Osquery

Latest version: v3.1.1

Page 2 of 6

5.8.1

[Git Commits](https://github.com/osquery/osquery/compare/5.7.0...5.8.1)

Representing commits from 22 contributors! Thank you all.

New Features

- Record and send statistics for distributed queries ([7870](https://github.com/osquery/osquery/pull/7870))

Table Changes

- Add ETW-based process events table for Windows ([7821](https://github.com/osquery/osquery/pull/7821))
- Add `pid_with_namespace` for `yara` table ([7920](https://github.com/osquery/osquery/pull/7920))
- Add a new table `kernel_keys` to the Linux platform ([7876](https://github.com/osquery/osquery/pull/7876))
- Leave `min_version` empty in `xprotect_meta` when not specified ([7926](https://github.com/osquery/osquery/pull/7926))
- Port the `secureboot` table to macOS ([7692](https://github.com/osquery/osquery/pull/7692))
- Update `docker_container_stats` table to include `cached_memory` column ([7807](https://github.com/osquery/osquery/pull/7807))
- `cpu_info`: Port the table to macOS x86 and Apple Silicon ([7757](https://github.com/osquery/osquery/pull/7757))
- experiments: Implement a new `bpf_process_events_v2` table ([7773](https://github.com/osquery/osquery/pull/7773))
- `systemd_units`: Add new `unit_file_state` column ([7895](https://github.com/osquery/osquery/pull/7895))

Under the Hood improvements

- Set counter consistently so zero always indicates all records ([7801](https://github.com/osquery/osquery/pull/7801))
- Support logging empty result set in batch format for initial runs ([7803](https://github.com/osquery/osquery/pull/7803))
- Support rollbacks of osquery when new versions introduce new column families ([7712](https://github.com/osquery/osquery/pull/7712))
- analysis.py: Add --pack flag to load queries from a pack file ([7935](https://github.com/osquery/osquery/pull/7935))
- profile.py: Log of queries loaded and raise an error if 0 are loaded ([7934](https://github.com/osquery/osquery/pull/7934))

Bug Fixes

- Clear cached constraints and columns in xBestIndex ([7435](https://github.com/osquery/osquery/pull/7435))
- Fix assert fail for unverified WMI request result ([7921](https://github.com/osquery/osquery/pull/7921))
- Fix leaks in `scheduled_tasks` (7903) ([7904](https://github.com/osquery/osquery/pull/7904))
- Flush console buffer during ungraceful exit ([7829](https://github.com/osquery/osquery/pull/7829))
- Propagate windows errors to the exit code ([7896](https://github.com/osquery/osquery/pull/7896))
- Relax osquery safe permissions check ([7763](https://github.com/osquery/osquery/pull/7763))
- Silence warnings for more builtin Chrome and Brave extensions ([7932](https://github.com/osquery/osquery/pull/7932))
- Workaround for hung `routes` table ([7916](https://github.com/osquery/osquery/pull/7916))
- dns_resolvers: fix typo in the name when spawning in namespace ([7875](https://github.com/osquery/osquery/pull/7875))
- test: Fix flaky test_daemon_sigint ([7888](https://github.com/osquery/osquery/pull/7888))

Documentation

- Add note about `windows_security_products` compatibility ([7880](https://github.com/osquery/osquery/pull/7880))
- CHANGELOG 5.7.0 ([7894](https://github.com/osquery/osquery/pull/7894))
- Docs: mention the recent adoption of automatic CVE scanning ([7878](https://github.com/osquery/osquery/pull/7878))
- Fix broken link in CODE_OF_CONDUCT.md ([7922](https://github.com/osquery/osquery/pull/7922))
- docs: Update the list of pages ([7866](https://github.com/osquery/osquery/pull/7866))
- docs: clarify that logger_plugin is set from CLI ([7917](https://github.com/osquery/osquery/pull/7917))

