Skip to content

Latest commit

 

History

History
3144 lines (2559 loc) · 232 KB

CHANGELOG.md

File metadata and controls

3144 lines (2559 loc) · 232 KB

Change Log

All notable changes to this project will be documented in this file.

[v4.4.0]

Manager

Added

  • Added new unit tests for cluster python module and increased coverage to 99%. (#9995)
  • Added file size limitation on cluster integrity sync. (#11190)
  • Added unittests for CLIs script files. (#13424)

Changed

  • wazuh-logtest now shows warnings about ruleset issues. (#10822)
  • Modulesd memory is now managed by jemalloc, this helps reduce memory fragmentation. (#12206)
  • The manager now refuses multiple connections from the same agent. (#11702)
  • Updated the Vulnerability Detector configuration reporting to include MSU and skip JSON Red Hat feed. (#12117)
  • Improved the shared configuration file handling performance. (#12352)
  • The agent group data is now natively handled by Wazuh DB. (#11753)
  • Improved security at cluster zip filenames creation. (#10710)
  • Refactor of the core/common.py module. (#12390)
  • Refactor format_data_into_dictionary method of WazuhDBQuerySyscheck class. (#12497)
  • Limit the maximum zip size that can be created while synchronizing cluster Integrity. (#11124)
  • Refactored the functions in charge of synchronizing files in the cluster. (#13065)
  • Changed MD5 hash function to BLAKE2 for cluster file comparison. (#13079)
  • Renamed wazuh-logtest and wazuh-clusterd scripts to follow the same scheme as the other scripts (spaces symbolized with _ instead of -). (#12926)

Fixed

  • Fixed wazuh-dbd halt procedure. (#10873)
  • Fixed compilation warnings in the manager. (#12098)
  • Fixed a bug in the manager that did not send shared folders correctly to agents belonging to multiple groups. (#12516)
  • Fixed the Active Response decoders to support back the top entries for source IP in reports. (#12834)
  • Fixed the feed update interval option of Vulnerability Detector for the JSON Red Hat feed. (#13338)
  • Fixed several code flaws in the python framework. (#12127)
    • Fixed code flaw regarding the use of XML package. (#10635)
    • Fixed code flaw regarding permissions at group directories. (#10636)
    • Fixed code flaw regarding temporary directory names. (#10544)
    • Fixed code flaw regarding try, except and pass block in wazuh-clusterd. (#11951)
  • Fixed framework datetime transformations to UTC. (#10782)
  • Fixed a cluster error when Master-Worker tasks where not properly stopped after an exception occurred in one or both parts. (#11866)
  • Fixed cluster logger issue printing 'NoneType: None' in error logs. (#12831)
  • Fixed unhandled cluster error when reading a malformed configuration. (#13419)
  • Fixed framework unit test failures when they are run by the root user. (#13368)

Removed

  • Removed the unused internal option wazuh_db.sock_queue_size. (#12409)
  • Removed all the unused exceptions from the exceptions.py file. (#10940)
  • Removed unused execute method from core/utils.py. (#10740)
  • Removed unused set_user_name function in framework. (#13119)

Agent

Added

  • Added support of CPU frequency data provided by Syscollector on Raspberry Pi. (#11756)
  • Added support for IPv6 address collection in the agent. (#11450)
  • Added the process startup time data provided by Syscollector on macOS. (#11833)
  • Added support of package retrieval in Syscollector for OpenSUSE Tumbleweed and Fedora 34. (#11571)
  • Added the process startup time data provided by Syscollector on macOS. Thanks to @LubinLew. (#11640)
  • Added support for package data provided by Syscollector on Solaris. (#11796)
  • Added support for delta events in Syscollector when data gets changed. (#10843)
  • Added support for pre-installed Windows packages in Syscollector. (#12035)
  • Added support for IPv6 on agent-manager connection and enrollment. (#11268)
  • Added support for CIS-CAT Pro v3 and v4 to the CIS-CAT integration module. Thanks to @hustliyilin. (#12582)
  • Added support for the use of the Azure integration module in Linux agents. (#10870)
  • Added new error messages when using invalid credentials with the Azure integration. (#11852)
  • Added reparse option to CloudWatchLogs and Google Cloud Storage integrations. (#12515)

Changed

  • Improved the free RAM data provided by Syscollector. (#11587)
  • The Windows installer (MSI) now provides signed DLL files. (#12752)
  • Changed the group ownership of the Modulesd process to root. (#12748)
  • Some parts of Agentd and Execd have got refactored. (#12750)
  • Handled new exception in the external integration modules. (#10478)
  • Optimized the number of calls to DB maintenance tasks performed by the AWS integration. (#11828)
  • Improved the reparse performance by removing unnecessary queries from external integrations. (#12404)
  • Updated and expanded Azure module logging functionality to use the ossec.log file. (#12478)
  • Improved the error management of the Google Cloud integration. (#12647)
  • Deprecated logging tag in GCloud integration. It now uses wazuh_modules debug value to set the verbosity level. (#12769)
  • The last_dates.json file of the Azure module has been deprecated in favour of a new ORM and database. (12849)
  • Improved the error handling in AWS integration's decompress_file method. (#12929)
  • Use zlib for zip compression in cluster synchronization. (#11190)

Fixed

  • Fixed collection of maximum user data length. Thanks to @LubinLew. (#7687)
  • Fixed missing fields in Syscollector on Windows 10. (#10772)
  • Fixed the process startup time data provided by Syscollector on Linux. Thanks to @LubinLew. (#11227)
  • Fixed network data reporting by Syscollector related to tunnel or VPN interfaces. (#11837)
  • Skipped V9FS file system at Rootcheck to prevent false positives on WSL. (#12066)
  • Fixed double file handle closing in Logcollector on Windows. (#9067)
  • Fixed a bug in Syscollector that may prevent the agent from stopping when the manager connection is lost. (#11949)
  • Fixed internal exception handling issues on Solaris 10. (#12148)
  • Fixed duplicate error message IDs in the log. (#12300)
  • Fixed compilation warnings in the agent. (#12691)
  • Fixed the skip_on_error parameter of the AWS integration module, which was set to True by default. (#1247)
  • Fixed AWS DB maintenance with Load Balancer Buckets. (#12381)
  • Fixed AWS integration's test_config_format_created_date unit test. (#12650)
  • Fixed created_date field for LB and Umbrella integrations. (#12630)
  • Fixed AWS integration database maintenance error managament. (#13185)

RESTful API

Added

  • Added new API integration tests for a Wazuh environment without a cluster configuration. (#10620)
  • Added wazuh-modulesd tags to GET /manager/logs and GET /cluster/{node_id}/logs endpoints. (#11731)
  • Added python decorator to soft deprecate API endpoints adding deprecation headers to their responses. (#12438)
  • Added new exception to inform that /proc directory is not found or permissions to see its status are not granted. (#12486)
  • Added new field and filter to GET /agents response to retrieve agent groups configuration synchronization status. (#12362)
  • Added agent groups configuration synchronization status to GET /agents/summary/status endpoint. (12498)
  • Added JSON log handling. (#11171)
  • Added integration tests for IPv6 agent's registration. (#12029)
  • Enable ordering by Agents count in /groups endpoints. (#12887)
  • Added hash to API logs to identify users logged in with authorization context. (#12092)

Changed

  • Improved GET /cluster/healthcheck endpoint and cluster_control -i more CLI call in loaded cluster environments. (#11341)
  • Removed never_connected agent status limitation when trying to assign agents to groups. (#12595)
  • Changed API version and upgrade_version filters to work with different version formats. (#12551)
  • Renamed GET /agents/{agent_id}/group/is_sync endpoint to GET /agents/group/is_sync and added new agents_list parameter. (#9413)
  • Added POST /security/user/authenticate endpoint and marked GET /security/user/authenticate endpoint as deprecated. (#10397)

Fixed

  • Fixed copy functions used for the backup files and upload endpoints to prevent incorrent metadata. (#12302)
  • Fixed a bug regarding ids not being sorted with cluster disabled in Active Response and Agent endpoints. (#11010)
  • Fixed a bug where null values from wazuh-db where returned in API responses. (#10736)
  • Connections through WazuhQueue will be closed gracefully in all situations. (#12063)
  • Fixed exception handling when trying to get the active configuration of a valid but not configured component. (#12450)
  • Fixed api.yaml path suggested as remediation at exception.py (#12700)
  • Fixed /tmp access error in containers of API integration tests environment. (#12768)
  • The API will return an exception when the user asks for agent inventory information and there is no database for it (never connected agents). (#13096)
  • Improved regex used for the q parameter on API requests with special characters and brackets. (#13171) (#13386)
  • Removed board_serial from syscollector integration tests expected responses. (#12592)
  • Removed cmd field from expected responses of syscollector integration tests. (#12557)

Removed

  • Removed null remediations from failed API responses. (#12053)
  • Deprecated GET /agents/{agent_id}/group/is_sync endpoint. (#12365)

Other

Added

  • Added unit tests to the component in Analysisd that extracts the IP address from events. (#12733)
  • Added python-json-logger dependency. (#12518)

Changed

  • Prevented the Ruleset test suite from restarting the manager. (#10773)

[v4.3.4]

Manager

Changed

  • Integratord now tries to read alerts indefinitely, instead of performing 3 attempts. (#13437)

[v4.3.3] - 2022-05-31

Manager

Fixed

  • Avoid creating duplicated client tags during deployment. (#13651)

Agent

Fixed

  • Prevented Agentd from resetting its configuration on client block re-definition. (#13642)

[v4.3.2] - 2022-05-30

Manager

Fixed

  • Fixed a crash in Vuln Detector when scanning agents running on Windows. (#13616)

[v4.3.1] - 2022-05-18

Manager

Fixed

  • Fixed a crash when overwrite rules are triggered. (#13439)
  • Fixed a memory leak when loading overwrite rules. (#13439)
  • Fixed the use of relationship labels in overwrite rules. (#13439)
  • Fixed regex used to transform into datetime in the logtest framework function. (#13430)

RESTful API

Fixed

  • Fixed API response when using sort in Agent upgrade related endpoints. (#13178)

Ruleset

Fixed

  • Fixed rule 92656, added field condition win.eventdata.logonType equals 10 to avoid false positives. (#13409)

[v4.3.0] - 2022-05-05

Manager

Added

  • Added support for Arch Linux OS in Vulnerability Detector. Thanks to Aviel Warschawski (@avielw). (#8178)
  • Added a log message in the cluster.log file to notify that wazuh-clusterd has been stopped. (#8749)
  • Added message with the PID of wazuh-clusterd process when launched in foreground mode. (#9077)
  • Added time calculation when extra information is requested to the cluster_control binary. (#10492)
  • Added a context variable to indicate origin module in socket communication messages. (#9209)
  • Added unit tests for framework/core files to increase coverage. (#9733)
  • Added a verbose mode in the wazuh-logtest tool. (#9204)
  • Added Vulnerability Detector support for Amazon Linux. (#8830)
  • Introduced new option <force> to set the behavior when Authd finds conflicts on agent enrollment requests. (#10693)
  • Added saniziters to the unit tests execution. (#9099)
  • Vulnerability Detector introduces vulnerability inventory. (#8237)
    • The manager will only deliver alerts when new vulnerabilities are detected in agents or when they stop applying.
  • Added a mechanism to ensure the worker synchronization permissions is reset after a fixed period of time. (#11031)
  • Included mechanism to create and handle PID files for each child process of the API and cluster. (#11799)
  • Added support for Windows 11 in Vulnerability Detector. (#12446)

Changed

  • Changed the internal handling of agent keys in Remoted and Remoted to speed up key reloading. (#8083)
  • The option <server> of the Syslog output now supports hostname resolution. (#7885)
  • The product's UNIX user and group have been renamed to "wazuh". (#7763)
  • The MITRE database has been redesigned to provide full and searchable data. (#7865)
  • The static fields related to FIM have been ported to dynamic fields in Analysisd. (7358)
  • Changed all randomly generated IDs used for cluster tasks. Now, uuid4 is used to ensure IDs are not repeated. (8351)
  • Improved sendsync error log to provide more details of the used parameters. (#8873)
  • Changed walk_dir function to be iterative instead of recursive. (#9708)
  • Refactored Integrity sync behavior so that new synchronizations do not start until extra-valid files are processed. (#10183)
  • Changed cluster synchronization, now the content of the etc/shared folder is synchronized. (#10101)
  • Changed all XML file loads. Now, defusedxml library is used to avoid possible XML-based attacks. (8351)
  • Changed configuration validation from execq socket to com socket. (#8535)
  • Updated utils unittest to improve process_array function coverage. (#8392)
  • Changed request_slice calculation to improve efficiency when accessing wazuh-db data. (#8885)
  • Improved the retrieval of information from wazuh-db so it reaches the optimum size in a single iteration. (#9273)
  • Optimized the way framework uses context cached functions and added a note on context_cached docstring. (#9234)
  • Improved framework regexes to be more specific and less vulnerable. (#9332)
  • Unified framework exceptions for non-active agents. (#9423)
  • Changed RBAC policies to case insensitive. (#9433)
  • Refactored framework stats module into SDK and core components to comply with Wazuh framework code standards. (#9548)
  • Changed the size of the agents chunks sent to the upgrade socket to make the upgrade endpoints faster. (#10309)
  • Refactored rootcheck and syscheck SDK code to make it clearer. (#9408)
  • Adapted Azure-logs module to use Microsoft Graph API instead of Active Directory Graph API. (#9738)
  • Analysisd now reconnects to Active Response if Remoted or Execd get restarted. (#8060)
  • Agent key polling now supports cluster environments. (#10335)
  • Extended support of Vulnerability Detector for Debian 11 (Bullseye). (#10357)
  • Improved Remoted performance with an agent TCP connection sending queue. (#10326)
  • Agent DB synchronization has been boosted by caching the last data checksum in Wazuh DB. (#9093)
  • Logtest now scans new ruleset files when loading a new session. (#8892)
  • CVE alerts by Vulnerability Detector now include the time of detection, severity, and score. (#8237)
  • Fixed manager startup when <database_output> is enabled. (#10849)
  • Improved cluster performance using multiprocessing.
    • Changed the cluster local_integrity task to run in a separate process to improve overall performance. (#10767)
    • The cluster communication with the database for agent information synchronization runs in a parallel separate process. (#10807)
    • The cluster processing of the extra-valid files in the master node is carried out in a parallel separate process. (#10920)
    • The cluster's file compression task in the master node is carried out in a parallel separate process. (#11328)
    • Now the processing of Integrity files in worker nodes is carried out in a parallel separate process (#11364)
    • Use cluster and API single processing when the wazuh user doesn't have permissions to access /dev/shm. (#11386)
  • Changed the Ubuntu OVAL feed URL to security-metadata.canonical.com. (#12491)
  • Let Analysisd warn about missing rule dependencies instead of rejecting the ruleset. (#12652)

