SQL powered operating system instrumentation, monitoring, and analytics.
Representing commits from 16 contributors! Thank you all.

Note: The Linux .tar.gz includes debugging symbols. This may be larger than you expect.

- `mdm_managed` column to `system_extensions` on macOS (#6915)
- `prefetch` table on Windows (#7076)
- `homebrew_packages` to include new prefix, and allow specifying alternate prefixes (#7117)
- `ntfs_acl_permissions` to list all ACE entries (using `GetAce()`) (#7114)
- `processes` table to display additional Windows attributes (`secured`, `protected`, `virtual`, `elevated`) (#7121)
- `package_install_history` identifies the packageIdentifiers key (#7099)
- `identifier` is calculated in `chrome_extensions` (#7124)
- `pipe_channel` not reading all data in a message (#7139)
- `curl_certificate` timeouts (#7151)
- `xprotect_entries`, `xprotect_meta`, `launchd` (#7138, #7154)
- `-fexceptions` flag on Windows (#7126)

Representing commits from 14 contributors! Thank you all.
This version fixes a regression introduced in 4.7.0 related to events expiration optimization. Please read (#7055) for more information.

This release upgrades OpenSSL, as is generally good practice. Osquery is not known to be affected by any security issues in OpenSSL.

- `.connect` meta command (#6944)
- `deb_packages` fields as optional in test (#7001)
- `chrome_extensions` warnings to verbose (#7032)
- `tls_enroll_max_attempts` flag name in the documentation (#7049)
- `windows_events` table spec (#7035)

Commits from 21 contributors! Thank you all!
- `concat` and `concat_ws` SQL functions (#6927)
- `computer` column to Windows Eventlogs (#6952)
- `docker_image_history` table (#6884)
- `filevault_status` column to `disk_encryption` table (#6823)
- `location_services` table on macOS (#6826)
- `shellbags` table (#6949)
- `system_extensions` table on macOS (#6863)
- `systemd_units` table (#6593)
- `ycloud_instance_metadata` table (#6961)
- `augeas` table not to autoload system lenses (#6980)
- `chrome_extensions` table -- more browser support and tests (#6780)
- `office_mru` table to correct platforms (#6827)
- `request_id` and add this to the schema (#6959)
- `journal_mode` to the sqlite authorizer PRAGMAs (#6999)
- `table_info` to the sqlite authorizer PRAGMAs (#6814)
- `long long` data (#6986)
- `augeas` table output bug for non-path entries (#6981)
- `pids` column in `docker_container_stats` table (#6965)
- `process_open_files` inode needs stoul, not stoi (#6983)
- `hash` and `yara` table from fuzz harnesses (#6972)
- `deb_packages` table (#6892)
- `postCarve` (#6659)
- `carve` SQL function is disabled (#6658)
- `carves` specs to allow full scan (#6657)
- `carves` table to use JSON (#6656)
- `registry` querying (#6647)
- `ephemeral` database plugin into core and simplify tests (#6648)
- `curl_certificate` (#6641)
- `atom_packages` table spec to Windows (#6649)
- `authenticode` table on Windows (#6677)
- `curl_certificate` (#6664)
- `EvtNext` function (#6660)
- `wmi_bios_info` table searching (#5246)
- `image` column within `drivers` table on Windows (#6652)
- `dirPathsAreEqual` to use the documented way (#6690)
- `stat()` return checking within `process_events` (#6694)
- `stdout` when called with `--help` (#6693)
- `test_osqueryi` (#6631)
- `osqueryd` CPU usage to 20% in systemd unit file (#6644)
- `test_osqueryi` (#6688)
- `cppcheck` support to macOS (#6685)