Build

- Do not catch table or registry exceptions when running tests ([7621](https://github.com/osquery/osquery/pull/7621))
- Fix and document discovery queries behavior on distributed queries and add tests ([7655](https://github.com/osquery/osquery/pull/7655))
- Try to free some disk space on the arm64 runners ([7950](https://github.com/osquery/osquery/pull/7950))
- ci: Automatically cancel old PR jobs ([7887](https://github.com/osquery/osquery/pull/7887))
- ci: Improve error message when a library is missing from the manifest ([7899](https://github.com/osquery/osquery/pull/7899))
- ci: Remove Windows 32bit build ([7939](https://github.com/osquery/osquery/pull/7939))
- ci: Update some actions to remove deprecation warnings ([7864](https://github.com/osquery/osquery/pull/7864))
- ci: Workaround in the aarch64 runner to avoid out of space ([7941](https://github.com/osquery/osquery/pull/7941))
- cmake: Remove forced static libraries search for osquery-toolchain ([7881](https://github.com/osquery/osquery/pull/7881))
- cve: Ignore libcryptsetup cves ([7871](https://github.com/osquery/osquery/pull/7871))
- cve: Ignore libdpkg CVE-2022-1664 ([7872](https://github.com/osquery/osquery/pull/7872))
- cve: Ignore libgcrypt cves ([7873](https://github.com/osquery/osquery/pull/7873))
- cve: Ignore sqlite CVE-2022-46908 ([7911](https://github.com/osquery/osquery/pull/7911))
- cve: Ignore util-linux cves ([7929](https://github.com/osquery/osquery/pull/7929))
- cve: Update librpm to 4.18.0 ([7910](https://github.com/osquery/osquery/pull/7910))
- cve: Update openssl to 1.1.1t ([7937](https://github.com/osquery/osquery/pull/7937))
- cve: Update yara to 4.2.3 ([7912](https://github.com/osquery/osquery/pull/7912))
- git: Ignore compile_commands.json and pyrightconfig.json ([7885](https://github.com/osquery/osquery/pull/7885))
- libs: Fix libmagic build on macOS ([7915](https://github.com/osquery/osquery/pull/7915))
- libs: Fix system paths used by dbus ([7919](https://github.com/osquery/osquery/pull/7919))
- libs: Update dbus to 1.12.24 ([7905](https://github.com/osquery/osquery/pull/7905))
- libs: Update libarchive to 3.6.2 ([7877](https://github.com/osquery/osquery/pull/7877))
- libs: Update libxml2 to 2.10.3 ([7882](https://github.com/osquery/osquery/pull/7882))
- libs: Update popt to 1.19 ([7909](https://github.com/osquery/osquery/pull/7909))
- libs: Update util-linux to 2.35.2 ([7902](https://github.com/osquery/osquery/pull/7902))
- libs: Update zlib to 1.2.13 ([7874](https://github.com/osquery/osquery/pull/7874))
- libs: update Thrift to 0.17 ([7868](https://github.com/osquery/osquery/pull/7868))
- test: Add an option to run only selected python testcases ([7890](https://github.com/osquery/osquery/pull/7890))
- test: Speed up ec2InstanceMetadata.test_sanity ([7907](https://github.com/osquery/osquery/pull/7907))


<a name="5.7.0"></a>

5.7.0

[Git Commits](https://github.com/osquery/osquery/compare/5.6.0...5.7.0)

Representing commits from 12 contributors! Thank you all.

CVEs

Addressed by updating a library:

Ignored due to not affecting osquery:
- libzstd CVE-2021-24031 via ([7865](https://github.com/osquery/osquery/pull/7865))

New Features

- New table `security_profile_info` to retrieve security profile information on Windows ([7794](https://github.com/osquery/osquery/pull/7794))

