4.6.0
New Features
- Initial implementations for BPF-based socket and process events tables (#6571)
- Support EC2 tables on Windows (#6756)
Under the Hood improvements
- BPF: Add container support to fork/vfork/clone (#6721)
- BPF: Additional improvements on the initial implementation (#6717)
- BPF: Fix the tests (#6783)
- BPF: Fix wrong d_type compare in filesystem classes (#6774)
- BPF: Implement additional syscalls to track file descriptor usage (#6723)
- Remove unused LTCG flag (#6769)
- Support TLS client certificate chains (#6753)
- Refactor carver to use the Scheduler (#6671)
- Add configuration flag to disable file_events by default (#6663)
- libs: Build x86_64 configurations on Ubuntu 14.04 (#6687)
- libs: Port the RocksDB Win7 compatibility patch to the MSBuild generator (#6765)
- libs: Update BPF libraries to support LLVM 11 (#6775)
- libs: Update RocksDB to version 6.14.5 (#6759)
- libs: Update bzip2 to version 1.0.8 (#6786)
- libs: Update ebpfpub to latest version (#6757)
- libs: Update sqlite to version 3.34.0 (#6804)
- libs: update aws-sdk to 1.7.230 (#6749)
- Adding support for pretty-printing JSON results in osqueryi (#6695)
Table Changes
- Add Yandex Browser support for chrome_extensions (#6735)
- Add additional file stat flags to Darwin (bsd_flags) (#6699)
- Add extended_attributes table to Linux, add support for Linux capabilities (#6195)
- Add indexed column support to Windows users table (#6782)
- Enable AWS Instance profile as credential provider on Windows (#6754)
- Add systemd support for startup_items on Linux (#6562)
Bug Fixes
- Do not use memset on VirtualTable, a non-POD type (#6760)
- Fix deadlock when registering two extensions (#6745)
- Fix last_connected column in wifi_networks on Catalina (#6669)
- Fix missing negations, duplicate rows in iptables table (#6713)
- Fix shadow table to detect empty passwords (#6696)
- Free memory allocated by ConvertStringSidToSid (#6714)
- PackageIdentifiers are optional in InstallHistory.plist (#6767)
- Removing PUNYCODE flag from windows string conversions (#6730)
- Fix memory leak in the dbus classes (#6773)
- Change the kernel_modules size column type to BIGINT (#6712)
Documentation
- Add a README.md to source-based libraries (#6686)
- Fix spelling typos (#6705)
- Journald Audit Logs Masking Documentation (#6748)
Build
- CI: Provide built packages as Azure artifacts (#6772)
- CI: Python installation improvements on Windows (#6764)
- CI: Update brew scripts (#6794)
- CMake: Disable BPF support if the LLVM libs are not compatible (#6746)
- CMake: Use CPACK_RPM_PACKAGE_RELEASE (#6805)
- CMake: Add max version limit to 3.18.0 on Linux (#6801)
- Change urls for submodules gpg-error, libgcrypt, libcap (#6768)
- Reduce linkage requirements for tests (#6715)
- Remove a Buck leftover (#6799)
- Remove boost workaround introduced in #5591 for string_view (#6771)
- Tests: Fix tests on Catalina (#6704)
- Update cmake_minum_required to 3.17.5 and pin version in CI (#6770)
- build: Fix Windows build on newer MSVC (#6732)
- extensions: Always compile examples to prevent them from breaking (#6747)
Security Issues
- Add SQLite authorizer to mitgate CVE-2020-26273 / GHSA-4g56-2482-x7q8 (c3f9a3d)