4.7.0
Commits from 21 contributors! Thank you all!
New Features
- Add `concat` and `concat_ws` sql functions (#6927)
- Update the scheduler to log the query name at info level (#6934)
- Add support for SQLite RPM databases (#6939)
Table Changes
- Add `computer` column to Windows Eventlogs (#6952)
- Add `docker_image_history` table (#6884)
- Add `filevault_status` column to disk_encryption table (#6823)
- Add `location_services` table on macOS (#6826)
- Add `shellbags` table (#6949)
- Add `system_extensions` table on macOS (#6863)
- Add `systemd_units` table (#6593)
- Add `ycloud_instance_metadata` table (#6961)
- Fix loading of YARA rules on Windows (#6893)
- Fix macOS OpenDirectory attribute mismatch (#6816)
- Update `augeas` table not to autoload system lenses (#6980)
- Update `chrome_extensions` table -- more browser support and tests (#6780)
- Update `office_mru` table to correct platforms (#6827)
- Update aws table to include macOS (#6817)
Under the Hood improvements
- Remove Azure Pipelines (#6953)
- Disable deprecated TLS versions 1.0, 1.1 (#6910)
- Use librpm bdb_ro backend and remove bdb (#6931)
- bpf: Improve execve/execveat tracing, add AArch64 build support (#6802)
- Use a distinct carver `request_id` and add this to the schema (#6959)
- Initialize TLSLogForwarder before enrollment check (#6958)
- Put noisy thrift logs behind a flag (#6951)
- Fix bug in windows thrift, causing named pipe closing (#6937)
- Remove unused/experimental ebpf code (#6879)
- Remove unused ev2 code (#6878)
- Refactor the eventing framework to reduce disk IO and improve performance (#6610)
Bug Fixes
- Add `journal_mode` to the sqlite authorizer PRAGMAs (#6999)
- Add `table_info` to the sqlite authorizer PRAGMAs (#6814)
- Always use BIGINT macro for `long long` data (#6986)
- Copy JSON objects to avoid MemoryPool buildup (#6957)
- Do not call unconfigured subscribers errors (#6847)
- Do not ignore mountpoints that have the same mount path (#6871)
- Do not start scheduler when shutting down (#6960)
- Don't mark scope and key columns as index in selinux_settings table (#6872)
- Fix `augeas` table output bug for non-path entries (#6981)
- Fix `pids` column in `docker_container_stats` table (#6965)
- Fix additional relative path check in Yara for Windows (#6894)
- Fix config validation oom with duplicated keys (#6876)
- Fix data type macro used for 64-bit timestamp variables (#6897)
- Fix error in `process_open_files`: inode needs `stoul`, not `stoi` (#6983)
- Fix leaks when a query fails from the shell (#6849)
- Fix mem leak regression with Windows sids API (#6984)
- Make Group ID columns consistent across Windows tables (#6987)
- When iterating /proc, use individual try/catch blocks to catch partial failures (#6933)
- augeas: Clear aug pointer on error (#6973)
Documentation
- Add 4.6.0 CHANGELOG (#6809)
- Add 4.7.0 CHANGELOG (#6985)
- Add docs for TLS enroll max attempts (#6888)
- Change reference about Azure Pipelines to GitHub Actions (#6988)
- Clarify FIM exclude category documentation (#6966)
- Document retrieval of available tables/columns via SQL (#6812)
- Fix Github Actions status badge in the README (#6908)
- Fix all broken or redirected URLs and references (#6835)
- Fix broken URL in docs (#6882)
- Fix incorrect Slack URLs (#6844)
- Fix packs discovery queries documentation (#6946)
- Fix reference to a Powershell script on Windows (#6936)
- Fix typos in source code (#6901)
- Improve explanations of event control flags (#6954)
- Spellcheck and Markdown edits (#6899)
- Update README to include release process comment (#6877)
- Update documentation about denylist schedule key (#6922)
- Update macOS OpenBSM configuration (#6916)
- Update the Linux install steps and package listing (#6956)
- Update the info about osquery's TLS version support (#6963)
Build
- CI: Add a RelWithDebInfo Linux job to generate packages (#6838)
- CI: Add support for GitHub Actions (#6885)
- CI: Add unit tests for RPM DB querying (#6919)
- CI: Fix ExtendedAttributesTableTests failing due to an unexpected attribute (#6942)
- CI: Fix StartupItemTest failing due to unexpected values (#6940)
- CI: Fix SystemControlsTest adding sunrpc as an expected subsystem (#6932)
- CI: Fix XattrTests failing due to unexpected attribute name (#6941)
- CI: Fix an incorrect check in StartupItems test (#6950)
- CI: Fix wifi_tests on macOS 10.15 and above (#6724)
- CI: Move cppcheck step after the tests (#6845)
- CI: Permit running formatting earlier in the CI (#6836)
- CI: Remove incorrect 2to3 symlink breaking Python brew upgrade (#6819)
- CI: Remove unused empty test file (#6918)
- CI: Remove unused tests for Rocksdb and Inmemory db plugins (#6900)
- CI: Update XCode to 12.3 and Update min macOS version to 10.12 (#6896, #6913)
- CI: Update macOS agent to 10.15 Catalina (#6680)
- CMake: Add -pthread compile option on posix platforms (#6909)
- CMake: Add Valgrind support (#6834)
- CMake: Add an option to disable building AWS tables and library (#6831)
- CMake: Add an option to disable building libdpkg tables and library (#6848)
- CMake: Detect missing headers during include namespace generation (#6855)
- CMake: Do not attempt to dllimport Thrift symbols (#6856)
- CMake: Do not compile Windows libraries with debug symbols (#6833)
- CMake: Explicitly set the MSVC runtime library (#6818)
- CMake: Fix amalgamated tables generation on change (#6832)
- CMake: Fix platformtablecontaineripc include namespace generation (#6853)
- CMake: Further fix amalgamation file gen on change (#6854)
- CMake: Refactor and rename fuzzers build flag (#6829)
- CMake: Significantly speed up configuration phase (#6914)
- CMake: Use make jobserver for OpenSSL on Linux and macOS (#6821)
- CPack: Remove extraneous lenses directory for augeas on macOS (#6998)
- Change libdpkg submodule url to our own GitHub mirror (#6903)
- Disable incremental linking to reduce build size on Windows (#6898)
- GitHub Actions: Fix .deb artifacts, add scheduled builds (#6920)
- Remove `hash` and `yara` tables from fuzz harnesses (#6972)
- libraries: Reduce the compilation units from libarchive (#6886)
- libraries: Remove the last usage of sqlite3 from sleuthkit (#6858)
- libraries: Rename yara str functions to avoid symbol collisions (#6917)
- libraries: Update librpm to version 4.16.1.2 (#6850)
- libraries: Update openssl to version 1.1.1i (#6820)
- libraries: Update thrift to version 0.13.0 (#6822)
Hardening
- Update CODEOWNERS to reflect existing teams (#6955, #6975)
- Restrict access to Thrift server pipe on Windows (#6875)
- Fix a leak in libdpkg when querying the `deb_packages` table (#6892)
- Fix UB and dangerous casting in the pubsub framework (#6881)
- Fix heap-use-after-free in deregisterEventSubscriber (#6880)
- Thrift patch to support security configuration (#6846)
- Improve config fuzzer dictionary creation script (#6860)
- Avoid running queries for views when fuzzing (#6859)