v1.19.0

What's Changed

Table Changes

• Remove deprecated MacOS keys from socketfilterfw table by @Micah-Kolide in #2193

Build and Package

• package-builder: add podman support via --container_tool by @tstromberg in #1722

Features and Improvements

• [KATC] Support plain leveldb databases by @RebeccaMahany in #2188
• [KATC] Add row transform step to decode hex-encoded strings by @RebeccaMahany in #2195

Bug Fixes

• [KATC] hexDecode should strip out null chars by @RebeccaMahany in #2200
• [KATC] If sqlite db cannot be queried, continue to query other dbs by @RebeccaMahany in #2199

Full Changelog: v1.18.3...v1.19.0

v1.18.3

What's Changed

Build and Package

• check in updated root.json by @zackattack01 in #2189

Bug Fixes

• Add launcher query-windowsupdates subcommand to avoid memory leak temporarily by @RebeccaMahany in #2185

General

• routine performance checks part 1 by @zackattack01 in #2184
• Increase sleep duration in CPU profiling to 5 seconds by @cesarfda in #2183
• dont stop control server fetch for hardware key failure by @James-Pickett in #2187

Full Changelog: v1.18.0...v1.18.3

v1.18.0

What's Changed

Build and Package

• checking in root.json for packaging by @cesarfda in #2154
• Add Exec Test job for containers by @RebeccaMahany in #2159
• Support target parsing for non-default arches by @RebeccaMahany in #2163
• make deps + build default make by @James-Pickett in #2168

Features and Improvements

• james/dt4a auth by @James-Pickett in #2149
• Include nightly extension id by @directionless in #2158
• Allow for manipulating osquery's effective distributed_interval within 5 seconds by @RebeccaMahany in #2157
• rename zta to dt4a as much as possible by @James-Pickett in #2156
• Add two new flags controlling acceleration by @RebeccaMahany in #2160
• Allow dt4a endpoints to accelerate control + osquery request intervals by @RebeccaMahany in #2161
• also accelerate osq distributed forwarding during control server accelerations by @James-Pickett in #2164
• dt4a - use b64 url encoding everywhere, removed unnecessary b64 by @James-Pickett in #2172
• Keep 2 versions in update library, rather than 3 by @RebeccaMahany in #2173
• Add logs to indicate when launcher is checking for updates by @RebeccaMahany in #2174
• Remove old tracing library from launcher by @RebeccaMahany in #2177
• Switch from default freelist type to more performant option by @RebeccaMahany in #2178
• move munemo check into middleware by @James-Pickett in #2166

Bug Fixes

• Requests to the control server should have timeouts set by @RebeccaMahany in #2153
• KVStore.Get should return nil, not error, when no results are found by @RebeccaMahany in #2165
• Check that ATC config exists before making a plugin out of it by @RebeccaMahany in #2171

Tests, Docs, and Other No-op Changes

• Add more old OSes to the container execs by @directionless in #2162

General

• Bump github.com/golang-jwt/jwt/v5 from 5.0.0 to 5.2.2 by @dependabot in #2169
• Update kit and goleveldb by @directionless in #2170
• Upgrade modernc/sqlite to v1.36.2 by @RebeccaMahany in #2179

Full Changelog: v1.17.0...v1.18.0

v1.17.0

Important

Though stable, 1.16.1 was incompatible with older linuxes, such as Ubuntu 20.04. This v1.17.0 release addresses this issue.

What's Changed

Build and Package

• Build for linux in ubuntu 20.04 container by @RebeccaMahany in #2152
• Root.json generator by @cesarfda in #2142

Features and Improvements

• [IndexedDB/KATC] TypedArrays and ArrayBuffers by @RebeccaMahany in #2148
• Log CheckExecutable thoroughly by @RebeccaMahany in #2150

Bug Fixes

• Do not suppress errors when running CheckExecutable by @RebeccaMahany in #2151

General

• swap path separator for windows in lockfile path collection by @zackattack01 in #2146
• Bump golang.org/x/net from 0.33.0 to 0.36.0 by @dependabot in #2147

Full Changelog: v1.16.1...v1.17.0

v1.16.1

Important

Though stable, 1.16.1 is incompatible with older linuxes, such as Ubuntu 20.04. Launcher 1.17 will address this.

