Releases: osquery/osquery

5.14.1

20 Oct 17:03
09a2464

Git Commits

Representing commits from 13 contributors! Thank you all.

Windows codesigning note

Starting with osquery 5.14, we have changed our codesigning. Henceforth our releases will be signed by an osquery-specific signing key issued by Microsoft Azure.

New Features

  • Add --yara_sigurl_authenticate flag (#8437)

Table Changes

  • Add additional WMI data to deviceguard_status table (#8440)
  • Fix linux groups table to handle larger group sets by increasing buffer size (#8387)
  • Add support for Firefox addons for snap installations (#8374)
  • Remove support for deprecated Safari Legacy Extensions (#8426)
  • macOS 15 alf support (#8428)
  • Update table alf_explicit_auths as not supported on macOS 15 (#8435)
  • Update table alf_exceptions to support macOS 15 (#8434)
  • Fix for windows_crashes missing information on user mode memory dumps (#8394)
  • Fix: safari_extensions not returning results (#8427)
  • Rename hvci_status to deviceguard_status to better reflect the data collected (#8390)

Under the Hood improvements

  • Add column optimization support to allow processing IN constraints all at once in xFilter (#8263)
  • Minor improvements to the hashing logic (#8398)
  • Refactor readFile (#8410)

Bug Fixes

  • Fix unified_log handling of timestamp formats (#8451)
  • Fix crash with non-null-terminated values in registry enumeration (#8421)
  • Fix: Check and free cert context creation in windows certificates table (#8420)
  • fix: Handle potential strftime error in the time table (#8431)
  • Fix crash in socket table parsing on windows (#8419)

Build

  • Run tests on macos-15 (#8430)
  • Update tests for unified_log table to work around slowness (#8450)
  • tests: Ensure python http server is ready to serve (#8452)
  • Extend timeout for test HTTP server (#8445)
  • Upgrade GitHub Actions upload-artifact to v4 (#8423)
  • Boost 1.86 compatibility (#8409)
  • build: Cleanups and fixes for a newer clang toolchain (#8412)
  • ci: Update the upload-artifact action to v4.4.0 (#8416)
  • build: Silence deprecation warnings about non standard extensions on VS2022 (#8405)
  • Add missing includes causing compilation error with Clang 18.1.8 (#8400)
  • build(deps): bump actions/download-artifact from 2 to 4.1.7 in /.github/workflows (#8411)

5.13.1

13 Aug 23:12
f2c581e

Git Commits

Representing commits from 21 contributors! Thank you all.

Windows codesigning note

The Windows binaries and MSI package have been signed with the Fleet Device Management codesigning certificate, as the osquery project is currently working through identity verification to obtain a new signing certificate.

Table Changes

  • The Python manifest directories, .egg-info and .dist-info, contain flat file hierarchies (#8318)
  • The users table on Linux now returns only users in /etc/passwd by default (#8342)
  • Add sha256 hash to apparmor_profiles table (#8345)
  • Add support for metalink and store repo config file name in yum_sources table (#8307)
  • Update user_ssh_keys with additional details for OpenSSL-style keys (#8314)
  • Fix table dns_resolvers dns-search bug with multiple search domains (#8329)
  • Fix process_open_sockets to correctly display family and protocol on macOS (#8315)
  • Add missing SSH key types to authorized_keys that support FIDO2 authentication (#8319)

Under the Hood improvements

  • Improve error message when required constraint missing (#8358)
  • Add verbose logging when distributed requests fail and retry (#8321)

Bug Fixes

  • Fix crash in rpm_packages table by upgrading librpm from 4.18.0 to 4.18.2 (#8388)
  • Fix crash in Linux file monitoring (related to NFS-mounted directories) (#8392)
  • Fix listDirectoriesInDirectory to check whether symlinks point to directories (fixes inotify warnings flooding the logs) (#8399)
  • Fix for potential memory leak in the ServiceArgumentParser constructor (#8368)
  • Fix for crash in ServiceArgumentParser via ServiceMain (#8353)
  • Fix real precision by limiting precision to 15 digits (#8355 and #8302)
  • Fix invalid memory access in curl_certificates table (#8339)
  • Add pending state to ATC tables to avoid duplicate SQL attaches (#8324) and revert the ATC changes from #8233 that caused a race condition and ATC table failure
  • Fix crash when carve size is stored as string (#8297)

