What's new in osquery 5.11.0 (Mar 5, 2024)
- Table Changes:
- Add new table vscode_extensions (#8150)
- Add support for additional Apple Silicon columns in secureboot table (#8215)
- Add Shortcut metadata parsing on Windows in the file table (#8143)
- Remove atom_packages table (#8181)
- Add additional chrome extensions paths (#8170) to pick up extensions for Chrome Beta, Chrome Dev, and Vivaldi.
- Under the Hood improvements:
- Add version collations to column definitions (#8222)
- Add support for additional collations in column definitions (#8214)
- Add version collate functions (#8168)
- Added cache and throttling for certificates, keychain_acls, and keychain_items tables (#8192). This is intended to reduce the occurrence of keychain corruption due to broken macOS APIs.
- process_open_sockets: Mark pid column as additional instead of index (#8191)
- Bug Fixes:
- Add stricter checks to JSON parsing (#8229)
- Fix signed/unsigned mismatch in powershell_events (#8225)
- Fix a crash in firefox_addons (#8227)
- Correct the aws_sts_region behavior (#8184)
- Documentation:
- Update building.md prereqs for Windows (#8216)
- Correct link to a PR in the 4.7.0 changelog (#8186)
- Call out in the CHANGELOG the format changes of the status logs decorations (#8174)
- Remove some duplicated lines from 5.8.1 changelog (#8172)
- Fix typo in table specs (#8163)
- Keychain cache and throttling documentation. (#8205)
- Changelog 5.10.2 (#8171)
- Build / Dependencies:
- Update libxml2 to v2.12.3 (#8223)
- Update zlib to 1.3 and ignore a CVE (#8218)
- Update openssl to 3.2.0 (#8212)
- Update nvdlib to use the latest NVD APIs (#8207)
- Fix Linux build (#8208)
- Correct job order (#8185)
- Re-enable tools_tests_testrelease (#8221)
- Enable client certificate verification in the TLS tests (#8211)
- Temporary workaround to build with XCode 15 (#8197)
New in osquery 5.10.2 (Dec 28, 2023)
- New Features:
- Add --enable_watchdog_debug flag and improve watchdog error messages (#8070)
- Add --aws_enforce_fips to enforce AWS FIPS endpoints (#8075)
- Add new AWS valid regions (#8110)
- Implement decorations_top_level flag for status logs (#8102)
- Table Changes:
- Add new macOS SIP config flags (#8101)
- Added cloud_id to ycloud_instance_metadata - the vm metadata table for Yandex Cloud (#8086)
- Allow querying of kernel and filesystem drivers (#8119)
- Update es_process_file_events adding support for open events, and for only triggering on file_paths (#8114)
- Update firefox_addons to use rapidjson to parse and don't block on read (#8089)
- Update macOS es_process_events table: quote spaces in command line and environment variables (#8054)
- Update linux disk_encryption to recursively query parent crypt status (#8052)
- Add, and revert, indexing on block_devices (#8037, #8151)
- Under the Hood improvements:
- Add warnings when an enrollment secret cannot be found (#8082)
- Avoid blocking when reading plist files (#8099)
- Fix named virtual table create statement (#8139)
- Remove forensicReadFile (#8085)
- Substitute the TEXT macro with SQL_TEXT in table code (#8091)
- Use JSON member iterator instead of rescanning (#8122)
- core: Avoid checking if a file exists before opening (#8087)
- improvement: Avoid unnecessary string conversions (#8093)
- watchdog: Use virtual cores to calculate CPU utilization limit (#8104)
- Bug Fixes:
- Always lock event_index_mutex when accessing event_index map (#8077)
- Check audit return values with
New in osquery 5.10.1 Pre-release (Oct 23, 2023)
- New Features:
- Add --enable_watchdog_logging flag and improve error messages (#8070)
- Add --aws_enforce_fips to enforce AWS FIPS endpoints (#8075)
- Add new AWS valid regions (#8110)
- Implement decorations_top_level flag for status logs (#8102)
- Table Changes:
- Add new macOS SIP config flags (#8101)
- Added cloud_id to ycloud_instance_metadata - the vm metadata table for Yandex Cloud (#8086)
- Allow querying of kernel and filesystem drivers (#8119)
- Update es_process_file_events adding support for open events, and for only triggering on file_paths (#8114)
- Update firefox_addons to use rapidjson to parse and don't block on read (#8089)
- Update macOS es_process_events table: quote spaces in command line and environment variables (#8054)
- Update linux disk_encryption to recursively query parent crypt status (#8052)
- Add, and revert, indexing on block_devices (#8037, #8151)
- Under the Hood improvements:
- Add warnings when an enrollment secret cannot be found (#8082)
- Avoid blocking when reading plist files (#8099)
- Fix named virtual table create statement (#8139)
- Remove forensicReadFile (#8085)
- Substitute the TEXT macro with SQL_TEXT in table code (#8091)
- Use JSON member iterator instead of rescanning (#8122)
- core: Avoid checking if a file exists before opening (#8087)
- improvement: Avoid unnecessary string conversions (#8093)
- watchdog: Use virtual cores to calculate CPU utilization limit (#8104)
- Bug Fixes:
- Always lock event_index_mutex when accessing event_index map (#8077)
- Check audit return values with
New in osquery 5.9.1 (Sep 3, 2023)
- New Features:
- Add support for Windows on Arm (#7918)
- logger: Add new string_batch request type to complement existing string type (#8027)
- Table Changes:
- Add connected_displays table on macOS (#7946)
- Add windows_search table (#7990)
- Restore functionality of crashes table on macOS 12 and newer (#7819)
- Update keychain_items to include data about key types (#8002)
- Update os_version to include Apple RSR fields using native API (#8011)
- Update safari_extensions to handle the current app extensions pattern (#7991)
- Update system_info to include the number of sockets (#8038)
- Update unified_log table to add predicate column and optimize timestamp constraint (#8019)
- Under the Hood improvements:
- Improving listDirectoriesInDirectory by using std::fs (#7974)
- Do not consider a 404 as an error in ec2-instance-metadata (#8025)
- Release objects and free memory obtained from COM (#7999)
- Do not pass wstring::c_str() to wstringToString function (#8000)
- Do not copy process arguments into vector for CreateProcess call (#7956)
- Bug Fixes:
- Fix version column in homebrew_packages (#8057)
- Improve extended_attributes implementation for Linux and macOS (#8046)
- Update event tables to mark time column as "additional" (#8020)
- Documentation:
- Update expired Slack invite (#8051)
- Update es_process_file_events.table description (#7978)
- CHANGELOG 5.8.2 (#7986)
- Build:
- cve: Update to openssl 1.1.1u (#8050)
- cmake: Add an option to disable shallow git clone operations (#8026)
- Fix the aarch64 workflow (#8036)
- test: Fix a leak in ExtendedAttributesTableTests SetUp function (#8045)
- cve: Update libxml2 to v2.11.2 (#8023)
- libs: Bring out LZ4 from rdkafka and update it to v1.9.4 (#7996)
- ci: Update python version and docs build tools (#7969)
- ci: Update aarch64 runner to Ubuntu 20.04 and update badges (#7984)
- Add few unit tests for the hashing component (#7993)
New in osquery 5.8.2 (Jun 9, 2023)
- Bug Fixes:
- Fix empty batch result set reporting (#7958)
- Fix COM security initialization by setting COM security per interface level (#7963)
- Fix username field in managed_policy table (#7944)
- Documentation:
- CHANGELOG 5.8.1 (#7957)
- Build:
- test: Do not always expect a row from the secureboot table (#7967)
- cmake: Only link against the experiments loader when needed (#7959)
- tests: Fix some tests becoming osquery shells (#7964)
- test: Fix SystemdUnitsTest missing the unit_file_state column (#7965)
- tests: Do not always build root tests on Linux (#7966)
New in osquery 5.8.1 (Mar 22, 2023)
- New Features:
- Record and send statistics for distributed queries (#7870)
- Table Changes:
- Add ETW-based process events table for Windows (#7821)
- Add pid_with_namespace for yara table (#7920)
- Add a new table kernel_keys to the Linux platform (#7876)
- Leave min_version empty in xprotect_meta when not specified (#7926)
- Port the secureboot table to macOS (#7692)
- Update docker_container_stats table to include cached_memory column (#7807)
- cpu_info: Port the table to macOS x86 and Apple Silicon (#7757)
- experiments: Implement a new bpf_process_events_v2 table (#7773)
- systemd_units: Add new unit_file_state column (#7895)
- Under the Hood improvements:
- Set counter consistently so zero always indicates all records (#7801)
- Support logging empty result set in batch format for initial runs (#7803)
- Support rollbacks of osquery when new versions introduce new column families (#7712)
- analysis.py: Add --pack flag to load queries from a pack file (#7935)
- profile.py: Log # of queries loaded and raise an error if 0 are loaded (#7934)
- Bug Fixes:
- Clear cached constraints and columns in xBestIndex (#7435)
- Fix assert fail for unverified WMI request result (#7921)
- Fix leaks in scheduled_tasks (#7903) (#7904)
- Flush console buffer during ungraceful exit (#7829)
- Propagate windows errors to the exit code (#7896)
- Relax osquery safe permissions check (#7763)
- Silence warnings for more builtin Chrome and Brave extensions (#7932)
- Workaround for hung routes table (#7916)
- dns_resolvers: fix typo in the name when spawning in namespace (#7875)
- test: Fix flaky test_daemon_sigint (#7888)
- Documentation:
- Add note about windows_security_products compatibility (#7880)
- CHANGELOG 5.7.0 (#7894)
- Docs: mention the recent adoption of automatic CVE scanning (#7878)
- Fix broken link in CODE_OF_CONDUCT.md (#7922)
- docs: Update the list of pages (#7866)
- docs: clarify that logger_plugin is set from CLI (#7917)
- Build:
- Do not catch table or registry exceptions when running tests (#7621)
- Fix and document discovery queries behavior on distributed queries and add tests (#7655)
- Try to free some disk space on the arm64 runners (#7950)
- ci: Automatically cancel old PR jobs (#7887)
- ci: Improve error message when a library is missing from the manifest (#7899)
- ci: Remove Windows 32bit build (#7939)
- ci: Update some actions to remove deprecation warnings (#7864)
- ci: Workaround in the aarch64 runner to avoid out of space (#7941)
- cmake: Remove forced static libraries search for osquery-toolchain (#7881)
- cve: Ignore libcryptsetup cves (#7871)
- cve: Ignore libdpkg CVE-2022-1664 (#7872)
- cve: Ignore libgcrypt cves (#7873)
- cve: Ignore sqlite CVE-2022-46908 (#7911)
- cve: Ignore util-linux cves (#7929)
- cve: Update librpm to 4.18.0 (#7910)
- cve: Update openssl to 1.1.1t (#7937)
- cve: Update yara to 4.2.3 (#7912)
- git: Ignore compile_commands.json and pyrightconfig.json (#7885)
- libs: Fix libmagic build on macOS (#7915)
- libs: Fix system paths used by dbus (#7919)
- libs: Update dbus to 1.12.24 (#7905)
- libs: Update libarchive to 3.6.2 (#7877)
- libs: Update libxml2 to 2.10.3 (#7882)
- libs: Update popt to 1.19 (#7909)
- libs: Update util-linux to 2.35.2 (#7902)
- libs: Update zlib to 1.2.13 (#7874)
- libs: update Thrift to 0.17 (#7868)
- test: Add an option to run only selected python testcases (#7890)
- test: Speed up ec2InstanceMetadata.test_sanity (#7907)
New in osquery 5.7.0 (Feb 26, 2023)
- New Features:
- New table security_profile_info to retrieve security profile information on Windows (#7794)
- Table Changes:
- Add column to es_process_events for process codesigning flags (#7726)
- shimcache: Only check CurrentControlSet to avoid duplicate rows (#7832)
- processes: Fix the procfs memory unit kB, which is 1024 bytes not 1000 (#7818)
- Fix permissions on opening pipes for reading in pipes table (#7810)
- Fix the empty host column from logged_in_users table (#7685)
- docker_containers: Don't report finished_at for a container which is still running (#7783)
- processes: Stabilize the start_time column value on macOS and Linux (#7788)
- Bug Fixes:
- Do not access the AWS SDK request content type if missing (#7834)
- Fix deadlock when logging happens during a database reset (#7798)
- Fix handling of some errors during an AWS HTTP request (#7811)