What's Changed

Build and Package

• Update cache key for Store Artifacts job by @RebeccaMahany in #2098
• Update matrix.artifactos casing for store_artifacts job by @RebeccaMahany in #2100
• Update to newest version of root.json by @RebeccaMahany in #2123
• Remove usage of soon-to-be-deprecated ubuntu-20.04 runner by @RebeccaMahany in #2131

Features and Improvements

• Receive ZTA info via control server and make it available via localserver by @RebeccaMahany in #2096
• make launcher version a doctor check by @James-Pickett in #2105
• handle terminal tpm errors by @James-Pickett in #2110
• osquery history cleanup part 2 by @zackattack01 in #2113
• Check origin header against allowlist for /zta endpoint by @RebeccaMahany in #2117
• Allow origin (in requests to /zta) to be missing or empty by @RebeccaMahany in #2127
• Move KATC tables to restartable extension manager server by @RebeccaMahany in #2128
• [IndexedDB/KATC] Implement JS map and JS set deserialization for chrome and firefox by @RebeccaMahany in #2135
• add system startup trigger to watchdog by @zackattack01 in #2136
• [IndexedDB/KATC] Implement regexp deserialization for chrome and firefox by @RebeccaMahany in #2139
• [IndexedDB/KATC] Implement primitives deserialization for chrome and firefox by @RebeccaMahany in #2140
• [IndexedDB/KATC] Implement or partially implement parsing for BigInts, Strings, arrays containing data other than strings and objects, and others by @RebeccaMahany in #2144

Bug Fixes

• Ensure sqlite driver is imported for tables that query sqlite databases by @RebeccaMahany in #2094
• return proper error for homebrew not found on macos by @zackattack01 in #2103
• make uninitialized osquery history informational for doctor output by @zackattack01 in #2106
• make sure db reset logs encapsulate change values by @zackattack01 in #2111
• add config file option to flare command for improved flexibility by @cesarfda in #2107
• Remove osqueryd version prefix from CurrentRunningOsqueryVersion by @RebeccaMahany in #2118
• Ensure enrollment details are set by @RebeccaMahany in #2120
• Further delay calling cancel after uploading flare by @RebeccaMahany in #2124
• time machine exclusion updates by @zackattack01 in #2129
• Wait up to 20 seconds for runLauncher shutdown on service shutdown request by @RebeccaMahany in #2145

Tests, Docs, and Other No-op Changes

• add tenv linter, fix up os.Setenv offenses in tests by @zackattack01 in #2088
• Explicitly initialize startup settings store in test by @RebeccaMahany in #2138

General

• Enable rowserrcheck linter and fix existing violations by @RebeccaMahany in #2087
• enable predeclared linter, fixup existing offenses by @zackattack01 in #2090
• Improvements after reviewing new tracing data by @RebeccaMahany in #2089
• Enable exhaustive linter by @RebeccaMahany in #2092
• Enable noctx linter and fix existing violations by @RebeccaMahany in #2093
• presence detection callback by @James-Pickett in #2048
• Generate enrollment details on launcher startup by @cesarfda in #2068
• fix early return caught by linter by @James-Pickett in #2102
• remove unneeded rsa references, upgrade krypto by @James-Pickett in #2101
• check munemo in local server by @James-Pickett in #2095
• move osquery history to knapsack by @zackattack01 in #2104
• clear osquery distributed_denylist_duration when watchdog is disabled by @zackattack01 in #2112
• Enable perfsprint linter with limited ruleset and fix existing violations by @RebeccaMahany in #2115
• Add logs when CollectAndSetEnrollmentDetails fails by @RebeccaMahany in #2119
• Refactor trace exporter to utilize enrollment details from knapsack by @cesarfda in #2122
• Bump package/golang version to fix govulncheck GO-2025-3487 by @RebeccaMahany in #2125
• verify secure enclave keys exist in secure enclave by @James-Pickett in #2116
• Sleep before running tmutil by @RebeccaMahany in #2132
• secure enclave more comments, logging by @James-Pickett in #2130

Full Changelog: v1.15.2...v1.16.1

v1.15.2

What's Changed

Features and Improvements

• Set an accelerated distributed_interval in the osquery config for the osquery instance startup period by @RebeccaMahany in #2063
• Speed up launcher startup and collect more data about slow parts of startup by @RebeccaMahany in #2065
• Add wrapper to enforce timeout for extension tables by @RebeccaMahany in #2077
• Allow a maximum of five ongoing queries per table by @RebeccaMahany in #2078

Bug Fixes

• [KATC] Support fields with JS Date type for Chrome/Firefox extension databases by @RebeccaMahany in #2054
• Reuse startup settings writer for osquery extension instead of creating a new one for each new config by @RebeccaMahany in #2067
• Force migration rather than halting launcher startup by @RebeccaMahany in #2069
• fix default case and add test for log shipper level setting by @zackattack01 in #2083
• fix send buffer (log shipping) out of range panic by @James-Pickett in #2080

Tests, Docs, and Other No-op Changes

• Print logs when flaky autoupdate test fails by @RebeccaMahany in #2053
• test cleanup improvements by @zackattack01 in #2015