Documentation

  • Updated Time Machine table documentation to require FDA (#8325)
  • Update processes table spec and docs, to remove outdated column alias (#8363)
  • Fill in missing column descriptions to spec for device_partitions (#8364)
  • Improve explanation of required columns (#8365)
  • Update package_receipts table example (#8326)
  • Remove some duplicated words from code comments and strings (#8336)
  • Update description for alf_explicit_auths (#8371)

Build

  • Correct spec file name to macwin (#8311)
  • Correct xz submodule URL and OpenSSL download URL (#8383)
  • Update Linux Docker image to Ubuntu 20.04 (#8369)
  • Fix util-linux submodule url (#8303)
  • Update macos builder to 14 and tester to 12 (#8359)
  • Make fallthrough explicit in sqlite_encoding.cpp (#8361)
  • Fix macOS python dependencies install step (#8308)
  • Bump jinja2 from 3.1.3 to 3.1.4 (#8330)

5.12.2

08 May 01:33

Git Commits

This release is a hot fix. It reverts #8233, which had inadvertently broken ATC tables under some conditions.

Representing commits from 3 contributors! Thank you all.

Bug Fixes

  • Revert "Don't add ATC table name to registry until after sqlite DB initialization" (#8233) (#8334)

Build

  • CI: Fix macOS python dependencies install step (#8308)

5.12.1

25 Mar 19:05
dcd8594

Git Commits

Representing commits from 11 contributors! Thank you all.

New Features

  • New flag logger_tls_backoff_max to configure the retry backoff for TLS logger plugin (#8230)

Table Changes

  • Port the battery table to Windows (#8267)
  • Update homebrew_packages table to include Casks (#8276)
  • Update cpu_info to include load_percentage on windows (#8275)
  • Check path exists first in vscode_extensions (#8292)
  • deb_packages: ignore non-existent admindirs (#8288)
  • Add missing path separator in Safari Extensions table generator (#8273)
  • Add windows UBR to os_version table (#8265)

Under the Hood improvements

  • Persist query performance stats (#8250)
  • Deprecate worker_threads flag (#8278)
  • Change message from warning to error when extension could not be loaded (#8260)
  • Refactor macOS system profile report retrieval (#8251)
  • Clear performance stats when modifying scheduled/pack query (#8239)

Bug Fixes

  • Fix version collate returning incorrect value when last character is a delimiter (#8283)
  • Fix a memory leak in unified_log (#8274)
  • Don't add ATC table name to registry until after sqlite DB initialization (#8233)

Documentation

  • Update Jinja dependency for docs (#8285)
  • Remove Zercurity from fleet managers list (#8293)
  • Fix missing spaces in kernel_keys column descriptions (#8289)
  • Update description for amperage in battery table (#8253)

Packs

  • Fix packs to check for platform before including queries (#7461)

Build

  • Downgrade sqlite to 3.42 to prevent a regression with required columns (#8295)
  • cve: Remove libxml2 dependency (#8282)
  • cve: Update libexpat to 2.6.0 (#8281)
  • cve: Update sqlite to 3.45.0 (#8259)
  • cve: Update openssl to 3.2.1 (#8262)
  • ci: Use all available cores and print more stats (#8248)
  • cmake: Pass the osquery python path to googletest (#8237)
  • test: Fix vscodeExtensions.test_sanity test (#8236)
  • cmake: Correct typo, semvar -> semver (#8234)

5.11.0

27 Dec 22:55
d9ac612

Git Commits

Representing commits from 11 contributors! Thank you all.

Table Changes

  • Add new table vscode_extensions (#8150)
  • Add support for additional Apple Silicon columns in secureboot table (#8215)
  • Add Shortcut metadata parsing on Windows in the file table (#8143)
  • Remove atom_packages table (#8181)
  • Add additional chrome extensions paths (#8170) to pick up extensions for Chrome Beta, Chrome Dev, and Vivaldi.

Under the Hood improvements

  • Add version collations to column definitions (#8222)
  • Add support for additional collations in column definitions (#8214)
  • Add version collate functions (#8168)
  • Added cache and throttling for certificates, keychain_acls, and keychain_items tables (#8192). This is intended to reduce the occurrence of keychain corruption due to broken macOS APIs.
  • process_open_sockets: Mark pid column as additional instead of index (#8191)

Bug Fixes

  • Add stricter checks to JSON parsing (#8229)
  • Fix signed/unsigned mismatch in powershell_events (#8225)
  • Fix a crash in firefox_addons (#8227)
  • Correct the aws_sts_region behavior (#8184)