- Documentation:
- CHANGELOG 5.6.0 (#7804)
- Add link to official YARA docs (#7792)
- Fix typo in keychain_items (#7790)
- Packs:
- packs/incident_response: process_memory_map is also applicable to Darwin (#7789)
- Build:
- cve: Ignore zstd CVE-2021-24031 (#7865)
- ci: Add a job and helper scripts to periodically scan for CVEs (#7787)
- ci: Update how we set github workflow step outputs (#7791)
- ci: Fix python version when installing modules and testing on macos (#7813)
New in osquery 5.6.0 (Dec 7, 2022)
- Table Changes:
- Add firmware_type column to platform_info on macOS (#7727)
- Add additional vendor support for the windows wmi_bios_info table (#7631)
- Fix docker_container_processes on macOS (#7746)
- Fix process_file_events subscriber being incorrectly initialized (#7759)
- Fix secureboot on windows by acquiring the necessary process privileges (#7743)
- Improve macOS mdfind -- Reduce table overhead and support interruption (#7738)
- Remove binary column from firefox_addons table (#7735)
- Remove is_running column from macOS running_apps table (#7774)
- Under the Hood improvements:
- Add notes field to the schema and associated json (#7747)
- Add extended platforms to the schema and associated json (#7760)
- Fix a leak and improve users and groups APIs on Windows (#7755)
- Have --tls_dump output body to stderr (#7715)
- Improvements to osquery AWS logic (#7714)
- Remove leftover FreeBSD related code and documentation (#7739)
- Documentation:
- CHANGELOG 5.5.1 (#7737)
- Correct the description on how to configure and use Yara signature urls (#7769)
- Document difference between yara and yara_events (#7744)
- Link to the slack archives (#7786)
- Update docs: _changes tables are not evented (#7762)
- Build:
- Delete temporary CTest files (#7782)
- Fix table tests for macOS running_apps (#7775)
- Fix table tests for windows platform_info (#7742)
- Migrate jobs from ubuntu-18.04 to ubuntu-20.04 (#7745)
- Remove unused find_packages modules and submodule (#7771)
New in osquery 5.5.1 (Oct 11, 2022)
- New Features:
- Add denylist mechanism to distributed queries (#7675)
- Table Changes:
- Add cgroup_path column to processes table on Linux (#7728)
- Add firmware_type column to platform_info table on Windows. (#7710)
- Add unified_log table for macOS (UAL) (#7598, #7713)
- Port memory_devices table to Windows (#7633)
- Port platform_info table to M1 Macs (#7660)
- Restore macOS kernel_panics table on modern macOS (#7585)
- Update battery table on macOS m1 with correct raw battery max and current capacity (#7721)
- Update mdfind query timeout to 30 seconds (#7725)
- Update macos password_policy table to use -1 as sentinel value for uid column (#7699)
- Update parsing of authorized_keys file (#7560)
- Update the registry table to be case insensitive for key (#7708)
- Under the Hood improvements:
- Add a mechanism to reduce memory retained on Linux (#7502)
- Add denylist mechanism to distributed queries (#7675)
- Add table spec support for COLLATE NOCASE (#7680)
- Improve Pidfile handling (#7304)
- Prevent the audit event system from using too much memory (#7329)
- carves: use full pathnames while creating an archive (#7681)
- Bug Fixes:
- Fix GetMemorySize for Windows memory_devices table (#7711)
- Fix tpm_info bug where values were out of date (#7686)
- Fix a crash when parsing ATC config with no columns (#7693)
- Fix bug in GetHomeDirectories filesystem function (#7705)
- Documentation:
- Add core to the type column description of osquery_extensions schema (#7716)
- Add documentation about 3rd-party dependency security (#7684)
- Add example for hostname form in curl_certificate table (#7706)
- Adds info on how to use GTEST_FILTER on windows (#7696)
- Changelog 5.4.0 (#7678)
- Describe user-context-related caveat for screenlock table (#7649)
- Update schema for process_open_sockets.state (#7733)
- Update schema to reflect platform_info columns not available in Windows (#7732)
- Build:
- Add validation integration test for memory_devices (#7722)
- Temporarily disable memory_devices integration test (#7717)
- Update minimum macOS support from 10.12 to 10.14 (#7707)
- ci: Update and temporarily disable the macOS Catalina test job (#7700)
- cmake: Prevent defining some Linux only targets on other platforms (#7672)
- libs: Update libxml2 to v2.9.14 (#7729)
- libs: Update sqlite to version 3.39.2 (#7736)
- test: Fix Mdfind.test_sanity flakiness (#7701)
New in osquery 5.4.0 (Aug 14, 2022)
- New Features:
- We're extending macOS Endpoint Security to include File Integrity monitoring. Check out the new es_process_file_events table. (#7579)
- Add Docker build scripts and configuration (#7619)
- Deprecation Notices:
- Prevent CLI_FLAGs to be set via config (#7561)
- Remove the lldp_neighbors table (#7664)
- Table Changes:
- New Table: es_process_file_events for macOS Endpoint Security based FIM (#7579)
- New Table: password_policy table for macOS (#7594)
- New Table: windows_update_history (#7407)
- Add memory_available to linux memory_info table (#7669)
- Port the cpu_info table to linux (#7499)
- Remove the lldp_neighbors table (#7664)
- Update deb_packages table to not display arch info in the package name (#7638)
- Update hardware_model in the system_info table on Apple M1 machines to report correctly (#7662)
- Update shared_resources table to add type names, fix type/maximum_allowed handling (#7645)
- Under the Hood improvements:
- Expand env vars before trying to enumerate crashes in windows_crashes table (#7391)
- Implement a split and trim function using std::string_view (#7636)
- Improve scheduled query denylisting and scheduler shutdown (#7492)
- Prevent CLI_FLAGs to be set via config (#7561)
- Remove unnecessary string copy (#7625)
- Bug Fixes:
- Add linwin to list of supported PLATFORM_DIRS (#7646)
- Fix AWS certificate verification failing on all services (#7652)
- Fix MBCS support on Windows (#7593)
- Fix local_timezone column in the time table on Windows (#7656)
- Fix system_info table to support unicode on Windows (#7626)
- Fix multiple Yara leaks (#7615)
- Fix std::bad_alloc on pci_devices on Apple Silicon macs (#7648)
- Fix tables spec files to specify linux and not posix (#7644)
- Fix thrift server shutting down when dropping privileges (#7639)
- Documentation:
- CHANGELOG 5.3.0 (#7575)
- Exclude spec/example.table when generating documentation (#7647)
- Fix a UUID typo in the disk_encryption table (#7608)
- Fix spelling of the word "owned" (#7630)
- Fix typo in FIM docs for Windows (#7676)
- Update the "new release" issue template (#7607)
- clarify browser_plugins table is referencing basically unsupported CNPAPI tech (#7651)
- Build:
- Add an option to build with the leak sanitizer (#7609)
- Fix check for PIE support (#7234)
- Fix SchedulerTests.test_scheduler_drift_accumulation flakiness (#7613)
- Improve config parsing and osqueryfuzz-config performance (#7635)
- Initialize users and groups services on all tests that need them (#7620)
- ci: Update osquery-packaging commit to the latest one (#7667)
- cmake: Add an option to enable or disable using ccache (#7671)
- libs: Update OpenSSL to version 1.1.1o (#7629)
- libs: Update OpenSSL to version 1.1.1q (#7674)
- libs: Update libarchive to version 3.6.1 (#7654)
- libs: Update sqlite to version 3.38.5 (#7628)
New in osquery 5.3.0 (Aug 14, 2022)
- Deprecation Notices:
- Deprecate unmaintainable legacy table, smart_drive_info (#7464)
- New Features:
- Add the option tls_disable_status_log to prevent status logs from being sent via TLS (#7550)
- Add SQLite function in_cidr_block to check if IPv4/v6 addresses are within the supplied CIDR block (#7563)
- Table Changes:
- Add the admindir column to the deb_packages table to parse package databases on different paths (#7549)
- Implement and fix wifi_networks on macOS Big Sur and newer (#7503)
- Add windows/darwin support to npm_packages (#7536)
- Move apt_sources and yum_sources tables to linux only (#7537)
- Add homebrew paths to the python_packages table (#7535)
- Mark wall_time column in osquery_schedule as hidden (#7501)
- Add new metrics and improve description of existing ones in osquery_schedule (#7438)
- Add the mirrorlist column in the table yum_sources (#7479)
- Implement output_size for osquery_schedule (#7436)
- deb_packages table: Use additional instead of index for the admindir column (#7573)
- certificates table: Add Linux support (#7570)
- Add translated column to processes table to indicate whether the process is running under Apple Rosetta (#7507)
- Add the "internet password" type to the macOS keychain_items table (#7576)
- Add original filename column to file table on Windows (#7156)
- Bug Fixes:
- Fix watchdog not killing unhealthy worker/extension fast enough (#7474)
- Fix the test_http_server.py --persist option (#7497)
- Update profile.py --leaks for python3 (#7534)
- Fix osquery tls connections to aws kinesis when tls_server_certs is set (#7450)
- Fix parsing issue when a backslash is the last character on a sudoers file line (#7440)
- Change the JSON of the results coming from an event scheduled query to an array (#7434)
- Fix globToRegex truncating UTF16 characters (#7430)
- Prevent hanging when the WMI server does not respond (#7429)
- Fix python_packages table so that it lists python packages from any user Python installations (#7414)
- Set string size limit on thrift protocol factory to prevent a crash (#7484)
- Fix driver image path in drivers table (#7444)
- Do not remove nonblocking flag when reading "special" files, to prevent hangs (#7530)
- Fix crash due to interaction between distributed and config plugin (#7504)
- bpf: Disable the BPF publisher in case of error (#7500)
- Warn about setting CLI_FLAGs in the config (#7583)
- Explicitly set context for the tables reading utmpx databases (#7578)
- bpf: Improve socket event handling (#7446)
- certificates: Refactor the OpenSSL utilities (#7581)
- Fix shared_resources accessing uninitialized variables (#7600)
- Under the Hood improvements:
- Implement a performant cache for users and groups on Windows (#7516)
- Replace WmiRequest constructor with static factory method to improve error handling and prevent crashes (#7489)
- Remove redundant string conversion (#7603)
- Build:
- Fix DebPackages.test_sanity test when the size column is empty (#7569)
- libs: Update libdpkg from version v1.19.0.5 to v1.21.7 (#7549)
- CI: Restore some release checks (#7558)
- Prevent ebpfpub linking against the system zlib (#7557)
- Fix mdfind.test_sanity flaky behavior (#7533)
- Enable fuzzing and Asan on Windows, enable Asan on macOS (#7470)
- Update cppcheck to version 2.6.3 and skip analysis for third party code (#7455)
- Change cpu_info test to expect at least one socket, not just one (#7490)
- Fix third party libraries flags leaking to osquery targets (#7480)
- Add third party libraries target (#7467)
- Do not run clang-tidy on third party libraries (#7432)
- CI: Create github workflow target to gate mergeability (#7427)
- Fix some warnings about unrecognized special characters in the Windows event log test (#7478)
- Change where the macOS Info.plist is generated (#7566)
- Add OSQUERY_ENABLE_THREAD_SANITIZER to optionally enable TSan (#6997)
- Add an option to specify a path to the openssl archive (#7559)
- packs: Update reverse shell query pack to check for a valid remote_port (#7567)
- Remove the test_daemon_sighup test (#7584)
- Documentation:
- docs: remove FreeBSD (#7508)
- Pin Jinja2 ReadTheDocs dependency to 3.0.3 (#7533)
- CHANGELOG 5.2.3 (#7571)
- CHANGELOG 5.2.2 (#7447)
- Bump mkdocs from 1.1.2 to 1.2.3 in /docs (#7457)
- Replace OS X with macOS in table specs (#7587)
- Update osquery.example.conf to omit the CLI only flags (#7595)
New in osquery 5.2.2 (Apr 6, 2022)
- Osquery 5.2.2 brings native Apple Silicon (M1) support to the macOS platform. It also represents a comprehensive review and update of our third-party dependencies. To support this work, the developer docs have been updated, as have several parts of the build system.
