osquery

SQL powered operating system instrumentation, monitoring, and analytics.

OTHER License

Stars
21.8K


osquery - 2.10.3

Published by theopolis almost 7 years ago

This is a pre-release for internal testing of extensions changes.

osquery - 2.10.2

Published by theopolis almost 7 years ago

New features in 2.10.2

#3884 The macOS firewall exception URLs are now included in alf_exceptions

The systemd service unit includes a post-init script to reload the units properly.

Bug fixes

#3892 Use better precision for calculating process start time on macOS
#3917 Event tap publisher resource management fixes

Table changes (from 2.10.0 to 2.10.2)

Added table curl to All Platforms
Added table curl_certificate to All Platforms
Added table pipes to Microsoft Windows
Added column dst_port (TEXT_TYPE) to table iptables
Added column src_port (TEXT_TYPE) to table iptables

osquery - 2.10.1

Published by theopolis almost 7 years ago

osquery - 2.10.0

Published by obelisk almost 7 years ago

New features in 2.10.0

We've ported our HTTP client to Boost Beast to allow for more meaningful TLS errors and support for HTTP proxies.

#3623 Use Boost Beast as the HTTP client implementation (previously we used cpp-netlib)

Bug fixes

#3862 Lock access to individual SQL databases
#3856 Fix extended_schema on Windows (previously all extended columns were HIDDEN)

Table changes (from 2.9.0 to 2.10.0)

Added table key_events to Darwin (Apple OS X)
Added table authenticode to Microsoft Windows
Added table logical_drives to Microsoft Windows
Added table physical_disk_performance to Microsoft Windows
Added column version (TEXT_TYPE) to table usb_devices

osquery - 2.9.2

Published by theopolis almost 7 years ago

osquery - 2.9.1

Published by theopolis about 7 years ago

osquery - 2.9.0

Published by muffins about 7 years ago

New features in 2.9.0

This is a security release; it includes fixes for weaknesses in several virtual tables.

Please check out the new SECURITY.md security issues tracker for more details. This release has updated several dependency formulas. The focus for those updates was also security related. While it is unclear if weaknesses in dependencies have an exact adverse effect on osquery, it is important to update them regardless. These updates mean a stronger and safer set of binary versions available on the https://osquery.io downloads page.

Bug fixes

#3785 (CVE-2017-15026) Use sanitized SQL for ie_extensions on Windows
#3783 Drop temporary privileges to the intended user within safari_extensions
#3782 (CVE-2017-15027) Use the owner of parent path in dropToParent event if the parent is a symlink
#3781 (CVE-2017-15028) Drop temporary privileges to the intended user within known_hosts

The notable dependency updates include:
#3780 libmagic updated to 5.32
#3775 libxml2 updated to 2.9.5
#3767 augeas updated to 1.8.1
#3770 libarchive updated to 3.3.3

osquery - 2.8.1

Published by muffins about 7 years ago

New features in 2.8.1

This is largely a break-fix release addressing an issue with the Kinesis/Firehose logging format. This release also sees a few small changes to the newly designed website, as well as a small overhaul of the filesystem abstraction to make use of Boost's path objects.

Bug fixes

#3746 Check Crypt API values for nullptr before using in disk_encryption table
#3743 Add newline character between loglines for Firehose/Kinesis

Table changes (from 2.8.0 to 2.8.1)

Added column last_opened_time (DOUBLE_TYPE) to table apps

osquery - 2.8.0

Published by muffins about 7 years ago

New features in 2.8.0

This release merges the osqueryi shell into the osqueryd daemon. Both binaries will still be shipped with all platform packages; the osqueryi binary is simply a copy of the osqueryd binary. The core logic of the shell merely checks the name of the running executable, and if it is osqueryi we launch into the shell. This release also sees various changes to our third-party dependencies. Firstly, we have dropped snappy and LZ4 from our dependency chain in favor of ZSTD, so these packages will no longer be required for builds. Further, we have upgraded all platforms to Boost 1.65.0, and finally we have brought Firehose/Kinesis logging to the Windows platform. Lastly, a few hardening changes to the RocksDB interface will ensure a better and more robust interface with the local caching database and help recover from database corruption.

#3635 RocksDB interface has been extended to include a 'backup' and recover feature
#3641 Firehose/Kinesis logging is now supported on Windows

Bug fixes

#3613 Fixed boost 1.65.0 builds for macOS
#3599 Addressed an issue in the Kinesis/Firehose record size check
#3628 Wrapped the Windows shutdown event logic in a Mutex
#3651 New query counter added to ignore initial results for differential querying
#3661 Fixed listening_ports table to use readlink instead of readpath
#3663 Fixed RocksDB interface to avoid calling DB::Flush so often
#3662 Fixed debug info breakage introduced via binary merging
#3673 Fixed builds linking against shared objects
#3671 Fixed bug which had changed enrollment tests path
#3685 Use PackageKit to better enumerate package receipts on macOS
#3698 Address shutdown behavior on Windows to ensure safe service stop

Table changes (from 2.7.0 to 2.8.0)

Added table python_packages to All Platforms
Added table chocolatey_packages to Microsoft Windows
Added table curl to POSIX-compatible Platforms
Added column friendly_name (TEXT_TYPE) to table interface_addresses
Added column friendly_name (TEXT_TYPE) to table interface_details
Added column host (TEXT_TYPE) to table preferences
Removed table process_file_events from Darwin (Apple OS X)
Removed table python_packages from POSIX-compatible Platforms

osquery - 2.7.0

Published by theopolis about 7 years ago

New features in 2.7.0

#3506 FSEvents on macOS will monitor mount events within already-monitored directories
#3503 OpenBSM events are monitored as process_events on macOS
#3265 Add RapidJSON integration as a boost property tree replacement
#3530 Implement excluded paths for FIM for Linux and macOS

Bug fixes

#3517 Wait for each extension before respawning
#3553 and #3552 Fixing memory leaks in virtual tables
#3534 Improve macOS process start_time column
#3539 Fix sizes for block_devices on macOS and Linux
#3574 Display correct UID for processes for Domain Users on Windows
#3580 Fix handling of multiple LIKE and GLOB predicates

  • When LIKE and GLOB are combined with OR in query predicates, the SQLite optimizer may replace TEXT fields with incorrect values, causing unexpected behavior for tables like file that expect globbing input for path names.

Table changes (from 2.6.0 to 2.7.0)

Added table process_memory_map to All Platforms (from POSIX)

Added table device_firmware to Darwin (Apple OS X)
Added table gatekeeper to Darwin (Apple OS X)
Added table gatekeeper_approved_apps to Darwin (Apple OS X)
Added table shared_folders to Darwin (Apple OS X)
Added table sharing_preferences to Darwin (Apple OS X)
Added table certificates to MacOS and Windows
Added table user_events to POSIX-compatible Platforms
Added table ec2_instance_metadata to Ubuntu, CentOS
Added table ec2_instance_tags to Ubuntu, CentOS

Added column block_size (INTEGER_TYPE) to table block_devices
Added column cwd (TEXT_TYPE) to table process_events
Added column status (BIGINT_TYPE) to table process_events
Added column action (TEXT_TYPE) to table scheduled_tasks
Added column class (TEXT_TYPE) to table usb_devices
Added column protocol (TEXT_TYPE) to table usb_devices
Added column subclass (TEXT_TYPE) to table usb_devices

osquery - 2.6.1

Published by theopolis about 7 years ago

osquery - 2.6.0

Published by obelisk about 7 years ago

This is the next stable build of osquery, ready for production. This release fixes many bugs in the Windows version, vastly improving stability and some tables. The SQLite version was also bumped to 3.19.3 and improvements were made to inotify eventing on Linux. The preferences table on Darwin has also been changed and its core functionality moved to a new plist table. See (#3455) for more details, as this may require updates to any scheduled queries that use this table. For more complete release notes, see the highlights below.

Several bug fixes pertaining to Windows:

  • (#3478) Fixed a crash in interface_details - If WMI data was empty, an invalid access occurred.
  • (#3481) Choco build output directory change - Building a package will now drop you in the directory you started in, not the build directory.
  • (#3475) Fixed worker respawn logic - Killed workers were not being respawned correctly due to a lack of early exit.
  • (#3470) system_info FQDN - The system_info table on Windows will now return the full FQDN, not just the host name.
  • (#3484) Additional install locations - The programs table checks more locations to find installed applications.
  • (#3431) Skip tests on Windows - It's now possible to skip building tests via an environment variable on Windows.
  • (#3444) Autoexec - Added a new table to find auto-executing programs.
  • (#3436) IE Extensions - Added a new table to list extensions installed in IE.

A few bug fixes to POSIX/macOS:

  • (#3454) (#3473) (#3476) High Sierra related fixes - Fixed a bug where the local clang-format wasn't being used and the system one was called instead. Also fixed a globbing bug caused by a new file ordering on APFS systems.
  • (#3480) Mount event on Darwin - FSEvents now also catches mount events, and these alerts go through the same pub/sub flow with the action "MOUNTED".

General Updates

  • (#3488) Changes to plugin failures - All plugins will now fail if one fails. This ensures plugins are in a good state when initialization finishes.
  • (#3485) Update to SQLite - SQLite version bumped to 3.19.3
  • (#3489) TSAN fixes - Some general TSAN issues addressed.
  • (#3487) Don't ignore SIGCHLD - Stop ignoring the SIGCHLD interrupt to exit faster.
  • (#3459) Updates to inotify - Logic improved around adding/removing subscribers in the inotify eventer.
  • (#3469) Fix TLS Config Update - Fixes TLS update and sets the refresh period to one hour.
  • (#3457) Moved pid file - The osquery pid file is now in /var/run/ on Linux and FreeBSD systems.
  • (#3378) Added epoch time to scheduled queries - To assist in keeping backend systems in sync with system state, an epoch decorator was added.
  • (#3455) Separated preferences and plist - Preferences was split into its own table and the functionality of plist parsing was moved to a new plist table.
  • (#3448) Watchdog issues resolved - There were some instances where certain flag usage would inadvertently disable the watchdog.
  • (#3390) Symlink column in file table - A new column indicating whether the file is a symlink.

osquery - 2.5.3

Published by theopolis over 7 years ago

osquery - 2.5.2

Published by theopolis over 7 years ago

osquery - 2.5.1

Published by theopolis over 7 years ago

osquery - 2.5.0

Published by muffins over 7 years ago

New features in 2.5.0:

There are several new features and bug fixes.

#3356 Only reconfigure event publishers if configuration content changes
#3375 Add the "platform mask" to enrollment requests
#3376 Allow Linux publishers to be interrupted (previously they would stop)
#3360 Add a watchdog delay (60s) before enforcing limits to allow for log flushing
#3402 Increase max rpm_package_files to 64k on Linux

Table changes (from 2.4.6 to 2.5.0):

Added table virtual_memory_info to Darwin (Apple OS X)
Added table load_average to POSIX-compatible Platforms
Added column local_hostname (TEXT_TYPE) to table system_info
Added and removed several columns in the Windows drivers table

osquery - 2.4.7

Published by muffins over 7 years ago

osquery - 2.4.6

Published by muffins over 7 years ago

New features in 2.4.6:

This is a 'Rebuild the World' release of third-party dependencies, with bumps in most of the libraries used by osquery. As part of this bump in third-party dependencies we now make use of Clang's ThinLTO to enhance the linking experience. This release further brings in fixes to our build process to facilitate using the ASAN and TSAN frameworks. Lastly, this release introduces the concept of views for osquery queries, as well as the SQL to_base64 and from_base64 column functions.

#3297 Windows interface_addresses now leverages native Win32 APIs as opposed to WMI
#3312 Add base64 encode and decoding functions
#3306 Adding a config block to create views

Bug fixes

#3307 Fix reading past the end of buffer in fileops tests
#3308 Fix temperature sorting in darwin temperature_sensors table
#3309 Fix crash caused by boost's unhandled exception in filesystem
#3286 Fix sudoers path on FreeBSD, add fields to os_version
#3291 Fix patchlevel reporting for FreeBSD
#3322 Removing pretty printing from Windows event log data
#3335 Fix invalid control character in profile.py
#3353 [Tidy] Fix all C99 warnings

Table changes (from 2.4.4 to 2.4.6):

Added table fbsd_kmods to FreeBSD
Added column device (TEXT_TYPE) to table disk_events
Added column type (TEXT_TYPE) to table interface_addresses
Removed column bsd_name (TEXT_TYPE) from table disk_events

osquery - 2.4.5

Published by muffins over 7 years ago

osquery - 2.4.4

Published by theopolis over 7 years ago

New features in 2.4.4:

#3267 New SQLite functions: md5, sha1, and sha256
#2956 Augeas' lenses are now bundled with osquery packages
#3226 External build systems can disable YARA, TSK, or LLDB with SKIP_ environment variables.
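Added example, not part of these release notes or the osquery project's own documentation: an osqueryi session that exercises the md5/sha1/sha256 column functions introduced in 2.4.4 and the to_base64/from_base64 functions from 2.4.6, and then builds a file-integrity baseline. The baseline query covers two directories with UNION ALL rather than OR, avoiding the LIKE/GLOB-with-OR predicate problem described in the 2.7.0 notes. The paths and input strings are illustrative assumptions; the digest functions are assumed to hash their string argument (file contents come from the hash table).

```sql
-- Added example; assumes osqueryi 2.4.6 or later. Paths are constructed.

-- 1. Digest functions hash the literal string they are given,
--    not a file on disk.
SELECT
  md5('constructed input')    AS md5_hex,
  sha1('constructed input')   AS sha1_hex,
  sha256('constructed input') AS sha256_hex;

-- 2. Base64 round trip: the inner call encodes, the outer call decodes.
SELECT from_base64(to_base64('constructed input')) AS round_trip;

-- 3. File-integrity baseline over two directories. Joining file and hash
--    on path keeps metadata and the content digest in one row. The two
--    directory constraints are combined with UNION ALL instead of
--    "path LIKE a OR path LIKE b", so each LIKE reaches the file table
--    on its own.
SELECT f.path, f.size, f.mtime, h.sha256
FROM file AS f JOIN hash AS h USING (path)
WHERE f.path LIKE '/etc/ssh/%'
UNION ALL
SELECT f.path, f.size, f.mtime, h.sha256
FROM file AS f JOIN hash AS h USING (path)
WHERE f.path LIKE '/etc/cron.d/%';
```

Scheduling the third query and diffing its results over time surfaces edits to SSH and cron configuration; the string-digest functions in the first query are the right tool when the value to hash already sits in a column, such as a command line or a registry value.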

Bug fixes

#3219 Fix extensions use of database during reset phase
#3248 Submodules will now update correctly on Windows
#3257 The IPv4 route gateways on Windows now work

Table changes (from 2.4.2 to 2.4.4):

Added column args (TEXT_TYPE) to table startup_items
Added column channel (INTEGER_TYPE) to table wifi_status
Added column channel (INTEGER_TYPE) to table wifi_survey

Added table pkg_packages to FreeBSD
Added table docker_container_labels to POSIX-compatible Platforms
Added table docker_container_mounts to POSIX-compatible Platforms
Added table docker_container_networks to POSIX-compatible Platforms
Added table docker_container_ports to POSIX-compatible Platforms
Added table docker_container_processes to POSIX-compatible Platforms
Added table docker_container_stats to POSIX-compatible Platforms
Added table docker_containers to POSIX-compatible Platforms
Added table docker_image_labels to POSIX-compatible Platforms
Added table docker_images to POSIX-compatible Platforms
Added table docker_info to POSIX-compatible Platforms
Added table docker_network_labels to POSIX-compatible Platforms
Added table docker_networks to POSIX-compatible Platforms
Added table docker_version to POSIX-compatible Platforms
Added table docker_volume_labels to POSIX-compatible Platforms
Added table docker_volumes to POSIX-compatible Platforms

Package Rankings
Top 3.39% on Proxy.golang.org