Documentation

  • Update building.md prereqs for Windows (#8216)
  • Correct link to a PR in the 4.7.0 changelog (#8186)
  • Call out in the CHANGELOG the format changes of the status logs decorations (#8174)
  • Remove some duplicated lines from 5.8.1 changelog (#8172)
  • Fix typo in table specs (#8163)
  • Keychain cache and throttling documentation (#8205)
  • Changelog 5.10.2 (#8171)

Build / Dependencies

  • Update libxml2 to v2.12.3 (#8223)
  • Update zlib to 1.3 and ignore a CVE (#8218)
  • Update openssl to 3.2.0 (#8212)
  • Update nvdlib to use the latest NVD APIs (#8207)
  • Fix Linux build (#8208)
  • Correct job order (#8185)
  • Re-enable tools_tests_testrelease (#8221)
  • Enable client certificate verification in the TLS tests (#8211)
  • Temporary workaround to build with XCode 15 (#8197)

5.10.2

22 Oct 19:38
9db9952

Git Commits

This release contains several updates and bugfixes, including improvements to various tables and their handling.

One potential breaking change is in how the watchdog calculates CPU utilization. Previously, this calculation was based on physical CPUs; it is now based on virtual cores. We believe this makes more sense with modern CPUs.

A second potential breaking change is in PR #8102. In addition to allowing decorations at the top level of the status logs, this PR normalizes the decorations format to match the results log. In practice, this means that the unixTime, severity and line JSON fields are now numbers instead of strings.

Representing commits from 18 contributors! Thank you all.

New Features

  • Add --enable_watchdog_debug flag and improve watchdog error messages (#8070)
  • Add --aws_enforce_fips to enforce AWS FIPS endpoints (#8075)
  • Add new AWS valid regions (#8110)
  • Implement decorations_top_level flag for status logs (#8102)

Table Changes

  • Add new macOS SIP config flags (#8101)
  • Add cloud_id to ycloud_instance_metadata, the VM metadata table for Yandex Cloud (#8086)
  • Allow querying of kernel and filesystem drivers (#8119)
  • Update es_process_file_events adding support for open events, and for only triggering on file_paths (#8114)
  • Update firefox_addons to use rapidjson to parse and don't block on read (#8089)
  • Update macOS es_process_events table: quote spaces in command line and environment variables (#8054)
  • Update linux disk_encryption to recursively query parent crypt status (#8052)
  • Add, and revert, indexing on block_devices (#8037, #8151)

Under the Hood improvements

  • Add warnings when an enrollment secret cannot be found (#8082)
  • Avoid blocking when reading plist files (#8099)
  • Fix named virtual table create statement (#8139)
  • Remove forensicReadFile (#8085)
  • Substitute the TEXT macro with SQL_TEXT in table code (#8091)
  • Use JSON member iterator instead of rescanning (#8122)
  • core: Avoid checking if a file exists before opening (#8087)
  • improvement: Avoid unnecessary string conversions (#8093)
  • watchdog: Use virtual cores to calculate CPU utilization limit (#8104)

Bug Fixes

  • Always lock event_index_mutex when accessing event_index map (#8077)
  • Check audit return values with <= (#8125)
  • Fix wifi_survey table not to crash if the ssid cannot be retrieved (#8153)
  • Fix macOS EndpointSecurity FIM mute inversion for file paths (#8166)

Documentation

  • Add a list of Osquery fleet managers (#7781)
  • Add basic file carving documentation (#8118)
  • Changelog for 5.9.1 (#8088)
  • Changelog 5.10.1 (#8155)
  • Fixed small doc error (#8147)
  • Update Automatic Table Construction example (#8094)
  • Update XCode version mentions to the proper one (#8128)
  • Update the description of serial_number in connected_displays (#8113)

Build

  • Fix openssl build arch for Windows ARM64 (#8134)
  • Fix python test HTTP server to use SSLContext.wrap_socket() instead of the deprecated ssl.wrap_socket() (#8169)
  • GitHub Action to clean up stale EC2 runners (#8156)
  • Ignore CVE-2023-30571 (#8065)
  • Missing pragma/header guard for boottime.h (#8117)
  • Permit cross compiling for x86_64 on Apple Silicon (#8136)
  • build: update macos hosted github runner to macos-12 monterey (#8100)
  • ci: Fix DistributedTests.test_run_queries_with_denylisted_query test (#8154)
  • ci: Increase aarch64 available space by splitting the build (#8131)
  • ci: Increase disk space on the Linux x86_64 runner (#8133)
  • ci: Remove flakiness when removing unused packages on Linux (#8144)
  • cve: Fix the expat product name in the libraries manifest (#8158)
  • cve: Ignore dbus CVE-2023-34969 (#8126)
  • cve: Ignore libcap CVE-2023-2603 (#8127)
  • cve: Update expat to version 2.5.0 (#8159)
  • cve: Update libmagic to 5.45 (#8142)
  • cve: Update lzma to 5.4.4 (#8135)
  • cve: Update openssl to 3.1.3 (#8141)
  • libs: Fix openssl build on aarch64 (#8084)
  • libs: Update openssl to 3.1.1 (#8081)
  • libs: Update openssl to 3.1.2 (#8124)
  • test: Fix leaks in inotify and rocksdb tests (#8080)

5.9.1

16 Jun 15:16
3c66ddd

Git Commits

Big shoutout for the Windows Arm port!