Fixed

  • Fixed a memory defect in Remoted when closing connection handles. (#8223)
  • Fixed a timing problem in the manager that might prevent Analysisd from sending Active responses to agents. (#7625)
  • Fixed a bug in Analysisd that did not apply field lookup in rules that overwrite other ones. (#8210)
  • Prevented the manager from leaving dangling agent database files. (#8902)
  • Corrected remediation message for error code 6004. (#8254)
  • Fixed a bug when deleting non-existing users or roles in the security SDK. (#8157)
  • Fixed a bug with agent.conf file permissions when creating an agent group. (#8418)
  • Fixed wrong exceptions with wdb pagination mechanism. (#8422)
  • Fixed error when loading some rules with the \ character. (#8747)
  • Changed WazuhDBQuery class to properly close socket connections and prevent file descriptor leaks. (#9216)
  • Fixed error in the api configuration when using the agent_upgrade script. (#10320)
  • Handle JSONDecodeError in Distributed API class methods. (#10341)
  • Fixed an issue with duplicated logs in Azure-logs module and applied several improvements to it. (#9738)
  • Fixed the query parameter validation to allow usage of special chars in Azure module. (#10680)
  • Fix a bug running wazuh-clusterd process when it was already running. (#8394)
  • Allow cluster to send and receive messages with size higher than request_chunk. (#8732)
  • Fixed a bug that caused wazuh-clusterd process to not delete its pidfile when running in foreground mode and it is stopped. (#9077)
  • Fixed race condition due to lack of atomicity in the cluster synchronization mechanism. (#10376)
  • Fixed bug when displaying the dates of the cluster tasks that have not finished yet. Now n/a is displayed in these cases. (#10492)
  • Fixed missing field value_type in FIM alerts. (#9196)
  • Fixed a typo in the SSH Integrity Check script for Agentless. (#9292)
  • Fixed multiple race conditions in Remoted. (#10421)
  • The manager's agent database has been fixed to prevent dangling entries from removed agents. (#10390)
  • Fixed the alerts generated by FIM when a lookup operation on an SID fails. (#9765)
  • Fixed a bug that caused cluster agent-groups files to be synchronized multiple times unnecessarily. (#10866)
  • Fixed an issue in Wazuh DB that compiled the SQL statements multiple times unnecessarily. (#10922)
  • Fixed a crash in Analysisd when setting Active Response with agent_id = 0. (#10948)
  • Fixed an uninitialized Blowfish encryption structure warning. (#11161)
  • Fixed a memory overrun hazard in Vulnerability Detector. (#11262)
  • Fixed a bug when using a limit parameter higher than the total number of objects in the wazuh-db queries. (#11282)
  • Prevented a false positive for MySQL in Vulnerability Detector. (#11440)
  • Fixed segmentation fault in Analysisd when setting the number of queues to zero. (#11448)
  • Fixed false positives in Vulnerability Detector when scanning OVAl for Ubuntu Xenial and Bionic. (#11440)
  • Fixed an argument injection hazard in the Pagerduty integration script. Reported by Jose Maria Zaragoza (@JoseMariaZ). (#11835)
  • Fixed memory leaks in the feed parser at Vulnerability Detector. (#11863)
    • Architecture data member from the RHEL 5 feed.
    • RHSA items containing no CVEs.
    • Unused RHSA data member when parsing Debian feeds.
  • Prevented Authd from exiting due to a pipe signal if Wazuh DB gets closed. (#12368)
  • Fixed a buffer handling bug in Remoted that left the syslog TCP server stuck. (#12415)
  • Fixed a memory leak in Vulnerability Detector when discarding kernel packages. (#12644)
  • Fixed a memory leak at wazuh-logtest-legacy when matching a level-0 rule. (#12655)
  • Fixed a bug in the Vulnerability Detector CPE helper that may lead to produce false positives about Firefox ESR. (#13067)

Removed

  • The data reporting for Rootcheck scans in the agent_control tool has been deprecated. (#8399)
  • Removed old framework functions used to calculate agent status. (#8846)

Agent

Added

  • Added an option to allow the agent to refresh the connection to the manager. (#8016)
  • Introduced a new module to collect audit logs from GitHub. (#8532)
  • FIM now expands wildcarded paths in the configuration on Windows agents. (8461)
  • FIM reloads wildcarded paths on full scans. (8754)
  • Added new path_suffix option to AWS module configuration. (#8306)
  • Added new discard_regex option to AWS module configuration. (8331)
  • Added support for the S3 Server Access bucket type in AWS module. (#8482)
  • Added support for Google Cloud Storage buckets using a new GCP module called gcp-bucket. (#9119)
  • Added support for VPC endpoints in AWS module. (#9420)
  • Added support for GCS access logs in the GCP module. (#9279)
  • Added an iam role session duration parameter to AWS module. (#10198)
  • Added support for variables in SCA policies. (#8826)
  • FIM now fills an audit rule file to support who-data although Audit is in immutable mode. (#7721)
  • Introduced an integration to collect audit logs from Office365. (#8957)
  • Added a new field DisplayVersion to Syscollector to help Vulnerability Detector match vulnerabilities for Windows. (#10168)
  • Added support for macOS agent upgrade via WPK. (#10148)
  • Added Logcollector support for macOS logs (Unified Logging System). (#8632)

Changed

  • The agent now reports the version of the running AIX operating system to the manager. (#8381)
  • Improved the reliability of the user ID parsing in FIM who-data mode on Linux. (#8604)
  • Extended support of Logcollector for MySQL 4.7 logs. Thanks to @YoyaYOSHIDA. (#5047)
  • Agents running on FreeBSD and OpenBSD now report their IP address. (#9887)
  • Reduced verbosity of FIM debugging logs. (#8202)
  • The agent's IP resolution frequency has been limited to prevent high CPU load. (#9992)
  • Syscollector has been optimized to use lees memory. (#10236)
  • Added support of ZscalerOS system information in the agent. (#10337)
  • Syscollector has been extended to collect missing Microsoft product hotfixes. (#10259)
  • Updated the osquery integration to find the new osqueryd location as of version 5.0. (#10396)
  • The internal FIM data handling has been simplified to find files by their path instead of their inode. (#9123)
  • Reimplemented the WPK installer rollback on Windows. (#9764)
  • Active responses for Windows agents now support native fields from Eventchannel. (#10208)
  • Error logs by Logcollector when a file is missing have been changed to info logs. (#10651)
  • The agent MSI installer for Windows now detects the platform version to install the default configuration. (#8724)
  • Agent logs for inability to resolve the manager hostname now have info level. (#3659)
  • Added ID number to connection enrollment logs. (#11276)
  • Standardized the use of the only_logs_after parameter in the external integration modules. (#10838)
  • Updated DockerListener integration shebang to python3 for Wazuh agents. (#12150)
  • Updated the Windows installer ico and png assets to the new logo. (#12779)

Fixed

  • Fixed a bug in FIM that did not allow monitoring new directories in real-time mode if the limit was reached at some point. (#8784)
  • Fixed a bug in FIM that threw an error when a query to the internal database returned no data. (#8941)
  • Fixed an error where the IP address was being returned along with the port for Amazon NLB service.(#8362)
  • Fixed AWS module to properly handle the exception raised when processing a folder without logs. (#8372
  • Fixed a bug with AWS module when pagination is needed in the bucket. (#8433)
  • Fixed an error with the ipGeoLocation field in AWS Macie logs. (#8672)
  • Changed an incorrect debug message in the GCloud integration module. (#10333)
  • Data race conditions have been fixed in FIM. (#7848)
  • Fixed wrong command line display in the Syscollector process report on Windows. (#10011)
  • Prevented Modulesd from freezing if Analysisd or Agentd get stopped before it. (#10249)
  • Fixed wrong keepalive message from the agent when file merged.mg is missing. (#10405)
  • Fixed missing logs from the Windows agent when it's getting stopped. (#10381)
  • Fixed missing packages reporting in Syscollector for macOS due to empty architecture data. (#10524)
  • Fixed FIM on Linux to parse audit rules with multiple keys for who-data. (#7506)
  • Fixed Windows 11 version collection in the agent. (#10639)
  • Fixed missing Eventchannel location in Logcollector configuration reporting. (#10602)
  • Updated CloudWatch Logs integration to avoid crashing when AWS raises Throttling errors. (#10794)
  • Fixed AWS modules' log file filtering when there are logs with and without a prefix mixed in a bucket. (#10718)
  • Fixed a bug on the installation script that made upgrades not to update the code of the external integration modules. (#10884)
  • Fixed issue with AWS integration module trying to parse manually created folders as if they were files. (#10921)
  • Fixed installation errors in OS with no subversion. (#11086)
  • Fixed a typo in an error log about enrollment SSL certificate. (#11115)
  • Fixed unit tests for Windows agent when built on MinGW 10. (#11121)
  • Fixed Windows agent compilation warnings. (#10942)
  • Fixed the OS version reported by the agent on OpenSUSE Tumbleweed. (#11207)
  • Prevented Syscollector from truncating the open port inode numbers on Linux. (#11329)
  • Fixed agent auto-restart on configuration changes when started via wazuh-control on a Systemd based Linux OS. (#11365)
  • Fixed a bug in the AWS module resulting in unnecessary API calls when trying to obtain the different Account IDs for the bucket. (#10952)
  • Fixed Azure integration's configuration parsing to allow omitting optional parameters. (#11278)
  • Fixed Azure Storage credentials validation bug. (#11296)
  • Fixed the read of the hostname in the installation process for openSUSE. (#11455)
  • Fixed the graceful shutdown when agent loses connection. (#11425)
  • Fixed error "Unable to set server IP address" on the Windows agent. (#11736)
  • Fixed reparse option in the AWS VPCFlow and Config integrations. (#11608)
  • Removed unnecessary calls to the AWS API made by the VPCFlow and Config integration modules. (#11644)
  • Fixed how the AWS Config module parses the dates used to request logs from AWS. (#12324)
  • Let Logcollector audit format parse logs with a custom name_format. (#12676)
  • Fixed Agent bootstrap issue that might lead to startup timeout when it cannot resolve a manager hostname. (#12704)
  • Fixed a bug in the agent's leaky bucket throughput regulator that could leave it stuck if the time is advanced on Windows. (#13088)

Removed

  • Removed oscap module files as it was already deprecated since v4.0.0. (#10900)

RESTful API

Added

  • Added new PUT /agents/reconnect endpoint to force agents reconnection to the manager. (#7988)
  • Added select parameter to the GET /security/users, GET /security/roles, GET /security/rules and GET /security/policies endpoints. (#6761)
  • Added type and status filters to GET /vulnerability/{agent_id} endpoint. (#8100)
  • Added an option to configure SSL ciphers. (#7490)
  • Added an option to configure the maximum response time of the API. (#8919)
  • Added new DELETE /rootcheck/{agent_id} endpoint. (#8945)
  • Added new GET /vulnerability/{agent_id}/last_scan endpoint to check the latest vulnerability scan of an agent. (#9028)
  • Added new cvss and severity fields and filters to GET /vulnerability/{agent_id} endpoint. (#9028)
  • Added an option to configure the maximum allowed API upload size. (#9100)
  • Added new unit and integration tests for API models. (#9142)
  • Added message with the PID of wazuh-apid process when launched in foreground mode. (#9077)
  • Added external id, source and url to the MITRE endpoints responses. (#9144)
  • Added custom healthchecks for legacy agents in API integration tests, improving maintainability. (#9297)
  • Added new unit tests for the API python module to increase coverage. (#9914)
  • Added docker logs separately in API integration tests environment to get cleaner reports. (#10238)
  • Added new disconnection_time field to GET /agents response. (#10437)
  • Added new filters to agents upgrade endpoints. (#10457)
  • Added new API endpoints to access all the MITRE information. (#8288)
  • Show agent-info permissions flag when using cluster_control and in the GET /cluster/healthcheck API endpoint. (#10947)
  • Save agents' ossec.log if an API integration test fails. (#11931)
  • Added POST /security/user/authenticate/run_as endpoint to API bruteforce blocking system. (#12085)
  • Added new API endpoint to obtain summaries of agent vulnerabilities' inventory items. (#12638)
  • Added fields external_references, condition, title, published and updated to GET /vulnerability/{agent_id} API endpoint. (#12727)
  • Added the possibility to include strings in brackets in values of the q parameter. (#13262)

Changed

  • Renamed SSL protocol configuration parameter. (#7490)
  • Reviewed and updated API spec examples and JSON body examples. (#8827)
  • Improved the performance of several API endpoints. This is specially appreciable in environments with a big number of agents.
    • Improved PUT /agents/group endpoint. (#8937)
    • Improved PUT /agents/restart endpoint. (#8938)
    • Improved DELETE /agents endpoint. (#8950)
    • Improved PUT /rootcheck endpoint. (#8959)
    • Improved PUT /syscheck endpoint. (#8966)
    • Improved DELETE /groups endpoint and changed API response to be more consistent. (#9046)
  • Changed DELETE /rootcheck endpoint to DELETE /experimental/rootcheck. (#8945)
  • Reduced the time it takes for wazuh-apid process to check its configuration when using the -t parameter. (#9012)
  • Fixed malfunction in the sort parameter of syscollector endpoints. (#9019)
  • Improved API integration tests stability when failing in entrypoint. (#9113)
  • Made SCA API integration tests dynamic to validate responses coming from any agent version. (#9228)
  • Refactored and standardized all the date fields in the API responses to use ISO8601. (#9227)
  • Removed Server header from API HTTP responses. (#9263)
  • Improved JWT implementation by replacing HS256 signing algorithm with RS256. (#9371)
  • Removed limit of agents to upgrade using the API upgrade endpoints. (#10009)
  • Changed Windows agents FIM responses to return permissions as JSON. (#10158)
  • Adapted API endpoints to changes in wazuh-authd daemon force parameter. (#10389)
  • Deprecated use_only_authd API configuration option and related functionality. wazuh-authd will always be required for creating and removing agents. (#10512)
  • Improved API validators and related unit tests. (#10745)
  • Improved specific module healthchecks in API integration tests environment. (#10905)
  • Changed thread pool executors for process pool executors to improve API availability. (#10916)
  • Changed HTTPS options to use files instead of relative paths. (#11410)