- This release represents commits from 24 contributors! Thank you all.
- New Features:
- Apple Silicon support (#7330)
- Deprecation Notices:
- The cpuid table is x86 only. See #7462
- The smart_drive_info table has been deprecated, and is not included in the m1 builds. See #7464
- The lldp_neighbors table has been deprecated, and is not included in the m1 builds. See #7463
- Table Changes:
- Update time table to always reflect UTC values (#7276, #7460, #7437)
- Hide the deprecated antispyware column in windows_security_center (#7411)
- Add windows_firewall_rules table for windows (#7403)
- Bug Fixes:
- Update the ATC table path column check to be case insensitive (#7442)
- Fix a crash introduced by 5.2.0 when Yara uses its own strutils functions (#7439)
- Fix user_time and system_time unit in processes table on M1 (#7473)
- Documentation:
- Fix typos in documentation (#7443, #7412)
- CHANGELOG 5.1.0 (#7406)
- Build:
- Update sqlite to version 3.37.0 (#7426)
- Fix linking of thirdparty_sleuthkit (#7425)
- Fix how we disable tables in the fuzzer init method (#7419)
- Prevent running discovery queries when fuzzing (#7418)
- Add BOOST_USE_ASAN define when enabling Asan (#7469)
- Removing unnecessary macOS version check (#7451)
- Fix submodule cache for macOS CI runner (#7456)
- Add osquery version to macOS app bundle Info.plist (#7452)
- libs: Update OpenSSL to version 1.1.1l (#7330)
- libs: Update augeas to version 1.12.0 (#7330)
- libs: Update aws-sdk to version 1.9.116 (#7330)
- libs: Update boost to version 1.77 (#7330)
- libs: Update gflags to 2.2.2 (#7330)
- libs: Update glog to version 0.5.0 (#7330)
- libs: Update googletest to version 1.11.0 (#7330)
- libs: Update libarchive to version 3.5.2 (#7330)
- libs: Update libcap to version 1.2.59 (#7330)
- libs: Update libmagic to version 5.40 (#7330)
- libs: Update librdkafka to version 1.8.0 (#7330)
- libs: Update libxml2 to version 2.9.12 (#7330)
- libs: Update linenoise-ng to the latest commit (#7330)
- libs: Update lzma to version 5.2.5 (#7330)
- libs: Update rocksdb to version 6.22.1 (#7330)
- libs: Update sleuthkit to version 4.11.0 (#7330)
- libs: Update ssdeep-cpp to the latest commit (d8705da) (#7330)
- libs: Update thrift to version 0.15.0 (#7330)
- libs: Update yara to version 4.1.3 (#7330)
- libs: Update zstd to version 1.4.0 (#7330)
New in osquery 5.1.0 (Jan 20, 2022)
- New Features:
- Allow custom cpu limit duration for the watchdog (#7348)
- Support custom endpoints for AWS Kinesis and Firehose. (#7317)
- Table Changes:
- Add docker_container_envs table for access to docker container environment (#7313)
- curl table now returns peer certificates even if the TLS handshake does not complete (#7349)
- Under the Hood improvements:
- Allow tests and SDK to reset dispatcher state (#7372)
- Avoid string copies when looping through cron search dirs (#7331)
- Respect read_max flag when hashing using ssdeep (#7367)
- Bug Fixes:
- Detect when an extension has not started correctly on Windows (#7355)
- Fix crash #7353 when osquery captures kill syscall when not subscribed to them (#7354)
- Fix crash in AuditdNetlinkReader::configureAuditService when audit_add_rule_data returns an error (#7337)
- Fix crash when windows_security_products errors out (#7401)
- Fix for #7394 where cleanup of some event tables never occurs (#7395)
- Improve BPF publisher reliability (#7302)
- Lower log level of "executing distributed query" (#7386)
- Reduce excessive log messages from authorized_keys table implementation (#7318)
- Documentation:
- Add 5.0.1 CHANGELOG (#7284)
- Fix typo in Everything in SQL docs (#7338)
- Fix typo in SQL docs (#7376)
- Update GitHub issue templates (#7361, #7396)
- Update installation guide to use newer macOS paths (#7311)
- Update macOS ESF documentation (#7303)
- Packs:
- Add Forcepoint Endpoint Chrome Extension detection to packs (#7346)
- Add beurk rootkit detection to packs (#7345)
- Build:
- Allow tests to reset the restarting state (#7373)
- Build librpm with ndb support (#7294)
- Customizable installation logic (#7315)
- Fix ASL test on macOS 11 and later (#7320)
- Restore query packs in Windows packaging (#7388)
- Skip deprecated ASL test when targeting macOS 10.13+ SDK (#7358)
- Update packaging commit to fix Linux symlinks (#7404)
- Update the CI Linux Docker image (#7332)
New in osquery 5.0.1 (Dec 3, 2021)
- We now install into /opt/osquery on macOS and Linux for better portability.
- Our default and recommended installation for macOS uses an application bundle to support entitlement-based features.
- We now use Endpoint Security APIs for various event-based tables on macOS (more to come in the future!)
- We now use an osquery-organization macOS code signing certificate.
- There are several breaking changes:
- Installation paths have changed from /usr/local to /opt/osquery on macOS and Linux (symlinks to executables are provided).
- macOS codesigning is now done through the Osquery Foundation account.
- If you manage macOS full disk permission through a profile, you will need to update it.
- See docs
- We removed the deprecated blacklist key from the configuration (#7153)
- Search semantics on the augeas table have changed to be more performant, but do break the existing query API.
