Skip to content
Pre-release
Pre-release

@alessandrogario alessandrogario released this Sep 10, 2019 · 16 commits to master since this release

This release has two major focuses. It is the first release since osquery transitioned to a Linux Foundation project.

It features a heavily reworked build system. This aims to provide flexibility and stability.

Git Commits

New Features / Under the Hood improvements

  • Linux Audit process_events Implement support for fork/vfork/clone/execveat (#5701)
  • New SQLite function regex_match to match across columns (#5444)
  • LRU cache for syscall tracing (#5521)
  • Basic tracing via eBPF on Linux (#5403, #5386, #5384)
  • Experimental kill and setuid syscall tracing in Linux via eBPF (#5519)
  • New eventing (ev2) framework (#5401)
  • Improved table performance profiles (#5187)
  • macOS query pack: detect SearchAwesome malware (#5713)
  • macOS query pack: detect when a process is tapping keyboard event (#5345)

Build

Harderning

  • Link binaries with Full RELRO on Linux (#5748)
  • Remove FTS features from SQLite (#5703) (#5702)
  • Fix SQLite API usage errors (#5551)
  • Fix issues reported by ASAN (#5665)
  • Handle bad FDs in md_tables (#5553)
  • Fix lock resource leak in events/syslog (#5552)
  • Fix memory leak in macOS keychain_items and extended_attributes tables (#5550, #5538)
  • Fix memory leak in genLoggedInUsers (Windows). Update WTSFreeMemoryEx to WTSFreeMemory (#5642)
  • Fix potential null dereferences in smbios_tables (#5332)
  • Fix osquery exiting with wrong status (3824c2e6)
  • Add additional install and uninstall flag incompatibility check (85eb77a0)
  • Fix warning with constants initialisation in magic (2a624f2f)
  • Fix sign compare warning in file_compression (b93069b3)
  • Refactored logical_drives table on Windows (#5400)
  • Refactored core/windows/wmi to use smart pointers (#5492)
  • Fixed various potential crashes in the virtual table implementaion (6ade85a5)
  • Increase the amount of MaxRecvRetries for Thrift sockets (#5390)

Bug Fixes

  • Fix the reading of the serial of a certificate (little-endian big int) (#5742)
  • Fix bugs and update pathname variables in MSI package build script (#5733)
  • Fix registry table exception closing an uninitialized key handle (#5718)
  • Config views are now recreated on startup (#5732)
  • Change MSI Service Error handling on Windows (#5467)
  • Allow mounting SQLite DBs using WAL journaling with ATC (#5525, #5633)
  • Fix mount table interacting with direct autofs (#5635)
  • Fix HTTP Host Header to include port (#5576)
  • Various fixes to the Windows certificates table and expansion to include Personal certificates (#5697), (#5696), (#5640), (#5631)
  • Add optimization back to macOS users and groups (#5684)
  • Do not return a row for macOS battery if no data is present (#5650)
  • Fix several integer conversions in process_ops (#5614)
  • Include weekends on the kernel_panics table (#5298)
  • Fix key_strength bug for Windows certificates table (#5304)
  • The interface column of routes table could be empty on Windows (bcf0ab8e)
  • The name column of programs table could be empty on Windows (7bceba4b)
  • Fix disable_watcher flag (08dc11b7)
  • Populate path column correctly in firefox_addons table (#5462)
  • Fix numeric monitoring plugin not being registered (#5484)
  • Fix wrong error code returned when querying the Windows registry (#5621)
  • Fix logical_drives boot partition detection (#5477)
  • Replace sync calls by async within the HTTP client implementation (#5606)
  • Fix RocksDB crash related to OptimizeForSmallDb (a31d7582)
  • Fix bug in table column data validator (e3037331)
  • Fix random port problem (a32ed7c4)
  • Refactor battery table and return information even if advanced information is missing (6a64e353)

Table Changes

  • Added table ibridge_info on macOS (Notebooks only) (#5707)
  • Added table running_apps on macOS (#5216)
  • Added table atom_packages on macOS and Linux (6d159d40)
  • Remove EC2 tables on Windows (#5657)
  • Added column win_timestamp to time table on Windows (3bbe6c51)
  • Added column is_hidded to users and groups table on macOS (#5368)
  • Added column profile to chrome_extensions table (#5213)
  • Added column epoch to rpm_packages table on Linux (#5248)
  • Added column sid to logged_in_users table on Windows (#5454)
  • Added column registry_hive to logged_in_users table on Windows (#5454)
  • Added column sid to certificates table on Windows (#5631)
  • Added column store_location to certificates table on Windows (#5631)
  • Added column store to certificates table on Windows (#5631)
  • Added column username to certificates table on Windows (#5631)
  • Added column store_id to certificates table on Windows (#5631)
  • Added column product_version to file table on Windows (#5431)
  • Added column source to sudoers table on POSIX systems (#5350)
Assets 7
You can’t perform that action at this time.