Fixed

  • Fixed inconsistency in RBAC resources for group:create, decoders:update, and rules:update actions. (#8196)
  • Fixed the handling of an API error message occurring when Wazuh is started with a wrong ossec.conf. Now the execution continues and raises a warning. (8378)
  • Fixed a bug with sort parameter that caused a wrong response when sorting by several fields.(#8548)
  • Fixed the description of force_time parameter in the API spec reference. (#8597)
  • Fixed API incorrect path in remediation message when maximum number of requests per minute is reached. (#8537)
  • Fixed agents' healthcheck error in the API integration test environment. (#9071)
  • Fixed a bug with wazuh-apid process handling of pidfiles when running in foreground mode. (#9077)
  • Fixed a bug with RBAC group_id matching. (#9192)
  • Removed temporal development keys and values from GET /cluster/healthcheck response. (#9147)
  • Fixed several errors when filtering by dates. (#9227)
  • Fixed limit in some endpoints like PUT /agents/group/{group_id}/restart and added a pagination method. (#9262)
  • Fixed bug with the search parameter resulting in invalid results. (#9320)
  • Fixed wrong values of external_id field in MITRE resources. (#9368)
  • Fixed how the API integration testing environment checks that wazuh-apid daemon is running before starting the tests. (#9399)
  • Add healthcheck to verify that logcollector stats are ready before starting the API integration test. (#9777)
  • Fixed API integration test healthcheck used in the vulnerability test cases. (#10159)
  • Fixed an error with PUT /agents/node/{node_id}/restart endpoint when no agents are present in selected node. (#10179)
  • Fixed RBAC experimental API integration tests expecting a 1760 code in implicit requests. (#10322)
  • Fixed cluster race condition that caused API integration test to randomly fail. (#10289)
  • Fixed PUT /agents/node/{node_id}/restart endpoint to exclude exception codes properly. (#10619)
  • Fixed PUT /agents/group/{group_id}/restart endpoint to exclude exception codes properly. (#10666)
  • Fixed agent endpoints q parameter to allow more operators when filtering by groups. (#10656)
  • Fixed API integration tests related to rule, decoder and task endpoints. (#10830)
  • Improved exceptions handling when starting the Wazuh API service. (#11411)
  • Fixed race condition while creating RBAC database. (#11598)
  • Fixed API integration tests failures caused by race conditions. (#12102)

Removed

  • Removed select parameter from GET /agents/stats/distinct endpoint. (#8599)
  • Removed GET /mitre endpoint. (#8099)
  • Deprecated the option to set log path in the configuration. (#11410)

Ruleset

Added

  • Added Carbanak detection rules. (#11306)
  • Added Cisco FTD rules and decoders. (#11309)
  • Added decoders for AWS EKS service. (#11284)
  • Added F5 BIG IP ruleset. (#11394)
  • Added GCP VPC Storage, Firewall and Flow rules. (#11191)
  • Added Gitlab v12 ruleset. (#11323)
  • Added Microsoft Exchange Server rules and decoders. (#11289)
  • Added Microsoft Windows persistence by using registry keys detection. (#11390)
  • Added Oracle Database 12c rules and decoders. (#11274)
  • Added rules for Carbanak step 1.A - User Execution: Malicious File. (#8476)
  • Added rules for Carbanak step 2.A - Local Discovery. (#11212)
  • Added rules for Carbanak step 2.B - Screen Capture. (#9075)
  • Added rules for Carbanak step 5.B - Lateral Movement via SSH. (#9097)
  • Added rules for Carbanak step 9.A - User Monitoring. (#11342)
  • Added rules for Cloudflare WAF. (#11373)
  • Added ruleset for ESET Remote console. (#11013)
  • Added ruleset for GITHUB audit logs. (#8532)
  • Added ruleset for Palo Alto v8.X - v10.X. (#11137)
  • Added SCA policy for Amazon Linux 1. (#11431)
  • Added SCA policy for Amazon Linux 2. (#11480)
  • Added SCA policy for apple macOS 10.14 Mojave. (#7035)
  • Added SCA policy for apple macOS 10.15 Catalina. (#7036)
  • Added SCA policy for macOS Big Sur. (#11454)
  • Added SCA policy for Microsoft IIS 10. (#11250)
  • Added SCA policy for Microsoft SQL 2016. (#11249)
  • Added SCA policy for Mongo Database 3.6. (#11247)
  • Added SCA policy for NGINX. (#11248)
  • Added SCA policy for Oracle Database 19c. (#11245)
  • Added SCA policy for PostgreSQL 13. (#11154)
  • Added SCA policy for SUSE Linux Enterprise Server 15. (#11223)
  • Added SCA policy for Ubuntu 14. (#11432)
  • Added SCA policy for Ubuntu 16. (#11452)
  • Added SCA policy for Ubuntu 18. (#11453)
  • Added SCA policy for Ubuntu 20. (#11430)
  • Added SCA policy for. Solaris 11.4. (#11286)
  • Added Sophos UTM Firewall ruleset. (#11122)
  • Added Wazuh-api ruleset. (#11357)

Changed

  • Updated audit rules. (#11016)
  • Updated AWS s3 ruleset. (#11177)
  • Updated Exim 4 decoder and rules to latest format. (#11344)
  • Updated MITRE DB with latest MITRE JSON specification. (#8738)
  • Updated multiple rules to remove alert_by_email option. (#11255)
  • Updated NextCloud ruleset. (#11795)
  • Updated ProFTPD decoder. (#11232)
  • Updated RedHat Enterprise Linux 8 SCA up to version 1.0.1. (#11242)
  • Updated rules and decoders for FortiNet products. (#11100)
  • Updated SCA policy for CentOS 7. (#11429)
  • Updated SCA policy for CentOS 8. (#8751)
  • Updated SonicWall rules decoder. (#11263)
  • Updated SSHD ruleset. (#11388)
  • From file 0580-win-security_rules.xml, rules with id 60198 and 60199 are moved to file 0585-win-application_rules.xml, with rule ids 61071 and 61072 respectively. (#8552)

Fixed

  • Fixed bad character on rules 60908 and 60884 - win-application rules. (#11117)
  • Fixed Microsoft logs rules. (#11369)
  • Fixed PHP rules for MITRE and groups. (#11405)
  • Fixed rules id for Microsoft Windows Powershell. (#11214)

Other

Changed

  • Upgraded external SQLite library dependency version to 3.36. (#10247)
  • Upgraded external BerkeleyDB library dependency version to 18.1.40. (#10247)
  • Upgraded external OpenSSL library dependency version to 1.1.1l. (#10247)
  • Upgraded external Google Test library dependency version to 1.11. (#10927)
  • Upgraded external Aiohttp library dependency version to 3.8.1. (11436)
  • Upgraded external Werkzeug library dependency version to 2.0.2. (11436)
  • Upgraded embedded Python version to 3.9.9. (11436)

Fixed

  • Fixed error detection in the CURL helper library. (#9168)
  • Fixed external BerkeleyDB library support for GCC 11. (#10899)
  • Fixed an installation error due to missing OS minor version on CentOS Stream. (#11086)
  • Fixed an installation error due to missing command hostname on OpenSUSE Tumbleweed. (#11455)

[v4.2.7] - 2022-05-30

Manager

Fixed

  • Fixed a crash in Vuln Detector when scanning agents running on Windows (backport from 4.3.2). (#13617)

[v4.2.6] - 2022-03-29

Manager

Fixed

  • Fixed an integer overflow hazard in wazuh-remoted that caused it to drop incoming data after receiving 2^31 messages. (#11974)

[v4.2.5] - 2021-11-15

Manager

Changed

  • Active response requests for agents between v4.2.0 and v4.2.4 is now sanitized to prevent unauthorized code execution. (#10809)

Agent

Fixed

  • A bug in the Active response tools that may allow unauthorized code execution has been mitigated. Reported by @rk700. (#10809)

[v4.2.4] - 2021-10-20

Manager

Fixed

  • Prevented files belonging to deleted agents from remaining in the manager. (#9158)
  • Fixed inaccurate agent group file cleanup in the database sync module. (#10432)
  • Prevented the manager from corrupting the agent data integrity when the disk gets full. (#10479)
  • Fixed a resource leak in Vulnerability Detector when scanning Windows agents. (#10559)
  • Stop deleting agent related files in cluster process when an agent is removed from client.keys. (#9061)

[v4.2.3] - 2021-10-06

Manager

Fixed

  • Fixed a bug in Remoted that might lead it to crash when retrieving an agent's group. (#10388)

[v4.2.2] - 2021-09-28

Manager

Changed

  • Clean up the agent's inventory data on the manager if Syscollector is disabled. (#9133)
  • Authd now refuses enrollment attempts if the agent already holds a valid key. (#9779)

Fixed

  • Fixed a false positive in Vulnerability Detector when packages have multiple conditions in the OVAL feed. (#9647)
  • Prevented pending agents from keeping their state indefinitely in the manager. (#9042)
  • Fixed Remoted to avoid agents in connected state with no group assignation. (#9088)
  • Fixed a bug in Analysisd that ignored the value of the rule option noalert. (#9278)
  • Fixed Authd's startup to set up the PID file before loading keys. (#9378)
  • Fixed a bug in Authd that delayed the agent timestamp update when removing agents. (#9295)
  • Fixed a bug in Wazuh DB that held wrong agent timestamp data. (#9705)
  • Fixed a bug in Remoted that kept deleted shared files in the multi-groups' merged.mg file. (#9942)
  • Fixed a bug in Analysisd that overwrote its queue socket when launched in test mode. (#9987)
  • Fixed a condition in the Windows Vulnerability Detector to prevent false positives when evaluating DU patches. (#10016)
  • Fixed a memory leak when generating the Windows report in Vulnerability Detector. (#10214)
  • Fixed a file descriptor leak in Analysisd when delivering an AR request to an agent. (#10194)
  • Fixed error with Wazuh path in Azure module. (#10250)

Agent

Changed

  • Optimized Syscollector scan performance. (#9907)
  • Reworked the Google Cloud Pub/Sub integration module to increase the number of processed events per second allowing multithreading. Added new num_threads option to module configuration. (#9927)
  • Upgraded google-cloud-pubsub dependency to the latest stable version (2.7.1). (#9964)
  • Reimplemented the WPK installer rollback on Linux. (#9443)
  • Updated AWS WAF implementation to change httpRequest.headers field format. (#10217)

Fixed

  • Prevented the manager from hashing the shared configuration too often. (#9710)
  • Fixed a memory leak in Logcollector when re-subscribing to Windows Eventchannel. (#9310)
  • Fixed a memory leak in the agent when enrolling for the first time if it had no previous key. (#9967)
  • Removed CloudWatchLogs log stream limit when there are more than 50 log streams. (#9934)
  • Fixed a problem in the Windows installer that causes the agent to be unable to get uninstalled or upgraded. (#9897)
  • Fixed AWS WAF log parsing when there are multiple dicts in one line. (#9775)
  • Fixed a bug in AWS CloudWatch Logs module that caused already processed logs to be collected and reprocessed. (#10024)
  • Avoid duplicate alerts from case-insensitive 32-bit registry values in FIM configuration for Windows agents. (#8256)
  • Fixed a bug in the sources and WPK installer that made upgrade unable to detect the previous installation on CentOS 7. (#10210)

RESTful API

Changed

  • Made SSL ciphers configurable and renamed SSL protocol option. (#10219)

Fixed

  • Fixed a bug with distributed API calls when the cluster is disabled. (#9984)

[v4.2.1] - 2021-09-03

Fixed

  • Installer:

    • Fixed a bug in the upgrade to 4.2.0 that disabled Eventchannel support on Windows agent. (#9973)
  • Modules:

    • Fixed a bug with Python-based integration modules causing the integrations to stop working in agents for Wazuh v4.2.0. (#9975)

[v4.2.0] - 2021-08-25

Added

  • Core:

    • Added support for bookmarks in Logcollector, allowing to follow the log file at the point where the agent stopped. (#3368)
    • Improved support for multi-line logs with a variable number of lines in Logcollector. (#5652)
    • Added an option to limit the number of files per second in FIM. (#6830)
    • Added a statistics file to Logcollector. Such data is also available via API queries. (#7109)
    • Allow statistical data queries to the agent. (#7239)
    • Allowed quoting in commands to group arguments in the command wodle and SCA checks. (#7307)
    • Let agents running on Solaris send their IP to the manager. (#7408)
    • New option <ip_update_interval> to set how often the agent refresh its IP address. (#7444)
    • Added support for testing location information in Wazuh Logtest. (#7661)
    • Added Vulnerability Detector reports to Wazuh DB to know which CVE’s affect an agent. (#7731)
    • Introduced an option to enable or disable listening Authd TLS port. (#8755)
  • API:

    • Added new endpoint to get agent stats from different components. (#7200)
    • Added new endpoint to modify users' allow_run_as flag. (#7588)
    • Added new endpoint to get vulnerabilities that affect an agent. (#7647)
    • Added API configuration validator. (#7803)
    • Added the capability to disable the max_request_per_minute API configuration option using 0 as value. (#8115)
  • Ruleset:

    • Decoders
      • Added support for UFW firewall to decoders. (#7100)
      • Added Sophos firewall Decoders (#7289)
      • Added Wazuh API Decoders (#7289)
      • Added F5 BigIP Decoders. (#7289)
    • Rules
      • Added Sophos firewall Rules (#7289)
      • Added Wazuh API Rules (#7289)
      • Added Firewall Rules
      • Added F5 BigIp Rules. (#7289)
    • SCA
      • Added CIS policy "Ensure XD/NX support is enabled" back for SCA. (#7316)
      • Added Apple MacOS 10.14 SCA (#7035)
      • Added Apple MacOS 10.15 SCA (#7036)
      • Added Apple MacOS 11.11 SCA (#7037)

Changed

  • Cluster:

    • Improved the cluster nodes integrity calculation process. It only calculates the MD5 of the files that have been modified since the last integrity check. (#8175)
    • Changed the synchronization of agent information between cluster nodes to complete the synchronization in a single task for each worker. (#8182)
    • Changed cluster logs to show more useful information. (#8002)
  • Core:

    • Wazuh daemons have been renamed to a unified standard. (#6912)
    • Wazuh CLIs have been renamed to a unified standard. (#6903)
    • Wazuh internal directories have been renamed to a unified standard. (#6920)
    • Prevent a condition in FIM that may lead to a memory error. (#6759)
    • Let FIM switch to real-time mode for directories where who-data is not available (Audit in immutable mode). (#6828)
    • Changed the Active Response protocol to receive messages in JSON format that include the full alert. (#7317)
    • Changed references to the product name in logs. (#7264)
    • Syscollector now synchronizes its database with the manager, avoiding full data delivery on each scan. (#7379)
    • Remoted now supports both TCP and UDP protocols simultaneously. (#7541)
    • Improved the unit tests for the os_net library. (#7595)
    • FIM now removes the audit rules when their corresponding symbolic links change their target. (#6999)
    • Compilation from sources now downloads the external dependencies prebuilt. (#7797)
    • Added the old implementation of Logtest as wazuh-logtest-legacy. (#7807)
    • Improved the performance of Analysisd when running on multi-core hosts. (#7974)
    • Agents now report the manager when they stop. That allows the manager to log an alert and immediately set their state to "disconnected". (#8021)
    • Wazuh building is now independent from the installation directory. (#7327)
    • The embedded python interpreter is provided in a preinstalled, portable package. (#7327)
    • Wazuh resources are now accessed by a relative path to the installation directory. (#7327)
    • The error log that appeared when the agent cannot connect to SCA has been switched to warning. (#8201)
    • The agent now validates the Audit connection configuration when enabling whodata for FIM on Linux. (#8921)
  • API:

    • Removed ruleset version from GET /cluster/{node_id}/info and GET /manager/info as it was deprecated. (#6904)
    • Changed the POST /groups endpoint to specify the group name in a JSON body instead of in a query parameter. (#6909)
    • Changed the PUT /active-response endpoint function to create messages with the new JSON format. (#7312)
    • New parameters added to DELETE /agents endpoint and older_than field removed from response. (#6366)
    • Changed login security controller to avoid errors in Restful API reference links. (#7909)
    • Changed the PUT /agents/group/{group_id}/restart response format when there are no agents assigned to the group. (#8123)
    • Agent keys used when adding agents are now obscured in the API log. (#8149)
    • Improved all agent restart endpoints by removing active-response check. (#8457)
    • Improved API requests processing time by applying cache to token RBAC permissions extraction. It will be invalidated if any resource related to the token is modified. (#8615)
    • Increased to 100000 the maximum value accepted for limit API parameter, default value remains at 500. (#8841)
  • Framework:

    • Improved agent insertion algorithm when Authd is not available. (#8682)
  • Ruleset:

    • The ruleset was normalized according to the Wazuh standard. (#6867)
    • Rules
      • Changed Ossec Rules. (#7260)
      • Changed Cisco IOS Rules. (#7289)
      • Changed ID from 51000 to 51003 in Dropbear Rules. (#7289)
      • Changed 6 new rules for Sophos Rules. (#7289)
    • Decoders
      • Changed Active Response Decoders. (#7317)
      • Changed Auditd Decoders. (#7289)
      • Changed Checkpoint Smart1 Decoders. (#8676)
      • Changed Cisco ASA Decoders. (#7289)
      • Changed Cisco IOS Decoders. (#7289)
      • Changed Kernel Decoders. (#7837)
      • Changed OpenLDAP Decoders. (#7289)
      • Changed Ossec Decoders. (#7260)
      • Changed Sophos Decoders. (#7289)
      • Changed PFsense Decoders. (#7289)
      • Changed Panda PAPS Decoders. (#8676)
  • External dependencies:

    • Upgrade boto3, botocore, requests, s3transfer and urllib3 Python dependencies to latest stable versions. (#8886)
    • Update Python to latest stable version (3.9.6). (#9389)
    • Upgrade GCP dependencies and pip to latest stable version.
    • Upgrade python-jose to 3.1.0.
    • Add tabulate dependency.