- Table Changes:
- Add secureboot table for Linux and Windows (#7202)
- Add tpm_info for Windows (#7107)
- Fix osquery_info build_platform column value on Linux (#7254)
- Support pid_with_namespace in more tables (#7132)
- Update augeas table to use native pattern matching (BREAKING) (#6982)
- Update chrome_extensions to include Edge & EdgeBeta (#7170)
- Update disk_encryption table to support QueryContext (#7209)
- Update last to include utmp type name column (#7201)
- Update sudoers table to support newer include syntax (#7185)
- Update user_ssh_keys to detect encryption of ed25519 keys (#7168)
- Under the Hood Improvements:
- Add ruby namespace to the thrift definition (#7191)
- Always initialize variable change in PerformanceChange (#7176)
- Remove deprecated blacklist key (#7153)
- Use total_size within watchdog on Windows (#7157)
- Support AF_PACKET sockets reporting on Linux (#7282)
- socket_events improvements in Linux audit system (#7269)
- Bug Fixes:
- Add case sensitive pragma to the pragma/actions authorizer allow list (#7267)
- Add feature to skip denylist for event-based queries (#7158)
- Change logger_mode flag to be correctly interpreted as an octal (#7273)
- Do not let osquery create multiple copies of the extension running at once (#7178)
- Fix Linux audit rule removal upon osquery exit (#7221)
- Fix broadcasting empty logs to logger plugins (#7183)
- Fix issues applying ACLs during chocolatey deployment (#7166)
- Fix memory issue in Windows fileops (#7179)
- Fix process_open_sockets type error on darwin (#6546)
- Make sure that the file action MOVED_TO is tracked with yara events. (#7203)
- Prevent osquery from killing itself when the --force flag is used (#7295)
- Prevent race condition between shutdown and worker or extension launch (#7204)
- Documentation:
- Add a security assurance case (#7048)
- Bring the YARA wiki page up to date (#7172)
- Spelling fixes (#7211, #7186)
- Update uptime table description (#7270)
- Update osquery installed artifacts paths in the documentation (#7286)
- Build:
- Add TimeoutStopSec to systemd service files (#7190)
- Correct macOS installed app bundle path in osqueryctl and doc (#7289)
- Create a macOS app bundle (#7263)
- Fix choco packaging not failing when an error occurs during install or upgrade (#7182)
- Fix path in macOS launchd plist (#7288)
- Pin the packaging repo within GitHub workflows (#7208, #7255, #7279)
- Update Windows deployment icon to png (#7163)
- Update install paths, and remove deprecated Facebook naming (#7210)
- Update macOS build to include app bundle related files (#7184)
- Update osquery installed artifacts default paths in code (#7285)
- Update the installation path on Linux (#7271)
- libs: Add AWS options to optionally enable debug output and restrict the content-type header size for PUT requests (#7216)
- libs: Enable and compile the YARA macho module on macOS (#7174)
- libs: Update OpenSSL to version 1.1.1l (#7293)
- libs: Update Strawberry Perl to 5.32.1.1, use HTTPS downloads (#7199)
- libs: Update ebpfpub (#7173, #7219)
New in osquery 4.9.0 (Aug 27, 2021)
- New Features:
- Add filesystem logrotate feature (#7015)
- Add Non-Functional EndpointSecurity based process events to macOS (Requires updated codesigning due in 5.0) (#7046)
- Table Changes:
- Add mdm_managed column to system_extensions on macOS (#6915)
- Add prefetch table on Windows (#7076)
- Add support for IMDSv2 to AWS tables (#7084)
- Enable container stats on docker containers that don't have traditional networks (#7145)
- Update homebrew_packages to include new prefix, and allow specifying alternate prefixes (#7117)
- Update ntfs_acl_permissions to list all ACE entries (using GetAce()) (#7114)
- Update processes table to display additional Windows attributes (secured, protected, virtual, elevated) (#7121)
- Update how package_install_history identifies the packageIdentifiers key (#7099)
- Update how identifier is calculated in chrome_extensions (#7124)
- Under the Hood improvements:
- Improve speed of osquery shutdown procedure (#7077)
- Improve shutdown speed during initialization (#7106)
- Update website generators (#7136)
- CLI flag to allow osquery to keep retrying enrollment (instead of exiting) (#7125)
- rocksdb: Do not fsync WAL writes (#7094)
- Move CPack packaging to a dedicated repository (#7059)
- Restore thrift socket 5min timeout (#7072)
- Consolidate syscalls to a single audit rule (#7063)
- Bug Fixes:
- Add current WMI location for Dell BIOS info (#7103)
- Correct RocksDB error code and subcode printing on open failure (#7069)
- Fix pipe_channel not reading all data in a message (#7139)
- Fix crash and deadlocks in recursive logging (#7127)
- Fix custom curl_certificate timeouts (#7151)
- Fix extensions crash on shutdown (#7075)
- Handle updated paths on various macOS tables: xprotect_entries, xprotect_meta, launchd (#7138, #7154)
- Trigger event cleanup checks every 256 events (#7143)
- Update generating an extension uuid to be thread safe (#7135)
- Watchdog should wait for the worker to shutdown (#7116)
- Documentation:
- Update process auditing requirements documentation (#7102)
- Update website docs indicating windows support for YARA tables (#7130)
- Add 4.9.0 CHANGELOG (#7152)
- Build:
- Add Apple provisioning profile for distribution (#7119)
- Add more tests for events expiration (#7071)
- CI: Regenerate sccache cache when compiler version changes (#7081)
- Fix flaky test test_daemon_sigint by waiting for pidfile (#7095)
- Fix icon in Windows packaging (#7148)
- Minor cleanup of unused variables (#7128)
- Print extension SDK minimum version required when failing to load (#7074)
- Remove POSIX-only -fexceptions flag on Windows (#7126)
- Remove duplicated osquery_utils_aws_tests-test (#7078)
- Remove flaky test decorators for python tests (#7070)
- Update SQLite to version 3.35.5 (#7090)
- Update librdkafka to version 1.7.0 (#7134)
- Update libyara to version 4.1.1 (#7133)
New in osquery 4.8.0 (Jun 14, 2021)
- New Features:
- shell: Add .connect meta command (#6944)
- Table Changes:
- Add seccomp_events table for Linux (#7006)
- Add shortcut_files table for Windows (#6994)
- Under the Hood improvements:
- Removing Keyboard Event Taps from osx-attacks pack (#7023)
- Refactor watcher out of singleton pattern (#7042)
- Small events subscriber refactor to increase test coverage (#7050)
- Setting non-required deb_packages fields as optional in test (#7001)
- Bug Fixes:
- Handle events optimization edge cases (#7060)
- Fix optimization for multiple queries using the same subscriber (#7055)
- Use epoch and counter for events-based queries (#7051)
- Guard node key to prevent duplicate enrollments (#7052)
- Change windows calculation for physical_memory (#7028)
- Free using WTSFreeMemoryEx for WTSEnumerateSessionsExW (#7039)
- Release variable in Windows data conversion (#7024)
- Change chrome_extensions warnings to verbose (#7032)
- Add transactions to the SQLite authorizer PRAGMAs (#7029)
- Change Windows messages to verbose (#7027)
- Fix scheduler to print the correct number of elapsed seconds (#7016)
- Documentation:
- Fix tls_enroll_max_attempts flag name in the documentation (#7049)
- Improve docs on FIM, mention NTFS and Audit, etc. (#7036)
- config: Add docs for the events top-level-key (#7040)
- Add funding link on GitHub generated page (#7043)
- Correct the example in the windows_events table spec (#7035)
- Correct docs about OpenSSL and TLS behavior (#7033)
- Update docs to describe how to build for aarch64/arm64 (#6285) (#6970)
- Add a note on enabling Windows to build with CMake's long paths (#7010)
- Add 4.8.0 CHANGELOG (#7057)
- Build:
- Add an option to enable incremental linking on Windows (#7044)
- Remove Buck leftovers that supported building with old versions of OpenSSL (#7034)
- Add build_aarch64 workflow for push (#7014)
- Move CI to using docker from osquery (#7012)
- Update dockerfile to multiplatform (#7011)
- Run GH Actions workflows on all tags (#7004)
- Disable BPF events tests if OSQUERY_BUILD_BPF is false (#7002)
- libs: Update OpenSSL to version 1.1.1k (#7026)
New in osquery 4.6.0 (Mar 14, 2021)
- New Features:
- Initial implementations for BPF-based socket and process events tables (#6571)
- Support EC2 tables on Windows (#6756)
- Under the Hood improvements:
- BPF: Add container support to fork/vfork/clone (#6721)
- BPF: Additional improvements on the initial implementation (#6717)
- BPF: Fix the tests (#6783)
- BPF: Fix wrong d_type compare in filesystem classes (#6774)
- BPF: Implement additional syscalls to track file descriptor usage (#6723)
- Remove unused LTCG flag (#6769)
- Support TLS client certificate chains (#6753)
- Refactor carver to use the Scheduler (#6671)
- Add configuration flag to disable file_events by default (#6663)
- libs: Build x86_64 configurations on Ubuntu 14.04 (#6687)
- libs: Port the RocksDB Win7 compatibility patch to the MSBuild generator (#6765)
- libs: Update BPF libraries to support LLVM 11 (#6775)
- libs: Update RocksDB to version 6.14.5 (#6759)
- libs: Update bzip2 to version 1.0.8 (#6786)
- libs: Update ebpfpub to latest version (#6757)
- libs: Update sqlite to version 3.34.0 (#6804)
- libs: update aws-sdk to 1.7.230 (#6749)
- Adding support for pretty-printing JSON results in osqueryi (#6695)
- Table Changes:
- Add Yandex Browser support for chrome_extensions (#6735)
- Add additional file stat flags to Darwin (bsd_flags) (#6699)
- Add extended_attributes table to Linux, add support for Linux capabilities (#6195)
- Add indexed column support to Windows users table (#6782)
- Enable AWS Instance profile as credential provider on Windows (#6754)
- Add systemd support for startup_items on Linux (#6562)
- Bug Fixes:
- Do not use memset on VirtualTable, a non-POD type (#6760)
- Fix deadlock when registering two extensions (#6745)
- Fix last_connected column in wifi_networks on Catalina (#6669)
- Fix missing negations, duplicate rows in iptables table (#6713)
- Fix shadow table to detect empty passwords (#6696)
- Free memory allocated by ConvertStringSidToSid (#6714)
- PackageIdentifiers are optional in InstallHistory.plist (#6767)
- Removing PUNYCODE flag from windows string conversions (#6730)
- Fix memory leak in the dbus classes (#6773)
- Change the kernel_modules size column type to BIGINT (#6712)
- Documentation:
- Add a README.md to source-based libraries (#6686)
- Fix spelling typos (#6705)
- Journald Audit Logs Masking Documentation (#6748)
- Build:
- CI: Provide built packages as Azure artifacts (#6772)
- CI: Python installation improvements on Windows (#6764)
- CI: Update brew scripts (#6794)
- CMake: Disable BPF support if the LLVM libs are not compatible (#6746)
- CMake: Use CPACK_RPM_PACKAGE_RELEASE (#6805)
- CMake: Add max version limit to 3.18.0 on Linux (#6801)
- Change urls for submodules gpg-error, libgcrypt, libcap (#6768)
- Reduce linkage requirements for tests (#6715)
- Remove a Buck leftover (#6799)
- Remove boost workaround introduced in #5591 for string_view (#6771)
- Tests: Fix tests on Catalina (#6704)
- Update cmake_minimum_required to 3.17.5 and pin version in CI (#6770)
- build: Fix Windows build on newer MSVC (#6732)
- extensions: Always compile examples to prevent them from breaking (#6747)
- Security Issues:
- Add SQLite authorizer to mitigate CVE-2020-26273 / GHSA-4g56-2482-x7q8 (c3f9a3d)
- Packs:
- Updated unwanted-chrome-extensions (#6720)
- Restrict the usb_devices pack to Posix (#6739)
