts (#6888)
  • 🔄 Change reference about Azure Pipelines to GitHub Actions (#6988)
  • 📚 Clarify FIM exclude category documentation (#6966)
  • Document retrieval of available tables/columns via SQL (#6812)
  • 🛠 Fix Github Actions status badge in the README (#6908)
  • 🛠 Fix all broken or redirected URLs and references (#6835)
  • 🛠 Fix broken URL in docs (#6882)
  • 🛠 Fix incorrect Slack URLs (#6844)
  • 🛠 Fix packs discovery queries documentation (#6946)
  • 🛠 Fix reference to a Powershell script on Windows (#6936)
  • 🛠 Fix typos in source code (#6901)
  • 👌 Improve explanations of event control flags (#6954)
  • Spellcheck and Markdown edits (#6899)
  • 🚀 Update README to include release process comment (#6877)
  • 📚 Update documentation about denylist schedule key (#6922)
  • ⚡️ Update macOS OpenBSM configuration (#6916)
  • ⚡️ Update the Linux install steps and package listing (#6956)
  • ⚡️ Update the info about osquery's TLS version support (#6963)

  🏗 Build

  • 🐧 CI: Add a RelWithDebInfo Linux job to generate packages (#6838)
  • 👍 CI: Add support for GitHub Actions (#6885)
  • ✅ CI: Add unit tests for RPM DB querying (#6919)
  • ✅ CI: Fix ExtendedAttributesTableTests failing due to an unexpected attribute (#6942)
  • ✅ CI: Fix StartupItemTest failing due to unexpected values (#6940)
  • ✅ CI: Fix SystemControlsTest adding sunrpc as an expected subsystem (#6932)
  • ✅ CI: Fix XattrTests failing due to unexpected attribute name (#6941)
  • ✅ CI: Fix an incorrect check in StartupItems test (#6950)
  • 🍎 CI: Fix wifi_tests on macOS 10.15 and above (#6724)
  • 🚚 CI: Move cppcheck step after the tests (#6845)
  • 👷 CI: Permit running formatting earlier in the CI (#6836)
  • ⬆️ CI: Remove incorrect 2to3 symlink breaking Python brew upgrade (#6819)
  • 🚚 CI: Remove unused empty test file (#6918)
  • 🚚 CI: Remove unused tests for Rocksdb and Inmemory db plugins (#6900)
  • ⚡️ CI: Update XCode to 12.3 and Update min macOS version to 10.12 (#6896, #6913)
  • ⚡️ CI: Update macOS agent to 10.15 Catalina (#6680)
  • CMake: Add -pthread compile option on posix platforms (#6909)
  • 👍 CMake: Add Valgrind support (#6834)
  • 🏗 CMake: Add an option to disable building AWS tables and library (#6831)
  • 🏗 CMake: Add an option to disable building libdpkg tables and library (#6848)
  • CMake: Detect missing headers during include namespace generation (#6855)
  • CMake: Do not attempt to dllimport Thrift symbols (#6856)
  • 🏁 CMake: Do not compile Windows libraries with debug symbols (#6833)
  • CMake: Explicitly set the MSVC runtime library (#6818)
  • CMake: Fix amalgamated tables generation on change (#6832)
  • CMake: Fix platformtablecontaineripc include namespace generation (#6853)
  • CMake: Further fix amalgamation file gen on change (#6854)
  • 🔨 CMake: Refactor and rename fuzzers build flag (#6829)
  • 🔧 CMake: Significantly speed up configuration phase (#6914)
  • 🍎 CMake: Use make jobserver for OpenSSL on Linux and macOS (#6821)
  • 🍎 CPack: Remove extraneous lenses directory for augues on macOS (#6998)
  • 🔄 Change libdpkg submodule url to our own GitHub mirror (#6903)
  • 🏁 Disable incremental linking to reduce build size on Windows (#6898)
  • ⏱ GitHub Actions: Fix .deb artifacts, add scheduled builds (#6920)
  • ✂ Remove hash and yara table from fuzz harnesses (#6972)
  • libraries: Reduce the compilation units from libarchive (#6886)
  • 🚚 libraries: Remove the last usage of sqlite3 from sleuthkit (#6858)
  • libraries: Rename yara str functions to avoid symbol collisions (#6917)
  • ⚡️ libraries: Update librpm to version 4.16.1.2 (#6850)
  • ⚡️ libraries: Update openssl to version 1.1.1i (#6820)
  • ⚡️ libraries: Update thrift to version 0.13.0 (#6822)

  Hardening

  • ⚡️ Update CODEOWNERS to reflect existing teams (#6955, #6975)
  • 🏁 Restrict access to Thrift server pipe on Windows (#6875)
  • 🛠 Fix a leak in libdpkg when querying the deb_packages table (#6892)
  • 🛠 Fix UB and dangerous casting in the pubsub framework (#6881)
  • 🛠 Fix heap-use-after-free in deregisterEventSubscriber (#6880)
  • 🔒 Thift patch to support security configuration (#6846)
  • 👌 Improve config fuzzer dictionary creation script (#6860)
  • Avoid running queries for views when fuzzing (#6859)
  • 👌 Improve fuzzing speed and stack trace accuracy (#6851)

• 1
• 2
• 3
• Next ›
• Last »