4.4.0
New Features / Under the Hood improvements
Implement container access from tables on Linux (#6209, #6485)
Update language to use 'allow list' and 'deny list' (#6489, #6487, #6488, #6493)
macos: Automatic configuration of the OpenBSM audit rules (#6447)
macos: Add polling to OpenBSM publisher (#6436)
Add messages to distributed query results (#6352)
Implement event batching support for Windows tables (#6280)
Table Changes
Add container access to the os_version table (#6413)
Add container access to DEB, RPM, NPM packages tables (#6414)
Add fields auid, fs{u,g}id, s{u,g}id to auditd-based tables (#6362)
Improve apt_sources resiliency (#6482)
Make file and hash container columns hidden (#6486)
Add 'maintainer', 'section', 'priority' columns to deb_packages (#6442)
Add 'vendor', 'package_group' columns to rpm_packages (#6443)
Add 'arch' column to os_version (#6444)
Add 'board_xxx' columns to system_info table (#6398)
Windows: omit non-interactive sessions from logged_in_users (#6375)
Fixes to package_bom table (#6457, #6461)
Add chassis_info table for Windows (#5282)
Add Azure tables (#6507)
Bug Fixes
Update hash cache inode number in query cache (#6440)
Only explode registry key if it can be tokenized (#6474)
Change ErrorBase::takeUnderlyingError to non-const (#6483)
Use RapidJSON to fix event format results and the Kafka Logger (#6449)
Correct the 'cwd' and 'root' columns of processes table on Windows (#6459)
Correct some SQLite types (#6392)
Partial fix for md_devices issue (#6417)
Fix the handling of empty args strings on Windows (#6460)
Refactor shutdown logging, and remove explicit syslog call (#6376)
Change the Windows registry LIKE path constraint to filter recursively (#6448)
Use sync resolve within http client (#6490)
Fix typed_row table caching (#6508)
Do not use system proxy for AWS local authority (#6512)
Only populate table cache with star-like selects (#6513)
Documentation
Update osquery security policy (#6425)
Updating changelog for 4.3.0 release (#6387)
Improve the new table tutorial (#6479)
Add Auto Table Construction to docs (#6476)
Add documentation for enabling socket_events on macOS (#6407)
Update winbaseobj table description (#6429)
Fixing the description of failed_login_count from account_policy_data (#6415)
Remove references to brew in macOS install (#6494)
Add note to bump the Homebrew cask (#6519)
Updating docs on cpack usage to include Chocolatey (#6022)
Changelog for 4.4.0 (#6492, #6523)
Build
Fix Userassist.test_sanity test sometimes failing (#6396)
Drop the facebook and source_migration layers (#6473)
Move ssdeep-cpp to source_migration (#6464)
Move smartmontools to source_migration (#6465)
Build augeas from source on macOS (#6399)
Build lldpd from source on macOS (#6406)
Build linenoise-ng from source on macOS and Windows (#6412)
Build sleuthkit from source on macOS (#6416)
Build popt from source on macOS (#6409)
Fix libelfin build on ossfuzz and LLVM/Clang 10 (#6472)
Use the patched libelfin version (#6480)
codegen: Port Jinja2 to Templite (#6470)
Pass the minimum macOS SDK version to openssl only if explicitly set (#6471)
Add git-lfs as dep for macOS build in documentation (#6384)
Update openssl from 1.1.1f to 1.1.1g (#6432)
Build openssl with the macOS SDK version taken from CMake (#6469)
Do not install openssl docs (#6441)
Update build configuration of ReadTheDocs (#6434, #6456)
Link librdkafka on Windows (#6454)
Build sleuthkit on Windows (#6445)
Add nupkg cpack build option and update Windows deployment script (#6262)
Fix rpm and deb package name format (#6468)
Fix atom_packages, processes, rpm_packages tests (#6518)
Fixes and cleanup for Windows compiler flags (#6521)
Correct macOS framework linking (#6522)
Security Issues
Disable openssl compression support (#6433)
Hardening
Use LOAD_LIBRARY_SEARCH_SYSTEM32 for LoadLibrary (#6458)