osquery/osquery 4.5.1

on GitHub

Under the Hood improvements

• Improve carver tests by faking postCarve (#6659)
• Emit an error during carving, if the carve SQL function is disabled (#6658)
• Update carves specs to allow full scan (#6657)
• Update carves table to use JSON (#6656)
• Improve performance and accuracy of Windows registry querying (#6647)
• Refactor ephemeral database plugin into core and simplify tests (#6648)

Table Changes

• Support for Office MRU (most recently used) entries (#6587)
• Implement configurable timeout through WHERE clause on curl_certificate (#6641)
• Add atom_packages table spec to window (#6649)
• Add signature information to authenticode table on windows (#6677)
• Add additional AWS regions (#6666)

Bug Fixes

• Fix container overflow in curl_certificate (#6664)
• Fix handling of invalid array bound error with EvtNext function (#6660)
• Fix wmi_bios_info table searching (#5246)
• Fix image column within drivers table on Windows (#6652)
• Fix windows dirPathsAreEqual to use the documented way (#6690)
• Fix incorrect stat() return checking within process_events (#6694)
• Always flush stdout when called with --help (#6693)

Documentation

• Document max scheduled query interval (#6683)
• Update documentation around build steps (#6681)
• Documentation copy editing (#6676, #6665, #6662)
• Add 4.5.0 CHANGELOG (#6646)
• Add 4.5.1 CHANGELOG (#6692)

Build

• Improve flaky python test handling (#6654)
• Restore test_osqueryi (#6631)
• Limit osqueryd CPU usage to 20% in systemd unit file (#6644)
• Improve flaky test_osqueryi (#6688)
• Add cppcheck support to macOS (#6685)

Hardening

• Add exception catching for table execution (#6689)