Changelog History
v5.5.1 Changes

Osquery 5.5.1 has some really exciting table updates! There is a much anticipated `unified_log` table for macOS; it is the replacement for `asl` and uses the current Apple APIs. Additionally, several tables have improved their cross-platform support. Representing commits from 14 contributors! Thank you all.

New Features
- Add denylist mechanism to distributed queries (#7675)

Table Changes
- Add `cgroup_path` column to `processes` table on Linux (#7728)
- Add `firmware_type` column to `platform_info` table on Windows (#7710)
- Add `unified_log` table for macOS (UAL) (#7598, #7713)
- Port `memory_devices` table to Windows (#7633)
- Port `platform_info` table to M1 Macs (#7660)
- Restore macOS `kernel_panics` table on modern macOS (#7585)
- Update `battery` table on macOS M1 with correct raw battery max and current capacity (#7721)
- Update `mdfind` query timeout to 30 seconds (#7725)
- Update macOS `password_policy` table to use `-1` as sentinel value for `uid` column (#7699)
- Update parsing of `authorized_keys` file (#7560)
- Update the `registry` table to be case insensitive for `key` (#7708)

Under the Hood improvements
- Add a mechanism to reduce memory retained on Linux (#7502)
- Add denylist mechanism to distributed queries (#7675)
- Add table spec support for `COLLATE NOCASE` (#7680)
- Improve Pidfile handling (#7304)
- Prevent the audit event system from using too much memory (#7329)
- carves: use full pathnames while creating an archive (#7681)

Bug Fixes
- Fix `GetMemorySize` for Windows `memory_devices` table (#7711)
- Fix `tpm_info` bug where values were out of date (#7686)
- Fix a crash when parsing ATC config with no columns (#7693)
- Fix bug in GetHomeDirectories filesystem function (#7705)

Documentation
- Add core to the type column description of osquery_extensions schema (#7716)
- Add documentation about 3rd-party dependency security (#7684)
- Add example for hostname form in `curl_certificate` table (#7706)
- Add info on how to use GTEST_FILTER on Windows (#7696)
- Changelog 5.4.0 (#7678)
- Describe user-context-related caveat for screenlock table (#7649)
- Update schema for `process_open_sockets.state` (#7733)
- Update schema to reflect `platform_info` columns not available in Windows (#7732)

Build
- Add validation integration test for memory_devices (#7722)
- Temporarily disable memory_devices integration test (#7717)
- Update minimum macOS support from 10.12 to 10.14 (#7707)
- ci: Update and temporarily disable the macOS Catalina test job (#7700)
- cmake: Prevent defining some Linux only targets on other platforms (#7672)
- libs: Update libxml2 to v2.9.14 (#7729)
- libs: Update sqlite to version 3.39.2 (#7736)
- test: Fix Mdfind.test_sanity flakiness (#7701)
v5.4.0 Changes

Representing commits from 15 contributors! Thank you all.

New Features
- We're extending macOS Endpoint Security to include File Integrity Monitoring. Check out the new `es_process_file_events` table. (#7579)
- Add Docker build scripts and configuration (#7619)

Deprecation Notices

Table Changes
- New Table: `es_process_file_events` for macOS Endpoint Security based FIM (#7579)
- New Table: `password_policy` table for macOS (#7594)
- New Table: `windows_update_history` (#7407)
- Add `memory_available` to Linux `memory_info` table (#7669)
- Port the `cpu_info` table to Linux (#7499)
- Remove the `lldp_neighbors` table (#7664)
- Update `deb_packages` table to not display arch info in the package name (#7638)
- Update `hardware_model` in the `system_info` table on Apple M1 machines to report correctly (#7662)
- Update `shared_resources` table to add type names, fix type/maximum_allowed handling (#7645)

Under the Hood improvements
- Expand env vars before trying to enumerate crashes in `windows_crashes` table (#7391)
- Implement a split and trim function using std::string_view (#7636)
- Improve scheduled query denylisting and scheduler shutdown (#7492)
- Prevent CLI_FLAGs from being set via config (#7561)
- Remove unnecessary string copy (#7625)

