github osquery/osquery 4.5.0

3 years ago

We would like to thank all of the contributors working on bootstrapping ARM64/AARCH64 support and Windows 32-bit support.
Additionally, we want to thank those working on Unicode support and all the bug fixes, documentation improvements, and new features.
Thank you! 👏

New Features

  • ARM64/AARCH64 beta support for Linux (#6612)
  • Windows 32-bit support (#6543)
  • Fix buildup of RocksDB SST files (#6606)

Under the Hood improvements

  • Remove selectAllFrom from Linux process_events callback (#6638)
  • Remove database read only concept (#6637)
  • Move database initialization retry logic into DB API (#6633)
  • Move osquery/include files into respective CMake targets (#6557)
  • Memoize EventFactory::getType (#6555)
  • Update schedule counter behavior (#6223)
  • Define UNICODE and _UNICODE preprocessors for windows (#6338)
  • Add WMI utility function to convert datetime to FILETIME (#5901)
  • Move osquery shutdown logic outside of Initializer (#6530)

Table Changes

  • Support for Windows Background Activity Moderator (#6585)
  • Add apparmor_events table to Linux (#4982)
  • Add sigurl column to get YARA signatures from an HTTPS server (#6607)
  • Add sigrules column to pass YARA signatures within queries (#6568)
  • Add non-evented table for querying windows_event_log (#6563)
  • Improve chassis_types and security_breach columns within chassis_info (#6608)
  • Fix bool type usage in powershell_events (#6584)
  • Add FileVersionRaw column to file table for Windows (#5771)
  • Enable YARA table on Windows (#6564)
  • Add dns_cache table for Windows (#6505)
  • Add support for processing the KILL syscall (#6435)
  • Add startup_items table for Linux (#6502)
  • Add shimcache table (#6463)
  • Refactor shell_history to use generators (uses less memory) (#6541)
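As an added example of the two new YARA columns in use (this is not from the release notes or the osquery project; the rule text, paths and URL are made up), the queries below would be typed into osqueryi. They assume the column introduced by #6568 appears in the table schema as sigrule, that sigurl makes osquery fetch the ruleset over HTTPS at query time, and that the --yara_sigurl_authenticate flag (an assumption about the flag name) turns on TLS client-certificate authentication for that fetch.

```sql
-- Inline rule via sigrule: scan a single file for the ELF magic at offset 0.
-- The rule is constructed for this example; any valid YARA source works.
SELECT path, count, matches, strings
FROM yara
WHERE path = '/usr/bin/curl'
  AND sigrule = 'rule elf_magic { strings: $h = { 7F 45 4C 46 } condition: $h at 0 }';

-- Same inline rule applied to every file in a directory by joining against
-- the file table, keeping only paths that actually matched.
SELECT f.path, y.count, y.matches
FROM file AS f
JOIN yara AS y ON y.path = f.path
WHERE f.directory = '/usr/local/bin'
  AND y.sigrule = 'rule elf_magic { strings: $h = { 7F 45 4C 46 } condition: $h at 0 }'
  AND y.count > 0;

-- Remote rules via sigurl: osquery downloads the ruleset over HTTPS when the
-- query runs. Caveat: whoever controls this URL controls what osquery looks
-- for on every host, so serve it from infrastructure you own and start
-- osqueryd with --yara_sigurl_authenticate (assumed flag name) so the fetch
-- is authenticated with the agent's TLS client certificate.
SELECT path, count, matches
FROM yara
WHERE path = '/usr/bin/curl'
  AND sigurl = 'https://rules.example.internal/osquery/baseline.yar';
```

Because sigrule and sigurl are query-time inputs, anyone who can submit a query (a distributed-query operator, or anyone who can edit the scheduled query pack) can push arbitrary YARA into the fleet; treat the query path with the same care as the rule server.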

Bug Fixes

  • Set thread names correctly on macOS and Linux (#6627)
  • Apply --scheduler_timeout correctly (#6618)
  • Add check for character_frequencies size (#6625)
  • Fix race in removing external TablePlugins (#6623)
  • Force shell to disable watchdog and logger (#6621)
  • Return early within the shell if relative flags are used (#6605)
  • Apply watcher delay each time the worker is started (#6604)
  • Set global output function for Thrift (#6592)
  • Fix incorrect readFile params in createPidFile (#6578)
  • Fix call to LocalFree on deinit ptr inside getUidFromSid (#6579)
  • Fix readFile to observe requested read size (#6569)
  • Replace fstream within syslog_events with a custom non-blocking getline (#6539)
  • Only fire events if a publisher exists (#6553)
  • Fix Leak in psidToString (#6548)
  • Fix memory leaks in rpm_package_files (#6544)
  • Change "Symlink loop" message from warning to verbose (#6545)

Documentation

  • Update process auditing docs schema link (#6645)
  • Improve descriptions for the processes table (#6596)
  • Replace slackin with Slack shared invite (#6617)
  • Update copyright notices to osquery foundation (#6589, #6590)

Build

  • Fix Windows build by removing a non-existent C11 conformance option (#6629)
  • Remove ExecStartPre from systemd service unit (#6586)
  • Fix pip upgrade warning within CI (#6576)
  • Detect MAJOR_IN_SYSMACROS/MKDEV for librpm in CMake (#6554)
  • Add curl_certificate tests (#5281)
  • Update YARA library to 4.0.2 (#6559)
  • Improve testing assumptions and flush fsevents when stopping (#6552)
  • Fix the test utility to allow Windows profiling (#6550)
  • Support ASAN for boost coroutine2 using ucontext (#6531)
  • Update instructions for CPack package building (#6529)
  • Use specific RPM variables to set the package name (#6527)
  • Update compiler version used to v142 within Azure (#6528)

Hardening

  • Restore PIE (position-independent executable) support, which had been dropped on Linux; without it the osqueryd image is not relocated by ASLR (#6611)
