Recent releases for osquery (Atom feed: http://open-source-security-software.net/project/osquery/releases.atom, generated 2024-05-05T13:04:43.923434+00:00 by python-feedgen)

# osquery 2.4.0 (2017-04-06T23:02:28+00:00)

## New features in 2.4.0:

### Important changes

- #3073 The Windows `registry` table was refactored to have a look and feel like the `file` table.
- #3049 Distributed (ad-hoc) queries now support discovery queries.
- #3087 & #3091 Improve events tables performance and protect against multiple queries overwriting sliding window optimizations.
- #3100 Add globbing support to the Windows `registry` table.
- #3120 Add the `auid` column to all Audit-based tables.
- #3115 Add status logging to AWS-based logger plugins.

### Bug fixes

- #3065 Set a max size for RocksDB `MANIFEST` logs; this helps protect against very large transaction logs leading to massive on-disk files.
- #3098 Fix crash when sanitizing REG_NONE types from the Windows registry.
- #3106 Return blank or `NULL` values for `sha`, `md5` and `sha256` when files cannot be hashed.
- #3116 Fix potential deadlock with periodic database reset.
- #3142 Fix reentry bug with our GLog logger sink leading to potential deadlocks.
### Config options / CLI flags changes

- `--logger_min_status VALUE`: Minimum level for status log recording (1=INFO, 2=WARNING, 3=ERROR)

### Table changes (from 2.3.4 to 2.4.0):

- Moved table `startup_items` from Darwin to All Platforms
- Added table `lldp_neighbors` to POSIX-compatible Platforms
- Added table `python_packages` to POSIX-compatible Platforms
- Added column `auid` (`BIGINT_TYPE`) to table `process_events`
- Added column `auid` (`BIGINT_TYPE`) to table `socket_events`
- Added column `auid` (`BIGINT_TYPE`) to table `user_events`
- Renamed table `syslog` to `syslog_events` on Ubuntu, CentOS (the alias `syslog` still exists)

### Breaking Table API changes

- Removed column `hive` (`TEXT_TYPE`) from table `registry`
- Removed column `subkey` (`TEXT_TYPE`) from table `registry`

The `hive` and `subkey` columns have been combined into a `path` column.

# osquery 2.4.1 (2017-04-21T23:11:53+00:00)

# osquery 2.4.2 (2017-04-24T19:19:54+00:00)

## New features in 2.4.2:

### Bug fixes

- #3157 Use poll over select in inotify (and auditd, udev) publisher
- #3169 Adding bounds checks and key checks for appcompat shims table
- #3170 Fixing stringToWstring crashes with wide character strings
- #3187 Drop permissions properly on Linux (fixes `rpm_packages` on CentOS7)
- #3179 Add database initialization retry

### Config options / CLI flags changes

The `host_identifier` can now take a `specified` (explicit) identifier.
- `--host_identifier VALUE`: Field used to identify the host running osquery (hostname, uuid, instance, ephemeral, specified)
- `--specified_identifier VALUE`: Field used to specify the host_identifier when set to "specified"

### Table changes (from 2.4.0 to 2.4.2):

- Moved table `routes` to All Platforms
- Added table `event_taps` to Darwin (Apple OS X)
- Added table `time_machine_backups` to Darwin (Apple OS X)
- Added table `time_machine_destinations` to Darwin (Apple OS X)
- Added table `scheduled_tasks` to Microsoft Windows
- Added hidden column `eid` (`TEXT_TYPE`) to all `*_events` (used for testing)

# osquery 2.4.3 (2017-05-01T19:45:56+00:00)

This is a pre-release for FreeBSD's port.

# osquery 2.4.4 (2017-05-12T23:50:25+00:00)

## New features in 2.4.4:

- #3267 New SQLite functions: `md5`, `sha1`, and `sha256`
- #2956 Augeas' lenses are now bundled with osquery packages
- #3226 External build systems can disable YARA, TSK, or LLDB with `SKIP_` environment variables.
### Bug fixes

- #3219 Fix extensions' use of the database during the reset phase
- #3248 Submodules will now update correctly on Windows
- #3257 The IPv4 route gateways on Windows now work

### Table changes (from 2.4.2 to 2.4.4):

- Added column `args` (`TEXT_TYPE`) to table `startup_items`
- Added column `channel` (`INTEGER_TYPE`) to table `wifi_status`
- Added column `channel` (`INTEGER_TYPE`) to table `wifi_survey`
- Added table `pkg_packages` to FreeBSD
- Added table `docker_container_labels` to POSIX-compatible Platforms
- Added table `docker_container_mounts` to POSIX-compatible Platforms
- Added table `docker_container_networks` to POSIX-compatible Platforms
- Added table `docker_container_ports` to POSIX-compatible Platforms
- Added table `docker_container_processes` to POSIX-compatible Platforms
- Added table `docker_container_stats` to POSIX-compatible Platforms
- Added table `docker_containers` to POSIX-compatible Platforms
- Added table `docker_image_labels` to POSIX-compatible Platforms
- Added table `docker_images` to POSIX-compatible Platforms
- Added table `docker_info` to POSIX-compatible Platforms
- Added table `docker_network_labels` to POSIX-compatible Platforms
- Added table `docker_networks` to POSIX-compatible Platforms
- Added table `docker_version` to POSIX-compatible Platforms
- Added table `docker_volume_labels` to POSIX-compatible Platforms
- Added table `docker_volumes` to POSIX-compatible Platforms

# osquery 2.4.5 (2017-05-26T22:38:59+00:00)

# osquery 2.4.6 (2017-05-31T00:21:04+00:00)

## New features in 2.4.6:

This release contains a 'Rebuild the World' release of third-party dependencies, with bumps in most of the libraries used by osquery. As part of this bump in third-party dependencies we now make use of Clang's ThinLTO to enhance the linking experience. This release further brings in fixes to our build process to facilitate using the ASAN and TSAN frameworks.
Lastly, this release introduces the concept of views for osquery queries, as well as the SQL `to_base64` and `from_base64` column functions.

- #3297 Windows `interface_addresses` now leverages native Win32 APIs as opposed to WMI
- #3312 Add base64 encoding and decoding functions
- #3306 Adding a config block to create views

### Bug fixes

- #3307 Fix reading past the end of buffer in fileops tests
- #3308 Fix temperature sorting in darwin `temperature_sensors` table
- #3309 Fix crash caused by boost's unhandled exception in filesystem
- #3286 Fix sudoers path on FreeBSD, add fields to `os_version`
- #3291 Fix patchlevel reporting for FreeBSD
- #3322 Removing pretty printing from Windows event log data
- #3335 Fix invalid control character in profile.py
- #3353 [Tidy] Fix all C99 warnings

### Table changes (from 2.4.4 to 2.4.6):

- Added table `fbsd_kmods` to FreeBSD
- Added column `device` (`TEXT_TYPE`) to table `disk_events`
- Added column `type` (`TEXT_TYPE`) to table `interface_addresses`
- Removed column `bsd_name` (`TEXT_TYPE`) from table `disk_events`

# osquery 2.4.7 (2017-06-09T20:26:00+00:00)

# osquery 2.5.0 (2017-06-14T02:16:12+00:00)

## New features in 2.5.0:

There are several new features and bug fixes.
- #3356 Only reconfigure event publishers if configuration content changes
- #3375 Add the "platform mask" to enrollment requests
- #3376 Allow Linux publishers to be interrupted (previously they would stop)
- #3360 Add a watchdog delay (60s) before enforcing limits to allow for log flushing
- #3402 Increase max `rpm_package_files` to 64k on Linux

### Table changes (from 2.4.6 to 2.5.0):

- Added table `virtual_memory_info` to Darwin (Apple OS X)
- Added table `load_average` to POSIX-compatible Platforms
- Added column `local_hostname` (`TEXT_TYPE`) to table `system_info`
- Added and removed several columns from the Windows `drivers` table

# osquery 2.11.3 (2017-06-14T14:44:24+00:00)

## [2.11.3](https://github.com/CERT-BDF/TheHive/tree/2.11.3) (2017-06-14)

[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/debian/2.11.2-2...2.11.3)

**Fixed bugs:**

- Unable to add tasks to case template [\#239](https://github.com/CERT-BDF/TheHive/issues/239)
- Problem Start TheHive on Ubuntu 16.04 [\#238](https://github.com/CERT-BDF/TheHive/issues/238)
- MISP synchronization doesn't retrieve all events [\#236](https://github.com/CERT-BDF/TheHive/issues/236)

# osquery 2.5.1 (2017-06-19T21:25:36+00:00)

# osquery 2.5.2 (2017-06-30T21:46:13+00:00)

# osquery 2.12.0 (2017-07-05T08:34:42+00:00)

## [2.12.0](https://github.com/CERT-BDF/TheHive/tree/2.12.0)

[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/2.11.3...2.12.0)

**Implemented enhancements:**

- Sort the analyzers list in observable details page [\#245](https://github.com/CERT-BDF/TheHive/issues/245)
- More options to sort cases [\#243](https://github.com/CERT-BDF/TheHive/issues/243)
- Alert Preview and management improvements [\#232](https://github.com/CERT-BDF/TheHive/issues/232)
- Ability to Reopen Tasks [\#156](https://github.com/CERT-BDF/TheHive/issues/156)
- Display short reports on the Observables tab [\#131](https://github.com/CERT-BDF/TheHive/issues/131)
- Custom fields for case template [\#12](https://github.com/CERT-BDF/TheHive/issues/12)
- Show case status and category \(FP, TP, IND\) in related cases [\#229](https://github.com/CERT-BDF/TheHive/issues/229)
- Open External Links in New Tab [\#228](https://github.com/CERT-BDF/TheHive/issues/228)
- Observable analyzers view reports. [\#191](https://github.com/CERT-BDF/TheHive/issues/191)
- Specifying tags on statistics page or performing a search [\#186](https://github.com/CERT-BDF/TheHive/issues/186)
- Choose case template while importing events from MISP [\#175](https://github.com/CERT-BDF/TheHive/issues/175)
- Use local font files [\#250](https://github.com/CERT-BDF/TheHive/issues/250)

**Fixed bugs:**

- Fix case metrics malformed definitions [\#248](https://github.com/CERT-BDF/TheHive/issues/248)
- Sorting alerts by severity fails [\#242](https://github.com/CERT-BDF/TheHive/issues/242)
- Alerting Panel: Typo Correction [\#240](https://github.com/CERT-BDF/TheHive/issues/240)
- files in alerts are limited to 32kB [\#237](https://github.com/CERT-BDF/TheHive/issues/237)
- Alert can contain inconsistent data [\#234](https://github.com/CERT-BDF/TheHive/issues/234)
- Search do not work with non-latin characters [\#223](https://github.com/CERT-BDF/TheHive/issues/223)
- report status not updated after finish [\#212](https://github.com/CERT-BDF/TheHive/issues/212)
- A locked user can use the API to create / delete / list cases \(and more\) [\#251](https://github.com/CERT-BDF/TheHive/issues/251)

# osquery 2.5.3 (2017-07-18T07:28:40+00:00)

# osquery 2.6.0 (2017-07-24T23:38:41+00:00)

This is the next stable build of osquery, ready for production. This release fixes many bugs in the Windows version, vastly improving stability and some tables.
The SQLite version was also bumped to 3.19.3 and improvements were made to inotify eventing on Linux. The preferences table on Darwin has also been changed and its core functionality moved to a new plist table. See (#3455) for more details, as this may require updates to any scheduled queries that use this table. For more complete release notes, see the highlights below.

**Several bug fixes pertaining to Windows:**

* (#3478) Fixed a crash in interface_details - If WMI data was empty, an invalid access occurred.
* (#3481) Choco build output directory change - Building a package will now drop you in the directory you started in, not the build directory.
* (#3475) Fixed worker respawn logic - Killed workers were not being respawned correctly due to a lack of early exit.
* (#3470) system_info FQDN - The system_info table on Windows will now return the full FQDN, not just the host name.
* (#3484) Additional install locations - The programs table checks more locations to find installed applications.
* (#3431) Skip tests on Windows - It's now possible to skip building tests via an environment variable on Windows.
* (#3444) Autoexec - Added a new table to find auto-executing programs.
* (#3436) IE Extensions - Added a new table to list extensions installed in IE.

**A few bug fixes to POSIX/macOS**

* (#3454) (#3473) (#3476) High Sierra related fixes - Fixed a bug where the local clang-format wasn't being used and the system one was called instead. Also fixed a globbing bug caused by a new file ordering on APFS systems.
* (#3480) Mount event on Darwin - FSEvents now also catches mount events, and these alerts go through the same pub/sub flow with the action "MOUNTED".

**General Updates**

* (#3488) Changes to plugin failures - All plugins will now fail if one fails. This ensures plugins are in a good state when initialization finishes.
* (#3485) Update to SQLite - SQLite version bumped to 3.19.3
* (#3489) TSAN fixes - Some general TSAN issues addressed.
* (#3487) Don't ignore SIGCHLD - Stop ignoring the SIGCHLD interrupt to exit faster.
* (#3459) Updates to inotify - Logic improved around adding/removing subscribers in the inotify eventer.
* (#3469) Fix TLS Config Update - Fixes TLS update and sets the refresh period to one hour.
* (#3457) Moved pid file - The osquery pid file is now in /var/run/ on Linux and FreeBSD systems.
* (#3378) Added epoch time to scheduled queries - To assist in keeping backend systems in sync with system state, an epoch decorator was added.
* (#3455) Separated preferences and plist - Preferences was split into its own table and the plist parsing functionality was moved to a new plist table.
* (#3448) Watchdog issues resolved - There were some instances where certain flag usage would inadvertently disable the watchdog.
* (#3390) Symlink column in file table - A new column indicating whether the file is a symlink.

# osquery 2.12.1 (2017-08-01T08:41:55+00:00)

## [2.12.1](https://github.com/CERT-BDF/TheHive/tree/2.12.1)

[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/2.12.0...2.12.1)

**Implemented enhancements:**

- Fix warnings in debian package [\#267](https://github.com/CERT-BDF/TheHive/issues/267)
- Merging alert into existing case does not merge alert description into case description [\#255](https://github.com/CERT-BDF/TheHive/issues/255)

**Fixed bugs:**

- Case similarity reports merged cases [\#272](https://github.com/CERT-BDF/TheHive/issues/272)
- Closing a case with an open task does not dismiss task in "My tasks" [\#269](https://github.com/CERT-BDF/TheHive/issues/269)
- API: cannot create alert if one alert artifact contains the IOC field set [\#268](https://github.com/CERT-BDF/TheHive/issues/268)
- Can't get logs of a task via API [\#259](https://github.com/CERT-BDF/TheHive/issues/259)
- Add multiple attachments in a single task log doesn't work [\#257](https://github.com/CERT-BDF/TheHive/issues/257)
- Cortex Connector Not Found [\#256](https://github.com/CERT-BDF/TheHive/issues/256)
- TheHive doesn't send the file name to Cortex [\#254](https://github.com/CERT-BDF/TheHive/issues/254)
- Renaming of users does not work [\#249](https://github.com/CERT-BDF/TheHive/issues/249)

# osquery 2.6.1 (2017-08-04T01:40:47+00:00)

# osquery 2.7.0 (2017-08-22T19:02:56+00:00)

## New features in 2.7.0

- #3506 FSEvents on macOS will monitor mount events within already-monitored directories
- #3503 OpenBSM events are monitored as `process_events` on macOS
- #3265 Add RapidJSON integration as a boost property tree replacement
- #3530 Implement excluded paths for FIM for Linux and macOS

### Bug fixes

- #3517 Wait for each extension before respawning
- #3553 and #3552 Fixing memory leaks in virtual tables
- #3534 Improve macOS process `start_time` column
- #3539 Fix sizes for `block_devices` on macOS and Linux
- #3574 Display correct UID for processes for Domain Users on Windows
- #3580 Fix handling of multiple LIKE and GLOB predicates\*

\* When using `LIKE` and `GLOB` with `OR` in query predicates, the SQLite optimizer may replace `TEXT` fields with incorrect values, causing unexpected behavior for tables like `file` that expect globbing input for path names.
### Table changes (from 2.6.0 to 2.7.0)

- Added table `process_memory_map` to All Platforms (from POSIX)
- Added table `device_firmware` to Darwin (Apple OS X)
- Added table `gatekeeper` to Darwin (Apple OS X)
- Added table `gatekeeper_approved_apps` to Darwin (Apple OS X)
- Added table `shared_folders` to Darwin (Apple OS X)
- Added table `sharing_preferences` to Darwin (Apple OS X)
- Added table `certificates` to MacOS and Windows
- Added table `user_events` to POSIX-compatible Platforms
- Added table `ec2_instance_metadata` to Ubuntu, CentOS
- Added table `ec2_instance_tags` to Ubuntu, CentOS
- Added column `block_size` (`INTEGER_TYPE`) to table `block_devices`
- Added column `cwd` (`TEXT_TYPE`) to table `process_events`
- Added column `status` (`BIGINT_TYPE`) to table `process_events`
- Added column `action` (`TEXT_TYPE`) to table `scheduled_tasks`
- Added column `class` (`TEXT_TYPE`) to table `usb_devices`
- Added column `protocol` (`TEXT_TYPE`) to table `usb_devices`
- Added column `subclass` (`TEXT_TYPE`) to table `usb_devices`

# osquery 2.13.0 (2017-09-15T14:00:09+00:00)

## [2.13](https://github.com/CERT-BDF/TheHive/tree/2.13) (2017-09-15)

[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/2.12.1...2.13)

**Implemented enhancements:**

- Group ownership in Docker image prevents running on OpenShift [\#307](https://github.com/CERT-BDF/TheHive/issues/307)
- Improve the content of alert flow items [\#304](https://github.com/CERT-BDF/TheHive/issues/304)
- Add a basic support for webhooks [\#293](https://github.com/CERT-BDF/TheHive/issues/293)
- Add basic authentication to Stream API [\#291](https://github.com/CERT-BDF/TheHive/issues/291)
- Add Support for Play 2.6.x and Elasticsearch 5.x [\#275](https://github.com/CERT-BDF/TheHive/issues/275)
- Fine grained user permissions for API access [\#263](https://github.com/CERT-BDF/TheHive/issues/263)
- Alert Pane: Catch Incorrect Keywords [\#241](https://github.com/CERT-BDF/TheHive/issues/241)
- Specify multiple AD servers in TheHive configuration [\#231](https://github.com/CERT-BDF/TheHive/issues/231)
- Export cases in MISP events [\#52](https://github.com/CERT-BDF/TheHive/issues/52)

**Fixed bugs:**

- Download attachment with non-latin filename [\#302](https://github.com/CERT-BDF/TheHive/issues/302)
- Undefined threat level from MISP events becomes severity "4" [\#300](https://github.com/CERT-BDF/TheHive/issues/300)
- File name is not displayed in observable conflict dialog [\#295](https://github.com/CERT-BDF/TheHive/issues/295)
- A colon punctuation mark in a search query results in 500 [\#285](https://github.com/CERT-BDF/TheHive/issues/285)
- Previewing alerts fails with "too many substreams open" due to case similarity process [\#280](https://github.com/CERT-BDF/TheHive/issues/280)

**Closed issues:**

- Threat level/severity code inverted between The Hive and MISP [\#292](https://github.com/CERT-BDF/TheHive/issues/292)

# osquery 2.8.0 (2017-09-19T03:47:29+00:00)

## New features in 2.8.0

This release merges the osqueryi shell into the osqueryd daemon. Both binaries will still be shipped with all platform packages, and the osqueryi binary is simply a copy of the osqueryd binary. The core logic of the shell merely checks the name of the running executable, and if it's osqueryi we launch into the shell.

This release also sees various changes to our third-party dependencies. Firstly, we have dropped snappy and LZ4 from our dependency chain in favor of ZSTD, so these packages will no longer be required for builds. Further, we have upgraded all platforms to make use of Boost 1.65.0, and finally we have successfully brought Firehose/Kinesis logging to the Windows platform.

Lastly, a few hardening changes to the RocksDB interface will ensure a better and more robust interface with the local caching database and strive to recover from database corruption.
- #3635 RocksDB interface has been extended to include a 'backup' and recover feature
- #3641 Firehose/Kinesis logging is now supported on Windows

## Bug fixes

- #3613 Fixed Boost 1.65.0 builds for macOS
- #3599 Addressed an issue in the Kinesis/Firehose record size check
- #3628 Wrapped the Windows shutdown event logic in a mutex
- #3651 New query counter added to ignore initial results for differential querying
- #3661 Fixed `listening_ports` table to use readlink instead of readpath
- #3663 Fixed RocksDB interface to avoid calling DB::Flush so often
- #3662 Fixed debug info breakage introduced via binary merging
- #3673 Fixed builds linking against shared objects
- #3671 Fixed bug which had changed enrollment tests path
- #3685 Use PackageKit to better enumerate package receipts on macOS
- #3698 Address shutdown behavior on Windows to ensure safe service stop

## Table changes (from 2.7.0 to 2.8.0)

- Added table `python_packages` to All Platforms
- Added table `chocolatey_packages` to Microsoft Windows
- Added table `curl` to POSIX-compatible Platforms
- Added column `friendly_name` (`TEXT_TYPE`) to table `interface_addresses`
- Added column `friendly_name` (`TEXT_TYPE`) to table `interface_details`
- Added column `host` (`TEXT_TYPE`) to table `preferences`
- Removed table `process_file_events` from Darwin (Apple OS X)
- Removed table `python_packages` from POSIX-compatible Platforms

# osquery 2.8.1 (2017-09-29T17:24:01+00:00)

## New features in 2.8.1

This is largely a break-fix release addressing an issue with the Kinesis/Firehose logging format. This release also sees a few small changes to the newly designed website, as well as a small overhaul to the filesystem abstraction to make use of Boost's `path` objects.
## Bug fixes

- #3746 Check Crypt API values for `nullptr` before using in `disk_encryption` table
- #3743 Add newline character between log lines for Firehose/Kinesis

## Table changes (from 2.8.0 to 2.8.1)

- Added column `last_opened_time` (`DOUBLE_TYPE`) to table `apps`

# osquery 2.13.1 (2017-10-03T08:24:46+00:00)

[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/2.13.0...2.13.1)

**Fixed bugs:**

- Tasks Tab Elasticsearch exception: Fielddata is disabled on text fields by default. Set fielddata=true on \[title\] [\#311](https://github.com/CERT-BDF/TheHive/issues/311)

# osquery 2.9.0 (2017-10-05T00:37:07+00:00)

## New features in 2.9.0

This is a security release; it includes fixes for weaknesses in several virtual tables. Please check out the new [`SECURITY.md`](https://github.com/facebook/osquery/blob/master/SECURITY.md) security issues tracker for more details.

This release has updated several dependency formulas. The focus for those updates was also security related. While it is unclear whether weaknesses in dependencies have an exact adverse effect on osquery, it is important to update them regardless. These updates mean a stronger and safer set of binary versions available on the https://osquery.io downloads page.
## Bug fixes

- #3785 (**CVE-2017-15026**) Use sanitized SQL for `ie_extensions` on Windows
- #3783 Drop temporary privileges to the intended user within `safari_extensions`
- #3782 (**CVE-2017-15027**) Use the owner of parent path in `dropToParent` event if the parent is a symlink
- #3781 (**CVE-2017-15028**) Drop temporary privileges to the intended user within `known_hosts`

The notable dependency updates include:

- #3780 `libmagic` updated to 5.32
- #3775 `libxml2` updated to 2.9.5
- #3767 `augeas` updated to 1.8.1
- #3770 `libarchive` updated to 3.3.3

# osquery 2.9.1 (2017-10-17T06:31:31+00:00)

# osquery 2.9.2 (2017-10-21T21:54:01+00:00)

# osquery 2.10.0 (2017-10-24T18:45:28+00:00)

## New features in 2.10.0

We've ported our HTTP client to Boost Beast to allow for more meaningful TLS errors and support for HTTP proxies.

- #3623 Use Boost Beast as the HTTP client implementation (previously we used cpp-netlib)

## Bug fixes

- #3862 Lock access to individual SQL databases
- #3856 Fix extended_schema on Windows (previously all extended columns were HIDDEN)

## Table changes (from 2.9.0 to 2.10.0)

- Added table `key_events` to Darwin (Apple OS X)
- Added table `authenticode` to Microsoft Windows
- Added table `logical_drives` to Microsoft Windows
- Added table `physical_disk_performance` to Microsoft Windows
- Added column `version` (`TEXT_TYPE`) to table `usb_devices`

# osquery 2.10.1 (2017-11-01T17:26:51+00:00)

# osquery 2.10.2 (2017-11-09T21:22:08+00:00)

## New features in 2.10.2

- #3884 The macOS firewall exception URLs are now included in `alf_exceptions`

The systemd service unit includes a post-init script to reload the units properly.
## Bug fixes

- #3892 Use better precision for calculating process start time on macOS
- #3917 Event tap publisher resource management fixes

## Table changes (from 2.10.0 to 2.10.2)

- Added table `curl` to All Platforms
- Added table `curl_certificate` to All Platforms
- Added table `pipes` to Microsoft Windows
- Added column `dst_port` (`TEXT_TYPE`) to table `iptables`
- Added column `src_port` (`TEXT_TYPE`) to table `iptables`

# osquery 2.10.3 (2017-11-20T16:32:25+00:00)

This is a pre-release for internal testing of extensions changes.

# osquery 2.10.4 (2017-11-27T19:56:55+00:00)

# osquery 2.13.2 (2017-12-05T13:50:04+00:00)

[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/2.13.1...2.13.2)

**Fixed bugs:**

- Security issue on Play 2.6.5 [\#356](https://github.com/CERT-BDF/TheHive/issues/356)
- Incorrect stats: non-IOC observables counted as IOC and IOC word displayed twice [\#347](https://github.com/CERT-BDF/TheHive/issues/347)
- Deleted Observables, Show up on the statistics tab under Observables by Type [\#343](https://github.com/CERT-BDF/TheHive/issues/343)
- Statistics on metrics doesn't work [\#342](https://github.com/CERT-BDF/TheHive/issues/342)
- Error on custom fields format when merging cases [\#331](https://github.com/CERT-BDF/TheHive/issues/331)

# osquery 3.0.1 (2017-12-07T15:42:44+00:00)

## [3.0.1](https://github.com/CERT-BDF/TheHive/tree/3.0.1) (2017-12-07)

[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/3.0.0...3.0.1)

**Fixed bugs:**

- MISP Event Export Error [\#387](https://github.com/CERT-BDF/TheHive/issues/387)
- During migration, dashboards are not created [\#386](https://github.com/CERT-BDF/TheHive/issues/386)
- Error when configuring multiple ElasticSearch nodes [\#383](https://github.com/CERT-BDF/TheHive/issues/383)

# osquery 2.11.0 (2017-12-18T22:22:12+00:00)

## New features in 2.11.0

This version adds more features to osquery extensions. For a few examples, the Thrift API calls now enforce a 5-minute maximum execution time to protect osquery from hung extensions (#3847), and extension processes that are autoloaded will respawn if they exit prematurely (#3944). We now depend on the newest `libaugeas` and have altered our integration to achieve much better performance (#3911). Several changes in the new Augeas version were designed for osquery's use cases. Finally, along with the bugs and features below, this version adds more care to Windows Services and MSI packaging (#3927).

- #3921 Kafka SSL support
- #3814 Hash table cache
- #3887 Windows Event Log (as a logger plugin) support
- #4005 Non-blacklistable queries

## Bug fixes

- #3909 Print correct address family id for AF_UNIX sockets
- #3938 Remove 'removed' results correctly
- #3943 Stop renaming worker and extension argv[0]
- #3958 Fix header calculation with HTTP client and AWS Firehose
- #3979 Only daemon-reload if systemd is running
- #3985 Removing newline from Windows Event Log lines
- #4001 Remove invalid assumptions about status logging (refactor status logging)

## Table changes (from 2.10.2 to 2.11.0)

- Added table `groups` to All Platforms
- Added table `intel_me_info` to Linux and Windows
- Added table `shadow` to Linux
- Added column `blacklisted` (`INTEGER_TYPE`) to table `osquery_schedule`
- Added column `install_location` (`TEXT_TYPE`) to table `programs`
- Added column `type` (`TEXT_TYPE`) to table `users`
- Renamed table `key_events` to `user_interaction_events` on MacOS

# osquery 2.11.1 (2017-12-24T06:16:56+00:00)

This tag includes dependency changes to accommodate Homebrew builds.

# osquery 2.11.2 (2017-12-30T20:34:49+00:00)

This is a small release that adds mitigations for #3984.
It also includes a new `crashes` table for Windows, a bugfix (#4022) for `startup_items` not including non-existent paths, and upgrades of our internal dependencies for Boost (1.66) and Thrift (0.11). This release is also the first using the new ASL2.0 and GPL2 dual license.

# osquery 3.0.0 (2018-01-16T04:33:17+00:00)

Welcome to the 3.0.0 series! In this series we'll be moving fast to incorporate new features that improve performance and safety. Minor releases will indicate newly landed features. We'll highlight what to expect for compatibility in the release notes for each version.

In this kick-off tag, we're ratcheting the build "runtime" that is installed with `make deps`. On macOS and Linux this is completely rebuilt to minimize the final binary size. We have also nitpicked compatibility options for macOS and believe this version is much safer for older versions, below 10.13.

Finally, this version pays attention to OS and package manager maintainers. It will be a struggle to find the correct dependencies, but 3.0.0 supports a traditional `cmake` build if the `SKIP_DEPS` environment variable exists.

# osquery 3.1.0 (2018-02-08T00:46:43+00:00)

See the 3.0.0 release notes about the 3.0 series! This release includes the Linux Audit redesign. This redesign is faster, more reliable, and more extensible!
2018-02-08T00:46:43+00:00

# osquery 3.2.0 (published 2018-03-21T16:47:25+00:00)

# osquery 3.0.2 (published 2018-03-23T10:35:12+00:00)

## [3.0.2](https://github.com/TheHive-Project/TheHive/tree/3.0.2) (2017-12-20)

[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.0.1...3.0.2)

**Implemented enhancements:**

- Add multiline/multi entity graph to dashboards [\#399](https://github.com/TheHive-Project/TheHive/issues/399)
- Can not configure ElasticSearch authentication [\#384](https://github.com/TheHive-Project/TheHive/issues/384)

**Fixed bugs:**

- "Mark as Sighted" Option not available for "File" observable type [\#400](https://github.com/TheHive-Project/TheHive/issues/400)

# osquery 3.0.3 (published 2018-03-23T10:35:37+00:00)

## [3.0.3](https://github.com/TheHive-Project/TheHive/tree/3.0.3) (2018-01-10)

[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.0.2...3.0.3)

**Fixed bugs:**

- THP-SEC-ADV-2017-001: Privilege Escalation in all Versions of TheHive [\#408](https://github.com/TheHive-Project/TheHive/issues/408)

# osquery 3.0.4 (published 2018-03-23T10:36:17+00:00)

## [3.0.4](https://github.com/TheHive-Project/TheHive/tree/3.0.4) (2018-02-05)

[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.0.3...3.0.4)

**Implemented enhancements:**

- Make alerts searchable through the global search field [\#456](https://github.com/TheHive-Project/TheHive/issues/456)
- Make counts on Counter dashboard's widget clickable [\#455](https://github.com/TheHive-Project/TheHive/issues/455)
- MISP feeds cause the growing of ES audit docs [\#450](https://github.com/TheHive-Project/TheHive/issues/450)
- Case metrics sort [\#418](https://github.com/TheHive-Project/TheHive/issues/418)
- Filter MISP Events Using MISP Tags & More Before Creating Alerts [\#370](https://github.com/TheHive-Project/TheHive/issues/370)
- OAuth2 single sign-on implementation \(BE + FE\) [\#430](https://github.com/TheHive-Project/TheHive/pull/430) ([saibot94](https://github.com/saibot94))

**Fixed bugs:**

- Remove uppercase filter on template name [\#464](https://github.com/TheHive-Project/TheHive/issues/464)
- Fix the alert bulk update timeline message [\#463](https://github.com/TheHive-Project/TheHive/issues/463)
- "too many substreams open" on alerts [\#462](https://github.com/TheHive-Project/TheHive/issues/462)
- Fix MISP export error dialog column's wrap [\#460](https://github.com/TheHive-Project/TheHive/issues/460)
- More than 20 users prevents assignment in tasks [\#459](https://github.com/TheHive-Project/TheHive/issues/459)
- Type is not used when generating alert id [\#457](https://github.com/TheHive-Project/TheHive/issues/457)
- Fix link to default report templates [\#454](https://github.com/TheHive-Project/TheHive/issues/454)
- Make dashboard donuts clickable [\#453](https://github.com/TheHive-Project/TheHive/issues/453)
- Refresh custom fields on open cases by background changes [\#440](https://github.com/TheHive-Project/TheHive/issues/440)
- Bug: Case metrics not shown when creating case from template [\#417](https://github.com/TheHive-Project/TheHive/issues/417)
- Observable report taxonomies bug [\#409](https://github.com/TheHive-Project/TheHive/issues/409)

**Closed issues:**

- GET request with Content-Type ends up in HTTP 400 [\#438](https://github.com/TheHive-Project/TheHive/issues/438)
- Feature Request: Ability to bulk upload files as observables. [\#435](https://github.com/TheHive-Project/TheHive/issues/435)
- Add metadata to MISP event when exporting case from TheHive [\#433](https://github.com/TheHive-Project/TheHive/issues/433)
- How to limit by date amount of events pulled from MISP initially?
[\#432](https://github.com/TheHive-Project/TheHive/issues/432)

# osquery 3.0.5 (published 2018-03-23T10:36:36+00:00)

## [3.0.5](https://github.com/TheHive-Project/TheHive/tree/3.0.5) (2018-02-08)

[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.0.4...3.0.5)

**Fixed bugs:**

- Importing Template Button Non-Functional bug [\#404](https://github.com/TheHive-Project/TheHive/issues/404)
- No reports available for "domain" type bug [\#409](https://github.com/TheHive-Project/TheHive/issues/409)

# osquery 3.2.1 (published 2018-03-29T20:40:24+00:00)

# osquery 3.2.2 (published 2018-03-29T23:16:04+00:00)

# osquery 3.0.7 (published 2018-04-03T15:40:21+00:00)

## [3.0.7](https://github.com/TheHive-Project/TheHive/tree/3.0.7) (2018-03-29)

[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.0.6...3.0.7)

**Implemented enhancements:**

- Delete Case [\#100](https://github.com/TheHive-Project/TheHive/issues/100)

**Fixed bugs:**

- Display only cortex servers available for each analyzer, in observable details page [\#513](https://github.com/TheHive-Project/TheHive/issues/513)
- Can't save case template in 3.0.6 [\#502](https://github.com/TheHive-Project/TheHive/issues/502)

# osquery 3.0.6 (published 2018-04-03T15:41:06+00:00)

## [3.0.6](https://github.com/TheHive-Project/TheHive/tree/3.0.6) (2018-03-08)

[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.0.5...3.0.6)

**Implemented enhancements:**

- Add compatibility with Cortex 2 [\#466](https://github.com/TheHive-Project/TheHive/issues/466)

**Fixed bugs:**

- Tasks are stripped when merging cases [\#489](https://github.com/TheHive-Project/TheHive/issues/489)

# osquery 3.0.8 (published 2018-04-13T13:32:33+00:00)

## [3.0.8](https://github.com/TheHive-Project/TheHive/tree/3.0.8) (2018-04-04)

[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.0.7...3.0.8)

**Fixed bugs:**

- Mini reports is not shown when Cortex 2 is used [\#526](https://github.com/TheHive-Project/TheHive/issues/526)
- Session collision when TheHive & Cortex 2 share the same URL [\#525](https://github.com/TheHive-Project/TheHive/issues/525)
- "Run all" in single observable context does not work [\#524](https://github.com/TheHive-Project/TheHive/issues/524)
- Error on displaying analyzers name in report template admin page [\#523](https://github.com/TheHive-Project/TheHive/issues/523)
- Job Analyzer is no longer named in 3.0.7 with Cortex2 [\#521](https://github.com/TheHive-Project/TheHive/issues/521)

**Merged pull requests:**

- Add ElasticSearch file descriptor limit to docker-compose.yml [\#505](https://github.com/TheHive-Project/TheHive/pull/505) ([flmsc](https://github.com/flmsc))

# osquery 3.0.9 (published 2018-04-13T13:32:55+00:00)

## [3.0.9](https://github.com/TheHive-Project/TheHive/tree/3.0.9)

[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.0.8...3.0.9)

**Fixed bugs:**

- Cortex connection can fail without any error log [\#543](https://github.com/TheHive-Project/TheHive/issues/543)
- PhishTank Cortex Tag is transparent [\#535](https://github.com/TheHive-Project/TheHive/issues/535)
- Naming inconsistencies in Live-Channel [\#531](https://github.com/TheHive-Project/TheHive/issues/531)
- Error when trying to analyze a filename with the Hybrid Analysis analyzer [\#530](https://github.com/TheHive-Project/TheHive/issues/530)
- Long Report isn't shown [\#527](https://github.com/TheHive-Project/TheHive/issues/527)
- Artifacts' sighted flags are not merged when merging cases [\#518](https://github.com/TheHive-Project/TheHive/issues/518)
- TheHive MISP cert validation, the trustAnchors parameter must be non-empty [\#452](https://github.com/TheHive-Project/TheHive/issues/452)

**Closed issues:**

- The Hive - MISP SSL configuration:
General SSLEngine problem [\#544](https://github.com/TheHive-Project/TheHive/issues/544)
- Dropdown menu for case templates doesn't have scroll [\#541](https://github.com/TheHive-Project/TheHive/issues/541)

**Merged pull requests:**

- Update spacing for elasticsearch section in docker-compose yml file [\#539](https://github.com/TheHive-Project/TheHive/pull/539) ([jbarlow-mcafee](https://github.com/jbarlow-mcafee))

# osquery 3.2.3 (published 2018-04-18T17:51:06+00:00)

# osquery 3.2.4 (published 2018-04-25T03:26:12+00:00)

# osquery 3.2.5 (published 2018-05-11T21:30:45+00:00)

# osquery 3.2.6 (published 2018-05-22T21:10:54+00:00)

# osquery 3.0.10 (published 2018-06-08T13:06:23+00:00)

## [3.0.10](https://github.com/TheHive-Project/TheHive/tree/3.0.10) (2018-05-29)

[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.0.9...3.0.10)

**Implemented enhancements:**

- Rotate logs [\#579](https://github.com/TheHive-Project/TheHive/issues/579)
- Send caseId to Cortex analyzer [\#564](https://github.com/TheHive-Project/TheHive/issues/564)
- Poll for connectors status and display [\#563](https://github.com/TheHive-Project/TheHive/issues/563)
- Sort related cases by related artifacts amount [\#548](https://github.com/TheHive-Project/TheHive/issues/548)
- Time Calculation for individual tasks [\#546](https://github.com/TheHive-Project/TheHive/issues/546)

**Fixed bugs:**

- Wrong error message when creating an observable with invalid data [\#592](https://github.com/TheHive-Project/TheHive/issues/592)
- Analyzer name not reflected in modal view of mini-reports [\#586](https://github.com/TheHive-Project/TheHive/issues/586)
- Invalid searches lead to read error messages [\#584](https://github.com/TheHive-Project/TheHive/issues/584)
- Merge case by ID brings red error message if not a number in textfield [\#583](https://github.com/TheHive-Project/TheHive/issues/583)
- Open cases not listed after deletion of merged case in UI [\#557](https://github.com/TheHive-Project/TheHive/issues/557)
- Making dashboards private makes them "invisible" [\#555](https://github.com/TheHive-Project/TheHive/issues/555)
- MISP Synchronisation error [\#522](https://github.com/TheHive-Project/TheHive/issues/522)
- Short Report is not shown on observables \(3.0.8\) [\#512](https://github.com/TheHive-Project/TheHive/issues/512)
- Artifacts reports are not merged when merging cases [\#446](https://github.com/TheHive-Project/TheHive/issues/446)

**Closed issues:**

- Max Age Filter Not Working? [\#577](https://github.com/TheHive-Project/TheHive/issues/577)
- Support X-Pack authentication/encryption for elastic [\#570](https://github.com/TheHive-Project/TheHive/issues/570)
- Order the cases list by custom field \[Feature Request\] [\#567](https://github.com/TheHive-Project/TheHive/issues/567)
- Using Postman to test the API, getting "No CSRF token found in headers" [\#549](https://github.com/TheHive-Project/TheHive/issues/549)

# osquery 3.2.7 (published 2018-06-11T21:04:32+00:00)

# osquery 3.2.8 (published 2018-06-13T20:53:05+00:00)

# osquery 3.2.9 (published 2018-06-19T22:49:38+00:00)

# osquery 3.1.0-RC1 (published 2018-07-31T12:29:50+00:00)

[Full Changelog](https://github.com/TheHive-Project/TheHive/compare/3.0.10...3.1.0-RC1)

**Implemented enhancements:**

- Display drop-down for custom fields sorted alphabetically [\#653](https://github.com/TheHive-Project/TheHive/issues/653)
- Custom fields in Alerts?
[\#635](https://github.com/TheHive-Project/TheHive/issues/635)
- Check Cortex authentication in status page [\#625](https://github.com/TheHive-Project/TheHive/issues/625)
- Revamp the search section capabilities [\#620](https://github.com/TheHive-Project/TheHive/issues/620)
- New TheHive-Project repository [\#618](https://github.com/TheHive-Project/TheHive/issues/618)
- Add PAP to case to indicate which kind of action is allowed [\#616](https://github.com/TheHive-Project/TheHive/issues/616)
- Ability to execute active response on any element of TheHive [\#609](https://github.com/TheHive-Project/TheHive/issues/609)
- Consider providing checksums for the release files [\#590](https://github.com/TheHive-Project/TheHive/issues/590)
- Start Task - Button [\#540](https://github.com/TheHive-Project/TheHive/issues/540)
- Handling malware as zip protected file [\#538](https://github.com/TheHive-Project/TheHive/issues/538)
- Auto-refresh for Dashboards [\#476](https://github.com/TheHive-Project/TheHive/issues/476)
- Assign Tasks to users from the Tasks tab [\#426](https://github.com/TheHive-Project/TheHive/issues/426)
- Make The Hive MISP integration sharing vs pull configurable [\#374](https://github.com/TheHive-Project/TheHive/issues/374)
- MISP Sharing Improvements [\#366](https://github.com/TheHive-Project/TheHive/issues/366)
- Output of analyzer as new observable [\#246](https://github.com/TheHive-Project/TheHive/issues/246)
- Ability to have nested tasks [\#148](https://github.com/TheHive-Project/TheHive/issues/148)
- Single-Sign On support [\#354](https://github.com/TheHive-Project/TheHive/issues/354)

**Fixed bugs:**

- Default value of custom fields are not saved [\#649](https://github.com/TheHive-Project/TheHive/issues/649)
- Attachments with character "\#" in the filename are wrongly processed [\#645](https://github.com/TheHive-Project/TheHive/issues/645)
- Session does not expire correctly [\#640](https://github.com/TheHive-Project/TheHive/issues/640)
- Dashboards contain analyzer IDs instead of correct names [\#608](https://github.com/TheHive-Project/TheHive/issues/608)
- Error with Single Sign-On on TheHive with X.509 Certificates [\#600](https://github.com/TheHive-Project/TheHive/issues/600)
- Entity case XXXXXXXXXX not found - After deleting case [\#534](https://github.com/TheHive-Project/TheHive/issues/534)
- Artifacts reports are not merged when merging cases [\#446](https://github.com/TheHive-Project/TheHive/issues/446)
- If Cortex modules fail in some way, they are permanently repolled by TheHive [\#324](https://github.com/TheHive-Project/TheHive/issues/324)
- Previewing alerts fails with "too many substreams open" due to case similarity process [\#280](https://github.com/TheHive-Project/TheHive/issues/280)
- File upload when /tmp is full [\#321](https://github.com/TheHive-Project/TheHive/issues/321)
- StreamSrv: Unexpected message : StreamNotFound [\#414](https://github.com/TheHive-Project/TheHive/issues/414)

**Merged pull requests:**

- fix bug in AlertListCtrl [\#642](https://github.com/TheHive-Project/TheHive/pull/642) ([billmurrin](https://github.com/billmurrin))
- flag for Windows env [\#641](https://github.com/TheHive-Project/TheHive/pull/641) ([billmurrin](https://github.com/billmurrin))
- 426 - assign tasks to users from tasks tab [\#628](https://github.com/TheHive-Project/TheHive/pull/628) ([billmurrin](https://github.com/billmurrin))
- Fix installation links [\#603](https://github.com/TheHive-Project/TheHive/pull/603) ([Viltaria](https://github.com/Viltaria))

# osquery 3.3.0 (published 2018-08-06T17:27:49+00:00)

# osquery 3.3.1 (published 2018-09-19T17:48:50+00:00)

# osquery 3.3.2 (published 2019-01-10T01:17:06+00:00)

# osquery 3.4.0 (published 2019-05-23T00:07:24+00:00)

This is a **Windows only** release, intended to address critical bugs and performance issues with the osquery agent on Windows systems.
The release notes are temporarily left as a "Todo", and will be drafted soon!

# osquery 4.0.0 (published 2019-06-29T00:10:47+00:00)

This is a pre-release for the new version of osquery, based on the really cool refactor done by Facebook's team in London. This initial version introduces CMake support, CI and packaging.

# Requirements

## Linux

Ubuntu 18.04 or better

## macOS

Mojave

## Windows

Windows 10 or Windows Server 2016

# osquery 4.0.1 (published 2019-09-10T01:14:41+00:00)

This release has two major focuses. It is the first release since [osquery transitioned to a Linux Foundation project](https://www.linuxfoundation.org/press-release/2019/06/the-linux-foundation-announces-intent-to-form-new-foundation-to-support-osquery-community/). It features a heavily reworked build system. This aims to provide flexibility and stability.

[Git Commits](https://github.com/osquery/osquery/compare/3.3.2...4.0.1)

### New Features / Under the Hood improvements

- Linux Audit `process_events`: implement support for fork/vfork/clone/execveat ([#5701](https://github.com/osquery/osquery/pull/5701))
- New SQLite function `regex_match` to match across columns ([#5444](https://github.com/osquery/osquery/pull/5444))
- LRU cache for syscall tracing ([#5521](https://github.com/osquery/osquery/pull/5521))
- Basic tracing via eBPF on Linux ([#5403](https://github.com/osquery/osquery/pull/5403), [#5386](https://github.com/osquery/osquery/pull/5386), [#5384](https://github.com/osquery/osquery/pull/5384))
- Experimental `kill` and `setuid` syscall tracing in Linux via eBPF ([#5519](https://github.com/osquery/osquery/pull/5519))
- New eventing (ev2) framework ([#5401](https://github.com/osquery/osquery/pull/5401))
- Improved table performance profiles ([#5187](https://github.com/osquery/osquery/pull/5187))
- macOS query pack: detect SearchAwesome malware ([#5713](https://github.com/osquery/osquery/pull/5713))
- macOS query pack: detect when a process is tapping keyboard events ([#5345](https://github.com/osquery/osquery/pull/5345))

### Build

- Refactor CMake build ([#5604](https://github.com/osquery/osquery/pull/5604), [#5627](https://github.com/osquery/osquery/pull/5627), [#5630](https://github.com/osquery/osquery/pull/5630), [#5618](https://github.com/osquery/osquery/pull/5618), [#5619](https://github.com/osquery/osquery/pull/5619))
- Refactor third-party libraries to build from source on Linux ([#5706](https://github.com/osquery/osquery/pull/5706))
- Add Azure Pipelines support for CI/CD ([#5604](https://github.com/osquery/osquery/pull/5604), [#5632](https://github.com/osquery/osquery/pull/5632), [#5626](https://github.com/osquery/osquery/pull/5626), [#5613](https://github.com/osquery/osquery/pull/5613), [#5607](https://github.com/osquery/osquery/pull/5607), [#5673](https://github.com/osquery/osquery/pull/5673), [#5610](https://github.com/osquery/osquery/pull/5610))
- Add Buck as a build system ([971bee44](https://github.com/osquery/osquery/commit/971bee44))
- Use `urllib2` to automatically handle HTTP 301/302 redirections ([#5612](https://github.com/osquery/osquery/pull/5612))
- Update MSI package to install to `Program Files` on Windows ([#5579](https://github.com/osquery/osquery/pull/5579))
- Linux custom toolchain integration ([#5759](https://github.com/osquery/osquery/pull/5759))

### Hardening

- Link binaries with Full RELRO on Linux ([#5748](https://github.com/osquery/osquery/pull/5748))
- Remove FTS features from SQLite ([#5703](https://github.com/osquery/osquery/pull/5703), [#5702](https://github.com/osquery/osquery/issues/5702))
- Fix SQLite API usage errors ([#5551](https://github.com/osquery/osquery/pull/5551))
- Fix issues reported by ASAN ([#5665](https://github.com/osquery/osquery/pull/5665))
- Handle bad FDs in `md_tables` ([#5553](https://github.com/osquery/osquery/pull/5533))
- Fix lock resource leak in events/syslog ([#5552](https://github.com/osquery/osquery/pull/5552))
- Fix
memory leak in macOS `keychain_items` and `extended_attributes` tables ([#5550](https://github.com/osquery/osquery/pull/5550), [#5538](https://github.com/osquery/osquery/pull/5538))
- Fix memory leak in `genLoggedInUsers` (Windows). Update `WTSFreeMemoryEx` to `WTSFreeMemory` ([#5642](https://github.com/osquery/osquery/pull/5642))
- Fix potential null dereferences in `smbios_tables` ([#5332](https://github.com/osquery/osquery/pull/5332))
- Fix osquery exiting with wrong status ([3824c2e6](https://github.com/osquery/osquery/commit/3824c2e6))
- Add additional `install` and `uninstall` flag incompatibility check ([85eb77a0](https://github.com/osquery/osquery/commit/85eb77a0))
- Fix warning with constants initialisation in `magic` ([2a624f2f](https://github.com/osquery/osquery/commit/2a624f2f))
- Fix sign compare warning in `file_compression` ([b93069b3](https://github.com/osquery/osquery/commit/b93069b3))
- Refactored `logical_drives` table on Windows ([#5400](https://github.com/osquery/osquery/pull/5400))
- Refactored core/windows/wmi to use smart pointers ([#5492](https://github.com/osquery/osquery/pull/5492))
- Fixed various potential crashes in the virtual table implementation ([6ade85a5](https://github.com/osquery/osquery/commit/6ade85a5))
- Increase the amount of `MaxRecvRetries` for Thrift sockets ([#5390](https://github.com/osquery/osquery/pull/5390))

### Bug Fixes

- Fix the reading of the serial of a certificate (little-endian big int) ([#5742](https://github.com/osquery/osquery/pull/5742))
- Fix bugs and update pathname variables in MSI package build script ([#5733](https://github.com/osquery/osquery/pull/5733))
- Fix `registry` table exception closing an uninitialized key handle ([#5718](https://github.com/osquery/osquery/pull/5718))
- Config views are now recreated on startup ([#5732](https://github.com/osquery/osquery/pull/5732))
- Change MSI Service Error handling on Windows ([#5467](https://github.com/osquery/osquery/pull/5467))
- Allow mounting SQLite DBs using WAL journaling with ATC ([#5525](https://github.com/osquery/osquery/issues/5225), [#5633](https://github.com/osquery/osquery/pull/5633))
- Fix `mount` table interacting with direct autofs ([#5635](https://github.com/osquery/osquery/pull/5635))
- Fix HTTP Host Header to include port ([#5576](https://github.com/osquery/osquery/pull/5576))
- Various fixes to the Windows `certificates` table and expansion to include Personal certificates ([#5697](https://github.com/osquery/osquery/pull/5697), [#5696](https://github.com/osquery/osquery/pull/5696), [#5640](https://github.com/osquery/osquery/pull/5640), [#5631](https://github.com/osquery/osquery/pull/5631))
- Add optimization back to macOS `users` and `groups` ([#5684](https://github.com/osquery/osquery/pull/5684))
- Do not return a row for macOS `battery` if no data is present ([#5650](https://github.com/osquery/osquery/pull/5650))
- Fix several integer conversions in `process_ops` ([#5614](https://github.com/osquery/osquery/pull/5614))
- Include weekends on the `kernel_panics` table ([#5298](https://github.com/osquery/osquery/pull/5298))
- Fix `key_strength` bug for Windows `certificates` table ([#5304](https://github.com/osquery/osquery/pull/5304))
- The `interface` column of `routes` table could be empty on Windows ([bcf0ab8e](https://github.com/osquery/osquery/commit/bcf0ab8e))
- The `name` column of `programs` table could be empty on Windows ([7bceba4b](https://github.com/osquery/osquery/commit/7bceba4b))
- Fix `disable_watcher` flag ([08dc11b7](https://github.com/osquery/osquery/commit/08dc11b7))
- Populate `path` column correctly in `firefox_addons` table ([#5462](https://github.com/osquery/osquery/pull/5462))
- Fix numeric monitoring plugin not being registered ([#5484](https://github.com/osquery/osquery/pull/5484))
- Fix wrong error code returned when querying the Windows registry ([#5621](https://github.com/osquery/osquery/pull/5621))
- Fix `logical_drives` boot partition detection
([#5477](https://github.com/osquery/osquery/pull/5477))
- Replace sync calls by async within the HTTP client implementation ([#5606](https://github.com/osquery/osquery/pull/5606))
- Fix RocksDB crash related to `OptimizeForSmallDb` ([a31d7582](https://github.com/osquery/osquery/commit/a31d7582))
- Fix bug in table column data validator ([e3037331](https://github.com/osquery/osquery/commit/e3037331))
- Fix random port problem ([a32ed7c4](https://github.com/osquery/osquery/commit/a32ed7c4))
- Refactor `battery` table and return information even if advanced information is missing ([6a64e353](https://github.com/osquery/osquery/commit/6a64e353))

### Table Changes

- Added table `ibridge_info` on macOS (Notebooks only) ([#5707](https://github.com/osquery/osquery/pull/5707))
- Added table `running_apps` on macOS ([#5216](https://github.com/osquery/osquery/pull/5216))
- Added table `atom_packages` on macOS and Linux ([6d159d40](https://github.com/osquery/osquery/commit/6d159d40))
- Remove EC2 tables on Windows ([#5657](https://github.com/osquery/osquery/pull/5657))
- Added column `win_timestamp` to `time` table on Windows ([3bbe6c51](https://github.com/osquery/osquery/commit/3bbe6c51))
- Added column `is_hidded` to `users` and `groups` table on macOS ([#5368](https://github.com/osquery/osquery/pull/5368))
- Added column `profile` to `chrome_extensions` table ([#5213](https://github.com/osquery/osquery/pull/5213))
- Added column `epoch` to `rpm_packages` table on Linux ([#5248](https://github.com/osquery/osquery/pull/5248))
- Added column `sid` to `logged_in_users` table on Windows ([#5454](https://github.com/osquery/osquery/pull/5454))
- Added column `registry_hive` to `logged_in_users` table on Windows ([#5454](https://github.com/osquery/osquery/pull/5454))
- Added column `sid` to `certificates` table on Windows ([#5631](https://github.com/osquery/osquery/pull/5631))
- Added column `store_location` to `certificates` table on Windows ([#5631](https://github.com/osquery/osquery/pull/5631))
- Added column `store` to `certificates` table on Windows ([#5631](https://github.com/osquery/osquery/pull/5631))
- Added column `username` to `certificates` table on Windows ([#5631](https://github.com/osquery/osquery/pull/5631))
- Added column `store_id` to `certificates` table on Windows ([#5631](https://github.com/osquery/osquery/pull/5631))
- Added column `product_version` to `file` table on Windows ([#5431](https://github.com/osquery/osquery/pull/5431))
- Added column `source` to `sudoers` table on POSIX systems ([#5350](https://github.com/osquery/osquery/pull/5350))

# osquery 4.0.2 (published 2019-09-12T22:37:08+00:00)

# osquery 4.1.0 (published 2019-11-03T15:55:26+00:00)

### New Features / Under the Hood improvements

- Restore extension SDK and build support ([#5851](https://github.com/osquery/osquery/pull/5851))
- Documentation improvements ([#5860](https://github.com/osquery/osquery/pull/5860)), ([#5852](https://github.com/osquery/osquery/pull/5852)), ([#5912](https://github.com/osquery/osquery/pull/5912)), ([#5954](https://github.com/osquery/osquery/pull/5954))
- Add more tests throughout the codebase ([#5837](https://github.com/osquery/osquery/pull/5837)), ([#5832](https://github.com/osquery/osquery/pull/5832)), ([#5857](https://github.com/osquery/osquery/pull/5857)), ([#5864](https://github.com/osquery/osquery/pull/5864)), ([#5855](https://github.com/osquery/osquery/pull/5855)), ([#5869](https://github.com/osquery/osquery/pull/5869)), ([#5871](https://github.com/osquery/osquery/pull/5871)), ([#5885](https://github.com/osquery/osquery/pull/5885)), ([#5903](https://github.com/osquery/osquery/pull/5903)), ([#5879](https://github.com/osquery/osquery/pull/5879)), ([#5914](https://github.com/osquery/osquery/pull/5914)), ([#5941](https://github.com/osquery/osquery/pull/5941)), ([#5957](https://github.com/osquery/osquery/pull/5957))
- Allow configuring more Linux Audit settings using flags ([#5953](https://github.com/osquery/osquery/pull/5953))
- Add `logger_tls_max_lines` flag ([#5956](https://github.com/osquery/osquery/pull/5956))
- Add AWS Session Token support ([#5944](https://github.com/osquery/osquery/pull/5944))

### Build

- Lots of work on CPack-based packaging ([#5809](https://github.com/osquery/osquery/pull/5809)), ([#5822](https://github.com/osquery/osquery/pull/5822)), ([#5823](https://github.com/osquery/osquery/pull/5823)), ([#5827](https://github.com/osquery/osquery/pull/5827)), ([#5780](https://github.com/osquery/osquery/pull/5780)), ([#5850](https://github.com/osquery/osquery/pull/5850)), ([#5843](https://github.com/osquery/osquery/pull/5843)), ([#5881](https://github.com/osquery/osquery/pull/5881)), ([#5825](https://github.com/osquery/osquery/pull/5825)), ([#5940](https://github.com/osquery/osquery/pull/5940)), ([#5951](https://github.com/osquery/osquery/pull/5951)), ([#5936](https://github.com/osquery/osquery/pull/5936))
- Lots of work porting Python2 to Python3 ([#5846](https://github.com/osquery/osquery/pull/5846))
- Upgrade OpenSSL to 1.0.2t on all platforms ([#5928](https://github.com/osquery/osquery/pull/5928))
- Use SQLite 3.29.0 on Windows and macOS ([#5810](https://github.com/osquery/osquery/pull/5810))
- Use aws-sdk-cpp source-builds on Windows and macOS ([#5889](https://github.com/osquery/osquery/pull/5889))
- Add various code quality checks and utilities ([#5834](https://github.com/osquery/osquery/pull/5834)), ([#5730](https://github.com/osquery/osquery/pull/5730)), ([#5872](https://github.com/osquery/osquery/pull/5872))

### Hardening

- Restore fuzzing harness and use oss-fuzz ([#5844](https://github.com/osquery/osquery/pull/5844)), ([#5886](https://github.com/osquery/osquery/pull/5886)), ([#5910](https://github.com/osquery/osquery/pull/5910)), ([#5915](https://github.com/osquery/osquery/pull/5915)), ([#5923](https://github.com/osquery/osquery/pull/5923)),
([#5955](https://github.com/osquery/osquery/pull/5955)), ([#5963](https://github.com/osquery/osquery/pull/5963))
- Use newer RapidJSON and switch to safer iterative parsing ([#5893](https://github.com/osquery/osquery/pull/5893)), ([#5913](https://github.com/osquery/osquery/pull/5913))

### Bug Fixes

- Set Windows MSI ErrorControl to normal instead of critical ([#5818](https://github.com/osquery/osquery/pull/5818))
- Wrap flagfile with quotes for Windows install flag ([#5824](https://github.com/osquery/osquery/pull/5824))
- Improve submodule usages in CMake ([#5850](https://github.com/osquery/osquery/pull/5850)), ([#5880](https://github.com/osquery/osquery/pull/5880)), ([#5892](https://github.com/osquery/osquery/pull/5892)), ([#5897](https://github.com/osquery/osquery/pull/5897)), ([#5907](https://github.com/osquery/osquery/pull/5907))
- Improve locking support in internal APIs ([#5841](https://github.com/osquery/osquery/pull/5841)), ([#5906](https://github.com/osquery/osquery/pull/5906)), ([#5943](https://github.com/osquery/osquery/pull/5943)), ([#5944](https://github.com/osquery/osquery/pull/5944))
- Fixes for macOS application layer firewall tables ([#5378](https://github.com/osquery/osquery/pull/5378))
- Fixes within BPF event tables ([#5874](https://github.com/osquery/osquery/pull/5874))
- Refactor and improve PCI device tables on Linux ([#5446](https://github.com/osquery/osquery/pull/5446))
- Implement PID indexing on Windows `processes` table ([#5919](https://github.com/osquery/osquery/pull/5919))
- Improve `WHERE IN()` performance ([#5924](https://github.com/osquery/osquery/pull/5924)), ([#5938](https://github.com/osquery/osquery/pull/5938))
- Improve the internal HTTP client ([#5891](https://github.com/osquery/osquery/pull/5891)), ([#5946](https://github.com/osquery/osquery/pull/5946)), ([#5947](https://github.com/osquery/osquery/pull/5947))
- Fix Windows version codename lookup ([#5887](https://github.com/osquery/osquery/pull/5887))

### Table Changes

- Added table `alf_services` to Darwin (Apple OS X) ([#5378](https://github.com/osquery/osquery/pull/5378))
- Added table `connectivity` to Microsoft Windows ([#5500](https://github.com/osquery/osquery/pull/5500))
- Added table `default_environment` to Microsoft Windows ([#5441](https://github.com/osquery/osquery/pull/5441))
- Added table `windows_security_products` to Microsoft Windows ([#5479](https://github.com/osquery/osquery/pull/5479))
- Added column `platform_mask` (`INTEGER_TYPE`) to table `osquery_info` ([#5898](https://github.com/osquery/osquery/pull/5898))

# osquery 4.1.1 (published 2019-11-19T17:58:55+00:00)

### New Features / Under the Hood improvements

- Improve `nvram` table to use input variable names ([#6053](https://github.com/osquery/osquery/pull/6053))
- Improve `apt_sources` source detection ([#6047](https://github.com/osquery/osquery/pull/6047))
- Change `atom_packages` to use user constraints ([#6052](https://github.com/osquery/osquery/pull/6052))
- Re-enable required-column warning messages ([#6038](https://github.com/osquery/osquery/pull/6038))

### Build

- Migrate several libraries to the CMake source layer ([#5902](https://github.com/osquery/osquery/pull/5902)), ([#6023](https://github.com/osquery/osquery/pull/6023))
- Update SQLite from 3.29.0-3 to 3.30.1-1 ([#6020](https://github.com/osquery/osquery/pull/6020))
- Recommend building with MacOS 10.11 SDK ([#6000](https://github.com/osquery/osquery/pull/6000))

### Hardening

### Bug Fixes

- Fix Linux audit incorrect read and handle leak ([#5959](https://github.com/osquery/osquery/pull/5959))
- Change "logNumericsAsNumbers" to "numerics" logger top-level key ([#6002](https://github.com/osquery/osquery/pull/6002))
- Restore INDEX behavior for extensions ([#6006](https://github.com/osquery/osquery/pull/6006))
- Fix potential JSON parsing issues in ATC plugin ([#6029](https://github.com/osquery/osquery/pull/6029))
- Avoid scanning special files with YARA ([#5971](https://github.com/osquery/osquery/pull/5971))
- Fix use-after-move in YARA subscriber ([#6054](https://github.com/osquery/osquery/pull/6054))
- Handle relative redirects in internal HTTP clients ([#6049](https://github.com/osquery/osquery/pull/6049))
- Apply options config parsing before others ([#6050](https://github.com/osquery/osquery/pull/6050))

### Table Changes

- Added table `windows_optional_features` to Microsoft Windows ([#5991](https://github.com/osquery/osquery/pull/5991))

# osquery 4.1.2 (published 2019-12-17T15:11:23+00:00)

## [4.1.2](https://github.com/osquery/osquery/releases/tag/4.1.2)

[Git Commits](https://github.com/osquery/osquery/compare/4.1.1...4.1.2)

### New Features / Under the Hood improvements

- Add more tests throughout the codebase ([#5908](https://github.com/osquery/osquery/pull/5908)), ([#6071](https://github.com/osquery/osquery/pull/6071)), ([#6126](https://github.com/osquery/osquery/pull/6126))
- The `chrome_extensions` table now supports Chromium and Brave ([#6126](https://github.com/osquery/osquery/pull/6126))

### Build

- Require Python 3.5 and greater ([#6081](https://github.com/osquery/osquery/pull/6081)), ([#6120](https://github.com/osquery/osquery/pull/6120))
- Prepare Python tests for CI (lots of effort!)
([#6068](https://github.com/osquery/osquery/pull/6068)) - Restore osqueryd integration test ([#6116](https://github.com/osquery/osquery/pull/6116)) ### Bug Fixes - Continue to use `com.facebook.osquery.plist` for Launch Daemon configuration ([#6093](https://github.com/osquery/osquery/pull/6093)) - Update systemd service to use KillMode=control-group ([#6096](https://github.com/osquery/osquery/pull/6096)) - RPM and DEB packages both have post-install scripts to reload systemd ([#6097](https://github.com/osquery/osquery/pull/6097)) - Update Windows package build script to include cert bundle ([#6114](https://github.com/osquery/osquery/pull/6114)) - Update table specs to fix constraints passing ([#6103](https://github.com/osquery/osquery/pull/6103)), ([#6104](https://github.com/osquery/osquery/pull/6104)), ([#6105](https://github.com/osquery/osquery/pull/6105)), ([#6106](https://github.com/osquery/osquery/pull/6106)), ([#6122](https://github.com/osquery/osquery/pull/6122)) ### Table Changes - Added tables `azure_instance_tags` and `azure_instance_metadata` to Linux and Microsoft Windows ([#5434](https://github.com/osquery/osquery/pull/5434)) - Added column `install_time` (`INTEGER_TYPE`) to table `rpm_packages` ([#6113](https://github.com/osquery/osquery/pull/6113)) - Added column `bsd_flags` (`TEST_TYPE`) to table `file` on Darwin ([#5981](https://github.com/osquery/osquery/pull/5981)) 2019-12-17T15:11:23+00:00 osquery 4.2.0 osquery 4.2.0 2020-02-13T17:03:57+00:00 ### New Features / Under the Hood improvements - TLS Testing infrastructure has been overhauled ([#6170](https://github.com/osquery/osquery/pull/6170)) - Boost regex has been replaced with std ([#6236](https://github.com/osquery/osquery/pull/6236)) - `community_id_v1` added as a SQL function ([#6211](https://github.com/osquery/osquery/pull/6211)) ### Build - Fix format checking on Windows ([#6188](https://github.com/osquery/osquery/pull/6188)) - Fix format folder exclusions for build checks 
([#6201](https://github.com/osquery/osquery/pull/6201)) - Fix the linking for extensions in build ([#6219](https://github.com/osquery/osquery/pull/6219)) - Fix build to include windows optional features table ([#6207](https://github.com/osquery/osquery/pull/6207)) ### Security Issues - [CVE-2020-1887] osquery does not properly verify the SNI hostname ([#6197](https://github.com/osquery/osquery/pull/6197)) ### Bug Fixes - Carver no longer returns empty carves for hidden files ([#6183](https://github.com/osquery/osquery/pull/6183)) - Address a race in the Dispatcher logic ([#6145](https://github.com/osquery/osquery/pull/6145)) - Fix validation in 'last' table ([#6147](https://github.com/osquery/osquery/pull/6147)) - Fix flaky logger testing ([#6171](https://github.com/osquery/osquery/pull/6171)) - Fix JSON format assumptions in file_paths parsing ([#6159](https://github.com/osquery/osquery/pull/6159)) - Fix windows WMI BSTR to be wstrings ([#6175](https://github.com/osquery/osquery/pull/6175)) - Fix windows string <-> wstring conversion functions ([#6187](https://github.com/osquery/osquery/pull/6187)) - Enable more intelligent path expansion on Windows ([#6153](https://github.com/osquery/osquery/pull/6153)) - Fix heap buffer overflow in callDoubleFunc and powerFunc ([#6225](https://github.com/osquery/osquery/pull/6225)) ### Table Changes - Added table `firefox_addons` to All Platforms ([#6200](https://github.com/osquery/osquery/pull/6200)) - Added table `ssh_configs` to All Platforms ([#6161](https://github.com/osquery/osquery/pull/6161)) - Added table `user_ssh_keys` to All Platforms ([#6161](https://github.com/osquery/osquery/pull/6161)) - Added table `mdls` to Darwin (Apple OS X) ([#4825](https://github.com/osquery/osquery/pull/4825)) - Added table `hvci_status` to Microsoft Windows ([#5426](https://github.com/osquery/osquery/pull/5426)) - Added table `ntfs_journal_events` to Microsoft Windows ([#5426](https://github.com/osquery/osquery/pull/5426)) - Added table 
`docker_image_layers` to POSIX-compatible Plaforms ([#6154](https://github.com/osquery/osquery/pull/6154)) - Added table `process_open_pipes` to POSIX-compatible Plaforms ([#6142](https://github.com/osquery/osquery/pull/6142)) - Added table `apparmor_profiles` to Ubuntu, CentOS ([#6138](https://github.com/osquery/osquery/pull/6138)) - Added table `selinux_settings` to Ubuntu, CentOS ([#6118](https://github.com/osquery/osquery/pull/6118)) - Added column `lock_status` (`INTEGER_TYPE`) to table `bitlocker_info` ([#6155](https://github.com/osquery/osquery/pull/6155)) - Added column `percentage_encrypted` (`INTEGER_TYPE`) to table `bitlocker_info` ([#6155](https://github.com/osquery/osquery/pull/6155)) - Added column `version` (`INTEGER_TYPE`) to table `bitlocker_info` ([#6155](https://github.com/osquery/osquery/pull/6155)) - Added column `optional_permissions` (`TEXT_TYPE`) to table `chrome_extensions` ([#6115](https://github.com/osquery/osquery/pull/6115)) - Removed table `firefox_addons` from POSIX-compatible Plaforms ([#6200](https://github.com/osquery/osquery/pull/6200)) - Removed table `ssh_configs` from POSIX-compatible Plaforms ([#6161](https://github.com/osquery/osquery/pull/6161)) - Removed table `user_ssh_keys` from POSIX-compatible Plaforms ([#6161](https://github.com/osquery/osquery/pull/6161)) 2020-02-13T17:03:57+00:00 osquery 4.3.0 osquery 4.3.0 2020-04-14T15:04:31+00:00 ### New Features / Under the Hood improvements - Change verbosity of scheduled query execution messages from INFO to verbose only ([#6271](https://github.com/osquery/osquery/pull/6271)) - Updated the unwanted-chrome-extensions queries to include all users, not the osquery process owner only ([#6265](https://github.com/osquery/osquery/pull/6265)) - Check for errors in the return status of the extension tables and report them ([#6108](https://github.com/osquery/osquery/pull/6108)) - First steps to properly support UTF8 strings on Windows 
([#6190](https://github.com/osquery/osquery/pull/6190)) - Display the undelying API error string when udev monitoring fails ([#6186](https://github.com/osquery/osquery/pull/6186)) - Add the `path` column to the ATC generate specs ([#6278](https://github.com/osquery/osquery/pull/6278)) - Log a warning message if osquery fails to get the service description on Microsoft Windows ([#6281](https://github.com/osquery/osquery/pull/6281)) - Make AWS kinesis status logging configurable ([#6135](https://github.com/osquery/osquery/pull/6135)) - Add an integration test for the `disk_info` table ([#6323](https://github.com/osquery/osquery/pull/6323)) - Use -1 for missing `ppid` in the `process_events` table ([#6339](https://github.com/osquery/osquery/pull/6339)) - Remove error when converting empty numeric rows ([#6371](https://github.com/osquery/osquery/pull/6371)) - Change verbosity from ERROR to INFO of access failures to system processes on Microsoft Windows ([#6370](https://github.com/osquery/osquery/pull/6370)) - Make possible to get verbose messages from the dispatcher service management on Microsoft Windows too ([#6369](https://github.com/osquery/osquery/pull/6369)) ### Build - Fix codegen template for extension group ([#6244](https://github.com/osquery/osquery/pull/6244)) - Update SQLite from 3.30.1-1 to 3.31.1 ([#6252](https://github.com/osquery/osquery/pull/6252)) - Update the osquery-toolchain to version 1.1.0 which uses LLVM/Clang 9.0.1 ([#6315](https://github.com/osquery/osquery/pull/6315)) - Update openssl to version 1.1.1f ([#6302](https://github.com/osquery/osquery/pull/6302), [#6359](https://github.com/osquery/osquery/pull/6359)) - Simplify formula-based third party libraries build ([#6303](https://github.com/osquery/osquery/pull/6303)) - Removed the Buck build system ([#6361](https://github.com/osquery/osquery/pull/6361)) - Add librdkafka to Windows build ([#6095](https://github.com/osquery/osquery/pull/6095)) ### Bug Fixes - Fix CFNumber conversion when the 
type was a Float64/32 instead of a Double ([#6273](https://github.com/osquery/osquery/pull/6273)) - Fix duplicate results being returned by the chrome_extensions table ([#6277](https://github.com/osquery/osquery/pull/6277)) - Fix flaky ProcessOpenFilesTest.test_sanity ([#6185](https://github.com/osquery/osquery/pull/6185)) - Fix the `--database_dump` flag for RocksDB not outputting anything ([#6272](https://github.com/osquery/osquery/pull/6272)) - Fix the `pci_devices` table pci ids extraction in non-existing paths ([#6297](https://github.com/osquery/osquery/pull/6297)) - Fix parsing an invalid decorators config ([#6317](https://github.com/osquery/osquery/pull/6317)) - Fix flaky TLSConfigTests.test_runner_and_scheduler ([#6308](https://github.com/osquery/osquery/pull/6308)) - Fix chromeExtensions.test_sanity ([#6324](https://github.com/osquery/osquery/pull/6324)) - Fix broken Unicode filename searches on Microsoft Windows ([#6291](https://github.com/osquery/osquery/pull/6291)) - Fix a use-after-free when sqlite attempts to access the entire rows data at the end of a query ([#6328](https://github.com/osquery/osquery/pull/6328)) - Keep proc instance for test_base and test_osqueryd ([#6335](https://github.com/osquery/osquery/pull/6335)) - Fix osquery not exiting when given check or dump requests ([#6334](https://github.com/osquery/osquery/pull/6334)) - Fix `process` table `cmdline` parsing ([#6340](https://github.com/osquery/osquery/pull/6340)) - Fix a crash when parsing files with libmagic ([#6363](https://github.com/osquery/osquery/pull/6363)) - Fix a sporadic readFile API failure when using non-blocking I/O ([#6368](https://github.com/osquery/osquery/pull/6368)) - Fix the MSI package not always installing in the system drive by default ([#6379](https://github.com/osquery/osquery/pull/6379)) - Ensure the extensions uuid is never 0 ([#6377](https://github.com/osquery/osquery/pull/6377)) - Fix a race condition making the watcher act as a worker on Microsoft Windows 
([#6372](https://github.com/osquery/osquery/pull/6372)) - Fix extensions tables detaching which was sometimes failing ([#6373](https://github.com/osquery/osquery/pull/6373)) - Fix an issue with extensions re-registration ([#6374](https://github.com/osquery/osquery/pull/6374)) - Fix a crash due to a race condition in accessing the iokit port on Darwin (Apple OS X) ([#6380](https://github.com/osquery/osquery/pull/6380)) ### Hardening - Limit SQL functions regex_match and regex_split regex size ([#6267](https://github.com/osquery/osquery/pull/6267)) - Prevent a stack overflow when parsing deeply nested configs ([#6325](https://github.com/osquery/osquery/pull/6325)) ### Table Changes - Added table `chrome_extension_content_scripts` to All Platforms ([#6140](https://github.com/osquery/osquery/pull/6140)) - Added table `docker_container_fs_changes` to POSIX-compatible Plaforms ([#6178](https://github.com/osquery/osquery/pull/6178)) - Added table `windows_security_center` to Microsoft Windows ([#6256](https://github.com/osquery/osquery/pull/6256)) - Added many new tables to Linux to query `lxd` ([#6249](https://github.com/osquery/osquery/pull/6249)) - Added table `screenlock` to Darwin (Apple OS X) ([#6243](https://github.com/osquery/osquery/pull/6243)) - Added table `userassist` to Microsoft Windows ([#5539](https://github.com/osquery/osquery/pull/5539)) - Added column `status` (`TEXT`) to table `deb_packages` ([#6341](https://github.com/osquery/osquery/pull/6341)) - Added many new columns to the `curl_certificate` table ([#6176](https://github.com/osquery/osquery/pull/6176)) - Added table `socket_events` to Darwin (Apple OS X) ([#6028](https://github.com/osquery/osquery/pull/6028)) - Added table `hvci_status`, previously inadvertly left out from the build, to Microsoft Windows ([6378](https://github.com/osquery/osquery/pull/6378)) 2020-04-14T15:04:31+00:00 osquery 4.4.0 osquery 4.4.0 2020-06-25T19:06:51+00:00 ### New Features / Under the Hood improvements - Implement 
container access from tables on Linux ([#6209](https://github.com/osquery/osquery/pull/6209), [#6485](https://github.com/osquery/osquery/pull/6485)) - Update language to use 'allow list' and 'deny list' ([#6489](https://github.com/osquery/osquery/pull/6489), [#6487](https://github.com/osquery/osquery/pull/6487), [#6488](https://github.com/osquery/osquery/pull/6488), [#6493](https://github.com/osquery/osquery/pull/6493)) - macos: Automatic configuration of the OpenBSM audit rules ([#6447](https://github.com/osquery/osquery/pull/6447)) - macos: Add polling to OpenBSM publisher ([#6436](https://github.com/osquery/osquery/pull/6436)) - Add messages to distributed query results ([#6352](https://github.com/osquery/osquery/pull/6352)) - Implement event batching support for Windows tables ([#6280](https://github.com/osquery/osquery/pull/6280)) ### Table Changes - Add container access to the os_version table ([#6413](https://github.com/osquery/osquery/pull/6413)) - Add container access to DEB, RPM, NPM packages tables ([#6414](https://github.com/osquery/osquery/pull/6414)) - Add fields auid, fs{u,g}id, s{u,g}id to auditd based tables ([#6362](https://github.com/osquery/osquery/pull/6362)) - Improve apt_sources resiliency ([#6482](https://github.com/osquery/osquery/pull/6482)) - Make file and hash container columns hidden ([#6486](https://github.com/osquery/osquery/pull/6486)) - Add 'maintainer', 'section', 'priority' columns to deb_packages ([#6442](https://github.com/osquery/osquery/pull/6442)) - Add 'vendor', 'package_group' columns to rpm_packages ([#6443](https://github.com/osquery/osquery/pull/6443)) - Add 'arch' column to os_version ([#6444](https://github.com/osquery/osquery/pull/6444)) - Add 'board_xxx' columns to system_info table ([#6398](https://github.com/osquery/osquery/pull/6398)) - Windows: omit non-interactive sessions from logged_in_users ([#6375](https://github.com/osquery/osquery/pull/6375)) - Fixes to package_bom table 
([#6457](https://github.com/osquery/osquery/pull/6457), [#6461](https://github.com/osquery/osquery/pull/6461)) - Add chassis_info table for windows ([#5282](https://github.com/osquery/osquery/pull/5282)) - Add Azure tables ([#6507](https://github.com/osquery/osquery/pull/6507)) ### Bug Fixes - Update hash cache inode number in query cache ([#6440](https://github.com/osquery/osquery/pull/6440)) - Only explode registry key if it can be tokenized ([#6474](https://github.com/osquery/osquery/pull/6474)) - Change ErrorBase::takeUnderlyingError to non const ([#6483](https://github.com/osquery/osquery/pull/6483)) - Use RapidJSON to fix event format results and the Kafka Logger ([#6449](https://github.com/osquery/osquery/pull/6449)) - Correct the 'cwd' and 'root' columns of processes table on Windows ([#6459](https://github.com/osquery/osquery/pull/6459)) - Correct some SQLite types ([#6392](https://github.com/osquery/osquery/pull/6392)) - Partial fix for md_devices issue ([#6417](https://github.com/osquery/osquery/pull/6417)) - Fix the handling of empty args strings, on Windows ([#6460](https://github.com/osquery/osquery/pull/6460)) - Refactor shutdown logging, and remove explicit syslog call ([#6376](https://github.com/osquery/osquery/pull/6376)) - Change the Windows registry LIKE path constraint to filter recursively ([#6448](https://github.com/osquery/osquery/pull/6448)) - Use sync resolve within http client ([#6490](https://github.com/osquery/osquery/pull/6490)) - Fix typed_row table caching ([#6508](https://github.com/osquery/osquery/pull/6508)) - Do not use system proxy for AWS local authority ([#6512](https://github.com/osquery/osquery/pull/6512)) - Only populate table cache with star-like selects ([#6513](https://github.com/osquery/osquery/pull/6513)) ### Documentation - Update osquery security policy ([#6425](https://github.com/osquery/osquery/pull/6425)) - Updating changelog for 4.3.0 release ([#6387](https://github.com/osquery/osquery/pull/6387)) - Improve the 
new table tutorial ([#6479](https://github.com/osquery/osquery/pull/6479)) - Add Auto Table Construction to docs ([#6476](https://github.com/osquery/osquery/pull/6476)) - Add documentation for enabling socket_events on macOS ([#6407](https://github.com/osquery/osquery/pull/6407)) - Update winbaseobj table description ([#6429](https://github.com/osquery/osquery/pull/6429)) - Fixing the description of failed_login_count from account_policy_data ([#6415](https://github.com/osquery/osquery/pull/6415)) - Remove references to brew in macOS install ([#6494](https://github.com/osquery/osquery/pull/6494)) - Add note to bump the Homebrew cask ([#6519](https://github.com/osquery/osquery/pull/6519)) - Updating docs on cpack usage to include Chocolatey ([#6022](https://github.com/osquery/osquery/pull/6022)) - Changelog for 4.4.0 ([#6492](https://github.com/osquery/osquery/pull/6492), [#6523](https://github.com/osquery/osquery/pull/6523))) ### Build - Fix Userassist.test_sanity test sometimes failing ([#6396](https://github.com/osquery/osquery/pull/6396)) - Drop the facebook and source_migration layers ([#6473](https://github.com/osquery/osquery/pull/6473)) - Move ssdeep-cpp to source_migration ([#6464](https://github.com/osquery/osquery/pull/6464)) - Move smartmontools to source_migration ([#6465](https://github.com/osquery/osquery/pull/6465)) - Build augeas from source on macOS ([#6399](https://github.com/osquery/osquery/pull/6399)) - Build lldpd from source on macOS ([#6406](https://github.com/osquery/osquery/pull/6406)) - Build linenoise-ng from source on macOS and Windows ([#6412](https://github.com/osquery/osquery/pull/6412)) - Build sleuthkit from source on macOS ([#6416](https://github.com/osquery/osquery/pull/6416)) - Build popt from source on macOS ([#6409](https://github.com/osquery/osquery/pull/6409)) - Fix libelfin build on ossfuzz and LLVM/Clang 10 ([#6472](https://github.com/osquery/osquery/pull/6472)) - Use the patched libelfin version 
([#6480](https://github.com/osquery/osquery/pull/6480)) - codegen: Port Jinja2 to Templite ([#6470](https://github.com/osquery/osquery/pull/6470)) - Pass the minimum macOS SDK version to openssl only if explicitly set ([#6471](https://github.com/osquery/osquery/pull/6471)) - Add git-lfs as dep for macOS build in documentation ([#6384](https://github.com/osquery/osquery/pull/6384)) - Update openssl from 1.1.1f to 1.1.1g ([#6432](https://github.com/osquery/osquery/pull/6432)) - Build openssl with the macOS SDK version taken from CMake ([#6469](https://github.com/osquery/osquery/pull/6469)) - Do not install openssl docs ([#6441](https://github.com/osquery/osquery/pull/6441)) - Update build configuration of ReadTheDocs ([#6434](https://github.com/osquery/osquery/pull/6434), [#6456](https://github.com/osquery/osquery/pull/6456)) - Link librdkafka on Windows ([#6454](https://github.com/osquery/osquery/pull/6454)) - Build sleuthkit on Windows ([#6445](https://github.com/osquery/osquery/pull/6445)) - Add nupkg cpack build option and update Windows deployment script ([#6262](https://github.com/osquery/osquery/pull/6262)) - Fix rpm and deb package name format ([#6468](https://github.com/osquery/osquery/pull/6468)) - Fix atom_packages, processes, rpm_packages tests ([#6518](https://github.com/osquery/osquery/pull/6518)) - Fixes and cleanup for Windows compiler flags ([#6521](https://github.com/osquery/osquery/pull/6521)) - Correct macOS framework linking ([#6522](https://github.com/osquery/osquery/pull/6522)) ### Security Issues - Disable openssl compression support ([#6433](https://github.com/osquery/osquery/pull/6433)) ### Hardening - Use LOAD_LIBRARY_SEARCH_SYSTEM32 for LoadLibrary ([#6458](https://github.com/osquery/osquery/pull/6458)) 2020-06-25T19:06:51+00:00 osquery 4.5.0 osquery 4.5.0 2020-09-12T23:18:58+00:00 We would like to thank all of the contributors working on bootstrapping the ARM64/AARCH64 support and Windows 32bit support. 
Additionally, we want to thank those working on Unicode support and all the bug fixes, documentation improvements, and new features. Thank you! :clap: ### New Features - ARM64/AARCH64 beta support for Linux ([#6612](https://github.com/osquery/osquery/pull/6612)) - Windows 32bit support ([#6543](https://github.com/osquery/osquery/pull/6543)) - Fix buildup of RocksDB SST files ([#6606](https://github.com/osquery/osquery/pull/6606)) ### Under the Hood improvements - Remove selectAllFrom from Linux `process_events` callback ([#6638](https://github.com/osquery/osquery/pull/6638)) - Remove database read only concept ([#6637](https://github.com/osquery/osquery/pull/6637)) - Move database initialization retry logic into DB API ([#6633](https://github.com/osquery/osquery/pull/6633)) - Move osquery/include files into respective CMake targets ([#6557](https://github.com/osquery/osquery/pull/6557)) - Memoize `EventFactory::getType` ([#6555](https://github.com/osquery/osquery/pull/6555)) - Update schedule counter behavior ([#6223](https://github.com/osquery/osquery/pull/6223)) - Define `UNICODE` and `_UNICODE` preprocessors for windows ([#6338](https://github.com/osquery/osquery/pull/6338)) - Add WMI utility function to convert datetime to FILETIME ([#5901](https://github.com/osquery/osquery/pull/5901)) - Move osquery shutdown logic outside of `Initialize`r ([#6530](https://github.com/osquery/osquery/pull/6530)) ### Table Changes - Support for Windows Background Activity Moderator ([#6585](https://github.com/osquery/osquery/pull/6585)) - Add `apparmor_events` table to Linux ([#4982](https://github.com/osquery/osquery/pull/4982)) - Add `sigurl` column to get YARA signatures from an HTTPS server ([#6607](https://github.com/osquery/osquery/pull/6607)) - Add `sigrules` column to pass YARA signatures within queries ([#6568](https://github.com/osquery/osquery/pull/6568)) - Add non-evented table for querying `windows_event_log` ([#6563](https://github.com/osquery/osquery/pull/6563)) - 
Improve `chassis_types` and `security_breach` columns within `chassis_info` ([#6608](https://github.com/osquery/osquery/pull/6608)) - Fix bool type usage in `powershell_events` ([#6584](https://github.com/osquery/osquery/pull/6584)) - Add `FileVersionRaw` column to `file` table for Windows ([#5771](https://github.com/osquery/osquery/pull/5771)) - Enable YARA table on Windows ([#6564](https://github.com/osquery/osquery/pull/6564)) - Add `dns_cache` table for Windows ([#6505](https://github.com/osquery/osquery/pull/6505)) - Add support for processing KILL syscall ([#6435](https://github.com/osquery/osquery/pull/6435)) - Add `startup_item`s table for Linux ([#6502](https://github.com/osquery/osquery/pull/6502)) - Add `shimcache` table ([#6463](https://github.com/osquery/osquery/pull/6463)) - Refactor `shell_history` to use generators (it will use less memory) ([#6541](https://github.com/osquery/osquery/pull/6541)) ### Bug Fixes - Set thread names correctly on macOS and Linux ([#6627](https://github.com/osquery/osquery/pull/6627)) - Apply `--scheduler_timeout` correctly ([#6618](https://github.com/osquery/osquery/pull/6618)) - Add check for `character_frequencies` size ([#6625](https://github.com/osquery/osquery/pull/6625)) - Fix race in removing external `TablePlugins` ([#6623](https://github.com/osquery/osquery/pull/6623)) - Force shell to disable watchdog and logger ([#6621](https://github.com/osquery/osquery/pull/6621)) - Return early within the shell if relative flags are used ([#6605](https://github.com/osquery/osquery/pull/6605)) - Apply watcher delay each time the worker is started ([#6604](https://github.com/osquery/osquery/pull/6604)) - Set global output function for Thrift ([#6592](https://github.com/osquery/osquery/pull/6592)) - Fix incorrect `readFile` params in `createPidFile` ([#6578](https://github.com/osquery/osquery/pull/6578)) - Fix call to `LocalFree` on deinit ptr inside `getUidFromSid` ([#6579](https://github.com/osquery/osquery/pull/6579)) - Fix 
`readFile` to observe requested read size ([#6569](https://github.com/osquery/osquery/pull/6569)) - Replace fstream within `syslog_event`s with a custom non-blocking getline ([#6539](https://github.com/osquery/osquery/pull/6539)) - Only fire events if a publisher exists ([#6553](https://github.com/osquery/osquery/pull/6553)) - Fix Leak in `psidToString` ([#6548](https://github.com/osquery/osquery/pull/6548)) - Fix memory leaks in `rpm_package_files` ([#6544](https://github.com/osquery/osquery/pull/6544)) - Change "Symlink loop" message from warning to verbose ([#6545](https://github.com/osquery/osquery/pull/6545)) ### Documentation - Update process auditing docs schema link ([#6645](https://github.com/osquery/osquery/pull/6645)) - Improve descriptions for the `processes` table ([#6596](https://github.com/osquery/osquery/pull/6596)) - Replace slackin with Slack shared invite ([#6617](https://github.com/osquery/osquery/pull/6617)) - Update copyright notices to osquery foundation ([#6589](https://github.com/osquery/osquery/pull/6589), [#6590](https://github.com/osquery/osquery/pull/6590)) ### Build - Fix Windows build by removing non existing C11 conformance ([#6629](https://github.com/osquery/osquery/pull/6629)) - Remove `ExecStartPre` from systemd service unit ([#6586](https://github.com/osquery/osquery/pull/6586)) - Fix pip upgrade warning within CI ([#6576](https://github.com/osquery/osquery/pull/6576)) - Detect `MAJOR_IN_SYSMACROS`/`MKDEV` for librpm in CMake ([#6554](https://github.com/osquery/osquery/pull/6554)) - Add `curl_certificate` tests ([#5281](https://github.com/osquery/osquery/pull/5281)) - Update YARA library to 4.0.2 ([#6559](https://github.com/osquery/osquery/pull/6559)) - Improve testing assumptions and flush fsevents when stopping ([#6552](https://github.com/osquery/osquery/pull/6552)) - Fix the test utility to allow Windows profiling ([#6550](https://github.com/osquery/osquery/pull/6550)) - Support ASAN for boost coroutine2 using ucontext 
([#6531](https://github.com/osquery/osquery/pull/6531)) - Update instructions for CPack package building ([#6529](https://github.com/osquery/osquery/pull/6529)) - Use specific RPM variables to set the package name ([#6527](https://github.com/osquery/osquery/pull/6527)) - Update compiler version used to v142 within Azure ([#6528](https://github.com/osquery/osquery/pull/6528)) ### Hardening - Restore PIE support being dropped on Linux ([#6611](https://github.com/osquery/osquery/pull/6611)) 2020-09-12T23:18:58+00:00 osquery 4.5.1 osquery 4.5.1 2020-10-05T17:06:19+00:00 # osquery Changelog <a name="4.5.1"></a> ## [4.5.1](https://github.com/osquery/osquery/releases/tag/4.5.1) [Git Commits](https://github.com/osquery/osquery/compare/4.5.0...4.5.1) ### Under the Hood improvements - Improve carver tests by faking `postCarve` ([#6659](https://github.com/osquery/osquery/pull/6659)) - Emit an error during carving, if the `carve` SQL function is disabled ([#6658](https://github.com/osquery/osquery/pull/6658)) - Update `carves` specs to allow full scan ([#6657](https://github.com/osquery/osquery/pull/6657)) - Update `carves` table to use JSON ([#6656](https://github.com/osquery/osquery/pull/6656)) - Improve performance and accuracy of Windows `registry` querying ([#6647](https://github.com/osquery/osquery/pull/6647)) - Refactor `ephemeral` database plugin into core and simplify tests ([#6648](https://github.com/osquery/osquery/pull/6648)) ### Table Changes - Support for Office MRU (most recently used) entries ([#6587](https://github.com/osquery/osquery/pull/6587)) - Implement configurable timeout through WHERE clause on `curl_certificate` ([#6641](https://github.com/osquery/osquery/pull/6641)) - Add `atom_packages` table spec to window ([#6649](https://github.com/osquery/osquery/pull/6649)) - Add signature information to `authenticode` table on windows ([#6677](https://github.com/osquery/osquery/pull/6677)) - Add additional AWS regions 
([#6666](https://github.com/osquery/osquery/pull/6666)) ### Bug Fixes - Fix container overflow in `curl_certificate` ([#6664](https://github.com/osquery/osquery/pull/6664)) - Fix handling of invalid array bound error with `EvtNext` function ([#6660](https://github.com/osquery/osquery/pull/6660)) - Fix `wmi_bios_info` table searching ([#5246](https://github.com/osquery/osquery/pull/5246)) - Fix `image` column within `drivers` table on Windows ([#6652](https://github.com/osquery/osquery/pull/6652)) - Fix windows `dirPathsAreEqual` to use the documented way ([#6690](https://github.com/osquery/osquery/pull/6690)) - Fix incorrect `stat()` return checking within process_events ([#6694](https://github.com/osquery/osquery/pull/6694)) - Always flush `stdout` when called with `--help` ([#6693](https://github.com/osquery/osquery/pull/6693)) ### Documentation - Document max scheduled query interval ([#6683](https://github.com/osquery/osquery/pull/6683)) - Update documentation around build steps ([#6681](https://github.com/osquery/osquery/pull/6681)) - Documentation copy editing ([#6676](https://github.com/osquery/osquery/pull/6676), [#6665](https://github.com/osquery/osquery/pull/6665), [#6662](https://github.com/osquery/osquery/pull/6662)) - Add 4.5.0 CHANGELOG ([#6646](https://github.com/osquery/osquery/pull/6646)) - Add 4.5.1 CHANGELOG ([#6692](https://github.com/osquery/osquery/pull/6692)) ### Build - Improve flaky python test handling ([#6654](https://github.com/osquery/osquery/pull/6654)) - Restore `test_osqueryi` ([#6631](https://github.com/osquery/osquery/pull/6631)) - Limit `osqueryd` CPU usage to 20% in systemd unit file ([#6644](https://github.com/osquery/osquery/pull/6644)) - Improve flaky `test_osqueryi` ([#6688](https://github.com/osquery/osquery/pull/6688)) - Add `cppcheck` support to macOS ([#6685](https://github.com/osquery/osquery/pull/6685)) ### Hardening - Add exception catching for table execution ([#6689](https://github.com/osquery/osquery/pull/6689)) 
2020-10-05T17:06:19+00:00 osquery 4.6.0 osquery 4.6.0 2020-12-15T04:28:40+00:00 ## [4.6.0](https://github.com/osquery/osquery/releases/tag/4.6.0) [Git Commits](https://github.com/osquery/osquery/compare/4.5.1...4.6.0) ### New Features - Initial implementations for BPF-based socket and process events tables ([#6571](https://github.com/osquery/osquery/pull/6571)) - Support EC2 tables on Windows ([#6756](https://github.com/osquery/osquery/pull/6756)) ### Under the Hood improvements - BPF: Add container support to fork/vfork/clone ([#6721](https://github.com/osquery/osquery/pull/6721)) - BPF: Additional improvements on the initial implementation ([#6717](https://github.com/osquery/osquery/pull/6717)) - BPF: Fix the tests ([#6783](https://github.com/osquery/osquery/pull/6783)) - BPF: Fix wrong d_type compare in filesystem classes ([#6774](https://github.com/osquery/osquery/pull/6774)) - BPF: Implement additional syscalls to track file descriptor usage ([#6723](https://github.com/osquery/osquery/pull/6723)) - Remove unused LTCG flag ([#6769](https://github.com/osquery/osquery/pull/6769)) - Support TLS client certificate chains ([#6753](https://github.com/osquery/osquery/pull/6753)) - Refactor carver to use the Scheduler ([#6671](https://github.com/osquery/osquery/pull/6671)) - Add configuration flag to disable file_events by default ([#6663](https://github.com/osquery/osquery/pull/6663)) - libs: Build x86_64 configurations on Ubuntu 14.04 ([#6687](https://github.com/osquery/osquery/pull/6687)) - libs: Port the RocksDB Win7 compatibility patch to the MSBuild generator ([#6765](https://github.com/osquery/osquery/pull/6765)) - libs: Update BPF libraries to support LLVM 11 ([#6775](https://github.com/osquery/osquery/pull/6775)) - libs: Update RocksDB to version 6.14.5 ([#6759](https://github.com/osquery/osquery/pull/6759)) - libs: Update bzip2 to version 1.0.8 ([#6786](https://github.com/osquery/osquery/pull/6786)) - libs: Update ebpfpub to latest version 
([#6757](https://github.com/osquery/osquery/pull/6757)) - libs: Update sqlite to version 3.34.0 ([#6804](https://github.com/osquery/osquery/pull/6804)) - libs: update aws-sdk to 1.7.230 ([#6749](https://github.com/osquery/osquery/pull/6749)) - Adding support for pretty-printing JSON results in osqueryi ([#6695](https://github.com/osquery/osquery/pull/6695)) ### Table Changes - Add Yandex Browser support for chrome_extensions ([#6735](https://github.com/osquery/osquery/pull/6735)) - Add additional file stat flags to Darwin (bsd_flags) ([#6699](https://github.com/osquery/osquery/pull/6699)) - Add extended_attributes table to Linux, add support for Linux capabilities ([#6195](https://github.com/osquery/osquery/pull/6195)) - Add indexed column support to Windows users table ([#6782](https://github.com/osquery/osquery/pull/6782)) - Enable AWS Instance profile as credential provider on Windows ([#6754](https://github.com/osquery/osquery/pull/6754)) - Add systemd support for startup_items on Linux ([#6562](https://github.com/osquery/osquery/pull/6562)) ### Bug Fixes - Do not use memset on VirtualTable, a non-POD type ([#6760](https://github.com/osquery/osquery/pull/6760)) - Fix deadlock when registering two extensions ([#6745](https://github.com/osquery/osquery/pull/6745)) - Fix last_connected column in wifi_networks on Catalina ([#6669](https://github.com/osquery/osquery/pull/6669)) - Fix missing negations, duplicate rows in iptables table ([#6713](https://github.com/osquery/osquery/pull/6713)) - Fix shadow table to detect empty passwords ([#6696](https://github.com/osquery/osquery/pull/6696)) - Free memory allocated by ConvertStringSidToSid ([#6714](https://github.com/osquery/osquery/pull/6714)) - PackageIdentifiers are optional in InstallHistory.plist ([#6767](https://github.com/osquery/osquery/pull/6767)) - Removing PUNYCODE flag from windows string conversions ([#6730](https://github.com/osquery/osquery/pull/6730)) - Fix memory leak in the dbus classes 
([#6773](https://github.com/osquery/osquery/pull/6773)) - Change the kernel_modules size column type to BIGINT ([#6712](https://github.com/osquery/osquery/pull/6712)) ### Documentation - Add a README.md to source-based libraries ([#6686](https://github.com/osquery/osquery/pull/6686)) - Fix spelling typos ([#6705](https://github.com/osquery/osquery/pull/6705)) - Journald Audit Logs Masking Documentation ([#6748](https://github.com/osquery/osquery/pull/6748)) ### Build - CI: Provide built packages as Azure artifacts ([#6772](https://github.com/osquery/osquery/pull/6772)) - CI: Python installation improvements on Windows ([#6764](https://github.com/osquery/osquery/pull/6764)) - CI: Update brew scripts ([#6794](https://github.com/osquery/osquery/pull/6794)) - CMake: Disable BPF support if the LLVM libs are not compatible ([#6746](https://github.com/osquery/osquery/pull/6746)) - CMake: Use CPACK_RPM_PACKAGE_RELEASE ([#6805](https://github.com/osquery/osquery/pull/6805)) - CMake: Add max version limit to 3.18.0 on Linux ([#6801](https://github.com/osquery/osquery/pull/6801)) - Change urls for submodules gpg-error, libgcrypt, libcap ([#6768](https://github.com/osquery/osquery/pull/6768)) - Reduce linkage requirements for tests ([#6715](https://github.com/osquery/osquery/pull/6715)) - Remove a Buck leftover ([#6799](https://github.com/osquery/osquery/pull/6799)) - Remove boost workaround introduced in #5591 for string_view ([#6771](https://github.com/osquery/osquery/pull/6771)) - Tests: Fix tests on Catalina ([#6704](https://github.com/osquery/osquery/pull/6704)) - Update cmake_minum_required to 3.17.5 and pin version in CI ([#6770](https://github.com/osquery/osquery/pull/6770)) - build: Fix Windows build on newer MSVC ([#6732](https://github.com/osquery/osquery/pull/6732)) - extensions: Always compile examples to prevent them from breaking ([#6747](https://github.com/osquery/osquery/pull/6747)) ### Security Issues - Add SQLite authorizer to mitgate CVE-2020-26273 / 
GHSA-4g56-2482-x7q8 (https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c) ### Packs - Updated unwanted-chrome-extensions ([#6720](https://github.com/osquery/osquery/pull/6720)) - Restrict the usb_devices pack to Posix ([#6739](https://github.com/osquery/osquery/pull/6739)) - Add Reptile rootkit to ossec-rootkit pack ([#6703](https://github.com/osquery/osquery/pull/6703)) 2020-12-15T04:28:40+00:00 osquery 4.7.0 osquery 4.7.0 2021-03-12T19:03:02+00:00 Commits from 21 contributors! Thank you all! ### New Features - Add `concat` and `concat_ws` sql functions ([#6927](https://github.com/osquery/osquery/pull/6927)) - Update the scheduler to log the query name at info level ([#6934](https://github.com/osquery/osquery/pull/6934)) - Add support for SQLite RPM databases ([#6939](https://github.com/osquery/osquery/pull/6939)) ### Table Changes - Add `computer` column to Windows Eventlogs ([#6952](https://github.com/osquery/osquery/pull/6952)) - Add `docker_image_history` table ([#6884](https://github.com/osquery/osquery/pull/6884)) - Add `filevault_status` column to disk_encryption table ([#6823](https://github.com/osquery/osquery/pull/6823)) - Add `location_services` table on macOS ([#6826](https://github.com/osquery/osquery/pull/6826)) - Add `shellbags` table ([#6949](https://github.com/osquery/osquery/pull/6949)) - Add `system_extensions` table on macOS ([#6863](https://github.com/osquery/osquery/pull/6863)) - Add `systemd_units` table ([#6593](https://github.com/osquery/osquery/pull/6593)) - Add `ycloud_instance_metadata` table ([#6961](https://github.com/osquery/osquery/pull/6961)) - Fix loading of YARA rules on Windows ([#6893](https://github.com/osquery/osquery/pull/6893)) - Fix macOS OpenDirectory attribute mismatch ([#6816](https://github.com/osquery/osquery/pull/6816)) - Update `augeas` table not to autoload system lenses ([#6980](https://github.com/osquery/osquery/pull/6980)) - Update `chrome_extensions` table -- more browser support 
and tests ([#6780](https://github.com/osquery/osquery/pull/6780)) - Update `office_mru` table to correct platforms ([#6827](https://github.com/osquery/osquery/pull/6827)) - Update aws table to include macOS ([#6817](https://github.com/osquery/osquery/pull/6817)) ### Under the Hood improvements - Remove Azure Pipelines ([#6953](https://github.com/osquery/osquery/pull/6953)) - Disable deprecated TLS versions 1.0, 1.1 ([#6910](https://github.com/osquery/osquery/pull/6910)) - Use librpm bdb_ro backend and remove bdb ([#6931](https://github.com/osquery/osquery/pull/6931)) - bpf: Improve execve/execveat tracing, add AArch64 build support ([#6802](https://github.com/osquery/osquery/pull/6802)) - Use a distinct carver `request_id` and add this to the schema ([#6959](https://github.com/osquery/osquery/pull/6959)) - Initialize TLSLogForwarder before enrollment check ([#6958](https://github.com/osquery/osquery/pull/6958)) - Put noisy thrift logs behind a flag ([#6951](https://github.com/osquery/osquery/pull/6951)) - Fix bug in windows thrift, causing named pipe closing ([#6937](https://github.com/osquery/osquery/pull/6937)) - Remove unused/experimental ebpf code ([#6879](https://github.com/osquery/osquery/pull/6879)) - Remove unused ev2 code ([#6878](https://github.com/osquery/osquery/pull/6878)) - Refactor the eventing framework to reduce disk IO and improve performance([#6610](https://github.com/osquery/osquery/pull/6610)) ### Bug Fixes - Add `journal_mode` to the sqlite authorizer PRAGMAs ([#6999](https://github.com/osquery/osquery/pull/6999)) - Add `table_info` to the sqlite authorizer PRAGMAs ([#6814](https://github.com/osquery/osquery/pull/6814)) - Always use BIGINT macro for `long long` data ([#6986](https://github.com/osquery/osquery/pull/6986)) - Copy JSON objects to avoid MemoryPool buildup ([#6957](https://github.com/osquery/osquery/pull/6957)) - Do not call unconfigured subscribers errors ([#6847](https://github.com/osquery/osquery/pull/6847)) - Do not ignore 
mountpoints that have the same mount path ([#6871](https://github.com/osquery/osquery/pull/6871)) - Do not start scheduler when shutting down ([#6960](https://github.com/osquery/osquery/pull/6960)) - Don't mark scope and key columns as index in selinux_settings table ([#6872](https://github.com/osquery/osquery/pull/6872)) - Fix `augeas` table output bug for non-path entries ([#6981](https://github.com/osquery/osquery/pull/6981)) - Fix `pids` column in `docker_container_stats` table ([#6965](https://github.com/osquery/osquery/pull/6965)) - Fix additional relative path check in Yara for Windows ([#6894](https://github.com/osquery/osquery/pull/6894)) - Fix config validation oom with duplicated keys ([#6876](https://github.com/osquery/osquery/pull/6876)) - Fix data type macro used for 64-bit timestamp variables ([#6897](https://github.com/osquery/osquery/pull/6897)) - Fix error in `process_open_files` inode need stoul, not stoi ([#6983](https://github.com/osquery/osquery/pull/6983)) - Fix leaks when a query fails from the shell ([#6849](https://github.com/osquery/osquery/pull/6849)) - Fix mem leak regression with Windows sids API ([#6984](https://github.com/osquery/osquery/pull/6984)) - Make Group ID columns consistent across Windows tables ([#6987](https://github.com/osquery/osquery/pull/6987)) - When iterating /proc, use individual try/catch so catch partial failures ([#6933](https://github.com/osquery/osquery/pull/6933)) - augeas: Clear aug pointer on error ([#6973](https://github.com/osquery/osquery/pull/6973)) ### Documentation - Add 4.6.0 CHANGELOG ([#6809](https://github.com/osquery/osquery/pull/6809)) - Add 4.7.0 CHANGELOG ([#6985](#https://github.com/osquery/osquery/pull/6985)) - Add docs for TLS enroll max attempts ([#6888](https://github.com/osquery/osquery/pull/6888)) - Change reference about Azure Pipelines to GitHub Actions ([#6988](https://github.com/osquery/osquery/pull/6988)) - Clarify FIM exclude category documentation 
([#6966](https://github.com/osquery/osquery/pull/6966)) - Document retrieval of available tables/columns via SQL ([#6812](https://github.com/osquery/osquery/pull/6812)) - Fix Github Actions status badge in the README ([#6908](https://github.com/osquery/osquery/pull/6908)) - Fix all broken or redirected URLs and references ([#6835](https://github.com/osquery/osquery/pull/6835)) - Fix broken URL in docs ([#6882](https://github.com/osquery/osquery/pull/6882)) - Fix incorrect Slack URLs ([#6844](https://github.com/osquery/osquery/pull/6844)) - Fix packs discovery queries documentation ([#6946](https://github.com/osquery/osquery/pull/6946)) - Fix reference to a Powershell script on Windows ([#6936](https://github.com/osquery/osquery/pull/6936)) - Fix typos in source code ([#6901](https://github.com/osquery/osquery/pull/6901)) - Improve explanations of event control flags ([#6954](https://github.com/osquery/osquery/pull/6954)) - Spellcheck and Markdown edits ([#6899](https://github.com/osquery/osquery/pull/6899)) - Update README to include release process comment ([#6877](https://github.com/osquery/osquery/pull/6877)) - Update documentation about denylist schedule key ([#6922](https://github.com/osquery/osquery/pull/6922)) - Update macOS OpenBSM configuration ([#6916](https://github.com/osquery/osquery/pull/6916)) - Update the Linux install steps and package listing ([#6956](https://github.com/osquery/osquery/pull/6956)) - Update the info about osquery's TLS version support ([#6963](https://github.com/osquery/osquery/pull/6963)) ### Build - Fix reference to a Powershell script on Windows ([#6936](https://github.com/osquery/osquery/pull/6936)) - Fix typos in source code ([#6901](https://github.com/osquery/osquery/pull/6901)) - Improve explanations of event control flags ([#6954](https://github.com/osquery/osquery/pull/6954)) - Spellcheck and Markdown edits ([#6899](https://github.com/osquery/osquery/pull/6899)) - Update README to include release process comment 
([#6877](https://github.com/osquery/osquery/pull/6877)) - Update documentation about denylist schedule key ([#6922](https://github.com/osquery/osquery/pull/6922)) - Update macOS OpenBSM configuration ([#6916](https://github.com/osquery/osquery/pull/6916)) - Update the Linux install steps and package listing ([#6956](https://github.com/osquery/osquery/pull/6956)) - Update the info about osquery's TLS version support ([#6963](https://github.com/osquery/osquery/pull/6963)) ### Build - CI: Add a RelWithDebInfo Linux job to generate packages ([#6838](https://github.com/osquery/osquery/pull/6838)) - CI: Add support for GitHub Actions ([#6885](https://github.com/osquery/osquery/pull/6885)) - CI: Add unit tests for RPM DB querying ([#6919](https://github.com/osquery/osquery/pull/6919)) - CI: Fix ExtendedAttributesTableTests failing due to an unexpected attribute ([#6942](https://github.com/osquery/osquery/pull/6942)) - CI: Fix StartupItemTest failing due to unexpected values ([#6940](https://github.com/osquery/osquery/pull/6940)) - CI: Fix SystemControlsTest adding sunrpc as an expected subsystem ([#6932](https://github.com/osquery/osquery/pull/6932)) - CI: Fix XattrTests failing due to unexpected attribute name ([#6941](https://github.com/osquery/osquery/pull/6941)) - CI: Fix an incorrect check in StartupItems test ([#6950](https://github.com/osquery/osquery/pull/6950)) - CI: Fix wifi_tests on macOS 10.15 and above ([#6724](https://github.com/osquery/osquery/pull/6724)) - CI: Move cppcheck step after the tests ([#6845](https://github.com/osquery/osquery/pull/6845)) - CI: Permit running formatting earlier in the CI ([#6836](https://github.com/osquery/osquery/pull/6836)) - CI: Remove incorrect 2to3 symlink breaking Python brew upgrade ([#6819](https://github.com/osquery/osquery/pull/6819)) - CI: Remove unused empty test file ([#6918](https://github.com/osquery/osquery/pull/6918)) - CI: Remove unused tests for Rocksdb and Inmemory db plugins 
([#6900](https://github.com/osquery/osquery/pull/6900)) - CI: Update XCode to 12.3 and Update min macOS version to 10.12 ([#6896](https://github.com/osquery/osquery/pull/6896), [#6913](https://github.com/osquery/osquery/pull/6913)) - CI: Update macOS agent to 10.15 Catalina ([#6680](https://github.com/osquery/osquery/pull/6680)) - CMake: Add -pthread compile option on posix platforms ([#6909](https://github.com/osquery/osquery/pull/6909)) - CMake: Add Valgrind support ([#6834](https://github.com/osquery/osquery/pull/6834)) - CMake: Add an option to disable building AWS tables and library ([#6831](https://github.com/osquery/osquery/pull/6831)) - CMake: Add an option to disable building libdpkg tables and library ([#6848](https://github.com/osquery/osquery/pull/6848)) - CMake: Detect missing headers during include namespace generation ([#6855](https://github.com/osquery/osquery/pull/6855)) - CMake: Do not attempt to dllimport Thrift symbols ([#6856](https://github.com/osquery/osquery/pull/6856)) - CMake: Do not compile Windows libraries with debug symbols ([#6833](https://github.com/osquery/osquery/pull/6833)) - CMake: Explicitly set the MSVC runtime library ([#6818](https://github.com/osquery/osquery/pull/6818)) - CMake: Fix amalgamated tables generation on change ([#6832](https://github.com/osquery/osquery/pull/6832)) - CMake: Fix platformtablecontaineripc include namespace generation ([#6853](https://github.com/osquery/osquery/pull/6853)) - CMake: Further fix amalgamation file gen on change ([#6854](https://github.com/osquery/osquery/pull/6854)) - CMake: Refactor and rename fuzzers build flag ([#6829](https://github.com/osquery/osquery/pull/6829)) - CMake: Significantly speed up configuration phase ([#6914](https://github.com/osquery/osquery/pull/6914)) - CMake: Use make jobserver for OpenSSL on Linux and macOS ([#6821](https://github.com/osquery/osquery/pull/6821)) - CPack: Remove extraneous lenses directory for augues on macOS 
([#6998](https://github.com/osquery/osquery/pull/6998)) - Change libdpkg submodule url to our own GitHub mirror ([#6903](https://github.com/osquery/osquery/pull/6903)) - Disable incremental linking to reduce build size on Windows ([#6898](https://github.com/osquery/osquery/pull/6898)) - GitHub Actions: Fix .deb artifacts, add scheduled builds ([#6920](https://github.com/osquery/osquery/pull/6920)) - Remove `hash` and `yara` table from fuzz harnesses ([#6972](https://github.com/osquery/osquery/pull/6972)) - libraries: Reduce the compilation units from libarchive ([#6886](https://github.com/osquery/osquery/pull/6886)) - libraries: Remove the last usage of sqlite3 from sleuthkit ([#6858](https://github.com/osquery/osquery/pull/6858)) - libraries: Rename yara str functions to avoid symbol collisions ([#6917](https://github.com/osquery/osquery/pull/6917)) - libraries: Update librpm to version 4.16.1.2 ([#6850](https://github.com/osquery/osquery/pull/6850)) - libraries: Update openssl to version 1.1.1i ([#6820](https://github.com/osquery/osquery/pull/6820)) - libraries: Update thrift to version 0.13.0 ([#6822](https://github.com/osquery/osquery/pull/6822)) ### Hardening - Update CODEOWNERS to reflect existing teams ([#6955](https://github.com/osquery/osquery/pull/6955), [#6975](https://github.com/osquery/osquery/pull/6975)) - Restrict access to Thrift server pipe on Windows ([#6875](https://github.com/osquery/osquery/pull/6875)) - Fix a leak in libdpkg when querying the `deb_packages` table ([#6892](https://github.com/osquery/osquery/pull/6892)) - Fix UB and dangerous casting in the pubsub framework ([#6881](https://github.com/osquery/osquery/pull/6881)) - Fix heap-use-after-free in deregisterEventSubscriber ([#6880](https://github.com/osquery/osquery/pull/6880)) - Thift patch to support security configuration ([#6846](https://github.com/osquery/osquery/pull/6846)) - Improve config fuzzer dictionary creation script ([#6860](https://github.com/osquery/osquery/pull/6860)) 
- Avoid running queries for views when fuzzing ([#6859](https://github.com/osquery/osquery/pull/6859)) 2021-03-12T19:03:02+00:00 osquery 0.0.2 osquery 0.0.2 2021-04-15T11:48:17+00:00 2021-04-15T11:48:17+00:00 osquery 4.8.0 osquery 4.8.0 2021-04-19T02:42:24+00:00 ## [4.8.0](https://github.com/osquery/osquery/releases/tag/4.8.0) [Git Commits](https://github.com/osquery/osquery/compare/4.7.0...4.8.0) Representing commits from 14 contributors! Thank you all. This version fixes a regression introduced in 4.7.0 related to events expiration optimization. Please read ([#7055](https://github.com/osquery/osquery/pull/7055)) for more information. This release upgrades openssl, as is general good practice. Osquery is not known to be effected by any security issues in OpenSSL. ### New Features - shell: Add `.connect` meta command ([#6944](https://github.com/osquery/osquery/pull/6944)) ### Table Changes - Add `seccomp_events` table for Linux ([#7006](https://github.com/osquery/osquery/pull/7006)) - Add `shortcut_files` table for Windows ([#6994](https://github.com/osquery/osquery/pull/6994)) ### Under the Hood improvements - Removing Keyboard Event Taps from osx-attacks pack ([#7023](https://github.com/osquery/osquery/pull/7023)) - Refactor watcher out of singleton pattern ([#7042](https://github.com/osquery/osquery/pull/7042)) - Small events subscriber refactor to increase test coverage ([#7050](https://github.com/osquery/osquery/pull/7050)) - Setting non-required `deb_packages` fields as optional in test ([#7001](https://github.com/osquery/osquery/pull/7001)) ### Bug Fixes - Handle events optimization edge cases ([#7060](https://github.com/osquery/osquery/pull/7060)) - Fix optimization for multiple queries using the same subscriber ([#7055](https://github.com/osquery/osquery/pull/7055)) - Use epoch and counter for events-based queries ([#7051](https://github.com/osquery/osquery/pull/7051)) - Guard node key to prevent duplicate enrollments 
([#7052](https://github.com/osquery/osquery/pull/7052)) - Change windows calculation for physical_memory ([#7028](https://github.com/osquery/osquery/pull/7028)) - Free using WTSFreeMemoryEx for WTSEnumerateSessionsExW ([#7039](https://github.com/osquery/osquery/pull/7039)) - Release variable in Windows data conversation ([#7024](https://github.com/osquery/osquery/pull/7024)) - Change `chrome_extensions` warnings to verbose ([#7032](https://github.com/osquery/osquery/pull/7032)) - Add transactions to the SQLite authorizer PRAGMAs ([#7029](https://github.com/osquery/osquery/pull/7029)) - Change Windows messages to verbose ([#7027](https://github.com/osquery/osquery/pull/7027)) - Fix scheduler to print the correct number of elapsed seconds ([#7016](https://github.com/osquery/osquery/pull/7016)) ### Documentation - Fix `tls_enroll_max_attempts` flag name in the documentation ([#7049](https://github.com/osquery/osquery/pull/7049)) - Improve docs on FIM, mention NTFS and Audit, etc. ([#7036](https://github.com/osquery/osquery/pull/7036)) - config: Add docs for the events top-level-key ([#7040](https://github.com/osquery/osquery/pull/7040)) - Add funding link on GitHub generated page ([#7043](https://github.com/osquery/osquery/pull/7043)) - Correct the example in the `windows_events` table spec ([#7035](https://github.com/osquery/osquery/pull/7035)) - Correct docs about OpenSSL and TLS behavior ([#7033](https://github.com/osquery/osquery/pull/7033)) - Update docs to describe how to build for aarch64/arm64 (#6285) ([#6970](https://github.com/osquery/osquery/pull/6970)) - Add a note on enabling Windows to build with CMake's long paths ([#7010](https://github.com/osquery/osquery/pull/7010)) - Add 4.8.0 CHANGELOG ([#7057](https://github.com/osquery/osquery/pull/7057)) ### Build - Add an option to enable incremental linking on Windows ([#7044](https://github.com/osquery/osquery/pull/7044)) - Remove Buck leftovers that supported building with old versions of OpenSSL 
([#7034](https://github.com/osquery/osquery/pull/7034)) - Add build_aarch64 workflow for push ([#7014](https://github.com/osquery/osquery/pull/7014)) - Move CI to using docker from osquery ([#7012](https://github.com/osquery/osquery/pull/7012)) - Update dockerfile to multiplatform ([#7011](https://github.com/osquery/osquery/pull/7011)) - Run GH Actions workflows on all tags ([#7004](https://github.com/osquery/osquery/pull/7004)) - Disable BPF events tests if OSQUERY_BUILD_BPF is false ([#7002](https://github.com/osquery/osquery/pull/7002)) - libs: Update OpenSSL to version 1.1.1k ([#7026](https://github.com/osquery/osquery/pull/7026)) 2021-04-19T02:42:24+00:00 osquery 4.9.0 osquery 4.9.0 2021-06-14T14:39:45+00:00 Representing commits from 16 contributors! Thank you all. ### New Features - Add filesystem logrotate feature ([#7015](https://github.com/osquery/osquery/pull/7015)) - Add Non-Functional EndpointSecurity based process events to macOS (Requires updated codesigning due in 5.0) ([#7046](https://github.com/osquery/osquery/pull/7046)) ### Table Changes - Add `mdm_managed` column to `system_extensions` on macOS ([#6915](https://github.com/osquery/osquery/pull/6915)) - Add `prefetch` table on Windows ([#7076](https://github.com/osquery/osquery/pull/7076)) - Add support for IMDSv2 to AWS tables ([#7084](https://github.com/osquery/osquery/pull/7084)) - Enable container stats on docker containers that don't have traditional networks ([#7145](https://github.com/osquery/osquery/pull/7145)) - Update `homebrew_packages` to include new prefix, and allow specifying alternate prefixes ([#7117](https://github.com/osquery/osquery/pull/7117)) - Update `ntfs_acl_permissions` to list all ACE entries (using `GetAce()`) ([#7114](https://github.com/osquery/osquery/pull/7114)) - Update `processes` table to display additional Windows attributes (`secured`, `protected`, `virtual`, `elevated`) ([#7121](https://github.com/osquery/osquery/pull/7121)) - Update how 
`package_install_history` identifies the packageIdentifiers key ([#7099](https://github.com/osquery/osquery/pull/7099)) - Update how `identifier` is calculated in `chrome_extensions` ([#7124](https://github.com/osquery/osquery/pull/7124)) ### Under the Hood improvements - Improve speed of osquery shutdown procedure ([#7077](https://github.com/osquery/osquery/pull/7077)) - Improve shutdown speed during initialization ([#7106](https://github.com/osquery/osquery/pull/7106)) - Update website generators ([#7136](https://github.com/osquery/osquery/pull/7136)) - CLI flag to allow osquery to keep retrying enrollment (instead of exiting) ([#7125](https://github.com/osquery/osquery/pull/7125)) - rocksdb: Do not fsync WAL writes ([#7094](https://github.com/osquery/osquery/pull/7094)) - Move CPack packaging to a dedicated repository ([#7059](https://github.com/osquery/osquery/pull/7059)) - Restore thrift socket 5min timeout ([#7072](https://github.com/osquery/osquery/pull/7072)) - Consolidate syscalls to a single audit rule ([#7063](https://github.com/osquery/osquery/pull/7063)) ### Bug Fixes - Add current WMI location for Dell BIOS info ([#7103](https://github.com/osquery/osquery/pull/7103)) - Correct RocksDB error code and subcode printing on open failure ([#7069](https://github.com/osquery/osquery/pull/7069)) - Fix `pipe_channel` not reading all data in a message ([#7139](https://github.com/osquery/osquery/pull/7139)) - Fix crash and deadlocks in recursive logging ([#7127](https://github.com/osquery/osquery/pull/7127)) - Fix custom `curl_certificate` timeouts ([#7151](https://github.com/osquery/osquery/pull/7151)) - Fix extensions crash on shutdown ([#7075](https://github.com/osquery/osquery/pull/7075)) - Handle updated paths on various macOS tables -- `xprotect_entries`, `xprotect_meta`, `launchd` ([#7138](https://github.com/osquery/osquery/pull/7138), [#7154](https://github.com/osquery/osquery/pull/7154)) - Trigger event cleanup checks every 256 events 
([#7143](https://github.com/osquery/osquery/pull/7143)) - Update generating an extension uuid to be thread safe ([#7135](https://github.com/osquery/osquery/pull/7135)) - Watchdog should wait for the worker to shutdown ([#7116](https://github.com/osquery/osquery/pull/7116)) ### Documentation - Update process auditing requirements documentation ([#7102](https://github.com/osquery/osquery/pull/7102)) - Update website docs indicating windows support for YARA tables ([#7130](https://github.com/osquery/osquery/pull/7130)) - Add 4.9.0 CHANGELOG ([#7152](https://github.com/osquery/osquery/pull/7152)) ### Build - Add Apple provisioning profile for distribution ([#7119](https://github.com/osquery/osquery/pull/7119)) - Add more tests for events expiration ([#7071](https://github.com/osquery/osquery/pull/7071)) - CI: Regenerate sccache cache when compiler version changes ([#7081](https://github.com/osquery/osquery/pull/7081)) - Fix flaky test test_daemon_sigint by waiting for pidfile ([#7095](https://github.com/osquery/osquery/pull/7095)) - Fix icon in Windows packaging ([#7148](https://github.com/osquery/osquery/pull/7148)) - Minor cleanup of unused variables ([#7128](https://github.com/osquery/osquery/pull/7128)) - Print extension SDK minimum version required when failing to load ([#7074](https://github.com/osquery/osquery/pull/7074)) - Remove POSIX-only `-fexceptions` flag on Windows ([#7126](https://github.com/osquery/osquery/pull/7126)) - Remove duplicated osquery_utils_aws_tests-test ([#7078](https://github.com/osquery/osquery/pull/7078)) - Remove flaky test decorators for python tests ([#7070](https://github.com/osquery/osquery/pull/7070)) - Update SQLite to version 3.35.5 ([#7090](https://github.com/osquery/osquery/pull/7090)) - Update librdkafka to version 1.7.0 ([#7134](https://github.com/osquery/osquery/pull/7134)) - Update libyara to version 4.1.1 ([#7133](https://github.com/osquery/osquery/pull/7133)) 2021-06-14T14:39:45+00:00 osquery 5.0.0 osquery 5.0.0 
2021-08-26T18:25:13+00:00 Initial draft of the 5.0. This release may be deleted! 2021-08-26T18:25:13+00:00 osquery 5.0.1 osquery 5.0.1 2021-09-03T03:39:13+00:00 Next 5.0 beta! Moving along 2021-09-03T03:39:13+00:00 osquery 5.1.0 osquery 5.1.0 2021-12-03T15:06:13+00:00 5.1.0 notes coming soon! 2021-12-03T15:06:13+00:00 osquery 5.2.0 osquery 5.2.0 2021-12-29T02:28:52+00:00 Apple M1 Support! Release notes coming soon 2021-12-29T02:28:52+00:00 osquery 5.2.1 osquery 5.2.1 2022-01-18T18:47:56+00:00 yara bug fix 2022-01-18T18:47:56+00:00 osquery 5.2.2 osquery 5.2.2 2022-02-04T16:30:54+00:00 Native M1 Support. Very Exciting. Release notes coming soon 2022-02-04T16:30:54+00:00 osquery 5.2.3 osquery 5.2.3 2022-04-05T22:05:20+00:00 Full Commits: https://github.com/osquery/osquery/compare/5.2.2...5.2.3 2022-04-05T22:05:20+00:00 osquery 5.3.0 osquery 5.3.0 2022-05-24T20:33:25+00:00 <a name="5.3.0"></a> ## [5.3.0](https://github.com/osquery/osquery/releases/tag/5.3.0) [Git Commits](https://github.com/osquery/osquery/compare/5.2.3...5.3.0) osquery 5.3.0 brings several table improvements and bugfixes. Worth mentioning also the deprecation of the `smart_drive_info` table and the new warning added when incorrectly configuring a CLI only flag via the config file. In the next release CLI only flags will not be configurable through the config file or refresh anymore. This release represents commits from 15 contributors! Thank you all. 
### Deprecation Notices - Deprecate unmaintainable legacy table, `smart_drive_info` [#7464](https://github.com/osquery/osquery/issues/7464) ### New Features - Add the option `tls_disable_status_log` to prevent status logs from being sent via TLS [#7550](https://github.com/osquery/osquery/pull/7550) - Add SQLite function `in_cidr_block` to check if IPv4/v6 addresses are within the supplied CIDR block [#7563](https://github.com/osquery/osquery/pull/7563) ### Table Changes - Add the `admindir` column to the `deb_packages` table to parse package databases on different paths [#7549](https://github.com/osquery/osquery/pull/7549) - Implement and fix `wifi_networks` on macOS Big Sur and newer [#7503](https://github.com/osquery/osquery/pull/7503) - Add windows/darwin support to `npm_packages` [#7536](https://github.com/osquery/osquery/pull/7536) - Move `apt_sources` and `yum_sources` tables to linux only [#7537](https://github.com/osquery/osquery/pull/7537) - Add homebrew paths to the `python_packages` table [#7535](https://github.com/osquery/osquery/pull/7535) - Mark `wall_time` column in `osquery_schedule` as hidden [#7501](https://github.com/osquery/osquery/pull/7501) - Add new metrics and improve description of existing ones in `osquery_schedule` [#7438](https://github.com/osquery/osquery/pull/7438) - Add the `mirrorlist` column in the table `yum_sources` [#7479](https://github.com/osquery/osquery/pull/7479) - Implement `output_size` for `osquery_schedule` [#7436](https://github.com/osquery/osquery/pull/7436) - `deb_packages` table: Use additional instead of index for the `admindir` column [#7573](https://github.com/osquery/osquery/pull/7573) - `certificates` table: Add Linux support [#7570](https://github.com/osquery/osquery/pull/7570) - Add `translated` column to `processes` table to indicate whether the process is running under Apple Rosetta [#7507](https://github.com/osquery/osquery/pull/7507) - Add the "internet password" type to the macOS `keychain_items` table 
[#7576](https://github.com/osquery/osquery/pull/7576)
- Add `original filename` column to `file` table on Windows [#7156](https://github.com/osquery/osquery/pull/7156)

### Bug Fixes

- Fix watchdog not killing unhealthy worker/extension fast enough [#7474](https://github.com/osquery/osquery/pull/7474)
- Fix the `test_http_server.py` `--persist` option [#7497](https://github.com/osquery/osquery/pull/7497)
- Update `profile.py --leaks` for python3 [#7534](https://github.com/osquery/osquery/pull/7534)
- Fix osquery TLS connections to AWS Kinesis when `tls_server_certs` is set [#7450](https://github.com/osquery/osquery/pull/7450)
- Fix parsing issue when a backslash is the last character on a sudoers file line [#7440](https://github.com/osquery/osquery/pull/7440)
- Change the JSON of the results coming from an event scheduled query to an array [#7434](https://github.com/osquery/osquery/pull/7434)
- Fix globToRegex truncating UTF16 characters [#7430](https://github.com/osquery/osquery/pull/7430)
- Prevent hanging when the WMI server does not respond [#7429](https://github.com/osquery/osquery/pull/7429)
- Fix `python_packages` table so that it lists python packages from any user Python installations [#7414](https://github.com/osquery/osquery/pull/7414)
- Set string size limit on thrift protocol factory to prevent a crash [#7484](https://github.com/osquery/osquery/pull/7484)
- Fix driver image path in `drivers` table [#7444](https://github.com/osquery/osquery/pull/7444)
- Do not remove nonblocking flag when reading "special" files, to prevent hangs [#7530](https://github.com/osquery/osquery/pull/7530)
- Fix crash due to interaction between distributed and config plugin [#7504](https://github.com/osquery/osquery/pull/7504)
- bpf: Disable the BPF publisher in case of error [#7500](https://github.com/osquery/osquery/pull/7500)
- Warn about setting CLI_FLAGs in the config [#7583](https://github.com/osquery/osquery/pull/7583)
- Explicitly set context for the tables reading utmpx databases [#7578](https://github.com/osquery/osquery/pull/7578)
- bpf: Improve socket event handling [#7446](https://github.com/osquery/osquery/pull/7446)
- certificates: Refactor the OpenSSL utilities [#7581](https://github.com/osquery/osquery/pull/7581)
- Fix shared_resources accessing uninitialized variables [#7600](https://github.com/osquery/osquery/pull/7600)

### Under the Hood improvements

- Implement a performant cache for users and groups on Windows [#7516](https://github.com/osquery/osquery/pull/7516)
- Replace WmiRequest constructor with static factory method to improve error handling and prevent crashes [#7489](https://github.com/osquery/osquery/pull/7489)
- Remove redundant string conversion [#7603](https://github.com/osquery/osquery/pull/7603)

### Build

- Fix DebPackages.test_sanity test when the `size` column is empty [#7569](https://github.com/osquery/osquery/pull/7569)
- libs: Update libdpkg from version v1.19.0.5 to v1.21.7 [#7549](https://github.com/osquery/osquery/pull/7549)
- CI: Restore some release checks [#7558](https://github.com/osquery/osquery/pull/7558)
- Prevent ebpfpub linking against the system zlib [#7557](https://github.com/osquery/osquery/pull/7557)
- Fix mdfind.test_sanity flaky behavior [#7533](https://github.com/osquery/osquery/pull/7533)
- Enable fuzzing and ASan on Windows, enable ASan on macOS [#7470](https://github.com/osquery/osquery/pull/7470)
- Update cppcheck to version 2.6.3 and skip analysis for third party code [#7455](https://github.com/osquery/osquery/pull/7455)
- Change `cpu_info` test to expect *at least* one socket, not just one [#7490](https://github.com/osquery/osquery/pull/7490)
- Fix third party libraries flags leaking to osquery targets [#7480](https://github.com/osquery/osquery/pull/7480)
- Add third party libraries target [#7467](https://github.com/osquery/osquery/pull/7467)
- Do not run clang-tidy on third party libraries [#7432](https://github.com/osquery/osquery/pull/7432)
- CI: Create GitHub workflow target to gate mergeability [#7427](https://github.com/osquery/osquery/pull/7427)
- Fix some warnings about unrecognized special characters in the Windows event log test [#7478](https://github.com/osquery/osquery/pull/7478)
- Change where the macOS Info.plist is generated [#7566](https://github.com/osquery/osquery/pull/7566)
- Add OSQUERY_ENABLE_THREAD_SANITIZER to optionally enable TSan [#6997](https://github.com/osquery/osquery/pull/6997)
- Add an option to specify a path to the openssl archive [#7559](https://github.com/osquery/osquery/pull/7559)
- packs: Update reverse shell query pack to check for a valid remote_port [#7567](https://github.com/osquery/osquery/pull/7567)
- Remove the test_daemon_sighup test [#7584](https://github.com/osquery/osquery/pull/7584)

### Documentation

- docs: remove FreeBSD [#7508](https://github.com/osquery/osquery/pull/7508)
- Pin Jinja2 ReadTheDocs dependency to 3.0.3 [#7533](https://github.com/osquery/osquery/pull/7533)
- CHANGELOG 5.2.3 [#7571](https://github.com/osquery/osquery/pull/7571)
- CHANGELOG 5.2.2 [#7447](https://github.com/osquery/osquery/pull/7447)
- Bump mkdocs from 1.1.2 to 1.2.3 in /docs [#7457](https://github.com/osquery/osquery/pull/7457)
- Replace OS X with macOS in table specs [#7587](https://github.com/osquery/osquery/pull/7587)
- Update `osquery.example.conf` to omit the CLI only flags [#7595](https://github.com/osquery/osquery/pull/7595)

Updated: 2022-05-24T20:33:25+00:00

## osquery 5.4.0

Published: 2022-07-06T21:20:21+00:00

## osquery 5.5.0

Published: 2022-08-12T17:47:19+00:00

draft

## osquery 5.5.1

Published: 2022-08-18T13:24:43+00:00

Draft! (think 5.5.0 plus sqlite)

## osquery 5.6.0

Published: 2022-10-10T16:57:28+00:00

Draft!
## osquery 5.7.0

Published: 2022-12-06T19:00:16+00:00

Draft

## osquery 5.8.0

Published: 2023-02-24T19:25:29+00:00

## osquery 5.8.1

Published: 2023-03-01T20:45:27+00:00

## osquery 5.8.2

Published: 2023-03-22T11:59:16+00:00

## osquery 5.9.0

Published: 2023-06-08T21:07:50+00:00

_Draft_

## osquery 5.9.1

Published: 2023-06-16T15:16:33+00:00

Draft

## osquery 5.10.1

Published: 2023-10-07T12:02:38+00:00

[Git Commits](https://github.com/osquery/osquery/compare/5.9.1...5.10.1)

This release has several updates and bug fixes, including improvements to various tables and their handling. One potential breaking change is in how [the watchdog calculates CPU utilization](https://github.com/osquery/osquery/pull/8104). Previously, this calculation was based on physical CPUs; now it is based on virtual cores. We believe this makes more sense with modern CPUs.

Representing commits from 18 contributors! Thank you all.
### New Features

- Add `--enable_watchdog_debug` flag and improve watchdog error messages ([#8070](https://github.com/osquery/osquery/pull/8070))
- Add `--aws_enforce_fips` to enforce AWS FIPS endpoints ([#8075](https://github.com/osquery/osquery/pull/8075))
- Add new AWS valid regions ([#8110](https://github.com/osquery/osquery/pull/8110))
- Implement `decorations_top_level` flag for status logs ([#8102](https://github.com/osquery/osquery/pull/8102))

### Table Changes

- Add new macOS SIP config flags ([#8101](https://github.com/osquery/osquery/pull/8101))
- Add `cloud_id` to `ycloud_instance_metadata`, the VM metadata table for Yandex Cloud ([#8086](https://github.com/osquery/osquery/pull/8086))
- Allow querying of kernel and filesystem drivers ([#8119](https://github.com/osquery/osquery/pull/8119))
- Update `es_process_file_events`, adding support for open events and for only triggering on `file_paths` ([#8114](https://github.com/osquery/osquery/pull/8114))
- Update `firefox_addons` to parse with rapidjson and not block on read ([#8089](https://github.com/osquery/osquery/pull/8089))
- Update macOS `es_process_events` table: quote spaces in command line and environment variables ([#8054](https://github.com/osquery/osquery/pull/8054))
- Update Linux `disk_encryption` to recursively query parent crypt status ([#8052](https://github.com/osquery/osquery/pull/8052))
- Add, and revert, indexing on `block_devices` ([#8037](https://github.com/osquery/osquery/pull/8037), [#8151](https://github.com/osquery/osquery/pull/8151))

### Under the Hood improvements

- Add warnings when an enrollment secret cannot be found ([#8082](https://github.com/osquery/osquery/pull/8082))
- Avoid blocking when reading plist files ([#8099](https://github.com/osquery/osquery/pull/8099))
- Fix named virtual table create statement ([#8139](https://github.com/osquery/osquery/pull/8139))
- Remove forensicReadFile ([#8085](https://github.com/osquery/osquery/pull/8085))
- Substitute the TEXT macro with SQL_TEXT in table code ([#8091](https://github.com/osquery/osquery/pull/8091))
- Use JSON member iterator instead of rescanning ([#8122](https://github.com/osquery/osquery/pull/8122))
- core: Avoid checking if a file exists before opening ([#8087](https://github.com/osquery/osquery/pull/8087))
- improvement: Avoid unnecessary string conversions ([#8093](https://github.com/osquery/osquery/pull/8093))
- watchdog: Use virtual cores to calculate CPU utilization limit ([#8104](https://github.com/osquery/osquery/pull/8104))

### Bug Fixes

- Always lock event_index_mutex when accessing event_index map ([#8077](https://github.com/osquery/osquery/pull/8077))
- Check audit return values with <= ([#8125](https://github.com/osquery/osquery/pull/8125))
- Fix `wifi_survey` table not to crash if the SSID cannot be retrieved ([#8153](https://github.com/osquery/osquery/pull/8153))

### Documentation

- Add a list of osquery fleet managers ([#7781](https://github.com/osquery/osquery/pull/7781))
- Add basic file carving documentation ([#8118](https://github.com/osquery/osquery/pull/8118))
- Changelog for 5.9.1 ([#8088](https://github.com/osquery/osquery/pull/8088))
- Fixed small doc error ([#8147](https://github.com/osquery/osquery/pull/8147))
- Update Automatic Table Construction example ([#8094](https://github.com/osquery/osquery/pull/8094))
- Update Xcode version mentions to the proper one ([#8128](https://github.com/osquery/osquery/pull/8128))
- Update the description of `serial_number` in `connected_displays` ([#8113](https://github.com/osquery/osquery/pull/8113))

### Build

- Fix openssl build arch for Windows ARM64 ([#8134](https://github.com/osquery/osquery/pull/8134))
- Ignore CVE-2023-30571 ([#8065](https://github.com/osquery/osquery/pull/8065))
- Missing pragma/header guard for boottime.h ([#8117](https://github.com/osquery/osquery/pull/8117))
- Permit cross compiling for x86_64 on Apple Silicon ([#8136](https://github.com/osquery/osquery/pull/8136))
- build: update macOS hosted GitHub runner to macos-12 Monterey ([#8100](https://github.com/osquery/osquery/pull/8100))
- ci: Fix DistributedTests.test_run_queries_with_denylisted_query test ([#8154](https://github.com/osquery/osquery/pull/8154))
- ci: Increase aarch64 available space by splitting the build ([#8131](https://github.com/osquery/osquery/pull/8131))
- ci: Increase disk space on the Linux x86_64 runner ([#8133](https://github.com/osquery/osquery/pull/8133))
- ci: Remove flakiness when removing unused packages on Linux ([#8144](https://github.com/osquery/osquery/pull/8144))
- cve: Ignore dbus CVE-2023-34969 ([#8126](https://github.com/osquery/osquery/pull/8126))
- cve: Ignore libcap CVE-2023-2603 ([#8127](https://github.com/osquery/osquery/pull/8127))
- cve: Update libmagic to 5.45 ([#8142](https://github.com/osquery/osquery/pull/8142))
- cve: Update lzma to 5.4.4 ([#8135](https://github.com/osquery/osquery/pull/8135))
- cve: Update openssl to 3.1.3 ([#8141](https://github.com/osquery/osquery/pull/8141))
- libs: Fix openssl build on aarch64 ([#8084](https://github.com/osquery/osquery/pull/8084))
- libs: Update openssl to 3.1.1 ([#8081](https://github.com/osquery/osquery/pull/8081))
- libs: Update openssl to 3.1.2 ([#8124](https://github.com/osquery/osquery/pull/8124))
- test: Fix leaks in inotify and rocksdb tests ([#8080](https://github.com/osquery/osquery/pull/8080))

## osquery 5.10.2

Published: 2023-10-22T19:38:25+00:00

[Release 5.10.2](https://github.com/osquery/osquery/releases/tag/5.10.2) | [Git Commits](https://github.com/osquery/osquery/compare/5.9.1...5.10.2)

This release has several updates and bug fixes, including improvements to various tables and their handling. One potential breaking change is in how [the watchdog calculates CPU utilization](https://github.com/osquery/osquery/pull/8104). Previously, this calculation was based on physical CPUs; now it is based on virtual cores. We believe this makes more sense with modern CPUs.
A second potential breaking change is in PR [#8102](https://github.com/osquery/osquery/pull/8102). In addition to allowing decorations at the top level of the status logs, this PR normalizes the decorations format to that of the results log. In practice, this means that the `unixTime`, `severity` and `line` JSON fields are now numbers instead of strings, so log consumers that expect strings for these fields will need updating.

Representing commits from 18 contributors! Thank you all.

### New Features

- Add `--enable_watchdog_debug` flag and improve watchdog error messages ([#8070](https://github.com/osquery/osquery/pull/8070))
- Add `--aws_enforce_fips` to enforce AWS FIPS endpoints ([#8075](https://github.com/osquery/osquery/pull/8075))
- Add new AWS valid regions ([#8110](https://github.com/osquery/osquery/pull/8110))
- Implement `decorations_top_level` flag for status logs ([#8102](https://github.com/osquery/osquery/pull/8102))

### Table Changes

- Add new macOS SIP config flags ([#8101](https://github.com/osquery/osquery/pull/8101))
- Add `cloud_id` to `ycloud_instance_metadata`, the VM metadata table for Yandex Cloud ([#8086](https://github.com/osquery/osquery/pull/8086))
- Allow querying of kernel and filesystem drivers ([#8119](https://github.com/osquery/osquery/pull/8119))
- Update `es_process_file_events`, adding support for open events and for only triggering on `file_paths` ([#8114](https://github.com/osquery/osquery/pull/8114))
- Update `firefox_addons` to parse with rapidjson and not block on read ([#8089](https://github.com/osquery/osquery/pull/8089))
- Update macOS `es_process_events` table: quote spaces in command line and environment variables ([#8054](https://github.com/osquery/osquery/pull/8054))
- Update Linux `disk_encryption` to recursively query parent crypt status ([#8052](https://github.com/osquery/osquery/pull/8052))
- Add, and revert, indexing on `block_devices` ([#8037](https://github.com/osquery/osquery/pull/8037), [#8151](https://github.com/osquery/osquery/pull/8151))

### Under the Hood improvements

- Add warnings when an enrollment secret cannot be found ([#8082](https://github.com/osquery/osquery/pull/8082))
- Avoid blocking when reading plist files ([#8099](https://github.com/osquery/osquery/pull/8099))
- Fix named virtual table create statement ([#8139](https://github.com/osquery/osquery/pull/8139))
- Remove forensicReadFile ([#8085](https://github.com/osquery/osquery/pull/8085))
- Substitute the TEXT macro with SQL_TEXT in table code ([#8091](https://github.com/osquery/osquery/pull/8091))
- Use JSON member iterator instead of rescanning ([#8122](https://github.com/osquery/osquery/pull/8122))
- core: Avoid checking if a file exists before opening ([#8087](https://github.com/osquery/osquery/pull/8087))
- improvement: Avoid unnecessary string conversions ([#8093](https://github.com/osquery/osquery/pull/8093))
- watchdog: Use virtual cores to calculate CPU utilization limit ([#8104](https://github.com/osquery/osquery/pull/8104))

### Bug Fixes

- Always lock event_index_mutex when accessing event_index map ([#8077](https://github.com/osquery/osquery/pull/8077))
- Check audit return values with <= ([#8125](https://github.com/osquery/osquery/pull/8125))
- Fix `wifi_survey` table not to crash if the SSID cannot be retrieved ([#8153](https://github.com/osquery/osquery/pull/8153))
- Fix macOS EndpointSecurity FIM mute inversion for file paths ([#8166](https://github.com/osquery/osquery/pull/8166))

### Documentation

- Add a list of osquery fleet managers ([#7781](https://github.com/osquery/osquery/pull/7781))
- Add basic file carving documentation ([#8118](https://github.com/osquery/osquery/pull/8118))
- Changelog for 5.9.1 ([#8088](https://github.com/osquery/osquery/pull/8088))
- Changelog 5.10.1 ([#8155](https://github.com/osquery/osquery/pull/8155))
- Fixed small doc error ([#8147](https://github.com/osquery/osquery/pull/8147))
- Update Automatic Table Construction example ([#8094](https://github.com/osquery/osquery/pull/8094))
- Update Xcode version mentions to the proper one ([#8128](https://github.com/osquery/osquery/pull/8128))
- Update the description of `serial_number` in `connected_displays` ([#8113](https://github.com/osquery/osquery/pull/8113))

### Build

- Fix openssl build arch for Windows ARM64 ([#8134](https://github.com/osquery/osquery/pull/8134))
- Fix python test http server: use `SSLContext.wrap_socket()` instead of deprecated `ssl.wrap_socket()` ([#8169](https://github.com/osquery/osquery/pull/8169))
- GitHub Action to clean up stale ec2 runners ([#8156](https://github.com/osquery/osquery/pull/8156))
- Ignore CVE-2023-30571 ([#8065](https://github.com/osquery/osquery/pull/8065))
- Missing pragma/header guard for boottime.h ([#8117](https://github.com/osquery/osquery/pull/8117))
- Permit cross compiling for x86_64 on Apple Silicon ([#8136](https://github.com/osquery/osquery/pull/8136))
- build: update macOS hosted GitHub runner to macos-12 Monterey ([#8100](https://github.com/osquery/osquery/pull/8100))
- ci: Fix DistributedTests.test_run_queries_with_denylisted_query test ([#8154](https://github.com/osquery/osquery/pull/8154))
- ci: Increase aarch64 available space by splitting the build ([#8131](https://github.com/osquery/osquery/pull/8131))
- ci: Increase disk space on the Linux x86_64 runner ([#8133](https://github.com/osquery/osquery/pull/8133))
- ci: Remove flakiness when removing unused packages on Linux ([#8144](https://github.com/osquery/osquery/pull/8144))
- cve: Fix the expat product name in the libraries manifest ([#8158](https://github.com/osquery/osquery/pull/8158))
- cve: Ignore dbus CVE-2023-34969 ([#8126](https://github.com/osquery/osquery/pull/8126))
- cve: Ignore libcap CVE-2023-2603 ([#8127](https://github.com/osquery/osquery/pull/8127))
- cve: Update expat to version 2.5.0 ([#8159](https://github.com/osquery/osquery/pull/8159))
- cve: Update libmagic to 5.45 ([#8142](https://github.com/osquery/osquery/pull/8142))
- cve: Update lzma to 5.4.4 ([#8135](https://github.com/osquery/osquery/pull/8135))
- cve: Update openssl to 3.1.3 ([#8141](https://github.com/osquery/osquery/pull/8141))
- libs: Fix openssl build on aarch64 ([#8084](https://github.com/osquery/osquery/pull/8084))
- libs: Update openssl to 3.1.1 ([#8081](https://github.com/osquery/osquery/pull/8081))
- libs: Update openssl to 3.1.2 ([#8124](https://github.com/osquery/osquery/pull/8124))
- test: Fix leaks in inotify and rocksdb tests ([#8080](https://github.com/osquery/osquery/pull/8080))

## osquery 5.11.0

Published: 2023-12-27T22:55:41+00:00

Draft
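Returning to the caveat in the 5.10.2 notes above: PR #8102 turned the status-log fields `unixTime`, `severity` and `line` into JSON numbers, and with `decorations_top_level` the decorations can sit at the top level of each record rather than under a `decorations` object. A consumer that ingests logs from a fleet running mixed osquery versions has to accept both shapes, and comparing the old string values directly is wrong (`"9" > "10"` lexically). The reader below is an added example written for this page; it is not osquery project code. The core field names are osquery's status-log fields; the sample lines, the decoration key `env`, the file names and the messages are constructed for the example.

```python
"""Tolerant reader for osquery status-log JSON lines across the 5.10.2 format change.

Added example, not osquery code. Field names (hostIdentifier, calendarTime,
unixTime, severity, filename, line, message, version, decorations) are the ones
osquery emits for status logs; the sample lines at the bottom are constructed.
"""
import json
from typing import Any, Iterable

# Fields that PR #8102 changed from JSON strings to JSON numbers.
NUMERIC_FIELDS = ("unixTime", "severity", "line")

# Keys that belong to the status record itself. Anything else found at the top
# level is treated as a decoration promoted there by --decorations_top_level.
CORE_FIELDS = frozenset({
    "hostIdentifier", "calendarTime", "unixTime", "severity",
    "filename", "line", "message", "version", "decorations",
})


def _as_int(value: Any, name: str) -> int:
    """Accept an int or a decimal string; reject bools, floats, None and junk."""
    if isinstance(value, bool):  # bool is a subclass of int, so check it first
        raise ValueError(f"{name}: boolean is not a valid value")
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        try:
            return int(value, 10)
        except ValueError:
            pass
    raise ValueError(f"{name}: expected an integer or numeric string, got {value!r}")


def parse_status_line(raw: str) -> dict:
    """Parse one JSON status line into a record with stable field types.

    Handles the pre-5.10.2 shape (numeric fields as strings, decorations nested)
    and the 5.10.2 shape (numbers, decorations possibly at the top level).
    """
    rec = json.loads(raw)
    if not isinstance(rec, dict):
        raise ValueError("status line is not a JSON object")
    out = {k: rec.get(k) for k in
           ("hostIdentifier", "calendarTime", "filename", "message", "version")}
    for key in NUMERIC_FIELDS:
        out[key] = _as_int(rec.get(key), key)
    # Nested decorations win; top-level extras fill in whatever is missing.
    nested = rec.get("decorations")
    decorations = dict(nested) if isinstance(nested, dict) else {}
    for key, value in rec.items():
        if key not in CORE_FIELDS:
            decorations.setdefault(key, value)
    out["decorations"] = decorations
    return out


def select_errors(lines: Iterable[str], since_unix: int, min_severity: int) -> list:
    """Return parsed records with severity >= min_severity and unixTime >= since_unix.

    The comparisons are only meaningful after coercion: on the old string
    format they would be lexical, not numeric.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_status_line(raw)
        if rec["severity"] >= min_severity and rec["unixTime"] >= since_unix:
            hits.append(rec)
    return hits


# Constructed sample lines: first in the pre-5.10.2 shape, second in the 5.10.2
# shape with a decoration ("env") promoted to the top level.
SAMPLE_LINES = [
    '{"hostIdentifier":"host-a","calendarTime":"Sun Oct  8 12:00:00 2023 UTC",'
    '"unixTime":"1696766400","severity":"1","filename":"watchdog.cpp","line":"412",'
    '"message":"worker restarted","version":"5.10.1","decorations":{"env":"prod"}}',
    '{"hostIdentifier":"host-b","calendarTime":"Sun Oct 22 12:00:00 2023 UTC",'
    '"unixTime":1697976000,"severity":2,"filename":"tls.cpp","line":88,'
    '"message":"enrollment secret not found","version":"5.10.2","env":"prod"}',
]

if __name__ == "__main__":
    for rec in select_errors(SAMPLE_LINES, since_unix=1696000000, min_severity=1):
        print(rec["hostIdentifier"], rec["unixTime"], rec["severity"], rec["decorations"])
```

Rejecting unparsable values instead of silently defaulting them is deliberate: a status record whose timestamp or severity cannot be read should surface as a pipeline error rather than disappear from an alerting query.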