New Features / Under the Hood improvements
- Implement container access from tables on Linux (#6209, #6485)
- Update language to use 'allow list' and 'deny list' (#6489, #6487, #6488, #6493)
- macos: Automatic configuration of the OpenBSM audit rules (#6447)
- macos: Add polling to OpenBSM publisher (#6436)
- Add messages to distributed query results (#6352)
- Implement event batching support for Windows tables (#6280)
Table Changes
- Add container access to the os_version table (#6413)
- Add container access to DEB, RPM, NPM packages tables (#6414)
- Add fields auid, fs{u,g}id, s{u,g}id to auditd based tables (#6362)
- Improve apt_sources resiliency (#6482)
- Make file and hash container columns hidden (#6486)
- Add 'maintainer', 'section', 'priority' columns to deb_packages (#6442)
- Add 'vendor', 'package_group' columns to rpm_packages (#6443)
- Add 'arch' column to os_version (#6444)
- Add 'board_xxx' columns to system_info table (#6398)
- Windows: omit non-interactive sessions from logged_in_users (#6375)
- Fixes to package_bom table (#6457, #6461)
- Add chassis_info table for windows (#5282)
- Add Azure tables (#6507)
Bug Fixes
- Update hash cache inode number in query cache (#6440)
- Only explode registry key if it can be tokenized (#6474)
- Change ErrorBase::takeUnderlyingError to non const (#6483)
- Use RapidJSON to fix event format results and the Kafka Logger (#6449)
- Correct the 'cwd' and 'root' columns of processes table on Windows (#6459)
- Correct some SQLite types (#6392)
- Partial fix for md_devices issue (#6417)
- Fix the handling of empty args strings, on Windows (#6460)
- Refactor shutdown logging, and remove explicit syslog call (#6376)
- Change the Windows registry LIKE path constraint to filter recursively (#6448)
- Use sync resolve within http client (#6490)
- Fix typed_row table caching (#6508)
- Do not use system proxy for AWS local authority (#6512)
- Only populate table cache with star-like selects (#6513)
Documentation
- Update osquery security policy (#6425)
- Updating changelog for 4.3.0 release (#6387)
- Improve the new table tutorial (#6479)
- Add Auto Table Construction to docs (#6476)
- Add documentation for enabling socket_events on macOS (#6407)
- Update winbaseobj table description (#6429)
- Fixing the description of failed_login_count from account_policy_data (#6415)
- Remove references to brew in macOS install (#6494)
- Add note to bump the Homebrew cask (#6519)
- Updating docs on cpack usage to include Chocolatey (#6022)
- Changelog for 4.4.0 (#6492, #6523))
Build
- Fix Userassist.test_sanity test sometimes failing (#6396)
- Drop the facebook and source_migration layers (#6473)
- Move ssdeep-cpp to source_migration (#6464)
- Move smartmontools to source_migration (#6465)
- Build augeas from source on macOS (#6399)
- Build lldpd from source on macOS (#6406)
- Build linenoise-ng from source on macOS and Windows (#6412)
- Build sleuthkit from source on macOS (#6416)
- Build popt from source on macOS (#6409)
- Fix libelfin build on ossfuzz and LLVM/Clang 10 (#6472)
- Use the patched libelfin version (#6480)
- codegen: Port Jinja2 to Templite (#6470)
- Pass the minimum macOS SDK version to openssl only if explicitly set (#6471)
- Add git-lfs as dep for macOS build in documentation (#6384)
- Update openssl from 1.1.1f to 1.1.1g (#6432)
- Build openssl with the macOS SDK version taken from CMake (#6469)
- Do not install openssl docs (#6441)
- Update build configuration of ReadTheDocs (#6434, #6456)
- Link librdkafka on Windows (#6454)
- Build sleuthkit on Windows (#6445)
- Add nupkg cpack build option and update Windows deployment script (#6262)
- Fix rpm and deb package name format (#6468)
- Fix atom_packages, processes, rpm_packages tests (#6518)
- Fixes and cleanup for Windows compiler flags (#6521)
- Correct macOS framework linking (#6522)
Security Issues
- Disable openssl compression support (#6433)
Hardening
- Use LOAD_LIBRARY_SEARCH_SYSTEM32 for LoadLibrary (#6458)