Table Changes

- Add column to `es_process_events` for process codesigning flags ([7726](https://github.com/osquery/osquery/pull/7726))
- `shimcache`: Only check CurrentControlSet to avoid duplicate rows ([7832](https://github.com/osquery/osquery/pull/7832))
- `processes`: Fix the procfs memory unit kB, which is 1024 bytes not 1000 ([7818](https://github.com/osquery/osquery/pull/7818))
- Fix permissions on opening pipes for reading in `pipes` table ([7810](https://github.com/osquery/osquery/pull/7810))
- Fix the empty `host` column from `logged_in_users` table ([7685](https://github.com/osquery/osquery/pull/7685))
- `docker_containers`: Don't report `finished_at` for a container which is still running ([7783](https://github.com/osquery/osquery/pull/7783))
- `processes`: Stabilize the `start_time` column value on macOS and Linux ([7788](https://github.com/osquery/osquery/pull/7788))

Bug Fixes

- Do not access the AWS SDK request content type if missing ([7834](https://github.com/osquery/osquery/pull/7834))
- Fix deadlock when logging happens during a database reset ([7798](https://github.com/osquery/osquery/pull/7798))
- Fix handling of some errors during an AWS HTTP request ([7811](https://github.com/osquery/osquery/pull/7811))

Documentation

- CHANGELOG 5.6.0 ([7804](https://github.com/osquery/osquery/pull/7804))
- Add link to official YARA docs ([7792](https://github.com/osquery/osquery/pull/7792))
- Fix typo in `keychain_items` ([7790](https://github.com/osquery/osquery/pull/7790))

Packs

- packs/incident_response: `process_memory_map` is also applicable to Darwin ([7789](https://github.com/osquery/osquery/pull/7789))

Build

- cve: Ignore zstd CVE-2021-24031 ([7865](https://github.com/osquery/osquery/pull/7865))
- ci: Add a job and helper scripts to periodically scan for CVEs ([7787](https://github.com/osquery/osquery/pull/7787))
- ci: Update how we set github workflow step outputs ([7791](https://github.com/osquery/osquery/pull/7791))
- ci: Fix python version when installing modules and testing on macos ([7813](https://github.com/osquery/osquery/pull/7813))

<a name="5.6.0"></a>

5.6.0

[Git Commits](https://github.com/osquery/osquery/compare/5.5.1...5.6.0)

Representing commits from 10 contributors! Thank you all.

Table Changes

- Add `firmware_type` column to `platform_info` on macOS ([7727](https://github.com/osquery/osquery/pull/7727))
- Add additional vendor support for the windows `wmi_bios_info` table ([7631](https://github.com/osquery/osquery/pull/7631))
- Fix `docker_container_processes` on macOS ([7746](https://github.com/osquery/osquery/pull/7746))
- Fix `process_file_events` subscriber being incorrectly initialized ([7759](https://github.com/osquery/osquery/pull/7759))
- Fix `secureboot` on windows by acquiring the necessary process privileges ([7743](https://github.com/osquery/osquery/pull/7743))
- Improve macOS `mdfind` -- Reduce table overhead and support interruption ([7738](https://github.com/osquery/osquery/pull/7738))
- Remove `binary` column from `firefox_addons` table ([7735](https://github.com/osquery/osquery/pull/7735))
- Remove `is_running` column from macOS `running_apps` table ([7774](https://github.com/osquery/osquery/pull/7774))

Under the Hood improvements

- Add `notes` field to the schema and associated json ([7747](https://github.com/osquery/osquery/pull/7747))
- Add extended platforms to the schema and associated json ([7760](https://github.com/osquery/osquery/pull/7760))
- Fix a leak and improve users and groups APIs on Windows ([7755](https://github.com/osquery/osquery/pull/7755))
- Have `--tls_dump` output body to `stderr` ([7715](https://github.com/osquery/osquery/pull/7715))
- Improvements to osquery AWS logic ([7714](https://github.com/osquery/osquery/pull/7714))
- Remove leftover FreeBSD related code and documentation ([7739](https://github.com/osquery/osquery/pull/7739))