We would like to thank all of the contributors working on bootstrapping the ARM64/AARCH64 support and Windows 32-bit support. Additionally, we want to thank those working on Unicode support and all the bug fixes, documentation improvements, and new features. Thank you! :clap:
- `process_events` callback (#6638)
- `EventFactory::getType` (#6555)
- `UNICODE` and `_UNICODE` preprocessors for Windows (#6338)
- `Initialize`r (#6530)
- `apparmor_events` table to Linux (#4982)
- `sigurl` column to get YARA signatures from an HTTPS server (#6607)
- `sigrules` column to pass YARA signatures within queries (#6568)
- `windows_event_log` (#6563)
- `chassis_types` and `security_breach` columns within `chassis_info` (#6608)
- `powershell_events` (#6584)
- `FileVersionRaw` column to `file` table for Windows (#5771)
- `dns_cache` table for Windows (#6505)
- `startup_item`s table for Linux (#6502)
- `shimcache` table (#6463)
- `shell_history` to use generators (it will use less memory) (#6541)
- `--scheduler_timeout` correctly (#6618)
- `character_frequencies` size (#6625)
- `TablePlugins` (#6623)
- `readFile` params in `createPidFile` (#6578)
- `LocalFree` on deinit ptr inside `getUidFromSid` (#6579)
- `readFile` to observe requested read size (#6569)
- `syslog_event`s with a custom non-blocking getline (#6539)
- `psidToString` (#6548)
- `rpm_package_files` (#6544)
- `processes` table (#6596)
- `ExecStartPre` from systemd service unit (#6586)
- `MAJOR_IN_SYSMACROS`/`MKDEV` for librpm in CMake (#6554)
- `curl_certificate` tests (#5281)
- `path` column to the ATC generate specs (#6278)
- `disk_info` table (#6323)
- `ppid` in the `process_events` table (#6339)
- `--database_dump` flag for RocksDB not outputting anything (#6272)
- `pci_devices` table PCI IDs extraction in non-existing paths (#6297)
- `process` table `cmdline` parsing (#6340)
- `chrome_extension_content_scripts` to All Platforms (#6140)
- `docker_container_fs_changes` to POSIX-compatible Platforms (#6178)
- `windows_security_center` to Microsoft Windows (#6256)
- `lxd` (#6249)
- `screenlock` to Darwin (Apple OS X) (#6243)
- `userassist` to Microsoft Windows (#5539)
- `status` (`TEXT`) to table `deb_packages` (#6341)
- `curl_certificate` table (#6176)
- `socket_events` to Darwin (Apple OS X) (#6028)
- `hvci_status`, previously inadvertently left out of the build, to Microsoft Windows (#6378)
- `community_id_v1` added as a SQL function (#6211)
- `firefox_addons` to All Platforms (#6200)
- `ssh_configs` to All Platforms (#6161)
- `user_ssh_keys` to All Platforms (#6161)
- `mdls` to Darwin (Apple OS X) (#4825)
- `hvci_status` to Microsoft Windows (#5426)
- `ntfs_journal_events` to Microsoft Windows (#5426)
- `docker_image_layers` to POSIX-compatible Platforms (#6154)
- `process_open_pipes` to POSIX-compatible Platforms (#6142)
- `apparmor_profiles` to Ubuntu, CentOS (#6138)
- `selinux_settings` to Ubuntu, CentOS (#6118)
- `lock_status` (`INTEGER_TYPE`) to table `bitlocker_info` (#6155)
- `percentage_encrypted` (`INTEGER_TYPE`) to table `bitlocker_info` (#6155)
- `version` (`INTEGER_TYPE`) to table `bitlocker_info` (#6155)
- `optional_permissions` (`TEXT_TYPE`) to table `chrome_extensions` (#6115)
- `firefox_addons` from POSIX-compatible Platforms (#6200)
- `ssh_configs` from POSIX-compatible Platforms (#6161)
- `user_ssh_keys` from POSIX-compatible Platforms (#6161)
- `chrome_extensions` table now supports Chromium and Brave (#6126)
- `com.facebook.osquery.plist` for Launch Daemon configuration (#6093)