General

• Add traces to areas where we suspect launcher could be slow and/or hanging by @RebeccaMahany in #2059
• add tracing to all allowed cmds by @James-Pickett in #2061
• james/tpm runner handle no tpm by @James-Pickett in #2066
• secure enclave - dont set no console user as span error by @James-Pickett in #2064
• Enable revive's defer rule in golangci-lint by @RebeccaMahany in #2070
• Add tracing to kolide tables by @RebeccaMahany in #2073
• Upgrade osquery-go version by @RebeccaMahany in #2075
• Upgrade osquery-go to get renamed Table.Call spans by @RebeccaMahany in #2079
• Ship "Executing scheduled query pack" logs by @RebeccaMahany in #2081
• Use gowrapper by @RebeccaMahany in #2082
• Add rungroup actor name to error when recovering after panic by @RebeccaMahany in #2084
• Get timeout for table generate function from control server by @RebeccaMahany in #2085

Full Changelog: v1.14.0...v1.15.2

v1.14.0

What's Changed

Features and Improvements

• Improvements for osqueryinstance's errgroup by @RebeccaMahany in #2017
• Retry osquery instance launch faster when we see the stale lockfile issue by @RebeccaMahany in #2041
• Enforce a timeout when shutting down errgroup by @RebeccaMahany in #2047

Bug Fixes

• Shut down instances that fail to launch successfully by @RebeccaMahany in #2044

General

• Revert "Store osquery configuration and data per-registration" by @RebeccaMahany in #2030
• Revert "Revert "Store osquery configuration and data per-registration"" by @RebeccaMahany in #2031
• Clean up a couple places not yet using gowrapper by @RebeccaMahany in #2033
• Always log stats for distributed queries by @RebeccaMahany in #2035
• prevent data races around setting nodekey in extension by @zackattack01 in #2039
• add timeout to osqueryinstance Healthy calls by @zackattack01 in #2051

Tests, Docs, and Other No-op Changes

• Run osquery runner restart test on Windows by @RebeccaMahany in #2032
• Make flaky tests less flaky by @RebeccaMahany in #2036
• More flaky test improvements by @RebeccaMahany in #2038
• Even more flaky test improvements by @RebeccaMahany in #2040
• include windows for cleanup retries in runtime tests by @zackattack01 in #2042
• test updates: favor cleanups over defers, and only log from cleanup methods by @zackattack01 in #2043
• Add tests-docs label to release template by @RebeccaMahany in #2052

Full Changelog: v1.13.4...v1.14.0

v1.13.4

What's Changed

Table Changes

• Add registration ID to osquery history by @RebeccaMahany in #1982

Build and Package

• set root directory permissions on MSI install by @zackattack01 in #1978

Features and Improvements

• Re-enable remote restart by @RebeccaMahany in #1975
• add watchdog trigger immediately following wake event by @zackattack01 in #1979
• Don't flag errors related to running flare as standalone by @RebeccaMahany in #2011
• Check for and log information about stale osquery database lock files by @RebeccaMahany in #2006
• Move lockfile logging to osquery log adapter by @RebeccaMahany in #2018

Bug Fixes

• always check fallback paths against identifier by @zackattack01 in #1967
• Set config on interactive command in osquery checkup by @RebeccaMahany in #1968
• Add Windows-friendly alternative for our checkup status emojis by @RebeccaMahany in #1970
• fix InstalledVersionNum for windows build by @zackattack01 in #1971
• Make socket path length shorter for launcher interactive by @RebeccaMahany in #1974
• Switch from CoInitialize to CoInitializeEx by @RebeccaMahany in #1973
• add mutex for presence detection by @James-Pickett in #1981
• A notification is successful as long as we can send to at least one user by @RebeccaMahany in #2000
• Add updated path for ws1HubUtil command by @RebeccaMahany in #2016
• Revert "Switch from CoInitialize to CoInitializeEx" by @RebeccaMahany in #2027

General

• Expose osquery instance status to knapsack by @RebeccaMahany in #1976
• Add basic registration tracking to knapsack by @RebeccaMahany in #1980
• Pass registration ID in to osquery extension by @RebeccaMahany in #1983
• One log adapter per osquery instance; set registration ID and instance run ID on log adapter by @RebeccaMahany in #1985
• Upgrade x/crypto to v0.31.0 by @RebeccaMahany in #1989
• Store osquery configuration and data per-registration by @RebeccaMahany in #1984
• update krypto by @James-Pickett in #1998
• Move launcher tests to their own job to make it faster to re-run on failure by @RebeccaMahany in #2002
• Adding Gowrapper around coroutines by @cesarfda in #1988
• upgrade net pkg to address govuln by @James-Pickett in #2009
• Drop presence detection requests when locked by @James-Pickett in #2008
• hardware key runners by @James-Pickett in #1977
• Use atomic.Bool for rungroup actors that should not run interrupt routines more than once by @RebeccaMahany in #2012
• add more logging to hardware runners by @James-Pickett in #2013
• runtime and agent test improvements by @zackattack01 in #2014
• Refactor goroutine panic handling to use GoWithRecoveryAction by @cesarfda in #2019
• Sanitize response body before logging by @RebeccaMahany in #2020
• dont log osq db lock when using debugger by @James-Pickett in #2021
• reorder presence detection write headers to remove warnings by @zackattack01 in #2024
• create tpm signer once by @James-Pickett in #2025
• add watchdog feature flag check before checking for task installation by @zackattack01 in #2028
• Test update -- need one more Maybe() by @RebeccaMahany in #2029