Documentation

- CHANGELOG 5.5.1 ([7737](https://github.com/osquery/osquery/pull/7737))
- Correct the description on how to configure and use Yara signature urls ([7769](https://github.com/osquery/osquery/pull/7769))
- Document difference between `yara` and `yara_events` ([7744](https://github.com/osquery/osquery/pull/7744))
- Link to the slack archives ([7786](https://github.com/osquery/osquery/pull/7786))
- Update docs: `_changes` tables are not evented ([7762](https://github.com/osquery/osquery/pull/7762))

Build

- Delete temporary CTest files ([7782](https://github.com/osquery/osquery/pull/7782))
- Fix table tests for macOS `running_apps` ([7775](https://github.com/osquery/osquery/pull/7775))
- Fix table tests for windows `platform_info` ([7742](https://github.com/osquery/osquery/pull/7742))
- Migrate jobs from ubuntu-18.04 to ubuntu-20.04 ([7745](https://github.com/osquery/osquery/pull/7745))
- Remove unused find_packages modules and submodule ([7771](https://github.com/osquery/osquery/pull/7771))

<a name="5.5.1"></a>

5.5.1

anticipated `unified_log` for macOS, this table is the replacement for
`asl`, and uses the current Apple APIs. Additionally, several tables
have improved their cross-platform support.

Representing commits from 14 contributors! Thank you all.

New Features

- Add denylist mechanism to distributed queries ([7675](https://github.com/osquery/osquery/pull/7675))

Table Changes

- Add `cgroup_path` column to `processes` table on Linux ([7728](https://github.com/osquery/osquery/pull/7728))
- Add `firmware_type` column to `platform_info` table on Windows. ([7710](https://github.com/osquery/osquery/pull/7710))
- Add `unified_log` table for macOS (UAL) ([7598](https://github.com/osquery/osquery/pull/7598), [7713](https://github.com/osquery/osquery/pull/7713))
- Port `memory_devices` table to Windows ([7633](https://github.com/osquery/osquery/pull/7633))
- Port `platform_info` table to M1 Macs ([7660](https://github.com/osquery/osquery/pull/7660))
- Restore macOS `kernel_panics` table on modern macOS ([7585](https://github.com/osquery/osquery/pull/7585))
- Update `battery` table on macOS m1 with correct raw battery max and current capacity ([7721](https://github.com/osquery/osquery/pull/7721))
- Update `mdfind` query timeout to 30 seconds ([7725](https://github.com/osquery/osquery/pull/7725))
- Update macos `password_policy` table to use `-1` as sentinel value for `uid` column ([7699](https://github.com/osquery/osquery/pull/7699))
- Update parsing of `authorized_keys` file ([7560](https://github.com/osquery/osquery/pull/7560))
- Update the `registry` table to be case insensitive for `key` ([7708](https://github.com/osquery/osquery/pull/7708))


Under the Hood improvements

- Add a mechanism to reduce memory retained on Linux ([7502](https://github.com/osquery/osquery/pull/7502))
- Add denylist mechanism to distributed queries ([7675](https://github.com/osquery/osquery/pull/7675))
- Add table spec support for `COLLATE NOCASE` ([7680](https://github.com/osquery/osquery/pull/7680))
- Improve Pidfile handling ([7304](https://github.com/osquery/osquery/pull/7304))
- Prevent the audit event system from using too much memory ([7329](https://github.com/osquery/osquery/pull/7329))
- carves: use full pathnames while creating an archive ([7681](https://github.com/osquery/osquery/pull/7681))

Bug Fixes

- Fix `GetMemorySize` for Windows `memory_devices` table ([7711](https://github.com/osquery/osquery/pull/7711))
- Fix `tpm_info` bug where values were out of date ([7686](https://github.com/osquery/osquery/pull/7686))
- Fix a crash when parsing ATC config with no columns ([7693](https://github.com/osquery/osquery/pull/7693))
- Fix bug in GetHomeDirectories filesystem function ([7705](https://github.com/osquery/osquery/pull/7705))

