osquery-1/CHANGELOG.md

4.0.2

This release fixes crashes identified in 4.0.1. There are no changes in functionality.

Git Commits

Bug Fixes

• Fix configuration of AWS libraries to address crash in Linux (#5799)
• Remove RocksDB optimization causing crash (#5797)

4.0.1

This release has two major focuses. It is the first release since osquery transitioned to a Linux Foundation project.

It features a heavily reworked build system. This aims to provide flexibility and stability.

Git Commits

New Features / Under the Hood improvements

• Linux Audit process_events Implement support for fork/vfork/clone/execveat (#5701)
• New SQLite function regex_match to match across columns (#5444)
• LRU cache for syscall tracing (#5521)
• Basic tracing via eBPF on Linux (#5403, #5386, #5384)
• Experimental kill and setuid syscall tracing in Linux via eBPF (#5519)
• New eventing (ev2) framework (#5401)
• Improved table performance profiles (#5187)
• macOS query pack: detect SearchAwesome malware (#5713)
• macOS query pack: detect when a process is tapping keyboard event (#5345)

Build

• Refactor CMake build (#5604, #5627, #5630, (#5618), (#5619))
• Refactor third-party libraries to build from source on Linux (#5706)
• Add Azure Pipelines support for CI/CD (#5604, #5632, #5626, #5613, #5607, #5673, #5610)
• Add Buck as a build system (971bee44)
• Use urllib2 to automatically handle HTTP 301/302 redirections (#5612)
• Update MSI package to install to Program Files on Windows (#5579)
• Linux custom toolchain integration (#5759)

Harderning

• Link binaries with Full RELRO on Linux (#5748)
• Remove FTS features from SQLite (#5703) (#5702)
• Fix SQLite API usage errors (#5551)
• Fix issues reported by ASAN (#5665)
• Handle bad FDs in md_tables (#5553)
• Fix lock resource leak in events/syslog (#5552)
• Fix memory leak in macOS keychain_items and extended_attributes tables (#5550, #5538)
• Fix memory leak in genLoggedInUsers (Windows). Update WTSFreeMemoryEx to WTSFreeMemory (#5642)
• Fix potential null dereferences in smbios_tables (#5332)
• Fix osquery exiting with wrong status (3824c2e6)
• Add additional install and uninstall flag incompatibility check (85eb77a0)
• Fix warning with constants initialisation in magic (2a624f2f)
• Fix sign compare warning in file_compression (b93069b3)
• Refactored logical_drives table on Windows (#5400)
• Refactored core/windows/wmi to use smart pointers (#5492)
• Fixed various potential crashes in the virtual table implementaion (6ade85a5)
• Increase the amount of MaxRecvRetries for Thrift sockets (#5390)

Bug Fixes

• Fix the reading of the serial of a certificate (little-endian big int) (#5742)
• Fix bugs and update pathname variables in MSI package build script (#5733)
• Fix registry table exception closing an uninitialized key handle (#5718)
• Config views are now recreated on startup (#5732)
• Change MSI Service Error handling on Windows (#5467)
• Allow mounting SQLite DBs using WAL journaling with ATC (#5525, #5633)
• Fix mount table interacting with direct autofs (#5635)
• Fix HTTP Host Header to include port (#5576)
• Various fixes to the Windows certificates table and expansion to include Personal certificates (#5697), (#5696), (#5640), (#5631)
• Add optimization back to macOS users and groups (#5684)
• Do not return a row for macOS battery if no data is present (#5650)
• Fix several integer conversions in process_ops (#5614)
• Include weekends on the kernel_panics table (#5298)
• Fix key_strength bug for Windows certificates table (#5304)
• The interface column of routes table could be empty on Windows (bcf0ab8e)
• The name column of programs table could be empty on Windows (7bceba4b)
• Fix disable_watcher flag (08dc11b7)
• Populate path column correctly in firefox_addons table (#5462)
• Fix numeric monitoring plugin not being registered (#5484)
• Fix wrong error code returned when querying the Windows registry (#5621)
• Fix logical_drives boot partition detection (#5477)
• Replace sync calls by async within the HTTP client implementation (#5606)
• Fix RocksDB crash related to OptimizeForSmallDb (a31d7582)
• Fix bug in table column data validator (e3037331)
• Fix random port problem (a32ed7c4)
• Refactor battery table and return information even if advanced information is missing (6a64e353)

Table Changes

• Added table ibridge_info on macOS (Notebooks only) (#5707)
• Added table running_apps on macOS (#5216)
• Added table atom_packages on macOS and Linux (6d159d40)
• Remove EC2 tables on Windows (#5657)
• Added column win_timestamp to time table on Windows (3bbe6c51)
• Added column is_hidded to users and groups table on macOS (#5368)
• Added column profile to chrome_extensions table (#5213)
• Added column epoch to rpm_packages table on Linux (#5248)
• Added column sid to logged_in_users table on Windows (#5454)
• Added column registry_hive to logged_in_users table on Windows (#5454)
• Added column sid to certificates table on Windows (#5631)
• Added column store_location to certificates table on Windows (#5631)
• Added column store to certificates table on Windows (#5631)
• Added column username to certificates table on Windows (#5631)
• Added column store_id to certificates table on Windows (#5631)
• Added column product_version to file table on Windows (#5431)
• Added column source to sudoers table on POSIX systems (#5350)