Bug Fixes
- Add linwin to list of supported PLATFORM_DIRS (#7646)
- Fix AWS certificate verification failing on all services (#7652)
- Fix MBCS support on Windows (#7593)
- Fix `local_timezone` column in the `time` table on Windows (#7656)
- Fix `system_info` table to support Unicode on Windows (#7626)
- Fix multiple Yara leaks (#7615)
- Fix std::bad_alloc on pci_devices on Apple Silicon Macs (#7648)
- Fix table spec files to specify `linux` and not `posix` (#7644)
- Fix thrift server shutting down when dropping privileges (#7639)

Documentation
- CHANGELOG 5.3.0 (#7575)
- Exclude `spec/example.table` when generating documentation (#7647)
- Fix a UUID typo in the `disk_encryption` table (#7608)
- Fix spelling of the word "owned" (#7630)
- Fix typo in FIM docs for Windows (#7676)
- Update the "new release" issue template (#7607)
- Clarify that the browser_plugins table references basically unsupported CNPAPI tech (#7651)

Build
- Add an option to build with the leak sanitizer (#7609)
- Fix check for PIE support (#7234)
- Fix SchedulerTests.test_scheduler_drift_accumulation flakiness (#7613)
- Improve config parsing and osqueryfuzz-config performance (#7635)
- Initialize users and groups services on all tests that need them (#7620)
- ci: Update osquery-packaging commit to the latest one (#7667)
- cmake: Add an option to enable or disable using ccache (#7671)
- libs: Update OpenSSL to version 1.1.1o (#7629)
- libs: Update OpenSSL to version 1.1.1q (#7674)
- libs: Update libarchive to version 3.6.1 (#7654)
- libs: Update sqlite to version 3.38.5 (#7628)
v5.3.0 Changes

osquery 5.3.0 brings several table improvements and bug fixes. Also worth mentioning are the deprecation of the `smart_drive_info` table and the new warning that is emitted when a CLI-only flag is incorrectly configured via the config file. In the next release, CLI-only flags will no longer be configurable through the config file or config refresh. This release represents commits from 15 contributors! Thank you all.

Deprecation Notices

New Features
- Add the option `tls_disable_status_log` to prevent status logs from being sent via TLS (#7550)
- Add SQLite function `in_cidr_block` to check if IPv4/v6 addresses are within the supplied CIDR block (#7563)

Table Changes
- Add the `admindir` column to the `deb_packages` table to parse package databases on different paths (#7549)
- Implement and fix `wifi_networks` on macOS Big Sur and newer (#7503)
- Add Windows/Darwin support to `npm_packages` (#7536)
- Move `apt_sources` and `yum_sources` tables to Linux only (#7537)
- Add Homebrew paths to the `python_packages` table (#7535)
- Mark `wall_time` column in `osquery_schedule` as hidden (#7501)
- Add new metrics and improve description of existing ones in `osquery_schedule` (#7438)
- Add the `mirrorlist` column in the table `yum_sources` (#7479)
- Implement `output_size` for `osquery_schedule` (#7436)
- `deb_packages` table: Use additional instead of index for the `admindir` column (#7573)
- `certificates` table: Add Linux support (#7570)
- Add `translated` column to `processes` table to indicate whether the process is running under Apple Rosetta (#7507)
- Add the "internet password" type to the macOS `keychain_items` table (#7576)
- Add `original_filename` column to `file` table on Windows (#7156)

Bug Fixes
- Fix watchdog not killing unhealthy worker/extension fast enough (#7474)
- Fix the `test_http_server.py` `--persist` option (#7497)
- Update `profile.py --leaks` for python3 (#7534)
- Fix osquery TLS connections to AWS Kinesis when tls_server_certs is set (#7450)
- Fix parsing issue when a backslash is the last character on a sudoers file line (#7440)
- Change the JSON of the results coming from an event scheduled query to an array (#7434)
- Fix globToRegex truncating UTF16 characters (#7430)
- Prevent hanging when the WMI server does not respond (#7429)
- Fix `python_packages` table so that it lists python packages from any user Python installations (#7414)
- Set string size limit on thrift protocol factory to prevent a crash (#7484)
- Fix driver image path in `drivers` table (#7444)
- Do not remove nonblocking flag when reading "special" files, to prevent hangs (#7530)
- Fix crash due to interaction between distributed and config plugin (#7504)
- bpf: Disable the BPF publisher in case of error (#7500)
- Warn about setting CLI_FLAGs in the config (#7583)
- Explicitly set context for the tables reading utmpx databases (#7578)
- bpf: Improve socket event handling (#7446)
- certificates: Refactor the OpenSSL utilities (#7581)
- Fix shared_resources accessing uninitialized variables (#7600)

