2.7.0

@theopolis theopolis released this 22 Aug 19:02
· 2631 commits to master since this release

New features in 2.7.0

#3506 FSEvents on macOS will monitor mount events within already-monitored directories
#3503 OpenBSM events are monitored as process_events on macOS
#3265 Add RapidJSON integration as a boost property tree replacement
#3530 Implement excluded paths for FIM for Linux and macOS

Bug fixes

#3517 Wait for each extension before respawning
#3553 and #3552 Fixing memory leaks in virtual tables
#3534 Improve macOS process start_time column
#3539 Fix sizes for block_devices on macOS and Linux
#3574 Display correct UID for processes for Domain Users on Windows
#3580 Fix handling of multiple LIKE and GLOB predicates*

  • When using LIKE and GLOB with OR in query predicates, the SQLite optimizer may replace TEXT fields with incorrect values, causing unexpected behavior for tables, such as file, that expect globbing input for path names.

Table changes (from 2.6.0 to 2.7.0)

Added table process_memory_map to All Platforms (from POSIX)

Added table device_firmware to Darwin (Apple OS X)
Added table gatekeeper to Darwin (Apple OS X)
Added table gatekeeper_approved_apps to Darwin (Apple OS X)
Added table shared_folders to Darwin (Apple OS X)
Added table sharing_preferences to Darwin (Apple OS X)
Added table certificates to MacOS and Windows
Added table user_events to POSIX-compatible Platforms
Added table ec2_instance_metadata to Ubuntu, CentOS
Added table ec2_instance_tags to Ubuntu, CentOS

Added column block_size (INTEGER_TYPE) to table block_devices
Added column cwd (TEXT_TYPE) to table process_events
Added column status (BIGINT_TYPE) to table process_events
Added column action (TEXT_TYPE) to table scheduled_tasks
Added column class (TEXT_TYPE) to table usb_devices
Added column protocol (TEXT_TYPE) to table usb_devices
Added column subclass (TEXT_TYPE) to table usb_devices