Documentation

- Add core to the type column description of osquery_extensions schema ([7716](https://github.com/osquery/osquery/pull/7716))
- Add documentation about 3rd-party dependency security ([7684](https://github.com/osquery/osquery/pull/7684))
- Add example for hostname form in `curl_certificate` table ([7706](https://github.com/osquery/osquery/pull/7706))
- Adds info on how to use GTEST_FILTER on windows ([7696](https://github.com/osquery/osquery/pull/7696))
- Changelog 5.4.0 ([7678](https://github.com/osquery/osquery/pull/7678))
- Describe user-context-related caveat for screenlock table ([7649](https://github.com/osquery/osquery/pull/7649))
- Update schema for `process_open_sockets.state` ([7733](https://github.com/osquery/osquery/pull/7733))
- Update schema to reflect `platform_info` columns not available in Windows ([7732](https://github.com/osquery/osquery/pull/7732))

Build

- Add validation integration test for memory_devices ([7722](https://github.com/osquery/osquery/pull/7722))
- Temporarily disable memory_devices integration test ([7717](https://github.com/osquery/osquery/pull/7717))
- Update minimum macOS support from 10.12 to 10.14 ([7707](https://github.com/osquery/osquery/pull/7707))
- ci: Update and temporarily disable the macOS Catalina test job ([7700](https://github.com/osquery/osquery/pull/7700))
- cmake: Prevent defining some Linux only targets on other platforms ([7672](https://github.com/osquery/osquery/pull/7672))
- libs: Update libxml2 to v2.9.14 ([7729](https://github.com/osquery/osquery/pull/7729))
- libs: Update sqlite to version 3.39.2 ([7736](https://github.com/osquery/osquery/pull/7736))
- test: Fix Mdfind.test_sanity flakiness ([7701](https://github.com/osquery/osquery/pull/7701))

<a name="5.4.0"></a>

5.4.0

[Git Commits](https://github.com/osquery/osquery/compare/5.3.0...5.4.0)

Representing commits from 15 contributors! Thank you all.

New Features

- We're extending macOS Endpoint Security to include File Integrity monitoring. Check out the new `es_process_file_events` table. ([7579](https://github.com/osquery/osquery/pull/7579))
- Add Docker build scripts and configuration ([7619](https://github.com/osquery/osquery/pull/7619))

Deprecation Notices

- Prevent CLI_FLAGs from being set via config ([7561](https://github.com/osquery/osquery/pull/7561))
- Remove the `lldp_neighbors` table ([7664](https://github.com/osquery/osquery/pull/7664))

Table Changes

- New Table: `es_process_file_events` for macOS Endpoint Security based FIM ([7579](https://github.com/osquery/osquery/pull/7579))
- New Table: `password_policy` table for macOS ([7594](https://github.com/osquery/osquery/pull/7594))
- New Table: `windows_update_history` ([7407](https://github.com/osquery/osquery/pull/7407))
- Add `memory_available` to linux `memory_info` table ([7669](https://github.com/osquery/osquery/pull/7669))
- Port the `cpu_info` table to linux ([7499](https://github.com/osquery/osquery/pull/7499))
- Remove the `lldp_neighbors` table ([7664](https://github.com/osquery/osquery/pull/7664))
- Update `deb_packages` table to not display arch info in the package name ([7638](https://github.com/osquery/osquery/pull/7638))
- Update `hardware_model` in the `system_info` table on Apple M1 machines to report correctly ([7662](https://github.com/osquery/osquery/pull/7662))
- Update `shared_resources` table to add type names, fix type/maximum_allowed handling ([7645](https://github.com/osquery/osquery/pull/7645))

Under the Hood improvements

- Expand env vars before trying to enumerate crashes in `windows_crashes` table ([7391](https://github.com/osquery/osquery/pull/7391))
- Implement a split and trim function using std::string_view ([7636](https://github.com/osquery/osquery/pull/7636))
- Improve scheduled query denylisting and scheduler shutdown ([7492](https://github.com/osquery/osquery/pull/7492))
- Prevent CLI_FLAGs from being set via config ([7561](https://github.com/osquery/osquery/pull/7561))
- Remove unnecessary string copy ([7625](https://github.com/osquery/osquery/pull/7625))

