osquery

SQL powered operating system instrumentation, monitoring, and analytics.

License: Other

Stars: 21.8K


osquery - 5.13.1 Latest Release

Published by directionless 2 months ago

osquery - 5.13.0

Published by directionless 4 months ago

5.13.0

Git Commits

Representing commits from 20 contributors! Thank you all.

Windows codesigning note

The Windows binaries and MSI package have been signed with the Fleet Device Management codesigning certificate as the osquery project is currently working on identity verification to get a new signing certificate.

Table Changes

  • The Python manifest directories, .egg-info and .dist-info, contain flat file hierarchies (#8318)
  • Add new file path for alf plist (macOS 15) (#8352)
  • The users table on Linux now returns only users in /etc/passwd by default (#8342)
  • Add sha256 hash to apparmor_profiles table (#8345)
  • Add support for metalink and store repo config file name in yum_sources table (#8307)
  • Update user_ssh_keys with additional details for OpenSSL-style keys (#8314)
  • Fix table dns_resolvers dns-search bug with multiple search domains (#8329)
  • Fix process_open_sockets to correctly display family and protocol on macOS (#8315)
  • Add missing SSH key types to authorized_keys that support FIDO2 authentication (#8319)

Under the Hood improvements

  • Improve error message when required constraint missing (#8358)
  • Add verbose logging when distributed requests fail and retry (#8321)

Bug Fixes

  • Fix for Potential memory leak in class ServiceArgumentParser's Constructor (#8368)
  • Fix for Crash in ServiceArgumentParser via ServiceMain (#8353)
  • Fixing real precision by limiting precision to 15 digits (#8355 and #8302)
  • Fix invalid memory access in curl_certificates table (#8339)
  • Add pending state to ATC tables to avoid duplicate sql attaches (#8324) & revert ATC changes from (#8233) that caused a race condition and ATC table failure
  • Fix crash when carve size is stored as string (#8297)

Documentation

  • Updated Time Machine table documentation to require FDA (#8325)
  • Update processes table spec and docs, to remove outdated column alias (#8363)
  • Fill in missing column descriptions to spec for device_partitions (#8364)
  • Improve explanation of required columns (#8365)
  • Update package_receipts table example (#8326)
  • Remove some duplicated words from code comments and strings (#8336)

Build

  • Correct spec file name to macwin (#8311)
  • Fix xz submodule url: the GitHub mirror was banned due to CVE-2024-3094 (#8304)
  • Update Linux Docker image to Ubuntu 20.04 (#8369)
  • Fix util-linux submodule url (#8303)
  • Update macos builder to 14 and tester to 12 (#8359)
  • Make fallthrough explicit in sqlite_encoding.cpp (#8361)
  • Fix macOS python dependencies install step (#8308)
osquery - 5.12.2

Published by directionless 5 months ago

Git Commits

This release is a hot fix. It reverts #8233, which had inadvertently broken ATC tables under some conditions.

Representing commits from 3 contributors! Thank you all.

Bug Fixes

  • Revert "Don't add ATC table name to registry until after sqlite DB initialization" #8233 (#8334)

Build

  • CI: Fix macOS python dependencies install step (#8308)
osquery - 5.12.1

Published by directionless 7 months ago

Draft

osquery - 5.12.0

Published by directionless 8 months ago

draft

osquery - 5.11.0

Published by directionless 10 months ago

Draft

osquery - 5.10.2

Published by directionless 12 months ago

5.10.2

Git Commits

This release has several updates and bug fixes, including improvements to various tables and to how they are handled.

One potential breaking change is in how the watchdog calculates CPU utilization.
Previously this calculation was based on physical CPUs; it is now based on virtual cores, which we believe makes more sense with modern CPUs. Deployments that tuned the watchdog's CPU limit against the old behaviour should re-check it on multi-core hosts.

A second potential breaking change is in PR #8102. In addition to allowing decorations at the top level of the status logs, this PR normalizes the decorations format to match the results log. In practice, this means that the unixTime, severity and line JSON fields are now numbers instead of strings, so log consumers that type-check these fields need to accept both forms while a fleet is mid-upgrade.
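The following is an added example, not code from the osquery project: a small normaliser for a status-log consumer that must accept both the pre-5.10.2 string encoding and the 5.10.2+ numeric encoding of unixTime, severity and line, and that folds top-level decorations back into a nested object. The sample log lines are constructed for the example, and the set of decorator names passed to the normaliser is an assumption of the caller, because a record does not mark which top-level keys came from decorators.

```python
"""Added example, not osquery project code: normalise osqueryd status-log
lines from before and after 5.10.2 into one schema for a log consumer.

Before 5.10.2 the unixTime, severity and line fields were emitted as JSON
strings; from 5.10.2 (PR #8102) they are JSON numbers. The same PR lets
status-log decorations sit at the top level of the record when
decorations_top_level is enabled; the decorator names are an assumption
supplied by the caller.
"""
import json

# JSON fields whose type changed from string to number in 5.10.2.
NUMERIC_STATUS_FIELDS = ("unixTime", "severity", "line")

# Constructed sample lines (not captured from a real host).
STATUS_PRE_5_10_2 = (
    '{"hostIdentifier":"host-a","calendarTime":"Tue Sep 19 10:00:00 2023 UTC",'
    '"unixTime":"1695117600","severity":"1","filename":"watcher.cpp","line":"215",'
    '"message":"osqueryd worker (1234) stopping: Memory limits exceeded",'
    '"version":"5.9.1","decorations":{"role":"web"}}'
)
STATUS_5_10_2_TOP_LEVEL = (
    '{"hostIdentifier":"host-b","calendarTime":"Tue Sep 19 10:00:00 2023 UTC",'
    '"unixTime":1695117600,"severity":1,"filename":"watcher.cpp","line":215,'
    '"message":"osqueryd worker (5678) stopping: Memory limits exceeded",'
    '"version":"5.10.2","role":"web"}'
)


def status_schema(line_or_record):
    """Return 'string' for the pre-5.10.2 encoding, 'number' for 5.10.2+.

    Accepts a raw JSON line or an already-parsed dict. Raises ValueError if
    the record mixes the two encodings, which a single osqueryd version never
    produces and which usually means a mangled line.
    """
    record = json.loads(line_or_record) if isinstance(line_or_record, str) else line_or_record
    kinds = set()
    for field in NUMERIC_STATUS_FIELDS:
        if field not in record:
            continue
        value = record[field]
        # bool is a subclass of int in Python; it is never a valid encoding here.
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise ValueError("unexpected type for %s: %r" % (field, value))
        kinds.add("string" if isinstance(value, str) else "number")
    if len(kinds) > 1:
        raise ValueError("mixed string/number encodings in one record")
    return kinds.pop() if kinds else "number"


def normalize_status_line(line, decoration_keys=()):
    """Parse one status-log line; return a dict with the numeric fields as int
    and decorations always nested under the 'decorations' key."""
    record = json.loads(line)
    status_schema(record)  # type check; raises on garbage or mixed encodings
    for field in NUMERIC_STATUS_FIELDS:
        if field in record and isinstance(record[field], str):
            text = record[field].strip()
            if not text.lstrip("-").isdigit():
                raise ValueError("non-integer %s: %r" % (field, record[field]))
            record[field] = int(text)
    if "decorations" not in record:
        # decorations_top_level layout: lift the configured decorator keys back
        # into a nested object so downstream code sees one shape.
        lifted = {k: record.pop(k) for k in list(decoration_keys) if k in record}
        record["decorations"] = lifted
    return record
```

The consumer calls status_schema first if it wants to count how many hosts are still on the old encoding, and normalize_status_line for everything it stores; both raise rather than guess when a line does not match either encoding.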

Representing commits from 18 contributors! Thank you all.

New Features

  • Add --enable_watchdog_debug flag and improve watchdog error messages (#8070)
  • Add --aws_enforce_fips to enforce AWS FIPS endpoints (#8075)
  • Add new AWS valid regions (#8110)
  • Implement decorations_top_level flag for status logs (#8102)

Table Changes

  • Add new macOS SIP config flags (#8101)
  • Added cloud_id to ycloud_instance_metadata - the vm metadata table for Yandex Cloud (#8086)
  • Allow querying of kernel and filesystem drivers (#8119)
  • Update es_process_file_events adding support for open events, and for only triggering on file_paths (#8114)
  • Update firefox_addons to use rapidjson to parse and don't block on read (#8089)
  • Update macOS es_process_events table: quote spaces in command line and environment variables (#8054)
  • Update linux disk_encryption to recursively query parent crypt status (#8052)
  • Add, and revert, indexing on block_devices (#8037, #8151)

Under the Hood improvements

  • Add warnings when an enrollment secret cannot be found (#8082)
  • Avoid blocking when reading plist files (#8099)
  • Fix named virtual table create statement (#8139)
  • Remove forensicReadFile (#8085)
  • Substitute the TEXT macro with SQL_TEXT in table code (#8091)
  • Use JSON member iterator instead of rescanning (#8122)
  • core: Avoid checking if a file exists before opening (#8087)
  • improvement: Avoid unnecessary string conversions (#8093)
  • watchdog: Use virtual cores to calculate CPU utilization limit (#8104)

Bug Fixes

  • Always lock event_index_mutex when accessing event_index map (#8077)
  • Check audit return values with <= (#8125)
  • Fix wifi_survey table not to crash if the ssid cannot be retrieved (#8153)
  • Fix macOS EndpointSecurity FIM mute inversion for file paths (#8166)

Documentation

  • Add a list of Osquery fleet managers (#7781)
  • Add basic file carving documentation (#8118)
  • Changelog for 5.9.1 (#8088)
  • Changelog 5.10.1 (#8155)
  • Fixed small doc error (#8147)
  • Update Automatic Table Construction example (#8094)
  • Update XCode version mentions to the proper one (#8128)
  • Update the description of serial_number in connected_displays (#8113)

Build

  • Fix openssl build arch for Windows ARM64 (#8134)
  • Fix python test http server use SSLContext.wrap_socket() instead of deprecated ssl.wrap_socket() (#8169)
  • GitHub Action to cleanup at stale ec2 runners (#8156)
  • Ignore CVE-2023-30571 (#8065)
  • Missing pragma/header guard for boottime.h (#8117)
  • Permit cross compiling for x86_64 on Apple Silicon (#8136)
  • build: update macos hosted github runner to macos-12 monterey (#8100)
  • ci: Fix DistributedTests.test_run_queries_with_denylisted_query test (#8154)
  • ci: Increase aarch64 available space by splitting the build (#8131)
  • ci: Increase disk space on the Linux x86_64 runner (#8133)
  • ci: Remove flakyness when removing unused packages on Linux (#8144)
  • cve: Fix the expat product name in the libraries manifest (#8158)
  • cve: Ignore dbus CVE-2023-34969 (#8126)
  • cve: Ignore libcap CVE-2023-2603 (#8127)
  • cve: Update expat to version 2.5.0 (#8159)
  • cve: Update libmagic to 5.45 (#8142)
  • cve: Update lzma to 5.4.4 (#8135)
  • cve: Update openssl to 3.1.3 (#8141)
  • libs: Fix openssl build on aarch64 (#8084)
  • libs: Update openssl to 3.1.1 (#8081)
  • libs: Update openssl to 3.1.2 (#8124)
  • test: Fix leaks in inotify and rocksdb tests (#8080)
osquery - 5.10.1

Published by directionless about 1 year ago

draft

osquery - 5.10.0

Published by directionless about 1 year ago

draft

osquery - Testing Tools -- not a real release

Published by directionless about 1 year ago

Sorry for the noise

osquery - 5.9.1

Published by directionless over 1 year ago

5.9.1

Git Commits

Big shoutout for the Windows Arm port!

Representing commits from 14 contributors! Thank you all.

New Features

  • Add support for Windows on Arm (#7918)
  • logger: Add new string_batch request type to complement existing string type (#8027)

Table Changes

  • Add connected_displays table on macOS (#7946)
  • Add windows_search table (#7990)
  • Restore functionality of crashes table on macOS 12 and newer (#7819)
  • Update keychain_items to include data about key types (#8002)
  • Update os_version to include Apple RSR fields using native API (#8011)
  • Update safari_extensions to handle the current app extensions pattern (#7991)
  • Update system_info to include the number of sockets (#8038)
  • Update unified_log table to add predicate column and optimize timestamp constraint (#8019)

Under the Hood improvements

  • Improving listDirectoriesInDirectory by using std::fs (#7974)
  • Do not consider a 404 as an error in ec2-instance-metadata (#8025)
  • Release objects and free memory obtained from COM (#7999)
  • Do not pass wstring::c_str() to wstringToString function (#8000)
  • Do not copy process arguments into vector for CreateProcess call (#7956)

Bug Fixes

  • Fix version column in homebrew_packages (#8057)
  • Improve extended_attributes implementation for Linux and macOS (#8046)
  • Update event tables to mark time column as "additional" (#8020)

Documentation

  • Update expired Slack invite (#8051)
  • Update es_process_file_events.table description (#7978)
  • CHANGELOG 5.8.2 (#7986)

Build

  • cve: Update to openssl 1.1.1u (#8050)
  • cmake: Add an option to disable shallow git clone operations (#8026)
  • Fix the aarch64 workflow (#8036)
  • test: Fix a leak in ExtendedAttributesTableTests SetUp function (#8045)
  • cve: Update libxml2 to v2.11.2 (#8023)
  • libs: Bring out LZ4 from rdkafka and update it to v1.9.4 (#7996)
  • ci: Update python version and docs build tools (#7969)
  • ci: Update aarch64 runner to Ubuntu 20.04 and update badges (#7984)
  • Add few unit tests for the hashing component (#7993)
osquery - 5.8.2

Published by directionless over 1 year ago

5.8.2

Git Commits

5.8.2 is a hotfix for how osquery's COM security initialization works. See https://github.com/osquery/osquery/issues/7962 for details.

Representing commits from 6 contributors! Thank you all.

Bug Fixes

  • Fix empty batch result set reporting (#7958)
  • Fix COM security initialization by setting COM security per interface level (#7963)
  • Fix username field in managed_policy table (#7944)

Documentation

  • CHANGELOG 5.8.1 (#7957)

Build

  • test: Do not always expect a row from the secureboot table (#7967)
  • cmake: Only link against the experiments loader when needed (#7959)
  • tests: Fix some tests becoming osquery shells (#7964)
  • test: Fix SystemdUnitsTest missing the unit_file_state column (#7965)
  • tests: Do not always build root tests on Linux (#7966)
osquery - 5.8.1

Published by directionless over 1 year ago

5.8.1

Git Commits

Representing commits from 22 contributors! Thank you all.

New Features

  • Record and send statistics for distributed queries (#7870)

Table Changes

  • Add ETW-based process events table for Windows (#7821)
  • Add pid_with_namespace for yara table (#7920)
  • Add a new table kernel_keys to the Linux platform (#7876)
  • Leave min_version empty in xprotect_meta when not specified (#7926)
  • Port the secureboot table to macOS (#7692)
  • Update docker_container_stats table to include cached_memory column (#7807)
  • cpu_info: Port the table to macOS x86 and Apple Silicon (#7757)
  • experiments: Implement a new bpf_process_events_v2 table (#7773)
  • systemd_units: Add new unit_file_state column (#7895)

Under the Hood improvements

  • Set counter consistently so zero always indicates all records (#7801)
  • Support logging empty result set in batch format for initial runs (#7803)
  • Support rollbacks of osquery when new versions introduce new column families (#7712)
  • analysis.py: Add --pack flag to load queries from a pack file (#7935)
  • profile.py: Log # of queries loaded and raise an error if 0 are loaded (#7934)

Bug Fixes

  • Clear cached constraints and columns in xBestIndex (#7435)
  • Fix assert fail for unverified WMI request result (#7921)
  • Fix leaks in scheduled_tasks (#7903) (#7904)
  • Flush console buffer during ungraceful exit (#7829)
  • Propagate windows errors to the exit code (#7896)
  • Relax osquery safe permissions check (#7763)
  • Silence warnings for more builtin Chrome and Brave extensions (#7932)
  • Workaround for hung routes table (#7916)
  • dns_resolvers: fix typo in the name when spawning in namespace (#7875)
  • test: Fix flaky test_daemon_sigint (#7888)

Documentation

  • Add note about windows_security_products compatibility (#7880)
  • CHANGELOG 5.7.0 (#7894)
  • Docs: mention the recent adoption of automatic CVE scanning (#7878)
  • Fix broken link in CODE_OF_CONDUCT.md (#7922)
  • docs: Update the list of pages (#7866)
  • docs: clarify that logger_plugin is set from CLI (#7917)

Build

  • Do not catch table or registry exceptions when running tests (#7621)
  • Fix and document discovery queries behavior on distributed queries and add tests (#7655)
  • Try to free some disk space on the arm64 runners (#7950)
  • ci: Automatically cancel old PR jobs (#7887)
  • ci: Improve error message when a library is missing from the manifest (#7899)
  • ci: Remove Windows 32bit build (#7939)
  • ci: Update some actions to remove deprecation warnings (#7864)
  • ci: Workaround in the aarch64 runner to avoid out of space (#7941)
  • cmake: Remove forced static libraries search for osquery-toolchain (#7881)
  • cve: Ignore libcryptsetup cves (#7871)
  • cve: Ignore libdpkg CVE-2022-1664 (#7872)
  • cve: Ignore libgcrypt cves (#7873)
  • cve: Ignore sqlite CVE-2022-46908 (#7911)
  • cve: Ignore util-linux cves (#7929)
  • cve: Update librpm to 4.18.0 (#7910)
  • cve: Update openssl to 1.1.1t (#7937)
  • cve: Update yara to 4.2.3 (#7912)
  • git: Ignore compile_commands.json and pyrightconfig.json (#7885)
  • libs: Fix libmagic build on macOS (#7915)
  • libs: Fix system paths used by dbus (#7919)
  • libs: Update dbus to 1.12.24 (#7905)
  • libs: Update libarchive to 3.6.2 (#7877)
  • libs: Update libxml2 to 2.10.3 (#7882)
  • libs: Update popt to 1.19 (#7909)
  • libs: Update util-linux to 2.35.2 (#7902)
  • libs: Update zlib to 1.2.13 (#7874)
  • libs: update Thrift to 0.17 (#7868)
  • test: Add an option to run only selected python testcases (#7890)
  • test: Speed up ec2InstanceMetadata.test_sanity (#7907)
osquery - 5.7.0

Published by directionless almost 2 years ago

5.7.0

Git Commits

Representing commits from 12 contributors! Thank you all.

CVEs

Addressed by updating a library:

Ignored due to not affecting osquery:

  • libzstd CVE-2021-24031 via (#7865)

New Features

  • New table security_profile_info to retrieve security profile information on Windows (#7794)

Table Changes

  • Add column to es_process_events for process codesigning flags (#7726)
  • shimcache: Only check CurrentControlSet to avoid duplicate rows (#7832)
  • processes: Fix the procfs memory unit kB, which is 1024 bytes not 1000 (#7818)
  • Fix permissions on opening pipes for reading in pipes table (#7810)
  • Fix the empty host column from logged_in_users table (#7685)
  • docker_containers: Don't report finished_at for a container which is still running (#7783)
  • processes: Stabilize the start_time column value on macOS and Linux (#7788)

Bug Fixes

  • Do not access the AWS SDK request content type if missing (#7834)
  • Fix deadlock when logging happens during a database reset (#7798)
  • Fix handling of some errors during an AWS HTTP request (#7811)

Documentation

  • CHANGELOG 5.6.0 (#7804)
  • Add link to official YARA docs (#7792)
  • Fix typo in keychain_items (#7790)

Packs

  • packs/incident_response: process_memory_map is also applicable to Darwin (#7789)

Build

  • cve: Ignore zstd CVE-2021-24031 (#7865)
  • ci: Add a job and helper scripts to periodically scan for CVEs (#7787)
  • ci: Update how we set github workflow step outputs (#7791)
  • ci: Fix python version when installing modules and testing on macos (#7813)
osquery - 5.6.0

Published by directionless about 2 years ago

5.6.0

Git Commits

Representing commits from 10 contributors! Thank you all.

Table Changes

  • Add firmware_type column to platform_info on macOS (#7727)
  • Add additional vendor support for the windows wmi_bios_info table (#7631)
  • Fix docker_container_processes on macOS (#7746)
  • Fix process_file_events subscriber being incorrectly initialized (#7759)
  • Fix secureboot on Windows by acquiring the necessary process privileges (#7743)
  • Improve macOS mdfind -- Reduce table overhead and support interruption (#7738)
  • Remove binary column from firefox_addons table (#7735)
  • Remove is_running column from macOS running_apps table (#7774)

Under the Hood improvements

  • Add notes field to the schema and associated json (#7747)
  • Add extended platforms to the schema and associated json (#7760)
  • Fix a leak and improve users and groups APIs on Windows (#7755)
  • Have --tls_dump output body to stderr (#7715)
  • Improvements to osquery AWS logic (#7714)
  • Remove leftover FreeBSD related code and documentation (#7739)

Documentation

  • CHANGELOG 5.5.1 (#7737)
  • Correct the description on how to configure and use Yara signature urls (#7769)
  • Document difference between yara and yara_events (#7744)
  • Link to the slack archives (#7786)
  • Update docs: _changes tables are not evented (#7762)

Build

  • Delete temporary CTest files (#7782)
  • Fix table tests for macOS running_apps (#7775)
  • Fix table tests for windows platform_info (#7742)
  • Migrate jobs from ubuntu-18.04 to ubuntu-20.04 (#7745)
  • Remove unused find_packages modules and submodule (#7771)
osquery - 5.5.1

Published by directionless about 2 years ago

Git Commits

Osquery 5.5.1 has some really exciting table updates! There is the much anticipated unified_log table for macOS; this table is the replacement for asl and uses the current Apple APIs. Additionally, several tables have improved their cross-platform support.

Representing commits from 14 contributors! Thank you all.

New Features

  • Add denylist mechanism to distributed queries (#7675)

Table Changes

  • Add cgroup_path column to processes table on Linux (#7728)
  • Add firmware_type column to platform_info table on Windows. (#7710)
  • Add unified_log table for macOS (UAL) (#7598, #7713)
  • Port memory_devices table to Windows (#7633)
  • Port platform_info table to M1 Macs (#7660)
  • Restore macOS kernel_panics table on modern macOS (#7585)
  • Update battery table on macOS m1 with correct raw battery max and current capacity (#7721)
  • Update mdfind query timeout to 30 seconds (#7725)
  • Update macOS password_policy table to use -1 as the sentinel value for the uid column (#7699)
  • Update parsing of authorized_keys file (#7560)
  • Update the registry table to be case insensitive for key (#7708)

Under the Hood improvements

  • Add a mechanism to reduce memory retained on Linux (#7502)
  • Add denylist mechanism to distributed queries (#7675)
  • Add table spec support for COLLATE NOCASE (#7680)
  • Improve Pidfile handling (#7304)
  • Prevent the audit event system from using too much memory (#7329)
  • carves: use full pathnames while creating an archive (#7681)

Bug Fixes

  • Fix GetMemorySize for Windows memory_devices table (#7711)
  • Fix tpm_info bug where values were out of date (#7686)
  • Fix a crash when parsing ATC config with no columns (#7693)
  • Fix bug in GetHomeDirectories filesystem function (#7705)

Documentation

  • Add core to the type column description of osquery_extensions schema (#7716)
  • Add documentation about 3rd-party dependency security (#7684)
  • Add example for hostname form in curl_certificate table (#7706)
  • Adds info on how to use GTEST_FILTER on windows (#7696)
  • Changelog 5.4.0 (#7678)
  • Describe user-context-related caveat for screenlock table (#7649)
  • Update schema for process_open_sockets.state (#7733)
  • Update schema to reflect platform_info columns not available in Windows (#7732)

Build

  • Add validation integration test for memory_devices (#7722)
  • Temporarily disable memory_devices integration test (#7717)
  • Update minimum macOS support from 10.12 to 10.14 (#7707)
  • ci: Update and temporarily disable the macOS Catalina test job (#7700)
  • cmake: Prevent defining some Linux only targets on other platforms (#7672)
  • libs: Update libxml2 to v2.9.14 (#7729)
  • libs: Update sqlite to version 3.39.2 (#7736)
  • test: Fix Mdfind.test_sanity flakyness (#7701)
osquery - 5.4.0

Published by directionless over 2 years ago

5.4.0

Git Commits

Representing commits from 15 contributors! Thank you all.

New Features

  • We're extending macOS Endpoint Security to include File Integrity monitoring. Check out the new es_process_file_events table. (#7579)
  • Add Docker build scripts and configuration (#7619)

Deprecation Notices

  • Prevent CLI_FLAGs from being set via config (#7561)
  • Remove the lldp_neighbors table (#7664)

Table Changes

  • New Table: es_process_file_events for macOS Endpoint Security based FIM (#7579)
  • New Table: password_policy table for macOS (#7594)
  • New Table: windows_update_history (#7407)
  • Add memory_available to linux memory_info table (#7669)
  • Port the cpu_info table to linux (#7499)
  • Remove the lldp_neighbors table (#7664)
  • Update deb_packages table to not display arch info in the package name (#7638)
  • Update hardware_model in the system_info table on Apple M1 machines to report correctly (#7662)
  • Update shared_resources table to add type names, fix type/maximum_allowed handling (#7645)

Under the Hood improvements

  • Expand env vars before trying to enumerate crashes in windows_crashes table (#7391)
  • Implement a split and trim function using std::string_view (#7636)
  • Improve scheduled query denylisting and scheduler shutdown (#7492)
  • Prevent CLI_FLAGs from being set via config (#7561)
  • Remove unnecessary string copy (#7625)

Bug Fixes

  • Add linwin to list of supported PLATFORM_DIRS (#7646)
  • Fix AWS certificate verification failing on all services (#7652)
  • Fix MBCS support on Windows (#7593)
  • Fix local_timezone column in the time table on Windows (#7656)
  • Fix system_info table to support unicode on Windows (#7626)
  • Fix multiple Yara leaks (#7615)
  • Fix std::bad_alloc on pci_devices on Apple Silicon macs (#7648)
  • Fix tables spec files to specify linux and not posix (#7644)
  • Fix thrift server shutting down when dropping privileges (#7639)

Documentation

  • CHANGELOG 5.3.0 (#7575)
  • Exclude spec/example.table when generating documentation (#7647)
  • Fix a UUID typo in the disk_encryption table (#7608)
  • Fix spelling of the word "owned" (#7630)
  • Fix typo in FIM docs for Windows (#7676)
  • Update the "new release" issue template (#7607)
  • Clarify that the browser_plugins table references the essentially unsupported NPAPI plugin technology (#7651)

Build

  • Add an option to build with the leak sanitizer (#7609)
  • Fix check for PIE support (#7234)
  • Fix SchedulerTests.test_scheduler_drift_accumulation flakyness (#7613)
  • Improve config parsing and osqueryfuzz-config performance (#7635)
  • Initialize users and groups services on all tests that need them (#7620)
  • ci: Update osquery-packaging commit to the latest one (#7667)
  • cmake: Add an option to enable or disable using ccache (#7671)
  • libs: Update OpenSSL to version 1.1.1o (#7629)
  • libs: Update OpenSSL to version 1.1.1q (#7674)
  • libs: Update libarchive to version 3.6.1 (#7654)
  • libs: Update sqlite to version 3.38.5 (#7628)
osquery - 5.3.0

Published by directionless over 2 years ago

5.3.0

Git Commits

osquery 5.3.0 brings several table improvements and bugfixes.
Also worth mentioning are the deprecation of the smart_drive_info table
and the new warning emitted when a CLI-only flag is incorrectly set
via the config file. In the next release, CLI-only flags will no longer be
configurable through the config file or a config refresh.

This release represents commits from 15 contributors! Thank you all.
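Before upgrading past 5.3.0 it is worth auditing configs for options that only take effect on the command line. The following is an added example, not osquery project code, that lists the CLI-only options found in a config's "options" block and splits them out into --flagfile lines. CLI_ONLY_FLAGS is an illustrative subset and an assumption of this example (logger_plugin is documented as CLI-only elsewhere on this page, #7917); the authoritative set is whatever the osqueryd build you run marks as CLI-only. The sample config is constructed for the example.

```python
"""Added example, not osquery project code: audit an osquery JSON config for
options that are CLI-only flags before upgrading past 5.3.0.

5.3.0 warns when a CLI_FLAG is set under "options" in the config file; from
5.4.0 (#7561) such a value is no longer applied from there, so it has to
move to the command line or to a file passed with --flagfile.
"""
import json

# Illustrative subset of CLI-only flags; an assumption of this example, not
# the full list. Check `osqueryd --help` for the version you deploy.
CLI_ONLY_FLAGS = frozenset({
    "config_plugin", "logger_plugin", "database_path",
    "extensions_socket", "tls_hostname", "enroll_secret_path",
})

# Constructed sample config (not from a real deployment).
SAMPLE_CONFIG = """
{
  "options": {
    "logger_plugin": "tls",
    "tls_hostname": "fleet.example.internal",
    "schedule_splay_percent": 10,
    "disable_events": false
  },
  "schedule": {
    "listening_ports": {"query": "SELECT * FROM listening_ports;", "interval": 600}
  }
}
"""


def _options_of(config):
    options = config.get("options", {})
    if not isinstance(options, dict):
        raise ValueError('"options" must be a JSON object')
    return options


def cli_only_options(config_text, cli_only=CLI_ONLY_FLAGS):
    """Return the sorted option names in config_text that are CLI-only and
    therefore warned about in 5.3.0 and ignored from 5.4.0."""
    options = _options_of(json.loads(config_text))
    return sorted(k for k in options if k in cli_only)


def _flag_value(value):
    # gflags-style encoding: booleans as true/false, everything else as text.
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def split_config(config_text, cli_only=CLI_ONLY_FLAGS):
    """Split a config into (config text without CLI-only options, flagfile lines).

    The flagfile lines are in the --name=value form osqueryd reads from a
    file given with --flagfile; the returned config is re-serialised JSON
    with the moved options removed and everything else untouched.
    """
    config = json.loads(config_text)
    options = _options_of(config)
    moved = {k: options.pop(k) for k in sorted(options) if k in cli_only}
    flag_lines = ["--%s=%s" % (k, _flag_value(v)) for k, v in moved.items()]
    return json.dumps(config, indent=2), flag_lines
```

Run cli_only_options over every config a fleet serves (including ones delivered by a TLS config plugin, since a config refresh is covered by the same restriction) and fail the deployment pipeline on a non-empty result; split_config produces the flagfile content to move the offending values to.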

Deprecation Notices

  • Deprecate unmaintainable legacy table, smart_drive_info #7464

New Features

  • Add the option tls_disable_status_log to prevent status logs from being sent via TLS #7550
  • Add SQLite function in_cidr_block to check if IPv4/v6 addresses are within the supplied CIDR block #7563

Table Changes

  • Add the admindir column to the deb_packages table to parse package databases on different paths #7549
  • Implement and fix wifi_networks on macOS Big Sur and newer #7503
  • Add windows/darwin support to npm_packages #7536
  • Move apt_sources and yum_sources tables to linux only #7537
  • Add homebrew paths to the python_packages table #7535
  • Mark wall_time column in osquery_schedule as hidden #7501
  • Add new metrics and improve description of existing ones in osquery_schedule #7438
  • Add the mirrorlist column in the table yum_sources #7479
  • Implement output_size for osquery_schedule #7436
  • deb_packages table: Use additional instead of index for the admindir column #7573
  • certificates table: Add Linux support #7570
  • Add translated column to processes table to indicate whether the process is running under Apple Rosetta #7507
  • Add the "internet password" type to the macOS keychain_items table #7576
  • Add original filename column to file table on Windows #7156

Bug Fixes

  • Fix watchdog not killing unhealthy worker/extension fast enough #7474
  • Fix the test_http_server.py --persist option #7497
  • Update profile.py --leaks for python3 #7534
  • Fixes osquery tls connections to aws kinesis when tls_server_certs is set #7450
  • Fix parsing issue when a backslash is the last character on a sudoers file line #7440
  • Change the JSON of the results coming from an event scheduled query to an array #7434
  • Fix globToRegex truncating UTF16 characters #7430
  • Prevent hanging when the WMI server does not respond #7429
  • Fix python_packages table so that it lists python packages from any user Python installations #7414
  • Set string size limit on thrift protocol factory to prevent a crash #7484
  • Fix driver image path in drivers table #7444
  • Do not remove nonblocking flag when reading "special" files, to prevent hangs #7530
  • Fix crash due to interaction between distributed and config plugin #7504
  • bpf: Disable the BPF publisher in case of error #7500
  • Warn about setting CLI_FLAGs in the config #7583
  • Explicitly set context for the tables reading utmpx databases #7578
  • bpf: Improve socket event handling #7446
  • certificates: Refactor the OpenSSL utilities #7581
  • Fix shared_resources accessing uninitialized variables #7600

Under the Hood improvements

  • Implement a performant cache for users and groups on Windows #7516
  • Replace WmiRequest constructor with static factory method to improve error handling and prevent crashes #7489
  • Remove redundant string conversion #7603

Build

  • Fix DebPackages.test_sanity test when the size column is empty #7569
  • libs: Update libdpkg from version v1.19.0.5 to v1.21.7 #7549
  • CI: Restore some release checks #7558
  • Prevent ebpfpub linking against the system zlib #7557
  • Fix mdfind.test_sanity flaky behavior #7533
  • Enable fuzzing and Asan on Windows, enable Asan on macOS #7470
  • Update cppcheck to version 2.6.3 and skip analysis for third party code #7455
  • Change cpu_info test to expect at least one socket, not just one #7490
  • Fix third party libraries flags leaking to osquery targets #7480
  • Add third party libraries target #7467
  • Do not run clang-tidy on third party libraries #7432
  • CI: Create github workflow target to gate mergeability #7427
  • Fix some warnings about unrecognized special characters in the Windows event log test #7478
  • Change where the macOS Info.plist is generated #7566
  • Add OSQUERY_ENABLE_THREAD_SANITIZER to optionally enable TSan #6997
  • Add an option to specify a path to the openssl archive #7559
  • packs: Update reverse shell query pack to check for a valid remote_port #7567
  • Remove the test_daemon_sighup test #7584

Documentation

  • docs: remove FreeBSD #7508
  • Pin Jinja2 ReadTheDocs dependency to 3.0.3 #7533
  • CHANGELOG 5.2.3 #7571
  • CHANGELOG 5.2.2 #7447
  • Bump mkdocs from 1.1.2 to 1.2.3 in /docs #7457
  • Replace OS X with macOS in table specs #7587
  • Update osquery.example.conf to omit the CLI only flags #7595
osquery -

Published by alessandrogario over 2 years ago

5.2.3

Git Commits

Osquery 5.2.3 is a security update that focuses on updating some third-party libraries
which contained CVEs that could affect osquery.
Additionally some other third-party libraries and tables have been dropped,
since they were not maintained or considered safe anymore.

Deprecation Notices

  • Remove the shortcut_files table #7545
  • Remove the ssdeep library and remove its support in the hash table #7520
  • Remove the libelfin library and elf parsing tables #7510

Hardening

  • libs: Update OpenSSL from version 1.1.1l to 1.1.1n #7506
  • libs: Update zlib from v1.2.11 to v1.2.12 #7548
  • Update librpm to 4.17.0 #7529
  • libs: Update expat from version 2.2.10 to 2.4.7 #7526
osquery - 5.2.2

Published by directionless over 2 years ago

Osquery 5.2.2 brings native Apple Silicon (M1) support to the macOS platform. It also represents a comprehensive review and update of our third-party dependencies. To support this work, the developer docs have been updated, as have several parts of the build system.

This release represents commits from 24 contributors! Thank you all.

New Features

  • Apple Silicon support (#7330)

Deprecation Notices

  • The cpuid table is x86 only. See #7462
  • The smart_drive_info table has been deprecated, and is not included in the m1 builds. See #7464
  • The lldp_neighbors table has been deprecated, and is not included in the m1 builds. See #7463

Table Changes

  • Update time table to always reflect UTC values (#7276, #7460, #7437)
  • Hide the deprecated antispyware column in windows_security_center (#7411)
  • Add windows_firewall_rules table for windows (#7403)

Bug Fixes

  • Update the ATC table path column check to be case insensitive (#7442)
  • Fix a crash introduced by 5.2.0 when Yara uses its own strutils functions (#7439)
  • Fix user_time and system_time unit in processes table on M1 (#7473)

Documentation

Build

  • Update sqlite to version 3.37.0 (#7426)
  • Fix linking of thirdparty_sleuthkit (#7425)
  • Fix how we disable tables in the fuzzer init method (#7419)
  • Prevent running discovery queries when fuzzing (#7418)
  • Add BOOST_USE_ASAN define when enabling Asan (#7469)
  • Removing unnecessary macOS version check (#7451)
  • Fix submodule cache for macOS CI runner (#7456)
  • Add osquery version to macOS app bundle Info.plist (#7452)
  • libs: Update OpenSSL to version 1.1.1l (#7330)
  • libs: Update augeas to version 1.12.0 (#7330)
  • libs: Update aws-sdk to version 1.9.116 (#7330)
  • libs: Update boost to version 1.77 (#7330)
  • libs: Update gflags to 2.2.2 (#7330)
  • libs: Update glog to version 0.5.0 (#7330)
  • libs: Update googletest to version 1.11.0 (#7330)
  • libs: Update libarchive to version 3.5.2 (#7330)
  • libs: Update libcap to version 1.2.59 (#7330)
  • libs: Update libmagic to version 5.40 (#7330)
  • libs: Update librdkafka to version 1.8.0 (#7330)
  • libs: Update libxml2 to version 2.9.12 (#7330)
  • libs: Update linenoise-ng to the latest commit (#7330)
  • libs: Update lzma to version 5.2.5 (#7330)
  • libs: Update rocksdb to version 6.22.1 (#7330)
  • libs: Update sleuthkit to version 4.11.0 (#7330)
  • libs: Update ssdeep-cpp to the latest commit (d8705da) (#7330)
  • libs: Update thrift to version 0.15.0 (#7330)
  • libs: Update yara to version 4.1.3 (#7330)
  • libs: Update zstd to version 1.4.0 (#7330)
Package Rankings
Top 3.39% on Proxy.golang.org