Fixed

  • Cluster:

    • Fixed memory usage when creating cluster messages. (#6736)
    • Fixed a bug when unpacking incomplete headers in cluster messages. (#8142)
    • Changed error message to debug when iterating a file listed that is already deleted. (#8499)
    • Fixed cluster timeout exceptions. (#8901)
    • Fixed unhandled KeyError when an error command is received in any cluster node. (#8872)
    • Fixed unhandled cluster error in send_string() communication protocol. (#8943)
  • Core:

    • Fixed a bug in FIM when setting scan_time to "12am" or "12pm". (#6934)
    • Fixed a bug in FIM that produced wrong alerts when the file limit was reached. (#6802)
    • Fixed a bug in Analysisd that reserved the static decoder field name "command" but never used it. (#7105)
    • Fixed evaluation of fields in the tag <description> of rules. (#7073)
    • Fixed bugs in FIM that caused symbolic links to not work correctly. (#6789)
    • Fixed path validation in FIM configuration. (#7018)
    • Fixed a bug in the "ignore" option on FIM where relative paths were not resolved. (#7018)
    • Fixed a bug in FIM that wrongly detected that the file limit had been reached. (#7268)
    • Fixed a bug in FIM that did not produce alerts when a domain user deleted a file. (#7265)
    • Fixed Windows agent compilation with GCC 10. (#7359)
    • Fixed a bug in FIM that caused to wrongly expand environment variables. (#7332)
    • Fixed the inclusion of the rule description in archives when matched a rule that would not produce an alert. (#7476)
    • Fixed a bug in the regex parser that did not accept empty strings. (#7495)
    • Fixed a bug in FIM that did not report deleted files set with real-time in agents on Solaris. (#7414)
    • Fixed a bug in Remoted that wrongly included the priority header in syslog when using TCP. (#7633)
    • Fixed a stack overflow in the XML parser by limiting 1024 levels of recursion. (#7782)
    • Prevented Vulnerability Detector from scanning all the agents in the master node that are connected to another worker. (#7795)
    • Fixed an issue in the database sync module that left dangling agent group files. (#7858)
    • Fixed memory leaks in the regex parser in Analysisd. (#7919)
    • Fixed a typo in the initial value for the hotfix scan ID in the agents' database schema. (#7905)
    • Fixed a segmentation fault in Vulnerability Detector when parsing an unsupported package version format. (#8003)
    • Fixed false positives in FIM when the inode of multiple files change, due to file inode collisions in the engine database. (#7990)
    • Fixed the error handling when wildcarded Redhat feeds are not found. (#6932)
    • Fixed the equals comparator for OVAL feeds in Vulnerability Detector. (#7862)
    • Fixed a bug in FIM that made the Windows agent crash when synchronizing a Windows Registry value that starts with a colon (:). (#8098 #8143)
    • Fixed a starving hazard in Wazuh DB that might stall incoming requests during the database commitment. (#8151)
    • Fixed a race condition in Remoted that might make it crash when closing RID files. (#8224)
    • Fixed a descriptor leak in the agent when failed to connect to Authd. (#8789)
    • Fixed a potential error when starting the manager due to a delay in the creation of Analysisd PID file. (#8828)
    • Fixed an invalid memory access hazard in Vulnerability Detector. (#8551)
    • Fixed an error in the FIM decoder at the manager when the agent reports a file with an empty ACE list. (#8571)
    • Prevented the agent on macOS from getting corrupted after an operating system upgrade. (#8620)
    • Fixed an error in the manager that could not check its configuration after a change by the API when Active response is disabled. (#8357)
    • Fixed a problem in the manager that left remote counter and agent group files when removing an agent. (#8630)
    • Fixed an error in the agent on Windows that could corrupt the internal FIM databas due to disabling the disk sync. (#8905)
    • Fixed a crash in Logcollector on Windows when handling the position of the file. (#9364)
    • Fixed a buffer underflow hazard in Remoted when handling input messages. Thanks to Johannes Segitz (@jsegitz). (#9285)
    • Fixed a bug in the agent that tried to verify the WPK CA certificate even when verification was disabled. (#9547)
  • API:

    • Fixed wrong API messages returned when getting agents' upgrade results. (#7587)
    • Fixed wrong user string in API logs when receiving responses with status codes 308 or 404. (#7709)
    • Fixed API errors when cluster is disabled and node_type is worker. (#7867)
    • Fixed redundant paths and duplicated tests in API integration test mapping script. (#7798)
    • Fixed an API integration test case failing in test_rbac_white_all and added a test case for the enable/disable run_as endpoint.(8014)
    • Fixed a thread race condition when adding or deleting agents without authd (8148)
    • Fixed CORS in API configuration. (#8496)
    • Fixed api.log to avoid unhandled exceptions on API timeouts. (#8887)
  • Ruleset:

    • Fixed usb-storage-attached regex pattern to support blank spaces. (#7837)
    • Fixed SCA checks for RHEL7 and CentOS 7. Thanks to J. Daniel Medeiros (@jdmedeiros). (#7645)
    • Fixed the match criteria of the AWS WAF rules. (#8111)
    • Fixed sample log in sudo decoders.
    • Fixed Pix Decoders match regex. (#7485)
    • Fixed regex in Syslog Rules. (#7289)
    • Fixed category in PIX Rules. (#7289)
    • Fixed authentication tag in group for MSauth Rules. (#7289)
    • Fixed match on Nginx Rules. (#7122)
    • Fixed sample log on Netscaler Rules. (#7783)
    • Fixed match field for rules 80441 and 80442 in Amazon Rules. (#8111)
    • Fixed sample logs in Owncloud Rules. (#7122)
    • Fixed authentication tag in group for Win Security Rules. (#7289)
    • Fixed sample log in Win Security Rules. (#7783)
    • Fixed sample log in Win Application Rules. (#7783)
    • Fixed mitre block in Paloalto Rules. (#7783)
  • Modules:

    • Fixed an error when trying to use a non-default aws profile with CloudWatchLogs (#9331)

Removed

  • Core:

    • File /etc/ossec-init.conf does not exist anymore. (#7175)
    • Unused files have been removed from the repository, including TAP tests. (#7398)
  • API:

    • Removed the allow_run_as parameter from endpoints POST /security/users and PUT /security/users/{user_id}. (#7588)
    • Removed behind_proxy_server option from configuration. (#7006)
  • Framework:

    • Deprecated update_ruleset script. (#6904)
  • Ruleset

    • Removed rule 51004 from Dropbear Rules. (#7289)
    • Remuved rules 23508, 23509 and 23510 from Vulnerability Detector Rules.

[v4.1.5] - 2021-04-22

Fixed

  • Core:
    • Fixed a bug in Vulnerability Detector that made Modulesd crash while updating the NVD feed due to a missing CPE entry. (4cbd1e8)

[v4.1.4] - 2021-03-25

Fixed

  • Cluster:
    • Fixed workers reconnection after restarting master node. Updated asyncio.Task.all_tasks method removed in Python 3.9. (#8017)

[v4.1.3] - 2021-03-23

Changed

  • External dependencies:
    • Upgraded Python version from 3.8.6 to 3.9.2 and several Python dependencies. (#7943)

Fixed

  • Core:

    • Fixed an error in FIM when getting the files' modification time on Windows due to wrong permission flags. (#7870)
    • Fixed a bug in Wazuh DB that truncated the output of the agents' status query towards the cluster. (#7873)
  • API:

    • Fixed validation for absolute and relative paths. (#7906)

[v4.1.2] - 2021-03-08

Changed

  • Core:

    • The default value of the agent disconnection time option has been increased to 10 minutes. (#7744)
    • The warning log from Remoted about sending messages to disconnected agents has been changed to level-1 debug log. (#7755)
  • API:

    • API logs showing request parameters and body will be generated with API log level info instead of debug. (#7735)
  • External dependencies:

    • Upgraded aiohttp version from 3.6.2 to 3.7.4. (#7734)

Fixed

  • Core:
    • Fix a bug in the unit tests that randomly caused false failures. (#7723)
    • Fixed a bug in the Analysisd configuration that did not apply the setting json_null_fields. (#7711)
    • Fixed the checking of the option ipv6 in Remoted. (#7737)
    • Fixed the checking of the option rids_closing_time in Remoted. (#7746)

[v4.1.1] - 2021-02-25

Added

  • External dependencies:

    • Added cython (0.29.21) library to Python dependencies. (#7451)
    • Added xmltodict (0.12.0) library to Python dependencies. (#7303)
  • API:

    • Added new endpoints to manage rules files. (#7178)
    • Added new endpoints to manage CDB lists files. (#7180)
    • Added new endpoints to manage decoder files. (#7179)
    • Added new manager and cluster endpoints to update Wazuh configuration (ossec.conf). (#7181)

Changed

  • External dependencies:

    • Upgraded Python version from 3.8.2 to 3.8.6. (#7451)
    • Upgraded Cryptography python library from 3.2.1 to 3.3.2. (#7451)
    • Upgraded cffi python library from 1.14.0 to 1.14.4. (#7451)
  • API:

    • Added raw parameter to GET /manager/configuration and GET cluster/{node_id}/configuration to load ossec.conf in xml format. (#7565)

Fixed

  • API:
    • Fixed an error with the RBAC permissions in the GET /groups endpoint. (#7328)
    • Fixed a bug with Windows registries when parsing backslashes. (#7309)
    • Fixed an error with the RBAC permissions when assigning multiple agent:group resources to a policy. (#7393)
    • Fixed an error with search parameter when using special characters. (#7301)
  • AWS Module:
    • Fixed a bug that caused an error when attempting to use an IAM Role with CloudWatchLogs service. (#7330)
  • Framework:
    • Fixed a race condition bug when using RBAC expand_group function. (#7353)
    • Fix migration process to overwrite default RBAC policies. (#7594)
  • Core:
    • Fixed a bug in Windows agent that did not honor the buffer's EPS limit. (#7333)
    • Fixed a bug in Integratord that might lose alerts from Analysisd due to a race condition. (#7338)
    • Silence the error message when the Syslog forwarder reads an alert with no rule object. (#7539)
    • Fixed a memory leak in Vulnerability Detector when updating NVD feeds. (#7559)
    • Prevent FIM from raising false positives about group name changes due to a thread unsafe function. (#7589)

Removed

  • API:
    • Deprecated /manager/files and /cluster/{node_id}/files endpoints. (#7209)

[v4.1.0] - 2021-02-15

Added

  • Core:
    • Allow negation of expressions in rules. (#6258)
    • Support for PCRE2 regular expressions in rules and decoders. (#6480)
    • Added new ruleset test module. Allow testing and verification of rules and decoders using Wazuh User Interface. (#5337)
    • Added new upgrade module. WPK upgrade feature has been moved to this module, which offers support for cluster architecture and simultaneous upgrades. (#5387)
    • Added new task module. This module stores and manages all the tasks that are executed in the agents or managers. (#5386)
    • Let the time interval to detect that an agent got disconnected configurable. Deprecate parameter DISCON_TIME. (#6396)
    • Added support to macOS in Vulnerability Detector. (#6532)
    • Added the capability to perform FIM on values in the Windows Registry. (#6735)
  • API:
    • Added endpoints to query and manage Rootcheck data. (#6496)
    • Added new endpoint to check status of tasks. (#6029)
    • Added new endpoints to run the logtest tool and delete a logtest session. (#5984)
    • Added debug2 mode for API log and improved debug mode. (#6822)
    • Added missing secure headers for API responses. (#7024)
    • Added new config option to disable uploading configurations containing remote commands. (#7016)
  • AWS Module:
    • Added support for AWS load balancers (Application Load Balancer, Classic Load Balancer and Network Load Balancer). (#6034)
  • Framework:
    • Added new framework modules to use the logtest tool. (#5870)
    • Improved q parameter on rules, decoders and cdb-lists modules to allow multiple nested fields. (#6560)

Changed

  • Core:
    • Removed the limit of agents that a manager can support. (#6097)
      • Migration of rootcheck results to Wazuh DB to remove the files with the results of each agent. (#6096)
      • Designed new mechanism to close RIDS files when agents are disconnected. (#6112)
    • Moved CA configuration section to verify WPK signatures from active-response section to agent-upgrade section. (#5929)
    • The tool ossec-logtest has been renamed to wazuh-logtest, and it uses a new testing service integrated in Analysisd. (#6103)
    • Changed error message to debug when multiple daemons attempt to remove an agent simultaneously (#6185)
    • Changed error message to warning when the agent fails to reach a module. (#5817)
  • API:
    • Changed the status parameter behavior in the DELETE /agents endpoint to enhance security. (#6829)
    • Changed upgrade endpoints to accept a list of agents, maximum 100 agents per request. (#5336)
    • Improved input validation regexes for names and array_names. (#7015)
  • Framework:
    • Refactored framework to work with new upgrade module. (#5537)
    • Refactored agent upgrade CLI to work with new ugprade module. It distributes petitions in a clustered environment. (#5675)
    • Changed rule and decoder details structure to support PCRE2. (#6318)
    • Changed access to agent's status. (#6326)
    • Improved AWS Config integration to avoid performance issues by removing alert fields with variables such as Instance ID in its name. (#6537)