Bug Fixes

- Add linwin to list of supported PLATFORM_DIRS ([7646](https://github.com/osquery/osquery/pull/7646))
- Fix AWS certificate verification failing on all services ([7652](https://github.com/osquery/osquery/pull/7652))
- Fix MBCS support on Windows ([7593](https://github.com/osquery/osquery/pull/7593))
- Fix `local_timezone` column in the `time` table on Windows ([7656](https://github.com/osquery/osquery/pull/7656))
- Fix `system_info` table to support unicode on Windows ([7626](https://github.com/osquery/osquery/pull/7626))
- Fix multiple Yara leaks ([7615](https://github.com/osquery/osquery/pull/7615))
- Fix std::bad_alloc on pci_devices on Apple Silicon macs ([7648](https://github.com/osquery/osquery/pull/7648))
- Fix tables spec files to specify `linux` and not `posix` ([7644](https://github.com/osquery/osquery/pull/7644))
- Fix thrift server shutting down when dropping privileges ([7639](https://github.com/osquery/osquery/pull/7639))

Documentation

- CHANGELOG 5.3.0 ([7575](https://github.com/osquery/osquery/pull/7575))
- Exclude `spec/example.table` when generating documentation ([7647](https://github.com/osquery/osquery/pull/7647))
- Fix a UUID typo in the `disk_encryption` table ([7608](https://github.com/osquery/osquery/pull/7608))
- Fix spelling of the word "owned" ([7630](https://github.com/osquery/osquery/pull/7630))
- Fix typo in FIM docs for Windows ([7676](https://github.com/osquery/osquery/pull/7676))
- Update the "new release" issue template ([7607](https://github.com/osquery/osquery/pull/7607))
- clarify browser_plugins table is referencing basically unsupported CNPAPI tech ([7651](https://github.com/osquery/osquery/pull/7651))

Build

- Add an option to build with the leak sanitizer ([7609](https://github.com/osquery/osquery/pull/7609))
- Fix check for PIE support ([7234](https://github.com/osquery/osquery/pull/7234))
- Fix SchedulerTests.test_scheduler_drift_accumulation flakiness ([7613](https://github.com/osquery/osquery/pull/7613))
- Improve config parsing and osqueryfuzz-config performance ([7635](https://github.com/osquery/osquery/pull/7635))
- Initialize users and groups services on all tests that need them ([7620](https://github.com/osquery/osquery/pull/7620))
- ci: Update osquery-packaging commit to the latest one ([7667](https://github.com/osquery/osquery/pull/7667))
- cmake: Add an option to enable or disable using ccache ([7671](https://github.com/osquery/osquery/pull/7671))
- libs: Update OpenSSL to version 1.1.1o ([7629](https://github.com/osquery/osquery/pull/7629))
- libs: Update OpenSSL to version 1.1.1q ([7674](https://github.com/osquery/osquery/pull/7674))
- libs: Update libarchive to version 3.6.1 ([7654](https://github.com/osquery/osquery/pull/7654))
- libs: Update sqlite to version 3.38.5 ([7628](https://github.com/osquery/osquery/pull/7628))

<a name="5.3.0"></a>

5.3.0

[Git Commits](https://github.com/osquery/osquery/compare/5.2.3...5.3.0)

osquery 5.3.0 brings several table improvements and bugfixes.
Also worth mentioning are the deprecation of the `smart_drive_info` table
and the new warning added when a CLI-only flag is incorrectly configured
via the config file. In the next release, CLI-only flags will no longer be
configurable through the config file or refresh.

This release represents commits from 15 contributors! Thank you all.