Representing commits from 14 contributors! Thank you all.

New Features

  • Add support for Windows on Arm (#7918)
  • logger: Add new string_batch request type to complement the existing string type (#8027)

Table Changes

  • Add connected_displays table on macOS (#7946)
  • Add windows_search table (#7990)
  • Restore functionality of crashes table on macOS 12 and newer (#7819)
  • Update keychain_items to include data about key types (#8002)
  • Update os_version to include Apple RSR fields using native API (#8011)
  • Update safari_extensions to handle the current app extensions pattern (#7991)
  • Update system_info to include the number of sockets (#8038)
  • Update unified_log table to add predicate column and optimize timestamp constraint (#8019)

Under the Hood improvements

  • Improve listDirectoriesInDirectory by using std::fs (#7974)
  • Do not consider a 404 as an error in ec2-instance-metadata (#8025)
  • Release objects and free memory obtained from COM (#7999)
  • Do not pass wstring::c_str() to wstringToString function (#8000)
  • Do not copy process arguments into vector for CreateProcess call (#7956)

Bug Fixes

  • Fix version column in homebrew_packages (#8057)
  • Improve extended_attributes implementation for Linux and macOS (#8046)
  • Update event tables to mark time column as "additional" (#8020)

Documentation

  • Update expired Slack invite (#8051)
  • Update es_process_file_events.table description (#7978)
  • CHANGELOG 5.8.2 (#7986)

Build

  • cve: Update to openssl 1.1.1u (#8050)
  • cmake: Add an option to disable shallow git clone operations (#8026)
  • Fix the aarch64 workflow (#8036)
  • test: Fix a leak in ExtendedAttributesTableTests SetUp function (#8045)
  • cve: Update libxml2 to v2.11.2 (#8023)
  • libs: Bring out LZ4 from rdkafka and update it to v1.9.4 (#7996)
  • ci: Update python version and docs build tools (#7969)
  • ci: Update aarch64 runner to Ubuntu 20.04 and update badges (#7984)
  • Add few unit tests for the hashing component (#7993)

5.8.2

22 Mar 11:59
f7feecc

Git Commits

5.8.2 is a hotfix for how osquery's COM security initialization works. See #7962 for details.

Representing commits from 6 contributors! Thank you all.

Bug Fixes

  • Fix empty batch result set reporting (#7958)
  • Fix COM security initialization by setting COM security per interface level (#7963)
  • Fix username field in managed_policy table (#7944)

Documentation

  • CHANGELOG 5.8.1 (#7957)

Build

  • test: Do not always expect a row from the secureboot table (#7967)
  • cmake: Only link against the experiments loader when needed (#7959)
  • tests: Fix some tests becoming osquery shells (#7964)
  • test: Fix SystemdUnitsTest missing the unit_file_state column (#7965)
  • tests: Do not always build root tests on Linux (#7966)

5.8.1

01 Mar 20:45
aea0d6e

Git Commits

Representing commits from 22 contributors! Thank you all.

New Features

  • Record and send statistics for distributed queries (#7870)

Table Changes

  • Add ETW-based process events table for Windows (#7821)
  • Add pid_with_namespace for yara table (#7920)
  • Add a new table kernel_keys to the Linux platform (#7876)
  • Leave min_version empty in xprotect_meta when not specified (#7926)
  • Port the secureboot table to macOS (#7692)
  • Update docker_container_stats table to include cached_memory column (#7807)
  • cpu_info: Port the table to macOS x86 and Apple Silicon (#7757)
  • experiments: Implement a new bpf_process_events_v2 table (#7773)
  • systemd_units: Add new unit_file_state column (#7895)

Under the Hood improvements

  • Set counter consistently so zero always indicates all records (#7801)
  • Support logging empty result set in batch format for initial runs (#7803)
  • Support rollbacks of osquery when new versions introduce new column families (#7712)
  • analysis.py: Add --pack flag to load queries from a pack file (#7935)
  • profile.py: Log # of queries loaded and raise an error if 0 are loaded (#7934)