Fixed

  • Core:
    • Fixed error in Analysisd when getting the ossec group ID. (#6688)
    • Prevented FIM from reporting configuration error when setting patterns that match no files. (#6187)
    • Fixed the array parsing when building JSON alerts. (#6687)
    • Added Firefox ESR to the CPE helper to distinguish it from Firefox when looking for vulnerabilities. (#6610)
    • Fixed the evaluation of packages from external sources with the official vendor feeds in Vulnerability Detector. (#6611)
    • Fixed the handling of duplicated tags in the Vulnerability Detector configuration. (#6683)
    • Fixed the validation of hotfixes gathered by Syscollector. (#6706)
    • Fixed the reading of the Linux OS version when /etc/os-release doesn't provide it. (#6674)
    • Fixed a false positive when comparing the minor target of CentOS packages in Vulnerability Detector. (#6709)
    • Fixed a zombie process leak in Modulesd when using commands without a timeout. (#6719)
    • Fixed a race condition in Remoted that might create agent-group files with wrong permissions. (#6833)
    • Fixed a warning log in Wazuh DB when upgrading the global database. (#6697)
    • Fixed a bug in FIM on Windows that caused false positive due to changes in the host timezone or the daylight saving time when monitoring files in a FAT32 filesystem. (#6801)
    • Fixed the purge of the Redhat vulnerabilities database before updating it. (#7050)
    • Fixed a condition race hazard in Authd that may prevent the daemon from updating client.keys after adding an agent. (#7271)
  • API:
    • Fixed an error with /groups/{group_id}/config endpoints (GET and PUT) when using complex localfile configurations. (#6276)
  • Framework:
    • Fixed a cluster_control bug that caused an error message when running wazuh-clusterd in foreground. (#6724)
    • Fixed a bug with add_manual(agents) function when authd is disabled. (#7062)

[v4.0.4] - 2021-01-14

Added

  • API:
    • Added missing secure headers for API responses. (#7138)
    • Added new config option to disable uploading configurations containing remote commands. (#7134)
    • Added new config option to choose the SSL ciphers. Default value TLSv1.2. (#7164)

Changed

  • API:
    • Deprecated endpoints to restore and update API configuration file. (#7132)
    • Default expiration time of the JWT token set to 15 minutes. (#7167)

Fixed

  • API:
    • Fixed a path traversal flaw (CVE-2021-26814) affecting 4.0.0 to 4.0.3 at /manager/files and /cluster/{node_id}/files endpoints. (#7131)
  • Framework:
    • Fixed a bug with add_manual(agents) function when authd is disabled. (#7135)
  • Core:
    • Fixed the purge of the Redhat vulnerabilities database before updating it. (#7133)

[v4.0.3] - 2020-11-30

Fixed

  • API:
    • Fixed a problem with certain API calls exceeding timeout in highly loaded cluster environments. (#6753)

[v4.0.2] - 2020-11-24

Added

  • Core:
    • Added macOS Big Sur version detection in the agent. (#6603)

Changed

  • API:
    • GET /agents/summary/os, GET /agents/summary/status and GET /overview/agents will no longer consider 000 as an agent. (#6574)
    • Increased to 64 the maximum number of characters that can be used in security users, roles, rules, and policies names. (#6657)

Fixed

  • API:
    • Fixed an error with POST /security/roles/{role_id}/rules when removing role-rule relationships with admin resources. (#6594)
    • Fixed a timeout error with GET /manager/configuration/validation when using it in a slow environment. (#6530)
  • Framework:
    • Fixed an error with some distributed requests when the cluster configuration is empty. (#6612)
    • Fixed special characters in default policies. (#6575)
  • Core:
    • Fixed a bug in Remoted that limited the maximum agent number to MAX_AGENTS-3 instead of MAX_AGENTS-2. (#4560)
    • Fixed an error in the network library when handling disconnected sockets. (#6444)
    • Fixed an error in FIM when handling temporary files and registry keys exceeding the path size limit. (#6538)
    • Fixed a bug in FIM that stopped monitoring folders pointed by a symbolic link. (#6613)
    • Fixed a race condition in FIM that could cause Syscheckd to stop unexpectedly. (#6696)

[v4.0.1] - 2020-11-11

Changed

  • Framework:
    • Updated Python's cryptography library to version 3.2.1 (#6442)

Fixed

  • API:
    • Added missing agent:group resource to RBAC's catalog. (6427)
    • Changed limit parameter behaviour in GET sca/{agent_id}/checks/{policy_id} endpoint and fixed some loss of information when paginating wdb. (#6464)
    • Fixed an error with GET /security/users/me when logged in with run_as. (#6506)
  • Framework:
    • Fixed zip files compression and handling in cluster integrity synchronization. (#6367)
  • Core
    • Fixed version matching when assigning feed in Vulnerability Detector. (#6505)
    • Prevent unprivileged users from accessing the Wazuh Agent folder in Windows. (#3593)
    • Fix a bug that may lead the agent to crash when reading an invalid Logcollector configuration. (#6463)

[v4.0.0] - 2020-10-23

Added

  • Added enrollment capability. Agents are now able to request a key from the manager if current key is missing or wrong. (#5609)
  • Migrated the agent-info data to Wazuh DB. (#5541)
  • API:
    • Embedded Wazuh API with Wazuh Manager, there is no need to install Wazuh API. (9860823)
    • Migrated Wazuh API server from nodejs to python. (#2640)
    • Added asynchronous aiohttp server for the Wazuh API. (#4474)
    • New Wazuh API is approximately 5 times faster on average. (#5834)
    • Added OpenAPI based Wazuh API specification. (#2413)
    • Improved Wazuh API reference documentation based on OpenAPI spec using redoc. (#4967)
    • Added new yaml Wazuh API configuration file. (#2570)
    • Added new endpoints to manage API configuration and deprecated configure_api.sh. (#2570)
    • Added RBAC support to Wazuh API. (#3287)
    • Added new endpoints for Wazuh API security management. (#3410)
    • Added SQLAlchemy ORM based database for RBAC. (#3375)
    • Added new JWT authentication method. (7080ac3)
    • Wazuh API up and running by default in all nodes for a clustered environment.
    • Added new and improved error handling. (#2843 (#5345)
    • Added tavern and docker based Wazuh API integration tests. (#3612)
    • Added new and unified Wazuh API responses structure. (3421015)
    • Added new endpoints for Wazuh API users management. (#3280)
    • Added new endpoint to restart agents which belong to a node. (#5381)
    • Added and improved q filter in several endpoints. (#5431)
    • Tested and improved Wazuh API security. (#5318)
      • Added DDOS blocking system. (#5318)
      • Added brute force attack blocking system. (#5318)
      • Added content-type validation. (#5318)
  • Vulnerability Detector:
    • Redhat vulnerabilities are now fetched from OVAL benchmarks. (#5352)
    • Debian vulnerable packages are now fetched from the Security Tracker. (#5304)
    • The Debian Security Tracker feed can be loaded from a custom location. (#5449)
    • The package vendor is used to discard vulnerabilities. (#5330)
    • Allow compressed feeds for offline updates. (#5745)
    • The manager now updates the MSU feed automatically. (#5678)
    • CVEs with no affected version defined in all the feeds are now reported. (#5284)
    • CVEs vulnerable for the vendor and missing in the NVD are now reported. (#5305)
  • File Integrity Monitoring:
    • Added options to limit disk usage using report changes option in the FIM module. (#5157)
  • Added and updated framework unit tests to increase coverage. (#3287)
  • Added improved support for monitoring paths from environment variables. (#4961)
  • Added base64_log format to the log builder for Logcollector. (#5273)

Changed

  • Changed the default manager-agent connection protocol to TCP. (#5696)
  • Disable perpetual connection attempts to modules. (#5622)
  • Unified the behaviour of Wazuh daemons when reconnecting with unix sockets. (#4510)
  • Changed multiple Wazuh API endpoints. (#2640) (#2413)
  • Refactored framework module in SDK and core. (#5263)
  • Refactored FIM Windows events handling. (#5144)
  • Changed framework to access global.db using wazuh-db. (#6095)
  • Changed agent-info synchronization task in Wazuh cluster. (#5585)
  • Use the proper algorithm name for SHA-256 inside Prelude output. Thanks to François Poirotte (@fpoirotte). (#5004)
  • Elastic Stack configuration files have been adapted to Wazuh v4.x. (#5796)
  • Explicitly use Bash for the Pagerduty integration. Thanks to Chris Kruger (@montdidier). (#4641)

Fixed

  • Vulnerability Detector:
    • Vulnerabilities of Windows Server 2019 which not affects to Windows 10 were not being reported. (#5524)
    • Vulnerabilities patched by a Microsoft update with no supersedence were not being reported. (#5524)
    • Vulnerabilities patched by more than one Microsoft update were not being evaluated agains all the patches. (#5717)
    • Duplicated alerts in Windows 10. (#5600)
    • Syscollector now discards hotfixes that are not fully installed. (#5792)
    • Syscollector now collects hotfixes that were not being parsed. (#5792)
    • Update Windows databases when run_on_start is disabled. (#5335)
    • Fixed the NVD version comparator to remove undesired suffixes. (#5362)
    • Fixed not escaped single quote in vuln detector SQL query. (#5570)
    • Unified alerts title. (#5826)
    • Fixed potential error in the GZlib when uncompressing NVD feeds. (#5989)
  • File Integrity Monitoring:
    • Fixed an error with last scan time in Syscheck API endpoints. (a9acd3a)
    • Fixed support for monitoring directories which contain commas. (#4961)
    • Fixed a bug where configuring a directory to be monitored as real-time and whodata resulted in real-time prevailing. (#4961)
    • Fixed using an incorrect mutex while deleting inotify watches. (#5126)
    • Fixed a bug which could cause multiple FIM threads to request the same temporary file. (#5213)
    • Fixed a bug where deleting a file permanently in Windows would not trigger an alert. (#5144)
    • Fixed a typo in the file monitoring options log entry. (#5591)
    • Fixed an error where monitoring a drive in Windows under scheduled or realtime mode would generate alerts from the recycle bin. (#4771)
    • When monitoring a drive in Windows in the format U:, it will monitor U:\ instead of the agent's working directory. (#5259)
    • Fixed a bug where monitoring a drive in Windows with recursion_level set to 0 would trigger alerts from files inside its subdirectories. (#5235)
  • Fixed an Azure wodle dependency error. The package azure-storage-blob>12.0.0 does not include a component used. (#6109)
  • Fixed bugs reported by GCC 10.1.0. (#5119)
  • Fixed compilation errors with USE_PRELUDE enabled. Thanks to François Poirotte (@fpoirotte). (#5003)
  • Fixed default gateway data gathering in Syscollector on Linux 2.6. (#5548)
  • Fixed the Eventchannel collector to keep working when the Eventlog service is restarted. (#5496)
  • Fixed the OpenSCAP script to work over Python 3. (#5317)
  • Fixed the launcher.sh generation in macOS source installation. (#5922)

Removed

  • Removed Wazuh API cache endpoints. (#3042)
  • Removed Wazuh API rootcheck endpoints. (#5246)
  • Deprecated Debian Jessie and Wheezy for Vulnerability Detector (EOL). (#5660)
  • Removed references to manage_agents in the installation process. (#5840)
  • Removed compatibility with deprecated configuration at Vulnerability Detector. (#5879)

[v3.13.4]

Fixed

  • Fixed a crash in Vuln Detector when scanning agents running on Windows (backport from 4.3.2). (#13624)

[v3.13.3] - 2021-04-28

Fixed

  • Fixed a bug in Vulnerability Detector that made Modulesd crash while updating the NVD feed due to a missing CPE entry. (#8346)

[v3.13.2] - 2020-09-21

Fixed

  • Updated the default NVD feed URL from 1.0 to 1.1 in Vulnerability Detector. (#6056)

[v3.13.1] - 2020-07-14

Added

  • Added two new settings <max_retries> and <retry_interval> to adjust the agent failover interval. (#5433)

Fixed

  • Fixed a crash in Modulesd caused by Vulnerability Detector when skipping a kernel package if the agent has OS info disabled. (#5467)

[v3.13.0] - 2020-06-29

Added

  • Vulnerability Detector improvements. (#5097)
    • Include the NVD as feed for Linux agents in Vulnerability Detector.
    • Improve the Vulnerability Detector engine to correlate alerts between different feeds.
    • Add Vulnerability Detector module unit testing for Unix source code.
    • A timeout has been added to the updates of the vulnerability detector feeds to prevent them from getting hung up. (#5153)
  • New option for the JSON decoder to choose the treatment of Array structures. (#4836)
  • Added mode value (real-time, Who-data, or scheduled) as a dynamic field in FIM alerts. (#5051)
  • Set a configurable maximum limit of files to be monitored by FIM. (#4717)
  • New integration for pull logs from Google Cloud Pub/Sub. (#4078)
  • Added support for MITRE ATT&CK knowledge base. (#3746)
  • Microsoft Software Update Catalog used by vulnerability detector added as a dependency. (#5101)
  • Added support for aarch64 and armhf architectures. (#5030)

Changed

  • Internal variable rt_delay configuration changes to 5 milliseconds. (#4760)
  • Who-data includes new fields: process CWD, parent process id, and CWD of parent process. (#4782)
  • FIM opens files with shared deletion permission. (#5018)
  • Extended the statics fields comparison in the ruleset options. (#4416)
  • The state field was removed from vulnerability alerts. (#5211)
  • The NVD is now the primary feed for the vulnerability detector in Linux. (#5097)
  • Removed OpenSCAP policies installation and configuration block. (#5061)
  • Changed the internal configuration of Analysisd to be able to register by default a number of agents higher than 65536. (#4332)
  • Changed same/different_systemname for same/different_system_name in Analysisd static filters. (#5131)
  • Updated the internal Python interpreter from v3.7.2 to v3.8.2. (#5030)

