-
Notifications
You must be signed in to change notification settings - Fork 8
/
CHANGES
408 lines (242 loc) · 12 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
2.3.0 | 2024-07-05 13:33:50 +0200
* Extend list of artifacts included into release.
* Update link in README.
* Fix for Windows compilation.
* Bump submodules.
* Revert dependabout grouping.
2.3.0-dev.119 | 2024-03-28 12:40:14 +0100
* Bump 3rdparty submodules with 9 updates.
2.3.0-dev.117 | 2024-03-28 11:42:56 +0100
* Bump submodules.
* Group dependabot dependencies.
2.3.0-dev.105 | 2024-03-11 11:10:50 +0100
* Bump submodules.
2.3.0-dev.96 | 2024-02-26 09:46:01 +0100
* Bump submodules and GH actions.
2.3.0-dev.94 | 2024-01-15 10:58:04 +0100
* Fix synchronization issue with console. If a query couldn't be
processed, client and server could get synchronized.
* Update license headers.
2.3.0-dev.90 | 2024-01-12 14:49:01 +0100
* Linux: Integrate `bpftools` and add central manager for handling
BPF programs. We now require `clang` for building the agent on
Linux.
* Linux: Add BPF-based `processes_events` and `sockets_events`
tables. These remain experimental for now and may require further
fine tuning.
* Linux: Add function retrieve kernel version.
* Add Dependabot configuration.
* Update README.
* Bump IXWebSocket.
2.3.0-dev.80 | 2024-01-09 09:15:06 +0100
* Add `processes_events` and `sockets_events` tables on macOS. The
former uses Endpoint Security, the latter a Network Extension.
These remain experimental for now.
2.3.0-dev.78 | 2024-01-08 10:25:51 +0100
* GH-8: Support attaching interactive console to a running agent.
By default, an agent now creates a UNIX socket for its console that an
external client can connect to. To connect to an already running
agent, execute `zeek-agent -r` on the same machine (note that client
and server must be running as the same user, probably `root`). Client
and server can specify a different socket path through `-s <PATH>`.
The environment variable `ZEEK_AGENT_SOCKET` can be set to specify the
path as well.
Remote consoles aren't support on Windows yet.
Internally, we switch the classic local console over to the same IPC
mechanism we now use for remote consoles, so that there's only one
implementation. For Windows, where actual IPC isn't implemented yet,
we provide a dummy implementation for this purpose that just forwards
data inside the main (and only) process.
Note: This has a known issue on Windows where the local console
stops taking input after the first command. That remains to be
fixed.
* Reformat Zeek scripts with `zeek-script`.
* Fix help message.
* Fix return value of scheduler loop.
* Bump `spdlog`.
* Bump `fmt`.
2.3.0-dev.71 | 2023-12-20 12:11:13 +0100
* Notarization updates and fixes. We now use Apple's new
`notarytool` along with App Store Connect credentials.
* Rework the EndpointSecurity manager.
* Rework handling of macOS deployment target.
By default, our deployment target is now the current platform's major
version. That avoids problems with system libraries not matching in
for what they were built.
To set a different deployment target, there's now a corresponding
`configure` option. We set that for CI builds.
As part of this change, we also raise the CI's deployment target to
Monterey.
* Use `gawk` in `auxil` scripts.
* Support tables that are disabled at first, but may later become active.
* Make tables thread-safe.
* Add helper to table class for getting current system time.
* Build without Broker by default.
Broker support isn't needed anymore with Zeek >= 5.0. We now build
without it by default. To re-enable Broker support for Zeek 4.x,
you can still configure with ``--enable-broker``.
The pre-build binaries also no longer include Broker support.
* Silence new clang-tidy warnings.
2.3.0-dev.61 | 2023-12-12 10:33:37 -0700
* Avoid dereferencing cookie field that could intentionally be unset
2.3.0-dev.59 | 2023-12-11 09:56:46 -0700
* Merge branch 'topic/timw/fix-timestamp-parsing'
* topic/timw/fix-timestamp-parsing:
Don't add timezone offset to ISO time, since it results in errors
Parse 'timestamp' fields from json received from Zeek correctly
* Don't add timezone offset to ISO time, since it results in errors
* Parse 'timestamp' fields from json received from Zeek correctly
* Update pathfind submodule for #include fix
2.3.0-dev.55 | 2023-12-01 09:42:11 -0700
* Add section about building for Windows to README
* CI: Use correct vcpkg root for Windows builds
* Update vcpkg to 2023.11.20
This fixes the build on Windows failing to find zlib.
* Update doctest to v2.4.11
This fixes, among other things, build failures on macOS due to sprintf
being fully deprecated in XCode 14.
* CI: Update ubuntu builds to use zeek 5.0.9 for ubuntu22, remove zeek 4.0 build
* CI: Update github actions used across all jobs
* CI: Update to macOS 13
GitHub's action runner complains that we're still trying to use macOS 11
and is killing the builds. This requires some tinkering with the brew
packages that are installed, but don't like to update cleanly (python
and php specifically).
2.3.0-dev.47 | 2022-11-29 15:58:23 -0800
* Minor grammar fixes (William Stearns)
2.3.0-dev.45 | 2022-10-31 18:18:38 +0100
* GH-52: Switch `glob::glob` to use `ghc::filesystem`.
* Reorganize platform-specific code.
* Factor out our CMake compile and link options.
* Move macOS installer app into platform code.
2.3.0-dev.39 | 2022-08-05 10:29:03 +0200
* Add a macOS network extension to the agent.
On macOS, the agent was already running as a system extension. This
adds the appropriate magic to hook into the OS as a "Network
Extension", so that we gain access to network activity. We don't use
this yet for anything, but this gets all the infrastructure pieces in
place.
* Add `stderr` as a log destination.