Full Changelog: v1.12.3...v1.13.4

v1.12.3

What's Changed

Table Changes

• Added restrictions for datatypes for systemprofiler by @cesarfda in #1914
• added new store for uptime history and uptime tracking with knapsack by @cesarfda in #1923
• [KATC] Add support for doubles to indexeddb parsing by @RebeccaMahany in #1963

Build and Package

• Move off deprecated codeql-action/init@v2 by @RebeccaMahany in #1932
• add numeric install version value to windows registry on install by @zackattack01 in #1953

Features and Improvements

• Report run ID to control server in startup message by @RebeccaMahany in #1947
• upgrade watchdog service to scheduled task by @zackattack01 in #1951
• Add remote restart consumer to handle remote restart actions by @RebeccaMahany in #1948
• Retry osquery instance launch until successful or shutdown requested by @RebeccaMahany in #1952

Bug Fixes

• Get launcher.flags from correct directory in checkup by @RebeccaMahany in #1918
• always generate desktop menu json by @James-Pickett in #1920
• Remove mixer/clock due to bug by @RebeccaMahany in #1926
• Set Access-Control-Allow-Credentials: true in localserver by @RebeccaMahany in #1955
• Give launcher interactive enough time to run during doctor by @RebeccaMahany in #1958
• Set SystemDrive env var on osquery command by @RebeccaMahany in #1960
• Set all env vars on osquery process by @RebeccaMahany in #1961
• deny default write permissions from windows root directory by @zackattack01 in #1962
• Set root dir permissions on Windows with SET instead of DENY, and overwrite existing DACL by @RebeccaMahany in #1965

General

• ADR for osquery extension, runner, and instance refactor by @RebeccaMahany in #1905
• Make jsonrpc the default for transport by @RebeccaMahany in #1919
• Remove and consolidate osquery instance options by @RebeccaMahany in #1909
• Move osquery instance creation and launch into osqueryinstance.go by @RebeccaMahany in #1921
• Update receiver vars for OsqueryInstance for consistency by @RebeccaMahany in #1922
• Move key creation to runLauncher by @RebeccaMahany in #1924
• Move plugin ownership to osqueryinstance by @RebeccaMahany in #1925
• Move osquery extension management into osquery instance by @RebeccaMahany in #1927
• [Tests] Capture osquery logs for troubleshooting flaky tests; use current stable osqueryd in tests by @RebeccaMahany in #1928
• Moved run ID management to knapsack by @cesarfda in #1929
• Separate osquery instance and runner further by @RebeccaMahany in #1931
• Update osquery refactor ADR status by @RebeccaMahany in #1933
• Unique filename for osquery.sock by @RebeccaMahany in #1935
• Unique osquery database per instance by @RebeccaMahany in #1942
• Support running multiple osquery instances by @RebeccaMahany in #1941
• Store expected registration IDs separately from running instances to avoid data race by @RebeccaMahany in #1945
• Test reorganization/backfill for osquery runner and instance by @RebeccaMahany in #1946
• ActionQueue retry on failure by @cesarfda in #1944
• Refactor log file handling to standardize zip creation and improve er… by @cesarfda in #1950
• add current version to windows registry on startup by @zackattack01 in #1956
• add windows installer-info from registry to flares by @zackattack01 in #1957
• choose presence detection reason based on GOOS, enable windows by @James-Pickett in #1959
• Don't perform remote restart yet by @RebeccaMahany in #1966

Full Changelog: v1.11.6...v1.12.3

v1.11.6

What's Changed

Build and Package

• Set osquery version in packaging context by @RebeccaMahany in #1901
• Trim osquery version correctly on Windows by @RebeccaMahany in #1903

Features and Improvements

• If we don't have any TUF metadata locally, return friendlier error message by @RebeccaMahany in #1907
• show desktop immediatly at launch if already enabled by @James-Pickett in #1911
• add resumedFromSleep event to power event watcher by @zackattack01 in #1913

General

• added metadata to server checkup by @cesarfda in #1902
• Remove unused subcommands by @RebeccaMahany in #1906
• add availablesleepstates output to windows flare power report by @zackattack01 in #1912
• collect power events for windows flares by @zackattack01 in #1916

Full Changelog: v1.11.5...v1.11.6