Fixed

  • Fixed a bug that, in some cases, kept the memory reserved when deleting monitored directories in FIM. (#5115)
  • Freed Inotify watches moving directories in the real-time mode of FIM. (#4794)
  • Fixed an error that caused deletion alerts with a wrong path in Who-data mode. (#4831)
  • Fixed generating alerts in Who-data mode when moving directories to the folder being monitored in Windows. (#4762)
  • Avoid truncating the full log field of the alert when the path is too long. (#4792)
  • Fixed the change of monitoring from Who-data to real-time when there is a failure to set policies in Windows. (#4753)
  • Fixed an error that prevents restarting Windows agents from the manager. (#5212)
  • Fixed an error that impedes the use of the tag URL by configuring the NVD in a vulnerability detector module. (#5165)
  • Fixed TOCTOU condition in Clusterd when merging agent-info files. (#5159)
  • Fixed race condition in Analysisd when handling accumulated events. (#5091)
  • Avoided to count links when generating alerts for ignored directories in Rootcheck. Thanks to Artur Molchanov (@Hexta). (#4603)
  • Fixed typo in the path used for logging when disabling an account. Thanks to Fontaine Pierre (@PierreFontaine). (#4839)
  • Fixed an error when receiving different Syslog events in the same TCP packet. (#5087)
  • Fixed a bug in Vulnerability Detector on Modulesd when comparing Windows software versions. (#5168)
  • Fixed a bug that caused an agent's disconnection time not to be displayed correctly. (#5142)
  • Optimized the function to obtain the default gateway. Thanks to @WojRep
  • Fixed host verification when signing a certificate for the manager. (#4963)
  • Fixed possible duplicated ID on 'client.keys' adding new agent through the API with a specific ID. (#4982)
  • Avoid duplicate descriptors using wildcards in 'localfile' configuration. (#4977)
  • Added guarantee that all processes are killed when service stops. (#4975)
  • Fixed mismatch in integration scripts when the debug flag is set to active. (#4800)

[v3.12.3] - 2020-04-30

Changed

  • Disable WAL in databases handled by Wazuh DB to save disk space. (#4949)

Fixed

  • Fixed a bug in Remoted that could prevent agents from connecting in UDP mode. (#4897)
  • Fixed a bug in the shared library that caused daemons to not find the ossec group. (#4873)
  • Prevent Syscollector from falling into an infinite loop when failed to collect the Windows hotfixes. (#4878)
  • Fixed a memory leak in the system scan by Rootcheck on Windows. (#4948)
  • Fixed a bug in Logcollector that caused the out_format option not to apply for the agent target. (#4942)
  • Fixed a bug that caused FIM to not handle large inode numbers correctly. (#4914)
  • Fixed a bug that made ossec-dbd crash due to a bad mutex initialization. (#4552)

[v3.12.2] - 2020-04-09

Fixed

  • Fixed a bug in Vulnerability Detector that made wazuh-modulesd crash when parsing the version of a package from a RHEL feed. (#4885)

[v3.12.1] - 2020-04-08

Changed

  • Updated MSU catalog on 31/03/2020. (#4819)

Fixed

  • Fixed compatibility with the Vulnerability Detector feeds for Ubuntu from Canonical, that are available in a compressed format. (#4834)
  • Added missing field ‘database’ to the FIM on-demand configuration report. (#4785)
  • Fixed a bug in Logcollector that made it forward a log to an external socket infinite times. (#4802)
  • Fixed a buffer overflow when receiving large messages from Syslog over TCP connections. (#4778)
  • Fixed a malfunction in the Integrator module when analyzing events without a certain field. (#4851)
  • Fix XML validation with paths ending in \. (#4783)

Removed

  • Removed support for Ubuntu 12.04 (Precise) in Vulneratiliby Detector as its feed is no longer available.

[v3.12.0] - 2020-03-24

Added

  • Add synchronization capabilities for FIM. (#3319)
  • Add SQL database for the FIM module. Its storage can be switched between disk and memory. (#3319)
  • Add support for monitoring AWS S3 buckets in GovCloud regions. (#3953)
  • Add support for monitoring Cisco Umbrella S3 buckets. (#3890)
  • Add automatic reconnection with the Eventchannel service when it is restarted. (#3836)
  • Add a status validation when starting Wazuh. (#4237)
  • Add FIM module unit testing for Unix source code. (#4688)
  • Add multi-target support for unit testing. (#4564)
  • Add FIM module unit testing for Windows source code. (#4633)

Changed

  • Move the FIM logic engine to the agent. (#3319)
  • Make Logcollector continuously attempt to reconnect with the agent daemon. (#4435)
  • Make Windows agents to send the keep-alive independently. (#4077)
  • Do not enforce source IP checking by default in the registration process. (#4083)
  • Updated API manager/configuration endpoint to also return the new synchronization and whodata syscheck fields (#4241)
  • Disabled the chroot jail in Agentd on UNIX.

Fixed

  • Avoid reopening the current socket when Logcollector fails to send a event. (#4696)
  • Prevent Logcollector from starving when has to reload files. (#4730)
  • Fix a small memory leak in clusterd. (#4465)
  • Fix a crash in the fluent forwarder when SSL is not enabled. (#4675)
  • Replace non-reentrant functions to avoid race condition hazards. (#4081)
  • Fixed the registration of more than one agent as any when forcing to use the source IP. (#2533)
  • Fix Windows upgrades in custom directories. (#2534)
  • Fix the format of the alert payload passed to the Slack integration. (#3978)

[v3.11.4] - 2020-02-25

Changed

  • Remove chroot in Agentd to allow it resolve DNS at any time. (#4652)

[v3.11.3] - 2020-01-28

Fixed

  • Fixed a bug in the Windows agent that made Rootcheck report false positives about file size mismatch. (#4493)

[v3.11.2] - 2020-01-22

Changed

  • Optimized memory usage in Vulnerability Detector when fetching the NVD feed. (#4427)

Fixed

  • Rootcheck scan produced a 100% CPU peak in Syscheckd because it applied <readall> option even when disabled. (#4415)
  • Fixed a handler leak in Rootcheck and SCA on Windows agents. (#4456)
  • Prevent Remoted from exiting when a client closes a connection prematurely. (#4390)
  • Fixed crash in Slack integration when handling an alert with no description. (#4426)
  • Fixed Makefile to allow running scan-build for Windows agents. (#4314)
  • Fixed a memory leak in Clusterd. (#4448)
  • Disable TCP keepalive options at os_net library to allow building Wazuh on OpenBSD. (#4462)

[v3.11.1] - 2020-01-03

Fixed

  • The Windows Eventchannel log decoder in Analysisd maxed out CPU usage due to an infinite loop. (#4412)

[v3.11.0] - 2019-12-23

Added

  • Add support to Windows agents for vulnerability detector. (#2787)
  • Add support to Debian 10 Buster for vulnerability detector (by @aderumier). (#4151)
  • Make the Wazuh service to start after the network systemd unit (by @VAdamec). (#1106)
  • Add process inventory support for Mac OS X agents. (#3322)
  • Add port inventory support for MAC OS X agents. (#3349)
  • Make Analysisd compile the CDB list upon start. (#3488)
  • New rules option global_frequency to make frequency rules independent from the event source. (#3931)
  • Add a validation for avoiding agents to keep trying to connect to an invalid address indefinitely. (#3951)
  • Add the condition field of SCA checks to the agent databases. (#3631)
  • Display a warning message when registering to an unverified manager. (#4207)
  • Allow JSON escaping for logs on Logcollector's output format. (#4273)
  • Add TCP keepalive support for Fluent Forwarder. (#4274)
  • Add the host's primary IP to Logcollector's output format. (#4380)

Changed

  • Now EventChannel alerts include the full message with the translation of coded fields. (#3320)
  • Changed -G agent-auth description in help message. (#3856)
  • Unified the Makefile flags allowed values. (#4034)
  • Let Logcollector queue file rotation and keepalive messages. (#4222)
  • Changed default paths for the OSQuery module in Windows agents. (#4148)
  • Fluent Forward now packs the content towards Fluentd into an object. (#4334)

Fixed

  • Fix frequency rules to be increased for the same agent by default. (#3931)
  • Fix protocol, system_name, data and extra_data static fields detection. (#3591)
  • Fix overwriting agents by Authd when force option is less than 0. (#3527)
  • Fix Syscheck nodiff option for substring paths. (#3015)
  • Fix Logcollector wildcards to not detect directories as log files. (#3788)
  • Make Slack integration work with agentless alerts (by @dmitryax). (#3971)
  • Fix bugs reported by Clang analyzer. (#3887)
  • Fix compilation errors on OpenBSD platform. (#3105)
  • Fix on-demand configuration labels section to obtain labels attributes. (#3490)
  • Fixed race condition between wazuh-clusterd and wazuh-modulesd showing a 'No such file or directory' in cluster.log when synchronizing agent-info files in a cluster environment (#4007)
  • Fixed 'ConnectionError object has no attribute code' error when package repository is not available (#3441)
  • Fix the blocking of files monitored by Who-data in Windows agents. (#3872)
  • Fix the processing of EventChannel logs with unexpected characters. (#3320)
  • Active response Kaspersky script now logs the action request in active-responses.log (#2748)
  • Fix service's installation path for CentOS 8. (#4060)
  • Add macOS Catalina to the list of detected versions. (#4061)
  • Prevent FIM from producing false negatives due to wrong checksum comparison. (#4066)
  • Fix previous_output count for alerts when matching by group. (#4097)
  • Fix event iteration when evaluating contextual rules. (#4106)
  • Fix the use of prefilter_cmd remotely by a new local option allow_remote_prefilter_cmd. (#4178 & 4194)
  • Fix restarting agents by group using the API when some of them are in a worker node. (#4226)
  • Fix error in Fluent Forwarder that requests an user and pass although the server does not need it. (#3910)
  • Fix FTS data length bound mishandling in Analysisd. (#4278)
  • Fix a memory leak in Modulesd and Agentd when Fluent Forward parses duplicate options. (#4334)
  • Fix an invalid memory read in Agentd when checking a remote configuration containing an invalid stanza inside <labels>. (#4334)
  • Fix error using force_reload and the eventchannel format in UNIX systems. (#4294)

[v3.10.2] - 2019-09-23

Fixed

  • Fix error in Logcollector when reloading localfiles with timestamp wildcards. (#3995)

[v3.10.1] - 2019-09-19

Fixed

  • Fix error after removing a high volume of agents from a group using the Wazuh API. (#3907)
  • Fix error in Remoted when reloading agent keys (busy resource). (#3988)
  • Fix invalid read in Remoted counters. (#3989)

[v3.10.0] - 2019-09-16

Added

  • Add framework function to obtain full summary of agents. (#3842)
  • SCA improvements. (#3286)
    • Refactor de SCA internal logic and policy syntax. (#3249)
    • Support to follow symbolic links. (#3228)
    • Add numerical comparator for SCA rules. (#3374)
    • Add SCA decoded events count to global stats. (#3623)
  • Extend duplicate file detection for LogCollector. (#3867)
  • Add HIPAA and NIST 800 53 compliance mapping as rule groups.(#3411 & #3420)
  • Add SCA compliance groups to rule groups in alerts. (#3427)
  • Add IPv6 loopback address to localhost list in DB output module (by @aquerubin). (#3140)
  • Accept ] and > as terminal prompt characters for Agentless. (#3209)

Changed

  • Modify logs for agent authentication issues by Remoted. (#3662)
  • Make Syscollector logging messages more user-friendly. (#3397)
  • Make SCA load by default all present policies at the default location. (#3607)
  • Increase IPSIZE definition for IPv6 compatibility (by @aquerubin). (#3259)
  • Replace local protocol definitions with Socket API definitions (by @aquerubin). (#3260)
  • Improved error message when some of required Wazuh daemons are down. Allow restarting cluster nodes except when ossec-execd is down. (#3496)
  • Allow existing aws_profile argument to work with vpcflowlogs in AWS wodle configuration. Thanks to Adam Williams (@awill1988). (#3729)

Fixed

  • Fix exception handling when using an invalid bucket in AWS wodle (#3652)
  • Fix error message when an AWS bucket is empty (#3743)
  • Fix error when getting profiles in custom AWS buckets (#3786)
  • Fix SCA integrity check when switching between manager nodes. (#3884)
  • Fix alert email sending when no_full_log option is set in a rule. (#3174)
  • Fix error in Windows who-data when handling the directories list. (#3883)
  • Fix error in the hardware inventory collector for PowerPC architectures. (#3624)
  • Fix the use of mutexes in the OS_Regex library. (#3533)
  • Fix invalid read in the OS_Regex library. (#3815)
  • Fix compilation error on FreeBSD 13 and macOS 10.14. (#3832)
  • Fix typo in the license of the files. (#3779)
  • Fix error in execd when upgrading agents remotely while auto-restarting. (#3437)
  • Prevent integrations from inheriting descriptors. (#3514)
  • Overwrite rules label fix and rules features tests. (#3414)
  • Fix typo: replace readed with read. (#3328)
  • Introduce global mutex for Rootcheck decoder. (#3530)
  • Fix errors reported by scan-build. (#3452 & #3785)
  • Fix the handling of wm_exec() output.(#3486)
  • Fix FIM duplicated entries in Windows. (#3504)
  • Remove socket deletion from epoll. (#3432)
  • Let the sources installer support NetBSD. (#3444)
  • Fix error message from openssl v1.1.1. (#3413)
  • Fix compilation issue for local installation. (#3339)
  • Fix exception handling when /tmp have no permissions and tell the user the problem. (#3401)
  • Fix who-data alerts when audit logs contain hex fields. (#3909)
  • Remove useless select() calls in Analysisd decoders. (#3964)

[v3.9.5] - 2019-08-08

Fixed

  • Fixed a bug in the Framework that prevented Cluster and API from handling the file client.keys if it's mounted as a volume on Docker.
  • Fixed a bug in Analysisd that printed the millisecond part of the alerts' timestamp without zero-padding. That prevented Elasticsearch 7 from indexing those alerts. (#3814)

[v3.9.4] - 2019-08-07

Changed

  • Prevent agent on Windows from including who-data on FIM events for child directories without who-data enabled, even if it's available. (#3601)
  • Prevent Rootcheck configuration from including the <ignore> settings if they are empty. (#3634)
  • Wazuh DB will delete the agent DB-related files immediately when removing an agent. (#3691)

Fixed

  • Fixed bug in Remoted when correlating agents and their sockets in TCP mode. (#3602)
  • Fix bug in the agent that truncated its IP address if it occupies 15 characters. (#3615)
  • Logcollector failed to overwrite duplicate <localfile> stanzas. (#3616)
  • Analysisd could produce a double free if an Eventchannel message contains an invalid XML member. (#3626)
  • Fixed defects in the code reported by Coverity. (#3627)
  • Fixed bug in Analysisd when handling invalid JSON input strings. (#3648)
  • Fix handling of SCA policies with duplicate ID in Wazuh DB. (#3668)
  • Cluster could fail synchronizing some files located in Docker volumes. (#3669)
  • Fix a handler leak in the FIM whodata engine for Windows. (#3690)
  • The Docker listener module was storing and ignoring the output of the integration. (#3768)
  • Fixed memory leaks in Syscollector for macOS agents. (#3795)
  • Fix dangerous mutex initialization in Windows hosts. (#3805)

[v3.9.3] - 2019-07-08

Changed

  • Windows Eventchannel log collector will no longer report bookmarked events by default (those that happened while the agent was stopped). (#3485)
  • Remoted will discard agent-info data not in UTF-8 format. (#3581)