- Add Reptile rootkit to ossec-rootkit pack (#6703)
New in osquery 4.5.0 (Oct 6, 2020)
- New Features:
- ARM64/AARCH64 beta support for Linux (#6612)
- Windows 32bit support (#6543)
- Fix buildup of RocksDB SST files (#6606)
- Under the Hood improvements:
- Remove selectAllFrom from Linux process_events callback (#6638)
- Remove database read only concept (#6637)
- Move database initialization retry logic into DB API (#6633)
- Move osquery/include files into respective CMake targets (#6557)
- Memoize EventFactory::getType (#6555)
- Update schedule counter behavior (#6223)
- Define UNICODE and _UNICODE preprocessors for windows (#6338)
- Add WMI utility function to convert datetime to FILETIME (#5901)
- Move osquery shutdown logic outside of Initializer (#6530)
- Table Changes:
- Support for Windows Background Activity Moderator (#6585)
- Add apparmor_events table to Linux (#4982)
- Add sigurl column to get YARA signatures from an HTTPS server (#6607)
- Add sigrules column to pass YARA signatures within queries (#6568)
- Add non-evented table for querying windows_event_log (#6563)
- Improve chassis_types and security_breach columns within chassis_info (#6608)
- Fix bool type usage in powershell_events (#6584)
- Add FileVersionRaw column to file table for Windows (#5771)
- Enable YARA table on Windows (#6564)
- Add dns_cache table for Windows (#6505)
- Add support for processing KILL syscall (#6435)
- Add startup_items table for Linux (#6502)
- Add shimcache table (#6463)
- Refactor shell_history to use generators (it will use less memory) (#6541)
- Bug Fixes:
- Set thread names correctly on macOS and Linux (#6627)
- Apply --scheduler_timeout correctly (#6618)
- Add check for character_frequencies size (#6625)
- Fix race in removing external TablePlugins (#6623)
- Force shell to disable watchdog and logger (#6621)
- Return early within the shell if relative flags are used (#6605)
- Apply watcher delay each time the worker is started (#6604)
- Set global output function for Thrift (#6592)
- Fix incorrect readFile params in createPidFile (#6578)
- Fix call to LocalFree on deinit ptr inside getUidFromSid (#6579)
- Fix readFile to observe requested read size (#6569)
- Replace fstream within syslog_events with a custom non-blocking getline (#6539)
- Only fire events if a publisher exists (#6553)
- Fix Leak in psidToString (#6548)
- Fix memory leaks in rpm_package_files (#6544)
- Change "Symlink loop" message from warning to verbose (#6545)
- Documentation:
- Update process auditing docs schema link (#6645)
- Improve descriptions for the processes table (#6596)
- Replace slackin with Slack shared invite (#6617)
- Update copyright notices to osquery foundation (#6589, #6590)
- Build:
- Fix Windows build by removing non-existing C11 conformance (#6629)
- Remove ExecStartPre from systemd service unit (#6586)
- Fix pip upgrade warning within CI (#6576)
- Detect MAJOR_IN_SYSMACROS/MKDEV for librpm in CMake (#6554)
- Add curl_certificate tests (#5281)
- Update YARA library to 4.0.2 (#6559)
- Improve testing assumptions and flush fsevents when stopping (#6552)
- Fix the test utility to allow Windows profiling (#6550)
- Support ASAN for boost coroutine2 using ucontext (#6531)
- Update instructions for CPack package building (#6529)
- Use specific RPM variables to set the package name (#6527)
- Update compiler version used to v142 within Azure (#6528)
- Hardening:
- Restore PIE support being dropped on Linux (#6611)
New in osquery 4.4.0 (Sep 14, 2020)
- New Features / Under the Hood improvements:
- Implement container access from tables on Linux (#6209, #6485)
- Update language to use 'allow list' and 'deny list' (#6489, #6487, #6488, #6493)
- macos: Automatic configuration of the OpenBSM audit rules (#6447)
- macos: Add polling to OpenBSM publisher (#6436)
- Add messages to distributed query results (#6352)
- Implement event batching support for Windows tables (#6280)
- Table Changes:
- Add container access to the os_version table (#6413)
- Add container access to DEB, RPM, NPM packages tables (#6414)
- Add fields auid, fs{u,g}id, s{u,g}id to auditd based tables (#6362)
- Improve apt_sources resiliency (#6482)
- Make file and hash container columns hidden (#6486)
- Add 'maintainer', 'section', 'priority' columns to deb_packages (#6442)
- Add 'vendor', 'package_group' columns to rpm_packages (#6443)
- Add 'arch' column to os_version (#6444)
- Add 'board_xxx' columns to system_info table (#6398)
- Windows: omit non-interactive sessions from logged_in_users (#6375)
- Fixes to package_bom table (#6457, #6461)
- Add chassis_info table for windows (#5282)
- Add Azure tables (#6507)
- Bug Fixes:
- Update hash cache inode number in query cache (#6440)
- Only explode registry key if it can be tokenized (#6474)
- Change ErrorBase::takeUnderlyingError to non const (#6483)
- Use RapidJSON to fix event format results and the Kafka Logger (#6449)
- Correct the 'cwd' and 'root' columns of processes table on Windows (#6459)
- Correct some SQLite types (#6392)
- Partial fix for md_devices issue (#6417)
- Fix the handling of empty args strings, on Windows (#6460)
- Refactor shutdown logging, and remove explicit syslog call (#6376)
- Change the Windows registry LIKE path constraint to filter recursively (#6448)
- Use sync resolve within http client (#6490)
- Fix typed_row table caching (#6508)
- Do not use system proxy for AWS local authority (#6512)
- Only populate table cache with star-like selects (#6513)
- Documentation:
- Update osquery security policy (#6425)
- Updating changelog for 4.3.0 release (#6387)
- Improve the new table tutorial (#6479)
- Add Auto Table Construction to docs (#6476)
- Add documentation for enabling socket_events on macOS (#6407)
- Update winbaseobj table description (#6429)
- Fixing the description of failed_login_count from account_policy_data (#6415)
- Remove references to brew in macOS install (#6494)
- Add note to bump the Homebrew cask (#6519)
- Updating docs on cpack usage to include Chocolatey (#6022)
- Changelog for 4.4.0 (#6492, #6523)
- Build:
- Fix Userassist.test_sanity test sometimes failing (#6396)
- Drop the facebook and source_migration layers (#6473)
- Move ssdeep-cpp to source_migration (#6464)
- Move smartmontools to source_migration (#6465)
- Build augeas from source on macOS (#6399)
- Build lldpd from source on macOS (#6406)
- Build linenoise-ng from source on macOS and Windows (#6412)
- Build sleuthkit from source on macOS (#6416)
- Build popt from source on macOS (#6409)
- Fix libelfin build on ossfuzz and LLVM/Clang 10 (#6472)
- Use the patched libelfin version (#6480)
- codegen: Port Jinja2 to Templite (#6470)
- Pass the minimum macOS SDK version to openssl only if explicitly set (#6471)
- Add git-lfs as dep for macOS build in documentation (#6384)
- Update openssl from 1.1.1f to 1.1.1g (#6432)
- Build openssl with the macOS SDK version taken from CMake (#6469)
- Do not install openssl docs (#6441)
- Update build configuration of ReadTheDocs (#6434, #6456)
- Link librdkafka on Windows (#6454)
- Build sleuthkit on Windows (#6445)
- Add nupkg cpack build option and update Windows deployment script (#6262)
- Fix rpm and deb package name format (#6468)
- Fix atom_packages, processes, rpm_packages tests (#6518)
- Fixes and cleanup for Windows compiler flags (#6521)
- Correct macOS framework linking (#6522)
- Security Issues:
- Disable openssl compression support (#6433)
- Hardening:
- Use LOAD_LIBRARY_SEARCH_SYSTEM32 for LoadLibrary (#6458)
New in osquery 4.3.0 (Jun 26, 2020)
- New Features / Under the Hood improvements:
- Change verbosity of scheduled query execution messages from INFO to verbose only (#6271)
- Updated the unwanted-chrome-extensions queries to include all users, not the osquery process owner only (#6265)
- Check for errors in the return status of the extension tables and report them (#6108)
- First steps to properly support UTF8 strings on Windows (#6190)
- Display the underlying API error string when udev monitoring fails (#6186)
- Add the path column to the ATC generate specs (#6278)
- Log a warning message if osquery fails to get the service description on Microsoft Windows (#6281)
- Make AWS kinesis status logging configurable (#6135)
- Add an integration test for the disk_info table (#6323)
- Use -1 for missing ppid in the process_events table (#6339)
- Remove error when converting empty numeric rows (#6371)
- Change verbosity from ERROR to INFO of access failures to system processes on Microsoft Windows (#6370)
- Make it possible to get verbose messages from the dispatcher service management on Microsoft Windows too (#6369)
- Build:
- Fix codegen template for extension group (#6244)
- Update SQLite from 3.30.1-1 to 3.31.1 (#6252)
- Update the osquery-toolchain to version 1.1.0 which uses LLVM/Clang 9.0.1 (#6315)
- Update openssl to version 1.1.1f (#6302, #6359)
- Simplify formula-based third party libraries build (#6303)
- Removed the Buck build system (#6361)
- Add librdkafka to Windows build (#6095)
- Bug Fixes:
- Fix CFNumber conversion when the type was a Float64/32 instead of a Double (#6273)
- Fix duplicate results being returned by the chrome_extensions table (#6277)
- Fix flaky ProcessOpenFilesTest.test_sanity (#6185)
- Fix the --database_dump flag for RocksDB not outputting anything (#6272)
- Fix the pci_devices table pci ids extraction in non-existing paths (#6297)
- Fix parsing an invalid decorators config (#6317)
- Fix flaky TLSConfigTests.test_runner_and_scheduler (#6308)
- Fix chromeExtensions.test_sanity (#6324)
- Fix broken Unicode filename searches on Microsoft Windows (#6291)
- Fix a use-after-free when sqlite attempts to access the entire rows data at the end of a query (#6328)
- Keep proc instance for test_base and test_osqueryd (#6335)
- Fix osquery not exiting when given check or dump requests (#6334)
- Fix process table cmdline parsing (#6340)
- Fix a crash when parsing files with libmagic (#6363)
- Fix a sporadic readFile API failure when using non-blocking I/O (#6368)
- Fix the MSI package not always installing in the system drive by default (#6379)
- Ensure the extensions uuid is never 0 (#6377)
- Fix a race condition making the watcher act as a worker on Microsoft Windows (#6372)
- Fix extensions tables detaching which was sometimes failing (#6373)
- Fix an issue with extensions re-registration (#6374)
- Fix a crash due to a race condition in accessing the iokit port on Darwin (Apple OS X) (#6380)
- Hardening:
- Limit SQL functions regex_match and regex_split regex size (#6267)
- Prevent a stack overflow when parsing deeply nested configs (#6325)
- Table Changes:
- Added table chrome_extension_content_scripts to All Platforms (#6140)
- Added table docker_container_fs_changes to POSIX-compatible Platforms (#6178)
- Added table windows_security_center to Microsoft Windows (#6256)
- Added many new tables to Linux to query lxd (#6249)
- Added table screenlock to Darwin (Apple OS X) (#6243)
- Added table userassist to Microsoft Windows (#5539)
- Added column status (TEXT) to table deb_packages (#6341)
- Added many new columns to the curl_certificate table (#6176)
- Added table socket_events to Darwin (Apple OS X) (#6028)
- Added table hvci_status, previously inadvertently left out of the build, to Microsoft Windows (#6378)
New in osquery 4.2.0 (Apr 16, 2020)
- New Features / Under the Hood improvements:
- TLS Testing infrastructure has been overhauled (#6170)