Under the Hood improvements
- Implement a performant cache for users and groups on Windows (#7516)
- Replace WmiRequest constructor with static factory method to improve error handling and prevent crashes (#7489)
- Remove redundant string conversion (#7603)

Build
- Fix DebPackages.test_sanity test when the `size` column is empty (#7569)
- libs: Update libdpkg from version v1.19.0.5 to v1.21.7 (#7549)
- CI: Restore some release checks (#7558)
- Prevent ebpfpub linking against the system zlib (#7557)
- Fix mdfind.test_sanity flaky behavior (#7533)
- Enable fuzzing and Asan on Windows, enable Asan on macOS (#7470)
- Update cppcheck to version 2.6.3 and skip analysis for third party code (#7455)
- Change `cpu_info` test to expect at least one socket, not just one (#7490)
- Fix third party libraries flags leaking to osquery targets (#7480)
- Add third party libraries target (#7467)
- Do not run clang-tidy on third party libraries (#7432)
- CI: Create GitHub workflow target to gate mergeability (#7427)
- Fix some warnings about unrecognized special characters in the Windows event log test (#7478)
- Change where the macOS Info.plist is generated (#7566)
- Add OSQUERY_ENABLE_THREAD_SANITIZER to optionally enable TSan (#6997)
- Add an option to specify a path to the openssl archive (#7559)
- packs: Update reverse shell query pack to check for a valid remote_port (#7567)
- Remove the test_daemon_sighup test (#7584)
- Fix release tests for Linux aarch64 (#7572)

Documentation
- docs: remove FreeBSD (#7508)
- Pin Jinja2 ReadTheDocs dependency to 3.0.3 (#7533)
- CHANGELOG 5.2.3 (#7571)
- CHANGELOG 5.2.2 (#7447)
- Bump mkdocs from 1.1.2 to 1.2.3 in /docs (#7457)
- Replace OS X with macOS in table specs (#7587)
- Update `osquery.example.conf` to omit the CLI only flags (#7595)
- Update documentation about users and groups service flags (#7596)
- Update the TSC members (#7543)
v5.2.3 Changes

Osquery 5.2.3 is a security update that focuses on updating some third-party libraries which contained CVEs that could affect osquery. Additionally, some other third-party libraries and tables have been dropped, since they were no longer maintained or no longer considered safe.

Deprecation Notices
- Remove the `shortcut_files` table (#7547)
- Remove the ssdeep library and remove its support in the `hash` table (#7525)
- Remove the libelfin library and elf parsing tables (#7524)

Hardening
v5.2.2 Changes

Osquery 5.2.2 brings native Apple Silicon (M1) support to the macOS platform. It also represents a comprehensive review and update of our third-party dependencies. To support this work, the developer docs have been updated, as have several parts of the build system.
This release represents commits from 24 contributors! Thank you all.

New Features
- Apple Silicon support (#7330)

Deprecation Notices
- The `cpuid` table is x86 only. See #7462
- The `smart_drive_info` table has been deprecated, and is not included in the M1 builds. See #7464
- The `lldp_neighbors` table has been deprecated, and is not included in the M1 builds. See #7463

Table Changes
- Update `time` table to always reflect UTC values (#7276, #7460, #7437)
- Hide the deprecated `antispyware` column in `windows_security_center` (#7411)
- Add `windows_firewall_rules` table for Windows (#7403)

Bug Fixes
- Update the ATC table `path` column check to be case insensitive (#7442)
- Fix a crash introduced by 5.2.0 when Yara uses its own strutils functions (#7439)
- Fix `user_time` and `system_time` unit in processes table on M1 (#7473)