2.3.0-dev.36 | 2022-08-05 10:27:48 +0200
* Use `p-ranav/glob` library for Windows `files` table.
2.3.0-dev.33 | 2022-07-28 13:56:49 +0200
* Fix ccache on Windows
* Update CI jobs to use `ccache-action@v1.2.2`.
2.3.0-dev.31 | 2022-07-19 11:15:45 +0200
* Adding Windows installer packaging.
* Publish Windows installer as part of the release workflow.
* Add keys to ccache configs in CI to avoid collisions.
* Set `ZEEK_AGENT_VERSION_{MAJOR,MINOR_PATCH}` values during CMake.
2.3.0-dev.25 | 2022-07-12 13:16:30 +0200
* Extend macOS support:
- Add installer application and turn the agent into a system
extension. The installer does three things: (1) it asks the
system to install the extension persistently; (2) it interacts
with the user through a small UI, including offering some basic
configuration; and (3) it communicates with the running
extension through XPC for configuration and status checks.
Application and extensions get bundled into a DMG, and signed
and notarized during CI.
- Implement `system` logging on macOS.
- Read preferences from system's `org.zeek.zeek-agent` via
`defaults`.
- Relocate default paths for configuration and state to
`/Library/Application Support/ZeekAgent`, or the user's version
of that if not running as root. (This may not be final yet.)
- Make Endpoint Security available internally (not used yet).
- Add new icons for macOS. (Matti Bispham)
* Switch default log level to `info`.
* Make agent robust against platforms potentially not being able to
determine paths for configuration and state files.
* Fix bug on Linux/macOS determining admin mode.
2.3.0-dev.10 | 2022-07-08 13:37:18 +0200
* Rework Windows build to use `vcpkg` for dependencies.
* Fix a couple of minor issues for Windows.
* Rename our internal format method to avoid ambiguity with
`std::format`.
* Remove duplicated `out_ptr` license info.
2.3.0-dev.5 | 2022-07-07 16:51:52 +0200
* Prettify WebSocket error messages.
* Do not install IXWebSocket headers.
* Update CI configuration to not treat `v.*-dev` tags as releases.
* Revert unintended submodule bumps.
2.2.0 | 2022-07-05 12:04:10 +0200
* Port to Windows. (Binary build to come with next release.)
* GH-25: Add `files_columns` table that extracts selected columns
from on-disk files und sends them over to Zeek as a record. See
the `README` for documentation.
* GH-7: Extend the type system for table columns. We can now
represent addresses, booleans, counts, intervals, ports, records,
sets, times, and vectors end-to-end, so that they arrive as such
at Zeek. We also update our tables to use the new types where
appropriate.
* GH-34: Disable communication with a Zeek instance if it's package
version is too old.
* Add a 2nd 'differences' mode to queries where no initial snapshot
is provided. We now have (1) "snapshot-and-diffs", which sends an
initial snapshot first, followed by diffs; and (2) "diffs", which
sends an empty initial result and then just diffs.
* Add WebSocket transport layer compatible with Zeek 5.0. We now try
both Broker and WebSocket when connecting to Zeek. The former will
work with Zeek 4.0, the latter with Zeek 5.0.
* Add Broker version to agent handshake.
* Support default values for table parameters.
* Make exception available to table's data acquisition methods to signal failure.
* Move numerical version number computation from CMake to runtime.
* Fix deadlock in scheduler.
* Fix potential dereference of unset optional.
* Fix usage message.
* Fix `assert` that could wrongly trigger.
* Fix console getting stuck on queries with errors, and reduce
unintended latency until query executes.
* Fix CI issue on Ubuntu.
* Fix potential deadlock in unit test.
* Fix trace-level debug logging.
* Fix linker issue on Linux.
* Make --test output available on failure in BTest suite.
* Clean up unused state in Zeek communication code.
* Format Zeek scripts with current zeek-format.
* Update SQLite to 3.38.1 to give us built-in JSON support.
* Update stduuid module.
2.0.4 | 2022-03-04 16:55:11 +0100
* Add new log options. In the configuration file we now provide more
control of log messages:
[log]
type=<stdout|system|file>
level=<error|warn|info|debug|trace>
path=<path for type 'file'>
Default remains logging to stdout at level INFO.
* Fine-tune log levels. We elevate some high-level messages to INFO
level that can be useful to users, and we move some noisy debug
messages to TRACE level (which is available only in debug builds).
* Expose Broker's SSL options in configuration file. This also moves
all Zeek options into a `[zeek]` section of the configuration
file.
* Link against standard version of OpenSSL by default. So far we
hardcoded always using the static OpenSSL libraries. Now that's
done only when with configured with ``--enable-static``, otherwise
we use whatever CMake determines being the default.
* Fix column type in `files_lines` table.
* Fix enforcement of maximum idle timeout.
* Add missing include to appease GCC 11.2.1.
* Update toml++.
2.0.3 | 2022-02-22 13:36:47 +0100
* Adapt to package's new default listening port.
* Fix problem with column caching.
2.0.2 | 2022-02-21 16:36:16 +0100
* Push all asynchronous activity to the main thread to avoid most
inter-thread locking.
* Fix configure's `--sanitizer` argument.
* In `.schema` output, break out table parameters separately.
2.0.1 | 2022-02-21 15:26:44 +0100
* Add a test build of the source code tarball to CI.
* Extend query API to allow specifying tables that must/must not be
present. Agents will ignore queries not meeting expectations.
* Extract version information from Zeek's hello message.
* Adapt to changes to options in the Zeek package.
* Fix differential queries returning empty removed rows.
* Fix time filtering for differential queries.
* Fix double table deactivation.
* Guard against an error case in Darwin system logs collector.
2.0.0 | 2022-02-14 16:14:48 +0100
* Initial release.