- Boost regex has been replaced with std (#6236)
- community_id_v1 added as a SQL function (#6211)
- Build:
- Fix format checking on Windows (#6188)
- Fix format folder exclusions for build checks (#6201)
- Fix the linking for extensions in build (#6219)
- Fix build to include windows optional features table (#6207)
- Security Issues:
- [CVE-2020-1887] osquery does not properly verify the SNI hostname (#6197)
- Bug Fixes:
- Carver no longer returns empty carves for hidden files (#6183)
- Address a race in the Dispatcher logic (#6145)
- Fix validation in 'last' table (#6147)
- Fix flaky logger testing (#6171)
- Fix JSON format assumptions in file_paths parsing (#6159)
- Fix windows WMI BSTR to be wstrings (#6175)
- Fix windows string wstring conversion functions (#6187)
- Enable more intelligent path expansion on Windows (#6153)
- Fix heap buffer overflow in callDoubleFunc and powerFunc (#6225)
- Table Changes:
- Added table firefox_addons to All Platforms (#6200)
- Added table ssh_configs to All Platforms (#6161)
- Added table user_ssh_keys to All Platforms (#6161)
- Added table mdls to Darwin (Apple OS X) (#4825)
- Added table hvci_status to Microsoft Windows (#5426)
- Added table ntfs_journal_events to Microsoft Windows (#5426)
- Added table docker_image_layers to POSIX-compatible Platforms (#6154)
- Added table process_open_pipes to POSIX-compatible Platforms (#6142)
- Added table apparmor_profiles to Ubuntu, CentOS (#6138)
- Added table selinux_settings to Ubuntu, CentOS (#6118)
- Added column lock_status (INTEGER_TYPE) to table bitlocker_info (#6155)
- Added column percentage_encrypted (INTEGER_TYPE) to table bitlocker_info (#6155)
- Added column version (INTEGER_TYPE) to table bitlocker_info (#6155)
- Added column optional_permissions (TEXT_TYPE) to table chrome_extensions (#6115)
- Removed table firefox_addons from POSIX-compatible Platforms (#6200)
- Removed table ssh_configs from POSIX-compatible Platforms (#6161)
- Removed table user_ssh_keys from POSIX-compatible Platforms (#6161)
New in osquery 4.1.2 (Feb 14, 2020)
- New Features / Under the Hood improvements:
- Add more tests throughout the codebase (#5908, #6071, #6126)
- The chrome_extensions table now supports Chromium and Brave (#6126)
- Build:
- Require Python 3.5 and greater (#6081, #6120)
- Prepare Python tests for CI (lots of effort!) (#6068)
- Restore osqueryd integration test (#6116)
- Bug Fixes:
- Continue to use com.facebook.osquery.plist for Launch Daemon configuration (#6093)
- Update systemd service to use KillMode=control-group (#6096)
- RPM and DEB packages both have post-install scripts to reload systemd (#6097)
- Update Windows package build script to include cert bundle (#6114)
- Update table specs to fix constraints passing (#6103, #6104, #6105, #6106, #6122)
- Table Changes:
- Added tables azure_instance_tags and azure_instance_metadata to Linux and Microsoft Windows (#5434)
- Added column install_time (INTEGER_TYPE) to table rpm_packages (#6113)
- Added column bsd_flags (TEXT_TYPE) to table file on Darwin (#5981)
New in osquery 4.0.2 (Dec 18, 2019)
- Bug Fixes:
- Remove RocksDB optimization causing crash (#5797)
New in osquery 4.0.1 (Dec 18, 2019)
- New Features / Under the Hood improvements:
- Linux Audit process_events Implement support for fork/vfork/clone/execveat (#5701)
- New SQLite function regex_match to match across columns (#5444)
- LRU cache for syscall tracing (#5521)
- Basic tracing via eBPF on Linux (#5403, #5386, #5384)
- Experimental kill and setuid syscall tracing in Linux via eBPF (#5519)
- New eventing (ev2) framework (#5401)
- Improved table performance profiles (#5187)
- macOS query pack: detect SearchAwesome malware (#5713)
- macOS query pack: detect when a process is tapping keyboard event (#5345)
- Build:
- Refactor CMake build (#5604, #5627, #5630, #5618, #5619)
- Refactor third-party libraries to build from source on Linux (#5706)
- Add Azure Pipelines support for CI/CD (#5604, #5632, #5626, #5613, #5607, #5673, #5610)
- Add Buck as a build system (971bee44)
- Use urllib2 to automatically handle HTTP 301/302 redirections (#5612)
- Update MSI package to install to Program Files on Windows (#5579)
- Linux custom toolchain integration (#5759)
- Hardening:
- Link binaries with Full RELRO on Linux (#5748)
- Remove FTS features from SQLite (#5703, #5702)
- Fix SQLite API usage errors (#5551)
- Fix issues reported by ASAN (#5665)
- Handle bad FDs in md_tables (#5553)
- Fix lock resource leak in events/syslog (#5552)
- Fix memory leak in macOS keychain_items and extended_attributes tables (#5550, #5538)
- Fix memory leak in genLoggedInUsers (Windows). Update WTSFreeMemoryEx to WTSFreeMemory (#5642)
- Fix potential null dereferences in smbios_tables (#5332)
- Fix osquery exiting with wrong status (3824c2e6)
- Add additional install and uninstall flag incompatibility check (85eb77a0)
- Fix warning with constants initialisation in magic (2a624f2f)
- Fix sign compare warning in file_compression (b93069b3)
- Refactored logical_drives table on Windows (#5400)
- Refactored core/windows/wmi to use smart pointers (#5492)
- Fixed various potential crashes in the virtual table implementation (6ade85a5)
- Increase the amount of MaxRecvRetries for Thrift sockets (#5390)
- Bug Fixes:
- Fix the reading of the serial of a certificate (little-endian big int) (#5742)
- Fix bugs and update pathname variables in MSI package build script (#5733)
- Fix registry table exception closing an uninitialized key handle (#5718)
- Config views are now recreated on startup (#5732)
- Change MSI Service Error handling on Windows (#5467)
- Allow mounting SQLite DBs using WAL journaling with ATC (#5525, #5633)
- Fix mount table interacting with direct autofs (#5635)
- Fix HTTP Host Header to include port (#5576)
- Various fixes to the Windows certificates table and expansion to include Personal certificates (#5697, #5696, #5640, #5631)
- Add optimization back to macOS users and groups (#5684)
- Do not return a row for macOS battery if no data is present (#5650)
- Fix several integer conversions in process_ops (#5614)
- Include weekends on the kernel_panics table (#5298)
- Fix key_strength bug for Windows certificates table (#5304)
- The interface column of routes table could be empty on Windows (bcf0ab8e)
- The name column of programs table could be empty on Windows (7bceba4b)
- Fix disable_watcher flag (08dc11b7)
- Populate path column correctly in firefox_addons table (#5462)
- Fix numeric monitoring plugin not being registered (#5484)
- Fix wrong error code returned when querying the Windows registry (#5621)
- Fix logical_drives boot partition detection (#5477)
- Replace sync calls by async within the HTTP client implementation (#5606)
- Fix RocksDB crash related to OptimizeForSmallDb (a31d7582)
- Fix bug in table column data validator (e3037331)
- Fix random port problem (a32ed7c4)
- Refactor battery table and return information even if advanced information is missing (6a64e353)
- Table Changes:
- Added table ibridge_info on macOS (Notebooks only) (#5707)
- Added table running_apps on macOS (#5216)
- Added table atom_packages on macOS and Linux (6d159d40)
- Remove EC2 tables on Windows (#5657)
- Added column win_timestamp to time table on Windows (3bbe6c51)
- Added column is_hidden to users and groups table on macOS (#5368)
- Added column profile to chrome_extensions table (#5213)
- Added column epoch to rpm_packages table on Linux (#5248)
- Added column sid to logged_in_users table on Windows (#5454)
- Added column registry_hive to logged_in_users table on Windows (#5454)
- Added column sid to certificates table on Windows (#5631)
- Added column store_location to certificates table on Windows (#5631)
- Added column store to certificates table on Windows (#5631)
- Added column username to certificates table on Windows (#5631)
- Added column store_id to certificates table on Windows (#5631)
- Added column product_version to file table on Windows (#5431)
- Added column source to sudoers table on POSIX systems (#5350)
New in osquery 2.11.2 (Jan 6, 2018)
- Adds mitigations for issue #3984: "Too many open files" from clients running OS X.
- This release is also the first using the new ASL2.0 and GPL2 dual license.
New in osquery 2.11.0 (Dec 20, 2017)
- New features:
- This version adds more features to osquery extensions. For example, the Thrift API calls now enforce a 5 minute maximum execution time to protect osquery from hung extensions (#3847); extension processes that are autoloaded will respawn if they exit prematurely (#3944).
- We now depend on the newest libaugeas and have altered our integration to achieve much better performance (#3911). Several changes in the new Augeas version were designed for osquery's use cases.
- Finally, along with the bugs and features below, this version adds more care to Windows Services and MSI packaging (#3927).
- #3921 Kafka SSL support
- #3814 Hash table cache
- #3887 Windows Event Log (as a logger plugin) support
- #4005 Non-blacklistable queries
- Bug fixes:
- #3909 Print correct address family id for AF_UNIX sockets
- #3938 Remove 'removed' results correctly
- #3943 Stop renaming worker and extension argv[0]
- #3958 Fix header calculation with HTTP client and AWS Firehose
- #3979 Only daemon-reload if systemd is running
- #3985 Removing newline from Windows Event Log lines
- #4001 Remove invalid assumptions about status logging (refactor status logging)
- Table changes (from 2.10.2 to 2.11.0):
- Added table groups to All Platforms
- Added table intel_me_info to Linux and Windows
- Added table shadow to Linux
- Added column blacklisted (INTEGER_TYPE) to table osquery_schedule
- Added column install_location (TEXT_TYPE) to table programs
- Added column type (TEXT_TYPE) to table users
- Renamed table key_events to user_interaction_events on macOS
New in osquery 2.10.3 (Nov 20, 2017)
- Internal testing of extensions changes.
New in osquery 2.10.2 (Nov 20, 2017)
- New features in 2.10.2:
- #3884 The macOS firewall exception URLs are now included in alf_exceptions
- The systemd service unit includes a post-init script to reload the units properly.
- Bug fixes:
- #3892 Use better precision for calculating process start time on macOS
- #3917 Event tap publisher resource management fixes
- Table changes (from 2.10.0 to 2.10.2):
- Added table curl to All Platforms
- Added table curl_certificate to All Platforms
- Added table pipes to Microsoft Windows
- Added column dst_port (TEXT_TYPE) to table iptables
- Added column src_port (TEXT_TYPE) to table iptables
New in osquery 2.10.0 (Oct 29, 2017)
- New features:
- We've ported our HTTP client to Boost Beast to allow for more meaningful TLS errors and support for HTTP proxies.
- #3623 Use Boost Beast as the HTTP client implementation (previously we used cpp-netlib)
- Bug fixes:
- #3862 Lock access to individual SQL databases
- #3856 Fix extended_schema on Windows (previously all extended columns were HIDDEN)
- Table changes:
- Added table key_events to Darwin (Apple OS X)
- Added table authenticode to Microsoft Windows
- Added table logical_drives to Microsoft Windows
- Added table physical_disk_performance to Microsoft Windows
- Added column version (TEXT_TYPE) to table usb_devices
New in osquery 2.10.0 Pre-release (Oct 25, 2017)
- [Fix #3859] Lock every access to SQLiteDBInstance::db (#3883)
New in osquery 2.9.2 (Oct 24, 2017)
- [Fix #3861] build: adding checks to vswhere usage to find msbuild tools.