Documentation

Build
- Update sqlite to version 3.37.0 (#7426)
- Fix linking of thirdparty_sleuthkit (#7425)
- Fix how we disable tables in the fuzzer init method (#7419)
- Prevent running discovery queries when fuzzing (#7418)
- Add BOOST_USE_ASAN define when enabling Asan (#7469)
- Remove unnecessary macOS version check (#7451)
- Fix submodule cache for macOS CI runner (#7456)
- Add osquery version to macOS app bundle Info.plist (#7452)
- libs: Update OpenSSL to version 1.1.1l (#7330)
- libs: Update augeas to version 1.12.0 (#7330)
- libs: Update aws-sdk to version 1.9.116 (#7330)
- libs: Update boost to version 1.77 (#7330)
- libs: Update gflags to 2.2.2 (#7330)
- libs: Update glog to version 0.5.0 (#7330)
- libs: Update googletest to version 1.11.0 (#7330)
- libs: Update libarchive to version 3.5.2 (#7330)
- libs: Update libcap to version 1.2.59 (#7330)
- libs: Update libmagic to version 5.40 (#7330)
- libs: Update librdkafka to version 1.8.0 (#7330)
- libs: Update libxml2 to version 2.9.12 (#7330)
- libs: Update linenoise-ng to the latest commit (#7330)
- libs: Update lzma to version 5.2.5 (#7330)
- libs: Update rocksdb to version 6.22.1 (#7330)
- libs: Update sleuthkit to version 4.11.0 (#7330)
- libs: Update ssdeep-cpp to the latest commit (d8705da) (#7330)
- libs: Update thrift to version 0.15.0 (#7330)
- libs: Update yara to version 4.1.3 (#7330)
- libs: Update zstd to version 1.4.0 (#7330)
v5.1.0 Changes

Representing commits from 20 contributors! Thank you all.

New Features
- Allow custom cpu limit duration for the watchdog (#7348)
- Support custom endpoints for AWS Kinesis and Firehose (#7317)

Table Changes
- Add `docker_container_envs` table for access to docker container environment (#7313)
- `curl` table now returns peer certificates even if the TLS handshake does not complete (#7349)

Under the Hood improvements
- Allow tests and SDK to reset dispatcher state (#7372)
- Avoid string copies when looping through cron search dirs (#7331)
- Respect `read_max` flag when hashing using ssdeep (#7367)

Bug Fixes
- Detect when an extension has not started correctly on Windows (#7355)
- Fix crash #7353 when osquery captures kill syscalls while not subscribed to them (#7354)
- Fix crash in AuditdNetlinkReader::configureAuditService when audit_add_rule_data returns an error (#7337)
- Fix crash when `windows_security_products` errors out (#7401)
- Fix for #7394 where cleanup of some event tables never occurs (#7395)
- Improve BPF publisher reliability (#7302)
- Lower log level of "executing distributed query" (#7386)
- Reduce excessive log messages from `authorized_keys` table implementation (#7318)

Documentation
- Add 5.0.1 CHANGELOG (#7284)
- Fix typo in Everything in SQL docs (#7338)
- Fix typo in SQL docs (#7376)
- Update GitHub issue templates (#7361, #7396)
- Update installation guide to use newer macOS paths (#7311)
- Update macOS ESF documentation (#7303)

Packs
- Add Forcepoint Endpoint Chrome Extension detection to packs (#7346)
- Add `beurk` rootkit detection to packs (#7345)

Build
- Allow tests to reset the restarting state (#7373)
- Build librpm with ndb support (#7294)
- Customizable installation logic (#7315)
- Fix ASL test on macOS 11 and later (#7320)
- Restore query packs in Windows packaging (#7388)
- Skip deprecated ASL test when targeting macOS 10.13+ SDK (#7358)
- Update packaging commit to fix Linux symlinks (#7404)
- Update the CI Linux Docker image (#7332)
v5.0.1 Changes

Representing commits from 21 contributors! Thank you all.

osquery 5.0 is a tremendously exciting release!
- We now install into /opt/osquery on macOS and Linux for better portability.
- Our default and recommended installation for macOS uses an application bundle to support entitlement-based features.
- We now use Endpoint Security APIs for various event-based tables on macOS (more to come in the future!)
- We now use an osquery-organization macOS code signing certificate.