Bug Fixes

  • Clear cached constraints and columns in xBestIndex (#7435)
  • Fix assert fail for unverified WMI request result (#7921)
  • Fix leaks in scheduled_tasks (#7903) (#7904)
  • Flush console buffer during ungraceful exit (#7829)
  • Propagate windows errors to the exit code (#7896)
  • Relax osquery safe permissions check (#7763)
  • Silence warnings for more builtin Chrome and Brave extensions (#7932)
  • Workaround for hung routes table (#7916)
  • dns_resolvers: Fix typo in the name when spawning in a namespace (#7875)
  • test: Fix flaky test_daemon_sigint (#7888)

Documentation

  • Add note about windows_security_products compatibility (#7880)
  • CHANGELOG 5.7.0 (#7894)
  • Docs: mention the recent adoption of automatic CVE scanning (#7878)
  • Fix broken link in CODE_OF_CONDUCT.md (#7922)
  • docs: Update the list of pages (#7866)
  • docs: clarify that logger_plugin is set from CLI (#7917)

Build

  • Do not catch table or registry exceptions when running tests (#7621)
  • Fix and document discovery queries behavior on distributed queries and add tests (#7655)
  • Try to free some disk space on the arm64 runners (#7950)
  • ci: Automatically cancel old PR jobs (#7887)
  • ci: Improve error message when a library is missing from the manifest (#7899)
  • ci: Remove Windows 32bit build (#7939)
  • ci: Update some actions to remove deprecation warnings (#7864)
  • ci: Workaround in the aarch64 runner to avoid out of space (#7941)
  • cmake: Remove forced static libraries search for osquery-toolchain (#7881)
  • cve: Ignore libcryptsetup cves (#7871)
  • cve: Ignore libdpkg CVE-2022-1664 (#7872)
  • cve: Ignore libgcrypt cves (#7873)
  • cve: Ignore sqlite CVE-2022-46908 (#7911)
  • cve: Ignore util-linux cves (#7929)
  • cve: Update librpm to 4.18.0 (#7910)
  • cve: Update openssl to 1.1.1t (#7937)
  • cve: Update yara to 4.2.3 (#7912)
  • git: Ignore compile_commands.json and pyrightconfig.json (#7885)
  • libs: Fix libmagic build on macOS (#7915)
  • libs: Fix system paths used by dbus (#7919)
  • libs: Update dbus to 1.12.24 (#7905)
  • libs: Update libarchive to 3.6.2 (#7877)
  • libs: Update libxml2 to 2.10.3 (#7882)
  • libs: Update popt to 1.19 (#7909)
  • libs: Update util-linux to 2.35.2 (#7902)
  • libs: Update zlib to 1.2.13 (#7874)
  • libs: update Thrift to 0.17 (#7868)
  • test: Add an option to run only selected python testcases (#7890)
  • test: Speed up ec2InstanceMetadata.test_sanity (#7907)

5.7.0

06 Dec 19:00
feb718d

Git Commits

Representing commits from 12 contributors! Thank you all.

CVEs

Addressed by updating a library:

Ignored due to not affecting osquery:

New Features

  • New table security_profile_info to retrieve security profile information on Windows (#7794)

Table Changes

  • Add column to es_process_events for process codesigning flags (#7726)
  • shimcache: Only check CurrentControlSet to avoid duplicate rows (#7832)
  • processes: Fix the procfs memory unit kB, which is 1024 bytes not 1000 (#7818)
  • Fix permissions on opening pipes for reading in pipes table (#7810)
  • Fix the empty host column from logged_in_users table (#7685)
  • docker_containers: Don't report finished_at for a container which is still running (#7783)
  • processes: Stabilize the start_time column value on macOS and Linux (#7788)

Bug Fixes

  • Do not access the AWS SDK request content type if missing (#7834)
  • Fix deadlock when logging happens during a database reset (#7798)
  • Fix handling of some errors during an AWS HTTP request (#7811)

Documentation

  • CHANGELOG 5.6.0 (#7804)
  • Add link to official YARA docs (#7792)
  • Fix typo in keychain_items (#7790)

Packs

  • packs/incident_response: process_memory_map is also applicable to Darwin (#7789)

Build

  • cve: Ignore zstd CVE-2021-24031 (#7865)
  • ci: Add a job and helper scripts to periodically scan for CVEs (#7787)
  • ci: Update how we set github workflow step outputs (#7791)
  • ci: Fix python version when installing modules and testing on macos (#7813)