Fixed

  • Osquery integration did not follow the osquery results file (osqueryd.results.log) as of libc 2.28. (#3494)
  • Windows Eventchannnel log collector did not update the bookmarks so it reported old events repeatedly. (#3485)
  • The agent sent invalid info data in the heartbeat message if it failed to get the host IP address. (#3555)
  • Modulesd produced a memory leak when being queried for its running configuration. (#3564)
  • Analysisd and Logtest crashed when trying rules having <different_geoip> and no <not_same_field> stanza. (#3587)
  • Vulnerability Detector failed to parse the Canonical's OVAL feed due to a syntax change. (#3563)
  • AWS Macie events produced erros in Elasticsearch. (#3608)
  • Rules with <list lookup="address_match_key" /> produced a false match if the CDB list file is missing. (#3609)
  • Remote configuration was missing the <ignore> stanzas for Syscheck and Rootcheck when defined as sregex. (#3617)

[v3.9.2] - 2019-06-10

Added

  • Added support for Ubuntu 12.04 to the SCA configuration template. (#3361)

Changed

  • Prevent the agent from stopping if it fails to resolve the manager's hostname on startup. (#3405)
  • Prevent Remoted from logging agent connection timeout as an error, now it's a debugging log. (#3426)

Fixed

  • A configuration request to Analysisd made it crash if the option <white_list> is empty. (#3383)
  • Fixed error when uploading some configuration files through API in wazuh-docker environments. (#3335)
  • Fixed error deleting temporary files during cluster synchronization. (#3379)
  • Fixed bad permissions on agent-groups files synchronized via wazuh-clusterd. (#3438)
  • Fixed bug in the database module that ignored agents registered with a network mask. (#3351)
  • Fixed a memory bug in the CIS-CAT module. (#3406)
  • Fixed a bug in the agent upgrade tool when checking the version number. (#3391)
  • Fixed error checking in the Windows Eventchannel log collector. (#3393)
  • Prevent Analysisd from crashing at SCA decoder due to a race condition calling a thread-unsafe function. (#3466)
  • Fix a file descriptor leak in Modulesd on timeout when running a subprocess. (#3470)
    • OpenSCAP.
    • CIS-CAT.
    • Command.
    • Azure.
    • SCA.
    • AWS.
    • Docker.
  • Prevent Modulesd from crashing at Vulnerability Detector when updating a RedHat feed. (3458)

[v3.9.1] - 2019-05-21

Added

  • Added directory existence checking for SCA rules. (#3246)
  • Added line number to error messages when parsing YAML files. (#3325)
  • Enhanced wildcard support for Windows Logcollector. (#3236)

Changed

  • Changed the extraction point of the package name in the Vulnerability Detector OVALs. (#3245)

Fixed

  • Fixed SCA request interval option limit. (#3254)
  • Fixed SCA directory checking. (#3235)
  • Fixed potential out of bounds memory access. (#3285)
  • Fixed CIS-CAT XML report parser. (#3261)
  • Fixed .ssh folder permissions for Agentless. (#2660)
  • Fixed repeated fields in SCA summary events. (#3278)
  • Fixed command output treatment for the SCA module. (#3297)
  • Fixed agent_upgrade tool to set the manager version as the default one. (#2721)
  • Fixed execd crash when timeout list is not initialized. (#3316)
  • Fixed support for reading large files on Windows Logcollector. (#3248)
  • Fixed the manager restarting process via API on Docker. (#3273)
  • Fixed the agent_info files synchronization between cluster nodes. (#3272)

Removed

  • Removed 5-second reading timeout for File Integrity Monitoring scan. (#3366)

[v3.9.0] - 2019-05-02

Added

  • New module to perform Security Configuration Assessment scans. (#2598)
  • New Logcollector features. (#2929)
    • Let Logcollector filter files by content. (#2796)
    • Added a pattern exclusion option to Logcollector. (#2797)
    • Let Logcollector filter files by date. (#2799)
    • Let logcollector support wildcards on Windows. (#2898)
  • Fluent forwarder for agents. (#2828)
  • Collect network and port inventory for Windows XP/Server 2003. (#2464)
  • Included inventory fields as dynamic fields in events to use them in rules. (#2441)
  • Added an option startup_healthcheck in FIM so that the the who-data health-check is optional. (#2323)
  • The real agent IP is reported by the agent and shown in alerts and the App interface. (#2577)
  • Added support for organizations in AWS wodle. (#2627)
  • Added support for hot added symbolic links in Whodata. (#2466)
  • Added -t option to wazuh-clusterd binary (#2691).
  • Added options same_field and not_same_field in rules to correlate dynamic fields between events. (#2689)
  • Added optional daemons start by default. (#2769)
  • Make the Windows installer to choose the appropriate ossec.conf file based on the System version. (#2773)
  • Added writer thread preference for Logcollector. (#2783)
  • Added database deletion from Wazuh-DB for removed agents. (#3123)

Changed

  • Introduced a network buffer in Remoted to cache incomplete messages from agents. This improves the performance by preventing Remoted from waiting for complete messages. (#2528)
  • Improved alerts about disconnected agents: they will contain the data about the disconnected agent, although the alert is actually produced by the manager. (#2379)
  • PagerDuty integration plain text alert support (by @spartantri). (#2403)
  • Improved Remoted start-up logging messages. (#2460)
  • Let agent_auth warn when it receives extra input arguments. (#2489)
  • Update the who-data related SELinux rules for Audit 3.0. This lets who-data work on Fedora 29. (#2419)
  • Changed data source for network interface's MAC address in Syscollector so that it will be able to get bonded interfaces' MAC. (#2550)
  • Migrated unit tests from Check to TAP (Test Anything Protocol). (#2572)
  • Now labels starting with _ are reserved for internal use. (#2577)
  • Now AWS wodle fetches aws.requestParameters.disableApiTermination with an unified format (#2614)
  • Improved overall performance in cluster (#2575)
  • Some improvements has been made in the vulnerability-detector module. (#2603)
  • Refactor of decoded fields from the Windows eventchannel decoder. (#2684)
  • Deprecate global option <queue_size> for Analysisd. (#2729)
  • Excluded noisy events from Windows Eventchannel. (#2763)
  • Replaced printf functions in agent-authd. (#2830)
  • Replaced strtoul() using NULL arguments with atol() in wodles config files. (#2801)
  • Added a more descriptive message for SSL error when agent-auth fails. (#2941)
  • Changed the starting Analysisd messages about loaded rules from info to debug level. (#2881)
  • Re-structured messages for FIM module. (#2926)
  • Changed diff output in Syscheck for Windows. (#2969)
  • Replaced OSSEC e-mail subject with Wazuh in ossec-maild. (#2975)
  • Added keepalive in TCP to manage broken connections in ossec-remoted. (#3069)
  • Change default restart interval for Docker listener module to one minute. (#2679)

Fixed

  • Fixed error in Syscollector for Windows older than Vista when gathering the hardware inventory. (#2326)
  • Fixed an error in the OSQuery configuration validation. (#2446)
  • Prevent Integrator, Syslog Client and Mail forwarded from getting stuck while reading alerts.json. (#2498)
  • Fixed a bug that could make an Agent running on Windows XP close unexpectedly while receiving a WPK file. (#2486)
  • Fixed ossec-control script in Solaris. (#2495)
  • Fixed a compilation error when building Wazuh in static linking mode with the Audit library enabled. (#2523)
  • Fixed a memory hazard in Analysisd on log pre-decoding for short logs (less than 5 bytes). (#2391)
  • Fixed defects reported by Cppcheck. (#2521)
    • Double free in GeoIP data handling with IPv6.
    • Buffer overlay when getting OS information.
    • Check for successful memory allocation in Syscollector.
  • Fix out-of-memory error in Remoted when upgrading an agent with a big data chunk. (#2594)
  • Re-registered agent are reassigned to correct groups when the multigroup is empty. (#2440)
  • Wazuh manager starts regardless of the contents of local_decoder.xml. (#2465)
  • Let Remoted wait for download module availability. (#2517)
  • Fix duplicate field names at some events for Windows eventchannel. (#2500)
  • Delete empty fields from Windows Eventchannel alerts. (#2492)
  • Fixed memory leak and crash in Vulnerability Detector. (#2620)
  • Prevent Analysisd from crashing when receiving an invalid Syscollector event. (#2621)
  • Fix a bug in the database synchronization module that left broken references of removed agents to groups. (#2628)
  • Fixed restart service in AIX. (#2674)
  • Prevent Execd from becoming defunct when Active Response disabled. (#2692)
  • Fix error in Syscollector when unable to read the CPU frequency on agents. (#2740)
  • Fix Windows escape format affecting non-format messages. (#2725)
  • Avoid a segfault in mail daemon due to the XML tags order in the ossec.conf. (#2711)
  • Prevent the key updating thread from starving in Remoted. (#2761)
  • Fixed error logging on Windows agent. (#2791)
  • Let CIS-CAT decoder reuse the Wazuh DB connection socket. (#2800)
  • Fixed issue with agent-auth options without argument. (#2808)
  • Fixed control of the frequency counter in alerts. (#2854)
  • Ignore invalid files for agent groups. (#2895)
  • Fixed invalid behaviour when moving files in Whodata mode. (#2888)
  • Fixed deadlock in Remoted when updating the keyentries structure. (#2956)
  • Fixed error in Whodata when one of the file permissions cannot be extracted. (#2940)
  • Fixed System32 and SysWOW64 event processing in Whodata. (#2935)
  • Fixed Syscheck hang when monitoring system directories. (#3059)
  • Fixed the package inventory for MAC OS X. (#3035)
  • Translated the Audit Policy fields from IDs for Windows events. (#2950)
  • Fixed broken pipe error when Wazuh-manager closes TCP connection. (#2965)
  • Fixed whodata mode on drives other than the main one. (#2989)
  • Fixed bug occurred in the database while removing an agent. (#2997)
  • Fixed duplicated alerts for Red Hat feed in vulnerability-detector. (#3000)
  • Fixed bug when processing symbolic links in Whodata. (#3025)
  • Fixed option for ignoring paths in rootcheck. (#3058)
  • Allow Wazuh service on MacOSX to be available without restart. (#3119)
  • Ensure internal_options.conf file is overwritten on Windows upgrades. (#3153)
  • Fixed the reading of the setting attempts of the Docker module. (#3067)
  • Fix a memory leak in Docker listener module. (#2679)

[v3.8.2] - 2019-01-30

Fixed

  • Analysisd crashed when parsing a log from OpenLDAP due to a bug in the option <accumulate>. (#2456)
  • Modulesd closed unexpectedly if a command was defined without a <tag> option. (#2470)
  • The Eventchannel decoder was not being escaping backslashes correctly. (#2483)
  • The Eventchannel decoder was leaving spurious trailing spaces in some fields. (#2484)

[v3.8.1] - 2019-01-25

Fixed

  • Fixed memory leak in Logcollector when reading Windows eventchannel. (#2450)
  • Fixed script parsing error in Solaris 10. (#2449)
  • Fixed version comparisons on Red Hat systems. (By @orlando-jamie) (#2445)

[v3.8.0] - 2019-01-19

Added

  • Logcollector extension for Windows eventchannel logs in JSON format. (#2142)
  • Add options to detect attribute and file permission changes for Windows. (#1918)
  • Added Audit health-check in the Whodata initialization. (#2180)
  • Added Audit rules auto-reload in Whodata. (#2180)
  • Support for new AWS services in the AWS wodle (#2242):
    • AWS Config
    • AWS Trusted Advisor
    • AWS KMS
    • AWS Inspector
    • Add support for IAM roles authentication in EC2 instances.
  • New module "Agent Key Polling" to integrate agent key request to external data sources. (#2127)
    • Look for missing or old agent keys when Remoted detects an authorization failure.
    • Request agent keys by calling a defined executable or connecting to a local socket.
  • Get process inventory for Windows natively. (#1760)
  • Improved vulnerability detection in Red Hat systems. (#2137)
  • Add retries to download the OVAL files in vulnerability-detector. (#1832)
  • Auto-upgrade FIM databases in Wazuh-DB. (#2147)
  • New dedicated thread for AR command running on Windows agent. (#1725)
    • This will prevent the agent from delaying due to an AR execution.
  • New internal option to clean residual files of agent groups. (#1985)
  • Add a manifest to run agent-auth.exe with elevated privileges. (#1998)
  • Compress last-entry files to check differences by FIM. (#2034)
  • Add error messages to integration scripts. (#2143)
  • Add CDB lists building on install. (#2167)
  • Update Wazuh copyright for internal files. (#2343)
  • Added option to allow maild select the log file to read from. (#977)
  • Add table to control the metadata of the vuln-detector DB. (#2402)

Changed

  • Now Wazuh manager can be started with an empty configuration in ossec.conf. (#2086)
  • The Authentication daemon is now enabled by default. (#2129)
  • Make FIM show alerts for new files by default. (#2213)
  • Reduce the length of the query results from Vulnerability Detector to Wazuh DB. (#1798)
  • Improved the build system to automatically detect a big-endian platform. (#2031)
    • Building option USE_BIG_ENDIAN is not already needed on Solaris (SPARC) or HP-UX.
  • Expanded the regex pattern maximum size from 2048 to 20480 bytes. (#2036)
  • Improved IP address validation in the option <white_list> (by @pillarsdotnet). (#1497)
  • Improved rule option <info> validation (by @pillarsdotnet). (#1541)
  • Deprecated the Syscheck option <remove_old_diff> by making it mandatory. (#1915)
  • Fix invalid error "Unable to verity server certificate" in ossec-authd (server). (#2045)
  • Remove deprecated flag REUSE_ID from the Makefile options. (#2107)
  • Syscheck first queue error message changed into a warning. (#2146)
  • Do the DEB and RPM package scan regardless of Linux distribution. (#2168)
  • AWS VPC configuration in the AWS wodle (#2242).
  • Hide warning log by FIM when cannot open a file that has just been removed. (#2201)
  • The default FIM configuration will ignore some temporary files. (#2202)