There are several breaking changes:
- Installation paths have changed from `/usr/local` to `/opt/osquery` on macOS and Linux (symlinks to executables are provided).
- macOS codesigning is now done through the Osquery Foundation account.
- If you manage macOS full disk permission through a profile, you will need to update it. See docs.
- We removed the deprecated `blacklist` key from the configuration (#7153).
- Search semantics on the augeas table have changed to be more performant, but do break the existing query API.

Table Changes
- Add `secureboot` table for Linux and Windows (#7202)
- Add `tpm_info` for Windows (#7107)
- Fix `osquery_info` build_platform column value on Linux (#7254)
- Support `pid_with_namespace` in more tables (#7132)
- Update `augeas` table to use native pattern matching (BREAKING) (#6982)
- Update `chrome_extensions` to include Edge & EdgeBeta (#7170)
- Update `disk_encryption` table to support QueryContext (#7209)
- Update `last` to include utmp type name column (#7201)
- Update `sudoers` table to support newer include syntax (#7185)
- Update `user_ssh_keys` to detect encryption of ed25519 keys (#7168)

Under the Hood Improvements
- Add ruby namespace to the thrift definition (#7191)
- Always initialize variable change in PerformanceChange (#7176)
- Remove deprecated `blacklist` key (#7153)
- Use total_size within watchdog on Windows (#7157)
- Support AF_PACKET sockets reporting on Linux (#7282)
- socket_events improvements in Linux audit system (#7269)

Bug Fixes
- Add case sensitive pragma to the pragma/actions authorizer allow list (#7267)
- Add feature to skip denylist for event-based queries (#7158)
- Change logger_mode flag to be correctly interpreted as an octal (#7273)
- Do not let osquery create multiple copies of the extension running at once (#7178)
- Fix Linux audit rule removal upon osquery exit (#7221)
- Fix broadcasting empty logs to logger plugins (#7183)
- Fix issues applying ACLs during chocolatey deployment (#7166)
- Fix memory issue in Windows fileops (#7179)
- Fix `process_open_sockets` type error on darwin (#6546)
- Make sure that the file action `MOVED_TO` is tracked with yara events (#7203)
- Prevent osquery from killing itself when the `--force` flag is used (#7295)
- Prevent race condition between shutdown and worker or extension launch (#7204)

Documentation
- Add a security assurance case (#7048)
- Bring the YARA wiki page up to date (#7172)
- Spelling fixes (#7211, #7186)
- Update `uptime` table description (#7270)
- Update osquery installed artifacts paths in the documentation (#7286)

Build
- Add TimeoutStopSec to systemd service files (#7190)
- Correct macOS installed app bundle path in osqueryctl and doc (#7289)
- Create a macOS app bundle (#7263)
- Fix choco packaging not failing when an error occurs during install or upgrade (#7182)
- Fix path in macOS launchd plist (#7288)
- Pin the packaging repo within GitHub workflows (#7208, #7255, #7279)
- Update Windows deployment icon to png (#7163)
- Update install paths, and remove deprecated Facebook naming (#7210)
- Update macOS build to include app bundle related files (#7184)
- Update osquery installed artifacts default paths in code (#7285)
- Update the installation path on Linux (#7271)
- libs: Add options to AWS: optionally enable the debug option and restrict content-type header size for PUT requests (#7216)
- libs: Enable and compile the YARA macho module on macOS (#7174)
- libs: Update OpenSSL to version 1.1.1l (#7293)
- libs: Update Strawberry Perl to 5.32.1.1, use HTTPS downloads (#7199)
- libs: Update ebpfpub (#7173, #7219)
v4.9.0 Changes

Representing commits from 16 contributors! Thank you all.

