2.6.0

@obelisk obelisk released this 24 Jul 23:38
· 2654 commits to master since this release

This is the next stable build of osquery, ready for production. This release fixes many bugs in the Windows version, vastly improving stability and some tables. The SQLite version was also bumped to 3.19.3 and improvements were made to inotify eventing on Linux. The preferences table on Darwin has also been changed and its core functionality moved to a new plist table. See (#3455) for more details, as this may require updates to any scheduled queries that use this table. For more complete release notes, see the highlights below.

Several bug fixes pertaining to Windows:

  • (#3478) Fixed a crash in interface_details - If WMI data was empty, an invalid access occurred.
  • (#3481) Choco build output directory change - Building a package will now drop you in the directory you started in, not the build directory.
  • (#3475) Fixed worker respawn logic - Killed workers were not being respawned correctly due to a lack of early exit.
  • (#3470) system_info FQDN - The system_info table on Windows will now return the full FQDN, not just the host name.
  • (#3484) Additional install locations - The programs table checks more locations to find installed applications.
  • (#3431) Skip tests on Windows - It's now possible to skip building tests via an environment variable on Windows.
  • (#3444) Autoexec - Added a new table to find auto-executing programs.
  • (#3436) IE Extensions - Added a new table to list extensions installed in IE.

A few bug fixes to POSIX/macOS

  • (#3454) (#3473) (#3476) High Sierra related fixes - Fixed a bug where the local clang-format wasn't being used and the system one was called instead. Also fixed a globbing bug caused by a new file ordering on APFS systems.
  • (#3480) Mount event on Darwin - FSEvents now also catches mount events and these alerts go through the same pub sub flow with the action "MOUNTED".

General Updates

  • (#3488) Changes to plugin failures - All plugins will now fail if one fails. This ensures plugins are in a good state when initialization finishes.
  • (#3485) Update to SQLite - SQLite version bumped to 3.19.3
  • (#3489) TSAN fixes - Some general TSAN issues addressed.
  • (#3487) Don't ignore SIGCHLD - Stop ignoring the SIGCHLD interrupt to exit faster.
  • (#3459) Updates to inotify - Logic improved around adding/removing subscribers in the inotify eventer.
  • (#3469) Fix TLS Config Update - Fixes TLS update and sets the refresh period to one hour.
  • (#3457) Moved pid file - The osquery pid file is now in /var/run/ on Linux and FreeBSD systems.
  • (#3378) Added epoch time to scheduled queries - To assist in keeping backend systems in sync with system state, an epoch decorator was added.
  • (#3455) Separated preferences and plist - Preferences was split into its own table and the functionality of plist parsing was moved to a new plist table.
  • (#3448) Watchdog issues resolved - There were some instances where certain flag usage would inadvertently disable the watchdog.
  • (#3390) Symlink column in file table - A new column indicating whether the file is a symlink.