5.10.2
This release has several updates and bug fixes, including several improvements to various tables and their handling.
One potential breaking change is in how the watchdog calculates CPU utilization. Previously this calculation was based on physical CPUs; it is now based on virtual cores. We believe this makes more sense with modern CPUs.
A second potential breaking change is in PR #8102. In addition to allowing decorations at the top level of the status logs, this PR normalizes the decorations format to match the results log. In practice, this means that the `unixTime`, `severity` and `line` JSON fields are now numbers instead of strings.
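Log pipelines that still expect the string encoding need to accept both forms while a fleet upgrades. The following is an added example, not osquery's own code, using constructed sample status-log lines: it parses each record and coerces the three changed fields to integers whichever encoding the agent emitted, rejecting values that are neither.

```python
"""Normalise osquery status-log records across the 5.10.2 field-type change."""
import json
from typing import Any, Dict, Iterable, List

# Fields that PR #8102 changed from JSON strings to JSON numbers.
NUMERIC_FIELDS = ("unixTime", "severity", "line")

# Constructed sample lines, not taken from the release notes or from osquery.
# The first uses the pre-5.10.2 string encoding, the second the 5.10.2 numeric
# one with a top-level "decorations" object.
SAMPLE_LINES = [
    '{"hostIdentifier":"host-a","calendarTime":"Mon Sep 25 10:00:00 2023 UTC",'
    '"unixTime":"1695636000","severity":"0","filename":"scheduler.cpp","line":"75",'
    '"message":"Executing scheduled query pack_x","version":"5.9.1"}',
    '{"hostIdentifier":"host-b","calendarTime":"Mon Sep 25 10:00:01 2023 UTC",'
    '"unixTime":1695636001,"severity":1,"filename":"watchdog.cpp","line":220,'
    '"message":"Memory limit exceeded","version":"5.10.2","decorations":{"env":"prod"}}',
]


def is_legacy_format(record: Dict[str, Any]) -> bool:
    """True when any of the changed fields is still a JSON string (pre-5.10.2)."""
    return any(isinstance(record.get(f), str) for f in NUMERIC_FIELDS)


def normalize_status_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with unixTime/severity/line as ints, whichever encoding was used.

    A field that is neither an int nor an all-digit string is treated as a
    malformed record and rejected rather than passed downstream silently.
    """
    out = dict(record)
    for field in NUMERIC_FIELDS:
        if field not in out:
            continue
        value = out[field]
        if isinstance(value, bool) or not isinstance(value, (int, str)):
            raise ValueError(f"{field}: unexpected type {type(value).__name__}")
        if isinstance(value, str):
            if not value.isdigit():
                raise ValueError(f"{field}: non-numeric string {value!r}")
            value = int(value)
        out[field] = value
    return out


def normalize_status_lines(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Parse newline-delimited status-log text and normalise every record."""
    return [normalize_status_record(json.loads(line)) for line in lines]


if __name__ == "__main__":
    for rec in normalize_status_lines(SAMPLE_LINES):
        print(rec["version"], rec["unixTime"], rec["severity"], rec["line"])
```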
Representing commits from 18 contributors! Thank you all.
New Features
- Add `--enable_watchdog_debug` flag and improve watchdog error messages (#8070)
- Add `--aws_enforce_fips` to enforce AWS FIPS endpoints (#8075)
- Add new AWS valid regions (#8110)
- Implement `decorations_top_level` flag for status logs (#8102)
Table Changes
- Add new macOS SIP config flags (#8101)
- Added `cloud_id` to `ycloud_instance_metadata`, the VM metadata table for Yandex Cloud (#8086)
- Allow querying of kernel and filesystem drivers (#8119)
- Update `es_process_file_events`, adding support for open events and for only triggering on `file_paths` (#8114)
- Update `firefox_addons` to use rapidjson to parse and not block on read (#8089)
- Update macOS `es_process_events` table: quote spaces in command line and environment variables (#8054)
- Update Linux `disk_encryption` to recursively query parent crypt status (#8052)
- Add, and revert, indexing on `block_devices` (#8037, #8151)
Under the Hood improvements
- Add warnings when an enrollment secret cannot be found (#8082)
- Avoid blocking when reading plist files (#8099)
- Fix named virtual table create statement (#8139)
- Remove forensicReadFile (#8085)
- Substitute the TEXT macro with SQL_TEXT in table code (#8091)
- Use JSON member iterator instead of rescanning (#8122)
- core: Avoid checking if a file exists before opening (#8087)
- improvement: Avoid unnecessary string conversions (#8093)
- watchdog: Use virtual cores to calculate CPU utilization limit (#8104)
Bug Fixes
- Always lock event_index_mutex when accessing event_index map (#8077)
- Check audit return values with <= (#8125)
- Fix `wifi_survey` table not to crash if the SSID cannot be retrieved (#8153)
- Fix macOS EndpointSecurity FIM mute inversion for file paths (#8166)
Documentation
- Add a list of Osquery fleet managers (#7781)
- Add basic file carving documentation (#8118)
- Changelog for 5.9.1 (#8088)
- Changelog 5.10.1 (#8155)
- Fixed small doc error (#8147)
- Update Automatic Table Construction example (#8094)
- Update XCode version mentions to the proper one (#8128)
- Update the description of `serial_number` in `connected_displays` (#8113)
Build
- Fix openssl build arch for Windows ARM64 (#8134)
- Fix python test http server: use `SSLContext.wrap_socket()` instead of deprecated `ssl.wrap_socket()` (#8169)
- GitHub Action to clean up stale ec2 runners (#8156)
- Ignore CVE-2023-30571 (#8065)
- Missing pragma/header guard for boottime.h (#8117)
- Permit cross compiling for x86_64 on Apple Silicon (#8136)
- build: update macos hosted github runner to macos-12 monterey (#8100)
- ci: Fix DistributedTests.test_run_queries_with_denylisted_query test (#8154)
- ci: Increase aarch64 available space by splitting the build (#8131)
- ci: Increase disk space on the Linux x86_64 runner (#8133)
- ci: Remove flakiness when removing unused packages on Linux (#8144)
- cve: Fix the expat product name in the libraries manifest (#8158)
- cve: Ignore dbus CVE-2023-34969 (#8126)
- cve: Ignore libcap CVE-2023-2603 (#8127)
- cve: Update expat to version 2.5.0 (#8159)
- cve: Update libmagic to 5.45 (#8142)
- cve: Update lzma to 5.4.4 (#8135)
- cve: Update openssl to 3.1.3 (#8141)
- libs: Fix openssl build on aarch64 (#8084)
- libs: Update openssl to 3.1.1 (#8081)
- libs: Update openssl to 3.1.2 (#8124)
- test: Fix leaks in inotify and rocksdb tests (#8080)