Deprecation Notices

- Deprecate unmaintainable legacy table, `smart_drive_info` ([7464](https://github.com/osquery/osquery/issues/7464), [7542](https://github.com/osquery/osquery/pull/7542))

New Features

- Add the option `tls_disable_status_log` to prevent status logs from being sent via TLS [7550](https://github.com/osquery/osquery/pull/7550)
- Add SQLite function `in_cidr_block` to check if IPv4/v6 addresses are within the supplied CIDR block [7563](https://github.com/osquery/osquery/pull/7563)

Table Changes

- Add the `admindir` column to the `deb_packages` table to parse package databases on different paths [7549](https://github.com/osquery/osquery/pull/7549)
- Implement and fix `wifi_networks` on macOS Big Sur and newer [7503](https://github.com/osquery/osquery/pull/7503)
- Add windows/darwin support to `npm_packages` [7536](https://github.com/osquery/osquery/pull/7536)
- Move `apt_sources` and `yum_sources` tables to linux only [7537](https://github.com/osquery/osquery/pull/7537)
- Add homebrew paths to the `python_packages` table [7535](https://github.com/osquery/osquery/pull/7535)
- Mark `wall_time` column in `osquery_schedule` as hidden [7501](https://github.com/osquery/osquery/pull/7501)
- Add new metrics and improve description of existing ones in `osquery_schedule` [7438](https://github.com/osquery/osquery/pull/7438)
- Add the `mirrorlist` column in the table `yum_sources` [7479](https://github.com/osquery/osquery/pull/7479)
- Implement `output_size` for `osquery_schedule` [7436](https://github.com/osquery/osquery/pull/7436)
- `deb_packages` table: Use additional instead of index for the `admindir` column [7573](https://github.com/osquery/osquery/pull/7573)
- `certificates` table: Add Linux support [7570](https://github.com/osquery/osquery/pull/7570)
- Add `translated` column to `processes` table to indicate whether the process is running under Apple Rosetta [7507](https://github.com/osquery/osquery/pull/7507)
- Add the "internet password" type to the macOS `keychain_items` table [7576](https://github.com/osquery/osquery/pull/7576)
- Add `original filename` column to `file` table on Windows [7156](https://github.com/osquery/osquery/pull/7156)

Bug Fixes

- Fix watchdog not killing unhealthy worker/extension fast enough [7474](https://github.com/osquery/osquery/pull/7474)
- Fix the `test_http_server.py` `--persist` option [7497](https://github.com/osquery/osquery/pull/7497)
- Update `profile.py --leaks` for python3 [7534](https://github.com/osquery/osquery/pull/7534)
- Fixes osquery tls connections to aws kinesis when tls_server_certs is set [7450](https://github.com/osquery/osquery/pull/7450)
- Fix parsing issue when a backslash is the last character on a sudoers file line [7440](https://github.com/osquery/osquery/pull/7440)
- Change the JSON of the results coming from an event scheduled query to an array [7434](https://github.com/osquery/osquery/pull/7434)
- Fix globToRegex truncating UTF16 characters [7430](https://github.com/osquery/osquery/pull/7430)
- Prevent hanging when the WMI server does not respond [7429](https://github.com/osquery/osquery/pull/7429)
- Fix `python_packages` table so that it lists python packages from any user Python installations [7414](https://github.com/osquery/osquery/pull/7414)
- Set string size limit on thrift protocol factory to prevent a crash [7484](https://github.com/osquery/osquery/pull/7484)
- Fix driver image path in `drivers` table [7444](https://github.com/osquery/osquery/pull/7444)
- Do not remove nonblocking flag when reading "special" files, to prevent hangs [7530](https://github.com/osquery/osquery/pull/7530)
- Fix crash due to interaction between distributed and config plugin [7504](https://github.com/osquery/osquery/pull/7504)
- bpf: Disable the BPF publisher in case of error [7500](https://github.com/osquery/osquery/pull/7500)
- Warn about setting CLI_FLAGs in the config [7583](https://github.com/osquery/osquery/pull/7583)
- Explicitly set context for the tables reading utmpx databases [7578](https://github.com/osquery/osquery/pull/7578)
- bpf: Improve socket event handling [7446](https://github.com/osquery/osquery/pull/7446)
- certificates: Refactor the OpenSSL utilities [7581](https://github.com/osquery/osquery/pull/7581)
- Fix shared_resources accessing uninitialized variables [7600](https://github.com/osquery/osquery/pull/7600)

