First stable 2.x release with major improvements across performance, compliance, and accuracy.
Added
Vectorscan Integration
High-performance pattern matching engine for regex-based scanners:
- All 25+ scanners now use Vectorscan for significantly faster scanning
- Lower CPU usage with batch pattern matching
- PatternProvider trait for scanner integration
Government & Defense Compliance
New policy frameworks for regulated environments:
- CUI (Controlled Unclassified Information)
- CMMC (Cybersecurity Maturity Model Certification)
- FedRAMP (Federal Risk and Authorization Management Program)
- FISMA (Federal Information Security Management Act)
- CCPA (California Consumer Privacy Act)
ISO 27001:2022 Compliance Policy
New policy framework implementing ISO/IEC 27001:2022 controls:
- 4-level data classification (Restricted, Confidential, Internal, Public)
- Control A.8.12 (Data leakage prevention - NEW in 2022 revision)
- Control A.5.12 (Classification of information)
- Control A.8.11 (Data masking)
- Control A.5.15 (Access control)
- Automatic classification of all 25 scanner findings
- Configurable enforcement for masking, encryption, and access controls
macOS Endpoint Security Framework
macOS now uses Apple’s Endpoint Security framework for enhanced file monitoring:
- Superior performance with kernel-level event delivery
- Complete system-wide visibility
- Code-signed and notarized with Apple entitlement
- New Prometheus metrics: `es_monitoring_active`, `es_events_received_total`, `es_event_processing_seconds`
Dynamic Configuration
Hot-reload configuration via OSQuery table:
- `aquilon_dlp_config` enterprise table for fleet management
- Kernel-level path filtering for `watch_paths`
Other Additions
- Fuzzing infrastructure with security fixes
- Mutation testing workflow (`make mutants-branch`)
- Platform separation tests for correct monitoring backend selection
- Migration compatibility tests for backward compatibility
Improved
Context-aware Scanning
Distinguishes real PII from meta-discussion:
- “SSN format is XXX-XX-XXXX” no longer triggers false positives
- Scanner context validation for all PII types
False Positive Reduction
Business-focused improvements:
- Excludes version strings, OIDs, test emails
- Excludes private/unique-local IP addresses from PII detection
- GDPR email attribution filtering
- Context requirements for IP/IBAN/SSN scanners
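The context checks and exclusions listed above, shown as an added example in Python (not Aquilon DLP's own scanner code, which runs on Vectorscan): the SSN scanner only accepts nine real digits and skips lines that discuss the SSN *format*, the IP scanner drops version strings, OID slices and private/loopback/link-local addresses, and the email scanner drops documentation and test domains. The function names, the meta-word list and the sample text are all constructed for this example.

```python
"""Added example (not Aquilon DLP's own code): regex scanners with context validation
and the false-positive exclusions from the release notes. Sample text is constructed."""
import ipaddress
import re

# Nine digits only, so a placeholder such as XXX-XX-XXXX can never match.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
# Lookarounds stop a four-part slice of an OID such as 1.3.6.1.4.1.311 from matching.
IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# A dotted quad right after a version marker is a release number, not an address.
VERSION_PREFIX_RE = re.compile(r"(?i)\b(?:v|ver\.?|version|release)\s*$")
# Words that mean the line talks *about* an identifier format rather than disclosing one.
META_WORDS = ("format", "pattern", "regex", "placeholder", "for example", "such as")
# RFC 2606 / documentation domains: test data, not a real person's address.
TEST_DOMAINS = ("example.com", "example.net", "example.org", "test", "invalid", "localhost")


def _line(text, pos):
    """Return (text before pos on its line, the whole line lowercased)."""
    lo = text.rfind("\n", 0, pos) + 1
    hi = text.find("\n", pos)
    line = text[lo:hi if hi != -1 else len(text)]
    return text[lo:pos], line.lower()


def scan_ssn(text):
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Never-issued ranges: area 000/666/9xx, group 00, serial 0000.
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        _, line = _line(text, m.start())
        if any(word in line for word in META_WORDS):
            continue  # meta-discussion, e.g. "the SSN format is 123-45-6789"
        hits.append(("ssn", m.group(0)))
    return hits


def scan_ip(text):
    hits = []
    for m in IPV4_RE.finditer(text):
        before, _ = _line(text, m.start())
        if VERSION_PREFIX_RE.search(before):
            continue  # "version 52.7.1.9" is a version string
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue  # an octet above 255: not an address at all
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            continue  # internal infrastructure addresses are not personal data
        hits.append(("ip", m.group(0)))
    return hits


def scan_email(text):
    hits = []
    for m in EMAIL_RE.finditer(text):
        domain = m.group(0).rsplit("@", 1)[1].lower()
        if any(domain == d or domain.endswith("." + d) for d in TEST_DOMAINS):
            continue
        hits.append(("email", m.group(0)))
    return hits


def scan(text):
    """Run every scanner and return (type, value) findings in scanner order."""
    return scan_ssn(text) + scan_ip(text) + scan_email(text)


# Constructed sample: every line but the real SSN, public IP and corporate email is noise.
SAMPLE = (
    "SSN format is XXX-XX-XXXX; the SSN format is 123-45-6789.\n"
    "Employee SSN: 536-21-8843 on file.\n"
    "Upgraded agent to version 52.7.1.9; SNMP OID 1.3.6.1.4.1.311 unchanged.\n"
    "Client connected from 93.184.216.34 via gateway 192.168.1.1 (10.0.0.7).\n"
    "Contact jane.doe@acme-widgets.com, not support@example.com.\n"
)

if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(kind, value)
```

The context check is deliberately line-scoped: a window of N characters would leak the word "format" from the previous line into the next one and suppress a genuine finding.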
Linux File Monitoring
Replaced notify with fanotify for more reliable monitoring
macOS Performance
- Removed 4096 directory watch limit (ES monitors system-wide with pattern matching)
- Faster startup (no path enumeration needed with ES)
- Lower memory usage (pattern matching vs maintaining path lists)
- Removed complex recursive watch update logic (ES handles all paths automatically)
OSQuery Performance
Background triage batch writer for non-blocking updates
Fixed
- Infinite loop on malformed 7z archives (lzma-rust2 0.15.6)
- Workers getting stuck on deleted files
- Dedup_set cleanup on queue full errors
- OSQuery health check intervals too aggressive
- Metrics cleanup and wiring
- Type inference ambiguity from typed_path crate
- macOS event coverage improvements
- macOS symlink handling (e.g., `/tmp` → `/private/tmp`)
- macOS path canonicalization for watch patterns
- macOS service name update for osquery 5.0.1+
- macOS robust JSON parsing with `osqueryi --line` format
- macOS version validation (enforces macOS 11.0+ requirement)
- macOS osquery version validation (enforces osquery 5.0.1+)
- macOS metadata preservation with ditto
- macOS locale-independent certificate validation
Security
- macOS binary signature verification before execution
- macOS atomic file operations (tmp + mv pattern) to prevent TOCTOU attacks
- macOS extension autoload symlink in PKG to eliminate runtime race condition
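The tmp + mv pattern from the second item, as an added Python example (not the project's installer code): the new content is written to a temporary file in the same directory, flushed to disk, and then renamed over the target in one step, so any reader sees either the complete old file or the complete new one and there is no window between checking the file and using it in which a half-written or swapped file can be observed. `atomic_write`, `replace_and_verify` and `demo` are names chosen for this example.

```python
"""Added example (not Aquilon DLP's own code): atomic file replacement via tmp + rename."""
import os
import tempfile


def atomic_write(path, data: bytes, mode=0o644):
    """Replace `path` with `data` atomically; on any failure the target is untouched."""
    directory = os.path.dirname(os.path.abspath(path))
    # The temp file lives in the *same* directory: rename is only atomic within one
    # filesystem, and a cross-device rename would silently degrade to copy + delete.
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())  # data is durable before the name becomes visible
        os.chmod(tmp, mode)       # mkstemp creates 0600; set the intended mode first
        os.replace(tmp, path)     # single atomic rename, overwrites any existing file
    except BaseException:
        try:
            os.unlink(tmp)        # never leave a stray temp file behind
        except FileNotFoundError:
            pass
        raise
    # fsync the directory so the rename itself survives a crash
    dfd = os.open(directory, os.O_RDONLY)
    try:
        os.fsync(dfd)
    finally:
        os.close(dfd)
    return path


def replace_and_verify(path, data: bytes):
    """Write atomically, then return (bytes read back, number of stray temp files)."""
    atomic_write(path, data)
    with open(path, "rb") as f:
        got = f.read()
    directory = os.path.dirname(os.path.abspath(path))
    strays = [n for n in os.listdir(directory) if n.startswith(".tmp-")]
    return got, len(strays)


def demo():
    """Write a config twice in a fresh temp directory; the second write wins cleanly."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "config.toml")  # constructed target name
    replace_and_verify(p, b"first\n")
    return replace_and_verify(p, b"second\n")


if __name__ == "__main__":
    print(demo())
```

The directory fsync at the end is what makes the rename crash-safe rather than merely atomic; without it the new name may still be lost on power failure even though the data blocks were flushed.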
Reliability
- macOS stale lock detection with PID tracking for crashed installation detection
- macOS full installation idempotency
- macOS removed unnecessary socket permission modification
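Stale lock detection with PID tracking, as an added Python example (not the project's installer code): the lock file is created exclusively via a hard link from a temp file so it is never observed empty, it records the owner's PID, and a later run that finds the file checks whether that PID is still alive; if not, the earlier installation crashed and the lock is reclaimed. `LOCK_NAME`, `acquire_lock`, `release_lock` and `demo` are names chosen for this example, and the dead PID in the demo comes from a child process spawned and reaped on the spot.

```python
"""Added example (not Aquilon DLP's own code): PID-tracked lock with stale detection."""
import os
import subprocess
import sys
import tempfile

LOCK_NAME = "install.lock"  # constructed name for this example


def _pid_alive(pid):
    """Signal 0 checks existence without delivering anything."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False           # no such process: the lock holder is gone
    except PermissionError:
        return True            # exists but belongs to another user
    return True


def _read_pid(path):
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (FileNotFoundError, ValueError):
        return None            # missing or corrupt: nobody we can verify


def acquire_lock(path):
    """Create `path` with our PID inside; reclaim it once if its holder is dead."""
    tmp = f"{path}.{os.getpid()}"
    with open(tmp, "w") as f:
        f.write(str(os.getpid()))
    try:
        for _ in range(2):
            try:
                os.link(tmp, path)   # atomic: EEXIST if the lock already exists
                return path
            except FileExistsError:
                holder = _read_pid(path)
                if holder is not None and _pid_alive(holder):
                    raise RuntimeError(f"installation already running (pid {holder})")
                try:
                    os.unlink(path)  # stale lock left by a crashed run
                except FileNotFoundError:
                    pass             # someone else removed it first; retry the link
        raise RuntimeError("lock contended")
    finally:
        os.unlink(tmp)


def release_lock(path):
    """Remove the lock only if we are the recorded owner."""
    if _read_pid(path) == os.getpid():
        os.unlink(path)


def demo():
    d = tempfile.mkdtemp()
    lock = os.path.join(d, LOCK_NAME)
    # Simulate a crashed installer: its PID is recorded but the process no longer exists.
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()
    with open(lock, "w") as f:
        f.write(str(child.pid))
    stale_detected = not _pid_alive(child.pid)
    acquire_lock(lock)                       # reclaims the stale lock
    now_ours = _read_pid(lock) == os.getpid()
    try:
        acquire_lock(lock)                   # we hold it: second attempt must be refused
        contended = False
    except RuntimeError:
        contended = True
    release_lock(lock)
    return stale_detected, now_ours, contended, os.path.exists(lock)


if __name__ == "__main__":
    print(demo())
```

Reclaiming a stale lock is itself racy, which is why the loop relinks rather than assuming success: if two runs reclaim at once, one link wins and the other reads a live PID and backs off.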
Breaking Changes
- macOS Monitoring Backend: Replaced FSEvents with Endpoint Security framework (ES-only, no fallback)
  - ES initialization failure is now fatal with clear setup instructions
  - Requires code-signed binary with `com.apple.developer.endpoint-security.client` entitlement
  - Requires Full Disk Access in System Settings → Privacy & Security → Full Disk Access
  - Requires running with `sudo` for ES client creation
  - See `docs/macos/endpoint-security-framework.md` for complete setup guide
- macOS Requirements: Now requires Full Disk Access and root privileges on macOS
- Dependency Cleanup: Removed macOS-specific features from notify dependency
Removed
- macOS FSEvents fallback (ES initialization failure is now fatal)
- macOS FSEvents code and metrics (no longer needed)
- macOS dynamic watch path updates (ES pattern matching eliminates this need)