osquery/osquery 4.4.0

on GitHub

New Features / Under the Hood improvements

• Implement container access from tables on Linux (#6209, #6485)
• Update language to use 'allow list' and 'deny list' (#6489, #6487, #6488, #6493)
• macos: Automatic configuration of the OpenBSM audit rules (#6447)
• macos: Add polling to OpenBSM publisher (#6436)
• Add messages to distributed query results (#6352)
• Implement event batching support for Windows tables (#6280)

Table Changes

• Add container access to the os_version table (#6413)
• Add container access to DEB, RPM, NPM packages tables (#6414)
• Add fields auid, fs{u,g}id, s{u,g}id to auditd based tables (#6362)
• Improve apt_sources resiliency (#6482)
• Make file and hash container columns hidden (#6486)
• Add 'maintainer', 'section', 'priority' columns to deb_packages (#6442)
• Add 'vendor', 'package_group' columns to rpm_packages (#6443)
• Add 'arch' column to os_version (#6444)
• Add 'board_xxx' columns to system_info table (#6398)
• Windows: omit non-interactive sessions from logged_in_users (#6375)
• Fixes to package_bom table (#6457, #6461)
• Add chassis_info table for windows (#5282)
• Add Azure tables (#6507)

Bug Fixes

• Update hash cache inode number in query cache (#6440)
• Only explode registry key if it can be tokenized (#6474)
• Change ErrorBase::takeUnderlyingError to non const (#6483)
• Use RapidJSON to fix event format results and the Kafka Logger (#6449)
• Correct the 'cwd' and 'root' columns of processes table on Windows (#6459)
• Correct some SQLite types (#6392)
• Partial fix for md_devices issue (#6417)
• Fix the handling of empty args strings, on Windows (#6460)
• Refactor shutdown logging, and remove explicit syslog call (#6376)
• Change the Windows registry LIKE path constraint to filter recursively (#6448)
• Use sync resolve within http client (#6490)
• Fix typed_row table caching (#6508)
• Do not use system proxy for AWS local authority (#6512)
• Only populate table cache with star-like selects (#6513)

Documentation

• Update osquery security policy (#6425)
• Updating changelog for 4.3.0 release (#6387)
• Improve the new table tutorial (#6479)
• Add Auto Table Construction to docs (#6476)
• Add documentation for enabling socket_events on macOS (#6407)
• Update winbaseobj table description (#6429)
• Fixing the description of failed_login_count from account_policy_data (#6415)
• Remove references to brew in macOS install (#6494)
• Add note to bump the Homebrew cask (#6519)
• Updating docs on cpack usage to include Chocolatey (#6022)
• Changelog for 4.4.0 (#6492, #6523))

Build

• Fix Userassist.test_sanity test sometimes failing (#6396)
• Drop the facebook and source_migration layers (#6473)
• Move ssdeep-cpp to source_migration (#6464)
• Move smartmontools to source_migration (#6465)
• Build augeas from source on macOS (#6399)
• Build lldpd from source on macOS (#6406)
• Build linenoise-ng from source on macOS and Windows (#6412)
• Build sleuthkit from source on macOS (#6416)
• Build popt from source on macOS (#6409)
• Fix libelfin build on ossfuzz and LLVM/Clang 10 (#6472)
• Use the patched libelfin version (#6480)
• codegen: Port Jinja2 to Templite (#6470)
• Pass the minimum macOS SDK version to openssl only if explicitly set (#6471)
• Add git-lfs as dep for macOS build in documentation (#6384)
• Update openssl from 1.1.1f to 1.1.1g (#6432)
• Build openssl with the macOS SDK version taken from CMake (#6469)
• Do not install openssl docs (#6441)
• Update build configuration of ReadTheDocs (#6434, #6456)
• Link librdkafka on Windows (#6454)
• Build sleuthkit on Windows (#6445)
• Add nupkg cpack build option and update Windows deployment script (#6262)
• Fix rpm and deb package name format (#6468)
• Fix atom_packages, processes, rpm_packages tests (#6518)
• Fixes and cleanup for Windows compiler flags (#6521)
• Correct macOS framework linking (#6522)

Security Issues

• Disable openssl compression support (#6433)

Hardening

• Use LOAD_LIBRARY_SEARCH_SYSTEM32 for LoadLibrary (#6458)