New Features
- Add filesystem logrotate feature (#7015)
- Add Non-Functional EndpointSecurity based process events to macOS (Requires updated codesigning due in 5.0) (#7046)

Table Changes
- Add `mdm_managed` column to `system_extensions` on macOS (#6915)
- Add `prefetch` table on Windows (#7076)
- Add support for IMDSv2 to AWS tables (#7084)
- Enable container stats on docker containers that don't have traditional networks (#7145)
- Update `homebrew_packages` to include new prefix, and allow specifying alternate prefixes (#7117)
- Update `ntfs_acl_permissions` to list all ACE entries (using `GetAce()`) (#7114)
- Update `processes` table to display additional Windows attributes (`secured`, `protected`, `virtual`, `elevated`) (#7121)
- Update how `package_install_history` identifies the packageIdentifiers key (#7099)
- Update how `identifier` is calculated in `chrome_extensions` (#7124)

Under the Hood improvements
- Improve speed of osquery shutdown procedure (#7077)
- Improve shutdown speed during initialization (#7106)
- Update website generators (#7136)
- CLI flag to allow osquery to keep retrying enrollment (instead of exiting) (#7125)
- rocksdb: Do not fsync WAL writes (#7094)
- Move CPack packaging to a dedicated repository (#7059)
- Restore thrift socket 5min timeout (#7072)
- Consolidate syscalls to a single audit rule (#7063)

Bug Fixes
- Add current WMI location for Dell BIOS info (#7103)
- Correct RocksDB error code and subcode printing on open failure (#7069)
- Fix `pipe_channel` not reading all data in a message (#7139)
- Fix crash and deadlocks in recursive logging (#7127)
- Fix custom `curl_certificate` timeouts (#7151)
- Fix extensions crash on shutdown (#7075)
- Handle updated paths on various macOS tables: `xprotect_entries`, `xprotect_meta`, `launchd` (#7138, #7154)
- Trigger event cleanup checks every 256 events (#7143)
- Update generating an extension uuid to be thread safe (#7135)
- Watchdog should wait for the worker to shutdown (#7116)

Documentation
- Update process auditing requirements documentation (#7102)
- Update website docs indicating Windows support for YARA tables (#7130)
- Add 4.9.0 CHANGELOG (#7152)

Build
- Add Apple provisioning profile for distribution (#7119)
- Add more tests for events expiration (#7071)
- CI: Regenerate sccache cache when compiler version changes (#7081)
- Fix flaky test test_daemon_sigint by waiting for pidfile (#7095)
- Fix icon in Windows packaging (#7148)
- Minor cleanup of unused variables (#7128)
- Print extension SDK minimum version required when failing to load (#7074)
- Remove POSIX-only `-fexceptions` flag on Windows (#7126)
- Remove duplicated osquery_utils_aws_tests-test (#7078)
- Remove flaky test decorators for python tests (#7070)
- Update SQLite to version 3.35.5 (#7090)
- Update librdkafka to version 1.7.0 (#7134)
- Update libyara to version 4.1.1 (#7133)
v4.8.0 Changes

Representing commits from 14 contributors! Thank you all.

This version fixes a regression introduced in 4.7.0 related to events expiration optimization. Please read (#7055) for more information.
This release upgrades OpenSSL, as is general good practice. Osquery is not known to be affected by any security issues in OpenSSL.

New Features
- shell: Add `.connect` meta command (#6944)

Table Changes

Under the Hood improvements
- Remove Keyboard Event Taps from osx-attacks pack (#7023)
- Refactor watcher out of singleton pattern (#7042)
- Small events subscriber refactor to increase test coverage (#7050)
- Set non-required `deb_packages` fields as optional in test (#7001)

Bug Fixes
- Handle events optimization edge cases (#7060)
- Fix optimization for multiple queries using the same subscriber (#7055)
- Use epoch and counter for events-based queries (#7051)
- Guard node key to prevent duplicate enrollments (#7052)
- Change Windows calculation for physical_memory (#7028)
- Free using WTSFreeMemoryEx for WTSEnumerateSessionsExW (#7039)
- Release variable in Windows data conversion (#7024)
- Change `chrome_extensions` warnings to verbose (#7032)
- Add transactions to the SQLite authorizer PRAGMAs (#7029)
- Change Windows messages to verbose (#7027)
- Fix scheduler to print the correct number of elapsed seconds (#7016)