New in osquery 2.7.0 (Aug 25, 2017)
- New features:
- FSEvents on macOS will monitor mount events within already-monitored directories
- OpenBMC events are monitored as process_events on macOS
- Add RapidJSON integration as a boost property tree replacement
- Implement excluded paths for FIM for Linux and macOS
- Bug fixes:
- Wait for each extension before respawning
- and #3552 Fixing memory leaks in virtual tables
- Improve macOS process start_time column
- Fix sizes for block_devices on macOS and Linux
- Display correct UID for processes for Domain Users on Windows
- Fix handling of multiple LIKE and GLOB predicates
- Table changes:
- Added table process_memory_map to All Platforms (from POSIX)
- Added table device_firmware to Darwin (Apple OS X)
- Added table gatekeeper to Darwin (Apple OS X)
- Added table gatekeeper_approved_apps to Darwin (Apple OS X)
- Added table shared_folders to Darwin (Apple OS X)
- Added table sharing_preferences to Darwin (Apple OS X)
- Added table certificates to MacOS and Windows
- Added table user_events to POSIX-compatible Platforms
- Added table ec2_instance_metadata to Ubuntu, CentOS
- Added table ec2_instance_tags to Ubuntu, CentOS
- Added column block_size (INTEGER_TYPE) to table block_devices
- Added column cwd (TEXT_TYPE) to table process_events
- Added column status (BIGINT_TYPE) to table process_events
- Added column action (TEXT_TYPE) to table scheduled_tasks
- Added column class (TEXT_TYPE) to table usb_devices
- Added column protocol (TEXT_TYPE) to table usb_devices
- Added column subclass (TEXT_TYPE) to table usb_devices
New in osquery 2.6.0 (Jul 28, 2017)
- A few bug fixes to POSIX/macOS:
- (#3454) (#3473) (#3476) High Sierra related fixes - Fixed a bug where the local clang-format wasn't being used and the system one was called instead. Also fixed a globbing bug caused by a new file ordering on APFS systems.
- (#3480) Mount event on Darwin - FSEvents now also catches mount events and these alerts go through the same pub sub flow with the action "MOUNTED".
- General Updates:
- (#3488) Changes to plugin failures - All plugins will now fail if one fails. This ensures plugins are in a good state when initialization finishes.
- (#3485) Update to SQLite - SQLite version bumped to 3.19.3
- (#3489) TSAN fixes - Some general TSAN issues addressed.
- (#3487) Don't ignore SIGCHLD - Stop ignoring the SIGCHLD interrupt to exit faster.
- (#3459) Updates to inotify - Logic improved around add/removing subscribers in the inotify eventer.
- (#3469) Fix TLS Config Update - Fixes TLS update and sets the refresh period to one hour.
- (#3457) Moved pid file - The osquery pid file is now in /var/run/ on Linux and FreeBSD systems.
- (#3378) Added epoch time to scheduled queries - To assist in keeping backend systems in sync with system state, an epoch decorator was added.
- (#3455) Separated preferences and plist - Preferences was split into its own table and the functionality of plist parsing was moved to a new plist table.
- (#3448) Watchdog issues resolved - There were some instances where certain flag usage would inadvertently disable the watchdog.
- (#3390) Symlink column in file table - A new column indicating whether the file is a symlink.
New in osquery 2.5.2 (Jul 4, 2017)
- Adding URL Search hooks to ie_extensions table (#3452).
New in osquery 2.5.0 (Jun 27, 2017)
- tests: Record process start time in tests (#3405)
New in osquery 2.4.6 (Jun 1, 2017)
- [Tidy] Fix syscall deprecation on macOS (#3354)
New in osquery 2.4.4 (May 15, 2017)
- New features:
- #3267 New SQLite functions: md5, sha1, and sha256
- #2956 Augeas' lenses are now bundled with osquery packages
- #3226 External build systems can disable YARA, TSK, or LLDB with SKIP_ environment variables.
- Bug fixes:
- #3219 Fix extensions use of database during reset phase
- #3248 Submodules will now update correctly on Windows
- #3257 The IPv4 route gateways on Windows now work
- Table changes (from 2.4.2 to 2.4.4):
- Added column args (TEXT_TYPE) to table startup_items
- Added column channel (INTEGER_TYPE) to table wifi_status
- Added column channel (INTEGER_TYPE) to table wifi_survey
- Added table pkg_packages to FreeBSD
- Added table docker_container_labels to POSIX-compatible Platforms
- Added table docker_container_mounts to POSIX-compatible Platforms
- Added table docker_container_networks to POSIX-compatible Platforms
- Added table docker_container_ports to POSIX-compatible Platforms
- Added table docker_container_processes to POSIX-compatible Platforms
- Added table docker_container_stats to POSIX-compatible Platforms
- Added table docker_containers to POSIX-compatible Platforms
- Added table docker_image_labels to POSIX-compatible Platforms
- Added table docker_images to POSIX-compatible Platforms
- Added table docker_info to POSIX-compatible Platforms
- Added table docker_network_labels to POSIX-compatible Platforms
- Added table docker_networks to POSIX-compatible Platforms
- Added table docker_version to POSIX-compatible Platforms
- Added table docker_volume_labels to POSIX-compatible Platforms
- Added table docker_volumes to POSIX-compatible Platforms
New in osquery 2.4.2 (Apr 25, 2017)
- Refactor Windows Service Table to use std::unique_ptr (#3203)
New in osquery 2.4.1 (Apr 24, 2017)
- deps: Add libarchive 3.2.2 bottles (#3193)
New in osquery 2.4.0 (Apr 13, 2017)
- Important changes:
- #3073 The Windows registry table was refactored to have a look and feel like the file table.
- #3049 Distributed (ad-hoc) queries now support discovery queries.
- #3087 & #3091 Improve events tables performance and protect against multiple queries overwriting sliding window optimizations.
- #3100 Add globbing support to the Windows registry table.
- #3120 Add the auid column to all Audit-based tables.
- #3115 Add status logging to AWS-based logger plugins.
- Bug fixes:
- #3065 Set a max size for RocksDB MANIFEST logs; this helps protect against very large transaction logs leading to massive on-disk files.
- #3098 Fix crash when sanitizing REG_NONE types from Windows registry.
- #3106 Return blank or NULL values for sha, md5 and sha256 when files cannot be hashed.
- #3116 Fix potential deadlock with periodic database reset.
- #3142 Fix reentry bug with our GLog logger sink leading to potential deadlocks.
- Config options / CLI flags changes:
- --logger_min_status VALUE Minimum level for status log recording 1=INFO, 2=WARNING, 3=ERROR
- Table changes (from 2.3.4 to 2.4.0):
- Moved table startup_items from Darwin to All Platforms
- Added table lldp_neighbors to POSIX-compatible Platforms
- Added table python_packages to POSIX-compatible Platforms
- Added column auid (BIGINT_TYPE) to table process_events
- Added column auid (BIGINT_TYPE) to table socket_events
- Added column auid (BIGINT_TYPE) to table user_events
- Renamed table syslog to syslog_events on Ubuntu, CentOS (the alias syslog still exists)
- Breaking Table API changes:
- Removed column hive (TEXT_TYPE) from table registry
- Removed column subkey (TEXT_TYPE) from table registry
- The hive and subkey columns have been combined into a path column.
New in osquery 2.4.0 Pre (Apr 7, 2017)
- logging: Allow Glog reentrancy (#3142)
New in osquery 2.3.4 (Mar 1, 2017)
- Add SMEP/SMAP and other CPUID features (#3024)
New in osquery 2.3.3 (Feb 17, 2017)
- darwin: Use boost shared_mutex for OS X (#3003)
New in osquery 2.3.2 (Feb 14, 2017)
- docs: Only support OS X 10.11 and 10.12 (#2994)
New in osquery 2.2.3 (Jan 22, 2017)
- Add stderr control to CLI docs (#2930)
New in osquery 2.2.1 (Dec 18, 2016)
- Fix OS X platform_info address column (#2880)
New in osquery 2.2.0 (Dec 15, 2016)
- Fix plist NSString raw pointer string conversion (#2865)
New in osquery 2.1.2 (Nov 6, 2016)
- [Fix #2704] Various distributed code cleanups (#2719)
New in osquery 2.1.1 (Nov 1, 2016)
- New features:
- This is a very small release, addressing some nice-to-haves from 2.1.0.
- To help improve some debugging scenarios, we've added .features and .summary to osqueryi.
- #2695 Also adds some color to the osquery> prompt if your terminal emulator supports 256-color output.
- #2692 Extensions will activate their distributed plugin
- #2694 OS X's preferences table now supports LIKE
- #2693 Several Linux publishers are fixed to tearDown during destruction
New in osquery 2.0.0 (Oct 8, 2016)
- NEW FEATURES IN 2.0.0:
- This release introduces a new Brew-based build redesign (#2251) for Linux and OS X. This has enabled a variety of new CI features, including:
- clang-format checking to ensure style uniformity.
- cppcheck to catch performance bugs via static-analysis.
- Version-pinned LLVM with sanitization frameworks for nightly dynamic-analysis and memory leak checking.
- zzuf for DIY fuzz testing via make fuzz.
- And of course, far fewer dependency errors due to build host drift.
- As always, we hold performance as an essential feature and project goal. With 2.0 we are also including a user-experience focus. The most significant related change is to TablePlugins: we have added a column-attribute and table-attribute description language so SQLite and the osqueryi shell can make decisions based on how tables and columns are used. As a quick example, consider selecting from file: in 2.0, if you do not include a path or directory, the table will emit a warning; if you include an _events-based table in your schedule, the set-difference calculations will be skipped.
- PLUGIN API CHANGES:
- #2412 Rename phys_footprint to total_size in the processes table.
- #2525 Promote host UUID to version 2, meaning Linux UUIDs become board UUIDs.
- #2527 Add extensions SDK incompatibility checking.
- Version 2.0.0 is backward compatible with extensions SDK to version 1.7.3. A warning will be emitted if an older extension is connected.
- IMPORTANT CHANGES:
- #2523 Refactor events and remove the 10/3600 indexes; this yields a ~4x speed improvement.
- #2500 Improve Thrift exit verbosity on all platforms by forwarding output to Glog.
- #2504 Change --utc to default as true.
