
Releases: osquery/osquery

3.2.7

11 Jun 21:04
Pre-release

This release is made available to address CVE-2018-6336.
The fix results in the macOS signature table reporting lines for each architecture within FAT bundled executables.
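To make the architecture-aware reporting concrete, here is an added example (not osquery's own code, and not the code of the CVE fix) that walks the header of a macOS universal ("FAT") binary and lists every architecture slice it contains. The constants come from Apple's mach-o headers; the sample binary is constructed inline (bare Mach-O headers with no load commands) so the parser can be run offline. The point it illustrates is why one row per architecture matters: a universal file is a container, and each slice is an independent Mach-O that needs its own signature verdict. Signature validation itself is out of scope here; the example stops at splitting the file into the per-architecture units a verifier would consume.

```python
import struct

# Constants from Apple's <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE      # universal ("FAT") binary; the FAT header is always big-endian
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O header
CPU_TYPE_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_TYPE_ABI64
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_TYPE_ABI64
CPU_TYPE_POWERPC = 18

CPU_TYPE_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86_64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM64: "arm64",
    CPU_TYPE_POWERPC: "ppc",
}

FAT_HEADER = struct.Struct(">II")     # magic, nfat_arch
FAT_ARCH = struct.Struct(">iiIII")    # cputype, cpusubtype, offset, size, align (log2)


def arch_name(cputype):
    return CPU_TYPE_NAMES.get(cputype, "cputype_%#x" % cputype)


def list_architectures(data):
    """Return [(arch, offset, size)] for every executable slice in a Mach-O file.

    A thin Mach-O yields one entry; a FAT (universal) binary yields one entry per
    fat_arch record. A verdict for the host's slice alone says nothing about the
    other slices the loader could pick on a different machine, which is why an
    architecture-aware signature table reports one line per slice.
    """
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    magic = struct.unpack(">I", data[:4])[0]
    if magic == FAT_MAGIC:
        _, nfat_arch = FAT_HEADER.unpack_from(data, 0)
        slices = []
        for i in range(nfat_arch):
            rec = FAT_HEADER.size + i * FAT_ARCH.size
            if rec + FAT_ARCH.size > len(data):
                raise ValueError("fat_arch table truncated at entry %d" % i)
            cputype, _, offset, size, _ = FAT_ARCH.unpack_from(data, rec)
            if offset + size > len(data):
                raise ValueError("slice %d (%s) extends past end of file" % (i, arch_name(cputype)))
            slices.append((arch_name(cputype), offset, size))
        return slices
    # Thin Mach-O: the header is written in the target's byte order, so try both.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in (MH_MAGIC, MH_MAGIC_64):
            cputype = struct.unpack(endian + "i", data[4:8])[0]
            return [(arch_name(cputype), 0, len(data))]
    raise ValueError("not a Mach-O or FAT file")


def split_slices(data):
    """Map each architecture to the bytes of its slice, the unit a per-arch check operates on."""
    return {arch: data[off:off + size] for arch, off, size in list_architectures(data)}


def thin_header(cputype, is_64):
    """Constructed sample: a bare Mach-O executable header (no load commands) for `cputype`."""
    if is_64:   # mach_header_64 is 8 x uint32 = 32 bytes; filetype 2 = MH_EXECUTE
        return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)
    return struct.pack("<IiiIIII", MH_MAGIC, cputype, 3, 2, 0, 0, 0)  # mach_header: 28 bytes


def build_sample_fat(align=12):
    """Constructed sample: a two-slice universal binary (x86_64 + i386) with page-aligned slices."""
    slices = [(CPU_TYPE_X86_64, thin_header(CPU_TYPE_X86_64, True)),
              (CPU_TYPE_X86, thin_header(CPU_TYPE_X86, False))]
    page = 1 << align
    out = bytearray(FAT_HEADER.pack(FAT_MAGIC, len(slices)))
    for i, (cputype, blob) in enumerate(slices):
        out += FAT_ARCH.pack(cputype, 3, page * (i + 1), len(blob), align)
    for i, (_, blob) in enumerate(slices):
        out += b"\0" * (page * (i + 1) - len(out))   # pad up to the slice's offset
        out += blob
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_fat()
    for arch, off, size in list_architectures(sample):
        print("%-8s offset=%d size=%d" % (arch, off, size))
```

Running the block prints one line per slice of the constructed sample (x86_64 at offset 4096, i386 at offset 8192), and each value of `split_slices()` parses on its own as a thin Mach-O. With the `arch` column added to the signature table in this release, a query on a universal executable likewise returns one row per slice rather than a single verdict.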

Improvements

We added lightweight support for building the dependencies toolchain with GCC 7.
The goal is to help people building the dependencies from source on Ubuntu 18.04.

This also removes native compilation optimizations for RapidJSON.

#4437 Update AWS-SDK-CPP to version 1.4.55
#4439 Update libdpkg to version 1.19.0.5
#4440 Update The SleuthKit to version 4.6.1

#4393 Reduce drift time in query schedule

There was a minor unintentional drift in the query schedule, which added slight delays to when queries were executed.
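As an added illustration of how schedule drift of this kind arises (this is not osquery's scheduler code, and the release note does not describe the specific cause in osquery), the simulation below compares two ways of arming the next run of a periodic query. If the next run is armed relative to when the previous run finished, every execution's cost leaks into the period and the delays accumulate; if it is armed relative to when the previous run was due, the cost does not accumulate. Interval and cost values are constructed for the example.

```python
def simulate_schedule(interval, run_cost, runs, anchored):
    """Start times (seconds from t=0) of `runs` executions of a query meant to run
    every `interval` seconds, each execution taking `run_cost` seconds.

    anchored=False: the next run is armed `interval` seconds after the previous run
      finishes, so each run's cost leaks into the period and the schedule drifts.
    anchored=True: the next run is due `interval` seconds after the previous run was
      due, so execution cost does not accumulate across runs.
    """
    starts = []
    now = 0.0        # simulated wall clock
    due = 0.0        # when the next run is supposed to start
    for _ in range(runs):
        start = max(now, due)   # run when due, or immediately if already late
        starts.append(start)
        now = start + run_cost
        due = due + interval if anchored else now + interval
    return starts


def drift_seconds(interval, run_cost, runs, anchored):
    """How late the final run is relative to the ideal schedule, (runs - 1) * interval.

    With anchoring and run_cost < interval this is always 0. If run_cost exceeds
    interval, even an anchored scheduler falls behind because runs become
    back-to-back; at that point the query's cost, not the scheduler, is the problem.
    """
    starts = simulate_schedule(interval, run_cost, runs, anchored)
    return starts[-1] - (runs - 1) * interval


if __name__ == "__main__":
    # Constructed example: a 60-second schedule for a query that takes 2 seconds.
    for anchored in (False, True):
        print("anchored=%s drift after 10 runs: %.0fs"
              % (anchored, drift_seconds(60, 2, 10, anchored)))
```

For a 60-second interval and a 2-second query, the unanchored variant is 18 seconds late by the tenth run, while the anchored variant stays on the 0, 60, 120, ... grid.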

C++ extensions built using the external make target can now be bundled into a single executable.

Bug fixes

#3307 Various improvements to the python_packages table.
#4525 Address CVE-2018-6336 by making macOS signatures architecture-aware.

Table changes (from 3.2.6 to 3.2.7)

Added table battery to Darwin (Apple OS X)
Added table cpu_info to Microsoft Windows
Added table memory_array_mapped_addresses to POSIX-compatible Platforms
Added table memory_arrays to POSIX-compatible Platforms
Added table memory_device_mapped_addresses to POSIX-compatible Platforms
Added table memory_error_info to POSIX-compatible Platforms
Added table ulimit_info to POSIX-compatible Platforms
Added column readonly_rootfs (INTEGER_TYPE) to table docker_containers
Added column directory (TEXT_TYPE) to table python_packages
Added column arch (TEXT_TYPE) to table signature

3.2.6

22 May 21:10
584c5dd

Lots of bug fixes!

Bug fixes

#4284 Improve yum_sources reporting
#4310 Fix unicode parsing errors in the configuration
#4341 Fix races in plugin methods (caused by extension registrations)
#4321 Improve EventData parsing in Windows Events
#4328 Fix various errors in the system_controls table on MacOS
#4374 Handle placeholder hardware UUIDs by using an ephemeral UUID
#4399 Fix socket-reuse after failed-connection segfault (large-bug!)
#4401 Fix debuginfo build-id paths
#4404 Fix over-release in disk_encryption on MacOS

Table Changes (from 3.2.4 to 3.2.6)

Added table user_groups to All Platforms (moved from POSIX)
Added table cups_destinations to Darwin (Apple OS X)
Added table cups_jobs to Darwin (Apple OS X)
Added table mdfind to Darwin (Apple OS X)
Added table startup_items to MacOS and Windows
Added table powershell_events to Microsoft Windows
Added table wmi_bios_info to Microsoft Windows
Added table memory_devices to POSIX-compatible Platforms
Added table npm_packages to Linux
Added column encryption_method (TEXT_TYPE) to table bitlocker_info
Added column link_speed (BIGINT_TYPE) to table interface_details
Added column pci_slot (TEXT_TYPE) to table interface_details
Added column service (TEXT_TYPE) to table interface_details
Added column cgroup_namespace (TEXT_TYPE) to table processes
Added column ipc_namespace (TEXT_TYPE) to table processes
Added column is_elevated_token (INTEGER_TYPE) to table processes
Added column mnt_namespace (TEXT_TYPE) to table processes
Added column net_namespace (TEXT_TYPE) to table processes
Added column pid_namespace (TEXT_TYPE) to table processes
Added column user_namespace (TEXT_TYPE) to table processes
Added column uts_namespace (TEXT_TYPE) to table processes

3.2.5

11 May 21:30
e50a384
Pre-release
bug: wait for service thread to finish before exiting with SCM (#4386)

3.2.4

25 Apr 03:26
6ba1426

osquery 3.2.4 release notes

This tag represents the first stable release of the osquery 3.0.0 series. The biggest change for 3.0.0 is a migration from boost property trees to RapidJSON documents. This affects content in our RocksDB persistent store and the JSON interpretation of configuration and logging. Because of this migration we have introduced new database upgrading logic to automatically handle any subsequent database changes. This release also publishes the audit redesign first introduced in 3.1.0, as well as a variety of new tables for all platforms, detailed below.

Finally, this release introduces numerous new unit and integration tests for various components of osquery. Going forward, we will be more strict about requiring integration or unit tests for new features introduced to the code base in an effort to make our product more reliable and robust.

New features in osquery 3

  • We've migrated away from boost property trees in favor of RapidJSON objects. This migration resulted in massive performance gains for serialization to and from the database.
  • The Linux audit subsystem has been rearchitected to be more performant, reliable, and extensible.
  • The osquery.io website has been overhauled! Use this as a landing portal for table schemas, package downloads, and any news around the product.

Bug fixes

#4323 fix HANDLE leak in Windows processes functions
#4325 fix conversion of empty ptree to be empty RJ list
#4305 addressed memory leak in macos sip_config table
#4286 prevent runnable threads from deadlocking Windows service exit
#4276 ensure registry interface is thread safe
#4281 config parser keys are now objects or arrays
#4256 use specific release files in Linux os_version table
#4240 correctly divide uptime on Windows
#4236 ensure accelerated mode handles rapidjson correctly
#4234 filter process open sockets correctly when pid = -1
#4229 continue processing if a namespace lookup fails
#4222 fix crash in parsing stack traces for Windows crashes
#4125 fix leak in darwin disk_encryption table
#4169 correct external plugin name lookup
#4129 add loop detection to fs globbing
#4140 prevent duplicate build linkage by removing WEL as system logger
#4086 address RJ assertion failures in configuration
#4109 address sslv3 handshake failure in carver
#4051 fixes a crash in extended_attributes if file access fails due to permissions
#4047 fixes on_disk entry in processes table for linux

Table changes (from 2.11.2 to 3.2.4)

Added table account_policy_data to Darwin (Apple OS X)
Added table bitlocker_info to Microsoft Windows
Added table disk_info to Microsoft Windows
Added table kva_speculative_info to Microsoft Windows
Added table video_info to Microsoft Windows
Added table apt_sources to POSIX-compatible Platforms
Added table yum_sources to POSIX-compatible Platforms
Added table process_file_events to Ubuntu, CentOS

Added column serial (TEXT_TYPE) to table certificates
Added column cgroup_namespace (TEXT_TYPE) to table docker_containers
Added column config_entrypoint (TEXT_TYPE) to table docker_containers
Added column env_variables (TEXT_TYPE) to table docker_containers
Added column finished_at (TEXT_TYPE) to table docker_containers
Added column ipc_namespace (TEXT_TYPE) to table docker_containers
Added column mnt_namespace (TEXT_TYPE) to table docker_containers
Added column net_namespace (TEXT_TYPE) to table docker_containers
Added column path (TEXT_TYPE) to table docker_containers
Added column pid (BIGINT_TYPE) to table docker_containers
Added column pid_namespace (TEXT_TYPE) to table docker_containers
Added column privileged (INTEGER_TYPE) to table docker_containers
Added column security_options (TEXT_TYPE) to table docker_containers
Added column started_at (TEXT_TYPE) to table docker_containers
Added column user_namespace (TEXT_TYPE) to table docker_containers
Added column uts_namespace (TEXT_TYPE) to table docker_containers
Added column signed (INTEGER_TYPE) to table drivers
Added column fd (BIGINT_TYPE) to table listening_ports
Added column net_namespace (TEXT_TYPE) to table listening_ports
Added column path (TEXT_TYPE) to table listening_ports
Added column socket (BIGINT_TYPE) to table listening_ports
Added column net_namespace (TEXT_TYPE) to table process_open_sockets
Added column state (TEXT_TYPE) to table process_open_sockets
Added column disk_bytes_read (BIGINT_TYPE) to table processes
Added column disk_bytes_written (BIGINT_TYPE) to table processes
Added column cpu_microcode (TEXT_TYPE) to table system_info

Removed table apt_sources from Ubuntu, CentOS

3.2.3

18 Apr 17:51
3051081
Pre-release
bug: handle windows service shutdowns gracefully (#4286)

3.2.2

29 Mar 23:16
9797276
Pre-release
Properly filter process_open_sockets when pid=-1 (#4234)

3.2.1

29 Mar 20:40
Pre-release
tests: Fix compression test failing for Sierra #4139 (#4216)

3.2.0

21 Mar 16:47
Pre-release
mac/linux: add disk I/O columns to processes table (#4204)

3.1.0

08 Feb 00:46
Pre-release

See the 3.0.0 release notes about the 3.0 series!

This release includes the Linux Audit redesign. This redesign is faster, more reliable, and more extensible!

3.0.0

16 Jan 04:33
597b60d
Pre-release

Welcome to the 3.0.0 series! In this series we'll be moving fast to incorporate new features that improve performance and safety. Minor releases will indicate new landed features. We'll highlight what to expect for compatibility in the release notes for each version.

In this kick-off tag, we're ratcheting the build "runtime" that is installed with make deps. On macOS and Linux this is completely rebuilt to minimize the final binary size. We have also nitpicked compatibility options for macOS and believe this version is much safer for older versions, below 10.13. Finally, this version pays attention to OS and package manager maintainers. It will be a struggle to find the correct dependencies, but 3.0.0 supports a traditional cmake build if the SKIP_DEPS environment variable exists.