Documentation
- Fix `tls_enroll_max_attempts` flag name in the documentation (#7049)
- Improve docs on FIM, mention NTFS and Audit, etc. (#7036)
- config: Add docs for the events top-level-key (#7040)
- Add funding link on GitHub generated page (#7043)
- Correct the example in the `windows_events` table spec (#7035)
- Correct docs about OpenSSL and TLS behavior (#7033)
- Update docs to describe how to build for aarch64/arm64 (#6285) (#6970)
- Add a note on enabling Windows to build with CMake's long paths (#7010)
- Add 4.8.0 CHANGELOG (#7057)

Build
- Add an option to enable incremental linking on Windows (#7044)
- Remove Buck leftovers that supported building with old versions of OpenSSL (#7034)
- Add build_aarch64 workflow for push (#7014)
- Move CI to using docker from osquery (#7012)
- Update dockerfile to multiplatform (#7011)
- Run GH Actions workflows on all tags (#7004)
- Disable BPF events tests if OSQUERY_BUILD_BPF is false (#7002)
- libs: Update OpenSSL to version 1.1.1k (#7026)
v4.7.0 Changes

Commits from 21 contributors! Thank you all!

New Features
- Add `concat` and `concat_ws` SQL functions (#6927)
- Update the scheduler to log the query name at info level (#6934)
- Add support for SQLite RPM databases (#6939)

Table Changes
- Add `computer` column to Windows Eventlogs (#6952)
- Add `docker_image_history` table (#6884)
- Add `filevault_status` column to disk_encryption table (#6823)
- Add `location_services` table on macOS (#6826)
- Add `shellbags` table (#6949)
- Add `system_extensions` table on macOS (#6863)
- Add `systemd_units` table (#6593)
- Add `ycloud_instance_metadata` table (#6961)
- Fix loading of YARA rules on Windows (#6893)
- Fix macOS OpenDirectory attribute mismatch (#6816)
- Update `augeas` table not to autoload system lenses (#6980)
- Update `chrome_extensions` table: more browser support and tests (#6780)
- Update `office_mru` table to correct platforms (#6827)
- Update aws table to include macOS (#6817)

Under the Hood improvements
- Remove Azure Pipelines (#6953)
- Disable deprecated TLS versions 1.0, 1.1 (#6910)
- Use librpm bdb_ro backend and remove bdb (#6931)
- bpf: Improve execve/execveat tracing, add AArch64 build support (#6802)
- Use a distinct carver `request_id` and add this to the schema (#6959)
- Initialize TLSLogForwarder before enrollment check (#6958)
- Put noisy thrift logs behind a flag (#6951)
- Fix bug in windows thrift, causing named pipe closing (#6937)
- Remove unused/experimental ebpf code (#6879)
- Remove unused ev2 code (#6878)
- Refactor the eventing framework to reduce disk IO and improve performance (#6610)

Bug Fixes
- Add `journal_mode` to the sqlite authorizer PRAGMAs (#6999)
- Add `table_info` to the sqlite authorizer PRAGMAs (#6814)
- Always use BIGINT macro for `long long` data (#6986)
- Copy JSON objects to avoid MemoryPool buildup (#6957)
- Do not call unconfigured subscribers errors (#6847)
- Do not ignore mountpoints that have the same mount path (#6871)
- Do not start scheduler when shutting down (#6960)
- Don't mark scope and key columns as index in selinux_settings table (#6872)
- Fix `augeas` table output bug for non-path entries (#6981)
- Fix `pids` column in `docker_container_stats` table (#6965)
- Fix additional relative path check in Yara for Windows (#6894)
- Fix config validation OOM with duplicated keys (#6876)
- Fix data type macro used for 64-bit timestamp variables (#6897)
- Fix error in `process_open_files`: inode needs stoul, not stoi (#6983)
- Fix leaks when a query fails from the shell (#6849)
- Fix mem leak regression with Windows sids API (#6984)
- Make Group ID columns consistent across Windows tables (#6987)
- When iterating /proc, use individual try/catch blocks to catch partial failures (#6933)
- augeas: Clear aug pointer on error (#6973)