Under the Hood improvements

- Implement a performant cache for users and groups on Windows [7516](https://github.com/osquery/osquery/pull/7516)
- Replace WmiRequest constructor with static factory method to improve error handling and prevent crashes [7489](https://github.com/osquery/osquery/pull/7489)
- Remove redundant string conversion [7603](https://github.com/osquery/osquery/pull/7603)

Build

- Fix DebPackages.test_sanity test when the `size` column is empty [7569](https://github.com/osquery/osquery/pull/7569)
- libs: Update libdpkg from version v1.19.0.5 to v1.21.7 [7549](https://github.com/osquery/osquery/pull/7549)
- CI: Restore some release checks [7558](https://github.com/osquery/osquery/pull/7558)
- Prevent ebpfpub linking against the system zlib [7557](https://github.com/osquery/osquery/pull/7557)
- Fix mdfind.test_sanity flaky behavior [7533](https://github.com/osquery/osquery/pull/7533)
- Enable fuzzing and Asan on Windows, enable Asan on macOS [7470](https://github.com/osquery/osquery/pull/7470)
- Update cppcheck to version 2.6.3 and skip analysis for third party code [7455](https://github.com/osquery/osquery/pull/7455)
- Change `cpu_info` test to expect *at least* one socket, not just one [7490](https://github.com/osquery/osquery/pull/7490)
- Fix third party libraries flags leaking to osquery targets [7480](https://github.com/osquery/osquery/pull/7480)
- Add third party libraries target [7467](https://github.com/osquery/osquery/pull/7467)
- Do not run clang-tidy on third party libraries [7432](https://github.com/osquery/osquery/pull/7432)
- CI: Create github workflow target to gate mergeability [7427](https://github.com/osquery/osquery/pull/7427)
- Fix some warnings about unrecognized special characters in the Windows event log test [7478](https://github.com/osquery/osquery/pull/7478)
- Change where the macOS Info.plist is generated [7566](https://github.com/osquery/osquery/pull/7566)
- Add OSQUERY_ENABLE_THREAD_SANITIZER to optionally enable TSan [6997](https://github.com/osquery/osquery/pull/6997)
- Add an option to specify a path to the openssl archive [7559](https://github.com/osquery/osquery/pull/7559)
- packs: Update reverse shell query pack to check for a valid remote_port [7567](https://github.com/osquery/osquery/pull/7567)
- Remove the test_daemon_sighup test [7584](https://github.com/osquery/osquery/pull/7584)
- Fix release tests for Linux aarch64 [7572](https://github.com/osquery/osquery/pull/7572)


Documentation

- docs: remove FreeBSD [7508](https://github.com/osquery/osquery/pull/7508)
- Pin Jinja2 ReadTheDocs dependency to 3.0.3 [7533](https://github.com/osquery/osquery/pull/7533)
- CHANGELOG 5.2.3 [7571](https://github.com/osquery/osquery/pull/7571)
- CHANGELOG 5.2.2 [7447](https://github.com/osquery/osquery/pull/7447)
- Bump mkdocs from 1.1.2 to 1.2.3 in /docs [7457](https://github.com/osquery/osquery/pull/7457)
- Replace OS X with macOS in table specs [7587](https://github.com/osquery/osquery/pull/7587)
- Update `osquery.example.conf` to omit the CLI only flags [7595](https://github.com/osquery/osquery/pull/7595)
- Update documentation about users and groups service flags ([7596](https://github.com/osquery/osquery/pull/7596))
- Update the TSC members ([7543](https://github.com/osquery/osquery/pull/7543))

<a name="5.2.3"></a>
