Release - 5.18.1 New release published by zwass Revert "Update Windows runner version in hosted_runners.yml (#8618)" (#8633) osquery/osquery

5.18.1 binaries are now available for testing. This should resolve the Windows ARM issue.

amazing 💖

hi, i'm Nora and i'm deploying the advanced Fleet license to my lil company 🙂

i'm really enjoying Fleet so far and osquery is dang cool

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/35e28b66c029f053da8f8a6bfa662307f79b5982|35e28b66>

- Update linux block_device and disk_encryption source data to simple sysfs implementation (#8182) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/600495f52a9ac7080f0df805f70460932e161093|600495f5>

- Fix ATC for open Firefox databases (#8631) osquery/osquery

Hey everyone 👋 The docs specify one should run

make docs

to build the sdk documentation (src)

The public API and SDK headers are documented via doxygen. To generate web-based documentation, you will need to install doxygen, run

make docs

from the repository root, then open

./build/docs/html/index.html

.

But the Makefile was removed a long time ago There’s also an issue about it here: https://github.com/osquery/osquery/issues/7491 What is the right way to compile the SDK docs locally? Thanks!

Hello, I would like to open a topic here regarding YARA. The current implementation of the

yara

table in osquery only supports scanning files on disk. However, the underlying YARA library supports scanning of process memory, which is a critical capability for incident response and forensic investigations. Looking at the osquery implementation,

path

is required in the yara query table.

path

is also validated in the osquery code that calls yara. We thought that by modifying osquery to make

path

optional and adding other table columns that would be useful for memory scanning, such as PID, we would be able to close this gap. I am wondering what it would be required from Elastic to get this change accepted by osquery.

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/b890625c8e8347913a647bae63f715eb66e7ea47|b890625c>

- Revert "Revert "Update Windows runner version in hosted_runners.yml (#8618)"" (#8636) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/daff69d02018d343341499c8cd0b02f2683ca5ed|daff69d0>

- Fix build for XCode SDK 16.4 (#8640) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/df1f69e4531f59b53a13b9fb24de21d82c02cd8c|df1f69e4>

- Update build instructions for workaround for XCode SDK > 16.3 (#8650) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/ad587737720d0bcfc9a182ae7dcca626a65c5771|ad587737>

- Fix

NSInvalidArgumentException

when querying

connected_displays

(#8628) osquery/osquery

Hello everyone, I am new here . i need guidance to develop osquery extension of our EDR tool so that we can plugin with it, but confused from where we should start ?

🚨 Going live in 1 hour! 🚨 We are hosting Fleet Device Management Live office hours, a livestream where we answer technical questions about Fleet and work on real code live. 🕕 Starts at 9:00 AM PDT / 12:00 PM EDT / 4:00 PM GMT 🔗 Join here: https://lnkd.in/ggsDZXW4 Whether you're deploying Fleet, hacking on osquery, or just curious how open source device management works, bring your questions. If it's quiet, I'll be working on bugs and building new features in public. No slides. No polish. Just engineering, live.

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/9c38cfcb788dd74389989682703684465d593262|9c38cfcb>

- Update yara library from 4.2.3 -> 4.5.4 (#8643) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/ca9150537d84f04c6ebf2af49e601e7c69f5c441|ca915053>

- Add version collate to os_version table's version column (#8659) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/48877a205b91d391204b4ebc1904be22c5a2ad1e|48877a20>

- Add Cursor AI editor configurations (#8656) osquery/osquery

Hello everyone, I am new here and I have a question related to extensions; I am running this query to get the extensions but I am getting state as empty irrespective of extension is enabled/disabled. Does anyone also faced the same issue?

SELECT name, state, version FROM users CROSS JOIN chrome_extensions USING (uid) where name = 'my extension name';

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/f361b5fd739340f3b871632ec3681debef7905e0|f361b5fd>

- Further improvement to Cursor rules (#8662) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/4bd8782dbd678fe12be16d5e8ca7f0e275d6923b|4bd8782d>

- Update Windows build instructions (#8661) osquery/osquery

Hi, Is it possible to get the evented tables' events live using the extension socket?

if not, how can I get them?

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/6e0d1dbafd58cbd417ceb04306df7ca08f1242ee|6e0d1dba>

- Add

entitlements

column to macOS

signature

table (#8666) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/bc67e7d9ab5a59323f7ebf55a5e549ad846141fb|bc67e7d9>

- Add

system_profiler

table for macOS (#8645) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/3f41dfb723c7db8d5ce5b6c72e3a932d646825d6|3f41dfb7>

- Add support for VSCode forks in

vscode_extensions

(#8664) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/95b48d60e514d64f5e3962b240906938b8d3d14a|95b48d60>

- Fix inconsistent counter resets due to

Config::purge()

(#8635) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/09d02a6ee8579d3d5bf2c87c9d749b77ab182329|09d02a6e>

- Add table

deb_package_files

(#8657) osquery/osquery

Release - 5.19.0 New release published by zwass ## What's Changed ### Features • Add table

deb_package_files

by @zwass in #8657 • Add

system_profiler

table for macOS by @zwass in #8645 • Add version collate to

os_version

table's

version

column by @Micah-Kolide in #8659 • Add

entitlements

column to macOS

signature

table by @zwass in #8666 • Add support for VSCode forks in

vscode_extensions

by @zwass in #8664 ### Bugfixes • Fix

NSInvalidArgumentException

when querying

connected_displays

by @Synse in #8628 • Fix inconsistent counter resets due to

Config::purge()

by @skurpad7 in #8635 • Update linux

block_device

and

disk_encryption

source data to simple sysfs implementation by @Micah-Kolide in #8182 • Fix ATC for open Firefox databases by @zwass in #8631 ### Other • libs: yara: 4.2.3 -> 4.5.4 by @LeSuisse in #8643 • Upgrading zlib to 1.3.1 by @ksykulev in #8625 • Fix build for XCode SDK 16.4 by @lucasmrod in #8640 • Update build instructions for workaround for XCode SDK > 16.3 by @lucasmrod in #8650 • Add Cursor AI editor configurations by @zwass in #8656 • Further improvement to Cursor rules by @zwass in #8662 • Update Windows build instructions by @zwass in #8661 ## New Contributors • @Synse made their first contribution in #8628 • @skurpad7 made their first contribution in #8635 Full Changelog: 5.18.0...5.19.0 osquery/osquery

Hey folks, osquery 5.19.0 is now available in pre-release for testing: https://github.com/osquery/osquery/releases/tag/5.19.0. Please file an issue if you run into anything!