- BUG FIXES:
- #2309 Fix race conditions in Linux inotify publisher configuration
- #2316 Add size check to package_bom variable address bounds checking
- #2320 Properly initialize BufferedLogForwarder for TLS output plugin
- #2345 Avoid constructor ambiguity in table headers for extensions
- #2348 Use seconds for --profile_delay precision
- #2416 Fix Linux memory_map printing and convert to using IOMEM-mappings
- #2417 Handle empty Linux pwd structures members
- #2422 Improve status logging when using multi-loggers
- #2447 Multiple bug fixes in the crashes virtual table
- #2455 Fix minor sandboxes virtual table performance issues and plist parsing exceptions
- #2457 Fix potential string casting issue in memory_info virtual table
- #2508 Remove time-override for events add API
- #2528 Correct config-loaded boolean meaning to become has-run-load
- #2529 Create temp directory for exceptional shell uses and fall back to home directories
- #2530 Initialize VirtualTableContent attributes for extensions
- #2562 Fix memory leak within osqueryi when using the -A flag
- CONFIG OPTIONS / CLI FLAGS CHANGES:
- --install flag added for Windows to install the daemon with the Windows Service Manager
- --uninstall flag added for Windows to remove the daemon from the Windows Service Manager
- --aws_sts_arn_role AWS STS ARN role
- --aws_sts_region AWS STS region
- --aws_sts_session_name AWS STS session name
- --aws_sts_timeout AWS STS assume role credential validity in seconds (default 3600)
- TABLE CHANGES (FROM 1.8.2 TO 2.0.0):
- Added table carbon_black_info to All Platforms
- Added table etc_hosts to All Platforms
- Added table etc_protocols to All Platforms
- Added table kernel_panics to Darwin (Apple OS X)
- Added table apt_sources to Ubuntu, CentOS
- Added table deb_packages to Ubuntu, CentOS
- Added table rpm_package_files to Ubuntu, CentOS
- Added table rpm_packages to Ubuntu, CentOS
- Added table programs to Microsoft Windows
- Added table registry to Microsoft Windows
- Added table shared_resources to Microsoft Windows
- Added table wmi_cli_event_consumers to Microsoft Windows
- Added table wmi_event_filters to Microsoft Windows
- Added table wmi_filter_consumer_binding to Microsoft Windows
- Added table wmi_script_event_consumers to Microsoft Windows
- Renamed column phys_footprint to total_size (BIGINT_TYPE) in table processes
- Renamed column restarts to refreshes (INTEGER_TYPE) in table osquery_events
- Added column type (TEXT_TYPE) to table logged_in_users
- Added column name (TEXT_TYPE) to table memory_map
- Added column active (INTEGER_TYPE) to table osquery_packs
- Added column threads (INTEGER_TYPE) to table processes
- Added column datetime (TEXT_TYPE) to table syslog
- Removed column region (INTEGER_TYPE) from table memory_map
- Removed column type (TEXT_TYPE) from table memory_map
New in osquery 1.8.2 (Jul 31, 2016)
- New features in 1.8.2:
- This is a breakfix release for those using the AWS logger plugins on OS X.
- The firehose and kinesis logger plugins use the cpp-netlib TLS client libraries, which depend on ASIO, boost, and a TLS implementation provided by OpenSSL or LibreSSL. This release allows the plugins to take advantage of --tls_server_certs and other TLS-related configuration options. If you are using these logger plugins and receiving invalid certificate errors, you need to provide a PEM bundle using the aforementioned flag.
- Bug fixes:
- #2285 Fix 'off the end' potential bug in crashes table
- #2287 Use "UTC" for timezone when no timezone is present in the time table
- #2299 Use TLSTransport HTTPS client within AWS logger plugins
- Config options / CLI flags changes:
- --buffered_log_max Maximum number of logs in buffered output plugins (0 = unlimited)
New in osquery 1.8.2 Pre (Jul 29, 2016)
- New features in 1.8.2:
- This is a breakfix release for those using the AWS logger plugins on OS X.
- The firehose and kinesis logger plugins use the cpp-netlib TLS client libraries, which depend on ASIO, boost, and a TLS implementation provided by OpenSSL or LibreSSL. This release allows the plugins to take advantage of --tls_server_certs and other TLS-related configuration options. If you are using these logger plugins and receiving invalid certificate errors, you need to provide a PEM bundle using the aforementioned flag.
- Bug fixes:
- #2285 Fix 'off the end' potential bug in crashes table
- #2287 Use "UTC" for timezone when no timezone is present in the time table
- #2299 Use TLSTransport HTTPS client within AWS logger plugins
- Config options / CLI flags changes:
- --buffered_log_max Maximum number of logs in buffered output plugins (0 = unlimited)
New in osquery 1.8.1 Pre (Jul 22, 2016)
- Clean up verbose logging for OS X kernel extension (#2276).
New in osquery 1.8.0 (Jul 15, 2016)
- NEW FEATURES IN 1.8.0:
- There is an optional Thrift API change for extensions: the shutdown method. The osquery core (extension manager) will attempt to call this optionally-implemented method immediately before it shuts down. This request is blocking and allows an extension to perform cleanup before its watcher thread quits.
- PLUGIN API CHANGES:
- #2224 Add shutdown() method to extensions API
- #2229 The logger facilities now write catastrophic errors to syslog
- #2241 Distributed queries will log verbose events indicating their query requests
- BUG FIXES:
- #2205 Fix milli/micro conversion when waiting for active plugins (regression from 1.7.4)
- #2207 Restore extension respawn limits to 20s (regression from 1.7.4)
- #2217 Fix SQLite local access after ASIO URL usage (OS X)
- #2228 Force RocksDB to sync writes for non-event domains
- #2234 Fix various Linux process path parsing errors
- CONFIG OPTIONS / CLI FLAGS CHANGES:
- --decorations_top_level Add decorators as top level JSON objects
New in osquery 1.7.7 (Jun 28, 2016)
- Use noexcept boost::filesystem overloads (#2195).
New in osquery 1.7.5 (Jun 9, 2016)
- NEW FEATURES:
- #2077 Within-query caching allows for more efficient subqueries
- #2079 Remove the ::logHealth methods from logger plugins
- #2088 Add an optional ::logEvent API for logger plugins
- #2089 Add Ubuntu Xenial 16.04 build support
- #2093 Add --pack option to the osqueryi shell
- #2101 Introduce table options to represent keyed-columns in SQLite
- #2104 Introduce table aliases to support future deprecation of table names
- #2123 Add basic math functions to SQLite: pow, sqrt, log, floor, etc
- #2124 Add string splitting functions to SQLite: split, split_regex, etc
- #2137 Update SQLite to 3.14.0 to support combined LIKE and = in single predicates
- #2139 Update the AWS APIs to version 0.12.4
- BUG FIXES:
- The provision scripts (make deps) for several distributions have been improved.
- #2151 Fix autoloading of the osquery kernel extension on OS X
- #2135 Limit SMBIOS reads to the 1M-2M region
- #2116 Add ::removeService to the Dispatcher API to fix kernel tests
New in osquery 1.7.4 (May 9, 2016)
- Adding mobile device crash parsing and 'type' column to Crashes table:
- This commit adds mobile device crashes to the list of crash logs parsed by the Crashes table as well as adding a lambda to improve code reuse. The commit also adds a 'type' column to the table to indicate what kind of log this crash log was.
New in osquery 1.7.3 (Mar 30, 2016)
- Merge pull request #1976 from theopolis/more_scheduler_tests
- Add test for SchedulerRunner
New in osquery 1.7.2 (Mar 24, 2016)
- New features in 1.7.2:
- The SQLite included in 1.7.2 includes support for IN and OR operators!
- RocksDB can now be swapped with SQLite as the backing store to help support new platforms.
- The certificates table on OS X now supports both DER and PEM formats.
- The use of boost::thread has been removed, as well as shared mutexes.
- TLS SNI support via cpp-netlib's 0.12-rc1 build.
- NULLs in results:
- NULL values are now allowed in column results.
- This means values which were NOT filled in for INTEGER, BIGINT, and DOUBLE types would previously, in error, return a -1. This was very confusing: since we do not differentiate between signed/unsigned SQLite types, it was difficult to determine whether the -1 indicated an error. Expect these values to return empty JSON strings in logs. Eventually table implementations will be able to explicitly return a null type, which will propagate into JSON.
- Bug fixes:
- #1888 OS X's process table would generate a result row for 'fake' pids if a pid was used in the query constraint
- #1893 libdevmapper is now built and linked statically for CentOS6/7 packages
- #1913 Process 'state' on Linux and OS X was overloaded and typed incorrectly
- #1936 Event expiring in 1.7.1 left stale events in the outer indexes
- #1944 TLS-based configuration could lead to a spurious final config request on shutdown
- #1946 The 'unsupported' Debian package build scripts were adding incorrect package dependencies
- Table changes (from 1.7.1 to 1.7.2):
- Added table asl to Darwin (Apple OS X)
- Added table cpu_time to Ubuntu, CentOS
- Added column name (TEXT_TYPE) to table fan_speed_sensors
- Added column authority (TEXT_TYPE) to table signature
- Added column cdhash (TEXT_TYPE) to table signature
- Added column team_identifier (TEXT_TYPE) to table signature
- Table API breaking changes in 1.7.2:
- Renamed column group to pgroup in table processes
New in osquery 1.7.2 Pre (Mar 22, 2016)
- This release marks a significant departure from several dependencies. It also introduces new library versions and features.
New in osquery 1.7.1 (Feb 26, 2016)
- Merge pull request #1873 from theopolis/bind_sql
- [#1816] Refactor DB instance management
New in osquery 1.7.0 (Feb 2, 2016)
- New features:
- Query packs can now include FIM categories and paths.
- OS X TLS-based plugins now require an explicit path to a certificate authority PEM bundle.
- The TLS-based plugins continue to receive performance and feature improvements.
- For CentOS and RHEL 7 builds the make packages macro will include a basic systemd unit.
- Notes:
- The OS X signature table now only reports success if the target path passes 'strict' code signing checks.
- This release marks the first release build built using 10.11, and the TLS implementation uses LibreSSL.
- For a short period between 1.6.3 and 1.6.4 the RocksDB options were not compatible with previous databases. There are no compatibility issues with 1.7.0 and previous releases.
- Bug fixes:
- #1796 Query constraints tracking support for multi-sub queries
- #1801 Fix ROWID constraint interpreted as a column index
- Plugin API change:
- #1581 Logger plugin logString methods are called once per logline
- Config options / CLI flags changes:
- --events_max=COUNT Maximum number of events per type to buffer
- --logger_tls_compress=False GZip compress TLS/HTTPS request body
- --logger_tls_max=COUNT Max size in bytes allowed per log line
- Table changes (from 1.6.3 to 1.7.0):
- Added table sip_config to Darwin (Apple OS X)
- Added table smc_keys to Darwin (Apple OS X)
- Added column key_strength (TEXT_TYPE) to table certificates
- Added column uid (TEXT_TYPE) to table disk_encryption
- Added column hardware_vendor (TEXT_TYPE) to table system_info
- Added column hardware_version (TEXT_TYPE) to table system_info
New in osquery 1.6.4 (Jan 21, 2016)
- Does not include binary packages, a brew commit, or changelog docs.
- This is used as a demarcation for building on OS X 10.11 for integration tests and packages.
New in osquery 1.6.3 (Jan 14, 2016)
- Bug fixes:
- #1735 Remove OPENED events from file_events
- #1736 Allow TLS endpoints to return node_invalid multiple times.
- Table changes (from 1.6.2 to 1.6.3):
- Added column issuer (TEXT_TYPE) to table certificates
- Added column self_signed (INTEGER_TYPE) to table certificates