Documentation
- Add 4.6.0 CHANGELOG (#6809)
- Add 4.7.0 CHANGELOG (#6985)
- Add docs for TLS enroll max attempts (#6888)
- Change reference about Azure Pipelines to GitHub Actions (#6988)
- Clarify FIM exclude category documentation (#6966)
- Document retrieval of available tables/columns via SQL (#6812)
- Fix GitHub Actions status badge in the README (#6908)
- Fix all broken or redirected URLs and references (#6835)
- Fix broken URL in docs (#6882)
- Fix incorrect Slack URLs (#6844)
- Fix packs discovery queries documentation (#6946)
- Fix reference to a PowerShell script on Windows (#6936)
- Fix typos in source code (#6901)
- Improve explanations of event control flags (#6954)
- Spellcheck and Markdown edits (#6899)
- Update README to include release process comment (#6877)
- Update documentation about denylist schedule key (#6922)
- Update macOS OpenBSM configuration (#6916)
- Update the Linux install steps and package listing (#6956)
- Update the info about osquery's TLS version support (#6963)

Build
- CI: Add a RelWithDebInfo Linux job to generate packages (#6838)
- CI: Add support for GitHub Actions (#6885)
- CI: Add unit tests for RPM DB querying (#6919)
- CI: Fix ExtendedAttributesTableTests failing due to an unexpected attribute (#6942)
- CI: Fix StartupItemTest failing due to unexpected values (#6940)
- CI: Fix SystemControlsTest adding sunrpc as an expected subsystem (#6932)
- CI: Fix XattrTests failing due to unexpected attribute name (#6941)
- CI: Fix an incorrect check in StartupItems test (#6950)
- CI: Fix wifi_tests on macOS 10.15 and above (#6724)
- CI: Move cppcheck step after the tests (#6845)
- CI: Permit running formatting earlier in the CI (#6836)
- CI: Remove incorrect 2to3 symlink breaking Python brew upgrade (#6819)
- CI: Remove unused empty test file (#6918)
- CI: Remove unused tests for Rocksdb and Inmemory db plugins (#6900)
- CI: Update XCode to 12.3 and update min macOS version to 10.12 (#6896, #6913)
- CI: Update macOS agent to 10.15 Catalina (#6680)
- CMake: Add -pthread compile option on posix platforms (#6909)
- CMake: Add Valgrind support (#6834)
- CMake: Add an option to disable building AWS tables and library (#6831)
- CMake: Add an option to disable building libdpkg tables and library (#6848)
- CMake: Detect missing headers during include namespace generation (#6855)
- CMake: Do not attempt to dllimport Thrift symbols (#6856)
- CMake: Do not compile Windows libraries with debug symbols (#6833)
- CMake: Explicitly set the MSVC runtime library (#6818)
- CMake: Fix amalgamated tables generation on change (#6832)
- CMake: Fix platformtablecontaineripc include namespace generation (#6853)
- CMake: Further fix amalgamation file gen on change (#6854)
- CMake: Refactor and rename fuzzers build flag (#6829)
- CMake: Significantly speed up configuration phase (#6914)
- CMake: Use make jobserver for OpenSSL on Linux and macOS (#6821)
- CPack: Remove extraneous lenses directory for augeas on macOS (#6998)
- Change libdpkg submodule url to our own GitHub mirror (#6903)
- Disable incremental linking to reduce build size on Windows (#6898)
- GitHub Actions: Fix .deb artifacts, add scheduled builds (#6920)
- Remove `hash` and `yara` table from fuzz harnesses (#6972)
- libraries: Reduce the compilation units from libarchive (#6886)
- libraries: Remove the last usage of sqlite3 from sleuthkit (#6858)
- libraries: Rename yara str functions to avoid symbol collisions (#6917)
- libraries: Update librpm to version 4.16.1.2 (#6850)
- libraries: Update openssl to version 1.1.1i (#6820)
- libraries: Update thrift to version 0.13.0 (#6822)

Hardening
- Update CODEOWNERS to reflect existing teams (#6955, #6975)
- Restrict access to Thrift server pipe on Windows (#6875)
- Fix a leak in libdpkg when querying the `deb_packages` table (#6892)
- Fix UB and dangerous casting in the pubsub framework (#6881)
- Fix heap-use-after-free in deregisterEventSubscriber (#6880)
- Thrift patch to support security configuration (#6846)
- Improve config fuzzer dictionary creation script (#6860)
- Avoid running queries for views when fuzzing (#6859)
- Improve fuzzing speed and stack trace accuracy (#6851)