Fixed

  • Fixed error description in the osquery configuration parser (by @pillarsdotnet). (#1499)
  • The FTS comment option <ftscomment> was not being read (by @pillarsdotnet). (#1536)
  • Fixed error when multigroup files are not found. (#1792)
  • Fix error when assigning multiple groups whose names add up to more than 4096 characters. (#1792)
  • Replaced "getline" function with "fgets" in vulnerability-detector to avoid compilation errors with older versions of libC. (#1822)
  • Fix bug in Wazuh DB when trying to store multiple network interfaces with the same IP from Syscollector. (#1928)
  • Improved consistency of multigroups. (#1985)
  • Fixed the reading of the OS name and version in HP-UX systems. (#1990)
  • Prevent the agent from producing an error on platforms that don't support network timeout. (#2001)
  • Logcollector could not set the maximum file limit on HP-UX platform. (2030)
  • Allow strings up to 64KB long for log difference analysis. (#2032)
  • Now agents keep their registration date when upgrading the manager. (#2033)
  • Create an empty client.keys file on a fresh installation of a Windows agent. (2040)
  • Allow CDB list keys and values to have double quotes surrounding. (#2046)
  • Remove file queue/db/.template.db on upgrade / restart. (2073)
  • Fix error on Analysisd when check_value doesn't exist. (2080)
  • Prevent Rootcheck from looking for invalid link count in agents running on Solaris (by @ecsc-georgew). (2087)
  • Fixed the warning messages when compiling the agent on AIX. (2099)
  • Fix missing library when building Wazuh with MySQL support. (#2108)
  • Fix compile warnings for the Solaris platform. (#2121)
  • Fixed regular expression for audit.key in audit decoder. (#2134)
  • Agent's ossec-control stop should wait a bit after killing a process. (#2149)
  • Fixed error ocurred while monitoring symbolic links in Linux. (#2152)
  • Fixed some bugs in Logcollector: (#2154)
    • If Logcollector picks up a log exceeding 65279 bytes, that log may lose the null-termination.
    • Logcollector crashes if multiple wildcard stanzas resolve the same file.
    • An error getting the internal file position may lead to an undefined condition.
  • Execd daemon now runs even if active response is disabled (#2177)
  • Fix high precision timestamp truncation in rsyslog messages. (#2128)
  • Fix missing Whodata section to the remote configuration query. (#2173)
  • Bugfixes in AWS wodle (#2242):
    • Fixed bug in AWS Guard Duty alerts when there were multiple remote IPs.
    • Fixed bug when using flag remove_from_bucket.
    • Fixed bug when reading buckets generating more than 1000 logs in the same day.
    • Increase qty of aws.eventNames and remove usage of aws.eventSources.
  • Fix bug in cluster configuration when using Kubernetes (#2227).
  • Fix network timeout setup in agent running on Windows. (#2185)
  • Fix default values for the <auto_ignore> option. (#2210)
  • Fix bug that made Modulesd and Remoted crash on ARM architecture. (#2214)
  • The regex parser included the next character after a group:
    • If the input string just ends after that character. (#2216)
    • The regex parser did not accept a group terminated with an escaped byte or a class. (#2224)
  • Fixed buffer overflow hazard in FIM when performing change report on long paths on macOS platform. (#2285)
  • Fix sending of the owner attribute when a file is created in Windows. (#2292)
  • Fix audit reconnection to the Whodata socket (#2305)
  • Fixed agent connection in TCP mode on Windows XP. (#2329)
  • Fix log shown when a command reaches its timeout and ignore_output is enabled. (#2316)
  • Analysisd and Syscollector did not detect the number of cores on Raspberry Pi. (#2304)
  • Analysisd and Syscollector did not detect the number of cores on CentOS 5. (#2340)

[v3.7.2] - 2018-12-17

Changed

  • Logcollector will fully read a log file if it reappears after being deleted. (#2041)

Fixed

  • Fix some bugs in Logcollector: (#2041)
    • Logcollector ceases monitoring any log file containing a binary zero-byte.
    • If a local file defined with wildcards disappears, Logcollector incorrectly shows a negative number of remaining open attempts.
    • Fixed end-of-file detection for text-based file formats.
  • Fixed a bug in Analysisd that made it crash when decoding a malformed FIM message. (#2089)

[v3.7.1] - 2018-12-05

Added

  • New internal option remoted.guess_agent_group allowing agent group guessing by Remoted to be optional. (#1890)
  • Added option to configure another audit keys to monitor. (#1882)
  • Added option to create the SSL certificate and key with the install.sh script. (#1856)
  • Add IPv6 support to host-deny.sh script. (by @iasdeoupxe). (#1583)
  • Added tracing information (PID, function, file and line number) to logs when debugging is enabled. (#1866)

Changed

  • Change errors messages to descriptive warnings in Syscheck when a files is not reachable. (#1730)
  • Add default values to global options to let the manager start. (#1894)
  • Improve Remoted performance by reducing interaction between threads. (#1902)

Fixed

  • Prevent duplicates entries for denied IP addresses by host-deny.sh. (by @iasdeoupxe). (#1583)
  • Fix issue in Logcollector when reaching the file end before getting a full line. (#1744)
  • Throw an error when a nonexistent CDB file is added in the ossec.conf file. (#1783)
  • Fix bug in Remoted that truncated control messages to 1024 bytes. (#1847)
  • Avoid that the attribute ignore of rules silence alerts. (#1874)
  • Fix race condition when decoding file permissions. (#1879
  • Fix to overwrite FIM configuration when directories come in the same tag separated by commas. (#1886)
  • Fixed issue with hash table handling in FTS and label management. (#1889)
  • Fixed id's and description of FIM alerts. (#1891)
  • Fix log flooding by Logcollector when monitored files disappear. (#1893)
  • Fix bug configuring empty blocks in FIM. (#1897)
  • Let the Windows agent reset the random generator context if it's corrupt. (#1898)
  • Prevent Remoted from logging errors if the cluster configuration is missing or invalid. (#1900)
  • Fix race condition hazard in Remoted when handling control messages. (#1902)
  • Fix uncontrolled condition in the vulnerability-detector version checker. (#1932)
  • Restore support for Amazon Linux in vulnerability-detector. (#1932)
  • Fixed starting wodles after a delay specified in interval when run_on_start is set to no, on the first run of the agent. (#1906)
  • Prevent agent-auth tool from creating the file client.keys outside the agent's installation folder. (#1924)
  • Fix symbolic links attributes reported by syscheck in the alerts. (#1926)
  • Added some improvements and fixes in Whodata. (#1929)
  • Fix FIM decoder to accept Windows user containing spaces. (#1930)
  • Add missing field restrict when querying the FIM configuration remotely. (#1931)
  • Fix values of FIM scan showed in agent_control info. (#1940)
  • Fix agent group updating in database module. (#2004)
  • Logcollector prevents vmhgfs from synchronizing the inode. (#2022)
  • File descriptor leak that may impact agents running on UNIX platforms. (#2021)
  • CIS-CAT events were being processed by a wrong decoder. (#2014)

[v3.7.0] - 2018-11-10

Added

  • Adding feature to remotely query agent configuration on demand. (#548)
  • Boost Analysisd performance with multithreading. (#1039)
  • Adding feature to let agents belong to multiple groups. (#1135)
  • Boost FIM decoding performance by storing data into Wazuh DB using SQLite databases. (#1333)
    • FIM database is cleaned after restarting agent 3 times, deleting all entries that left being monitored.
    • Added script to migrate older Syscheck databases to WazuhDB. (#1504) (#1333)
  • Added rule testing output when restarting manager. (#1196)
  • New wodle for Azure environment log and process collection. (#1306)
  • New wodle for Docker container monitoring. (#1368)
  • Disconnect manager nodes in cluster if no keep alive is received or sent during two minutes. (#1482)
  • API requests are forwarded to the proper manager node in cluster. (#885)
  • Centralized configuration pushed from manager overwrite the configuration of directories that exist with the same path in ossec.conf. (#1740)

Changed

  • Refactor Python framework code to standardize database requests and support queries. (#921)
  • Replaced the execvpe function by execvp for the Wazuh modules. (#1207)
  • Avoid the use of reference ID in Syscollector network tables. (#1315)
  • Make Syscheck case insensitive on Windows agent. (#1349)
  • Avoid conflicts with the size of time_t variable in wazuh-db. (#1366)
  • Osquery integration updated: (#1369)
    • Nest the result data into a "osquery" object.
    • Extract the pack name into a new field.
    • Include the query name in the alert description.
    • Minor fixes.
  • Increased AWS S3 database entry limit to 5000 to prevent reprocessing repeated events. (#1391)
  • Increased the limit of concurrent agent requests: 1024 by default, configurable up to 4096. (#1473)
  • Change the default vulnerability-detector interval from 1 to 5 minutes. (#1729)
  • Port the UNIX version of Auth client (agent_auth) to the Windows agent. (#1790)
    • Support of TLSv1.2 through embedded OpenSSL library.
    • Support of SSL certificates for agent and manager validation.
    • Unify Auth client option set.

Fixed

  • Fixed email_alerts configuration for multiple recipients. (#1193)
  • Fixed manager stopping when no command timeout is allowed. (#1194)
  • Fixed getting RAM memory information from mac OS X and FreeBSD agents. (#1203)
  • Fixed mandatory configuration labels check. (#1208)
  • Fix 0 value at check options from Syscheck. (1209)
  • Fix bug in whodata field extraction for Windows. (#1233)
  • Fix stack overflow when monitoring deep files. (#1239)
  • Fix typo in whodata alerts. (#1242)
  • Fix bug when running quick commands with timeout of 1 second. (#1259)
  • Prevent offline agents from generating vulnerability-detector alerts. (#1292)
  • Fix empty SHA256 of rotated alerts and log files. (#1308)
  • Fixed service startup on error. (#1324)
  • Set connection timeout for Auth server (#1336)
  • Fix the cleaning of the temporary folder. (#1361)
  • Fix check_mtime and check_inode views in Syscheck alerts. (#1364)
  • Fixed the reading of the destination address and type for PPP interfaces. (#1405)
  • Fixed a memory bug in regex when getting empty strings. (#1430)
  • Fixed report_changes with a big ammount of files. (#1465)
  • Prevent Logcollector from null-terminating socket output messages. (#1547)
  • Fix timeout overtaken message using infinite timeout. (#1604)
  • Prevent service from crashing if global.db is not created. (#1485)
  • Set new agent.conf template when creating new groups. (#1647)
  • Fix bug in Wazuh Modules that tried to delete PID folders if a subprocess call failed. (#1836)

[v3.6.1] - 2018-09-07

Fixed

  • Fixed ID field length limit in JSON alerts, by @gandalfn. (#1052)
  • Fix segmentation fault when the agent version is empty in Vulnerability Detector. (#1191)
  • Fix bug that removes file extensions in rootcheck. (#1197)
  • Fixed incoherence in Client Syslog between plain-text and JSON alert input in <location> filter option. (#1204)
  • Fixed missing agent name and invalid predecoded hostname in JSON alerts. (#1213)
  • Fixed invalid location string in plain-text alerts. (#1213)
  • Fixed default stack size in threads on AIX and HP-UX. (#1215)
  • Fix socket error during agent restart due to daemon start/stop order. (#1221)
  • Fix bug when checking agent configuration in logcollector. (#1225)
  • Fix bug in folder recursion limit count in FIM real-time mode. (#1226)
  • Fixed errors when parsing AWS events in Elasticsearch. (#1229)
  • Fix bug when launching osquery from Wazuh. (#1230)

[v3.6.0] - 2018-08-29

Added

  • Add rescanning of expanded files with wildcards in logcollector (#332)
  • Parallelization of logcollector (#627)
    • Now the input of logcollector is multithreaded, reading logs in parallel.
    • A thread is created for each type of output socket.
    • Periodically rescan of new files.
    • New options have been added to internal_options.conf file.
  • Added statistical functions to remoted. (#682)
  • Rootcheck and Syscheck (FIM) will run independently. (#991)
  • Add hash validation for binaries executed by the wodle command. (#1027)
  • Added a recursion level option to Syscheck to set the directory scanning depth. (#1081)
  • Added inactive agent filtering option to agent_control, syscheck_control and rootcheck control_tools. (#1088)
  • Added custom tags to FIM directories and registries. (#1096)
  • Improved AWS CloudTrail wodle by @UranusBytes (#913 & #1105).
  • Added support to process logs from more AWS services: Guard Duty, IAM, Inspector, Macie and VPC. (#1131).
  • Create script for blocking IP's using netsh-advfirewall. (#1172).

Changed

  • The maximum log length has been extended up to 64 KiB. (#411)
  • Changed logcollector analysis message order. (#675)
  • Let hostname field be the name of the agent, without the location part. (#1080)
  • The internal option syscheck.max_depth has been renamed to syscheck.default_max_depth. (#1081)
  • Show warning message when configuring vulnerability-detector for an agent. (#1130)
  • Increase the minimum waiting time from 0 to 1 seconds in Vulnerability-Detector. (#1132)
  • Prevent Windows agent from not loading the configuration if an AWS module block is found. (#1143)
  • Set the timeout to consider an agent disconnected to 1800 seconds in the framework. (#1155)

Fixed

  • Fix agent ID zero-padding in alerts coming from Vulnerability Detector. (#1083)
  • Fix multiple warnings when agent is offline. (#1086)
  • Fixed minor issues in the Makefile and the sources installer on HP-UX, Solaris on SPARC and AIX systems. (#1089)
  • Fixed SHA256 changes messages in alerts when it is disabled. (#1100)
  • Fixed empty configuration blocks for Wazuh modules. (#1101)
  • Fix broken pipe error in Wazuh DB by Vulnerability Detector. (#1111)
  • Restored firewall-drop AR script for Linux. (#1114)
  • Fix unknown severity in Red Hat systems. (#1118)
  • Added a building flag to compile the SQLite library externally for the API. (#1119)
  • Fixed variables length when storing RAM information by Syscollector. (#1124)
  • Fix Red Hat vulnerability database update. (#1127)
  • Fix allowing more than one wodle command. (#1128)
  • Fixed after_regex offset for the decoding algorithm. (#1129)
  • Prevents some vulnerabilities from not being checked for Debian. (#1166)
  • Fixed legacy configuration for vulnerability-detector. (#1174)
  • Fix active-response scripts installation for Windows. (#1182).
  • Fixed open-scap deadlock when opening large files. (#1206). Thanks to @juergenc for detecting this issue.

Removed

  • The 'T' multiplier has been removed from option max_output_size. (#1089)

[v3.5.0] - 2018-08-10

Added

  • Improved configuration of OVAL updates. (#416)
  • Added selective agent software request in vulnerability-detector. (#404)
  • Get Linux packages inventory natively. (#441)
  • Get Windows packages inventory natively. (#471)
  • Supporting AES encryption for manager and agent. (#448)
  • Added Debian and Ubuntu 18 support in vulnerability-detector. (#470)
  • Added Rids Synchronization. (#459)
  • Added option for setting the group that the agent belongs to when registering it with authd (#460)
  • Added option for setting the source IP when the agent registers with authd (#460)
  • Added option to force the vulnerability detection in unsupported OS. (#462)
  • Get network inventory natively. (#546)
  • Add arch check for Red Hat's OVAL in vulnerability-detector. (#625)
  • Integration with Osquery. (#627)
    • Enrich osquery configuration with pack files aggregation and agent labels as decorators.
    • Launch osquery daemon in background.
    • Monitor results file and send them to the manager.
    • New option in rules <location> to filter events by osquery.
    • Support folders in shared configuration. This makes easy to send pack folders to agents.
    • Basic ruleset for osquery events and daemon logs.
  • Boost Remoted performance with multithreading. (#649)
    • Up to 16 parallel threads to decrypt messages from agents.
    • Limit the frequency of agent keys reloading.
    • Message input buffer in Analysisd to prevent control messages starvation in Remoted.
  • Module to download shared files for agent groups dinamically. (#519)
    • Added group creation for files.yml if the group does not exist. (#1010)
  • Added scheduling options to CIS-CAT integration. (#586)
  • Option to download the wpk using http in agent_upgrade. (#798)
  • Add 172.0.0.1 as manager IP when creating global.db. (#970)
  • New requests for Syscollector. (#728)
  • cluster_control shows an error if the status does not exist. (#1002)
  • Get Windows hardware inventory natively. (#831)
  • Get processes and ports inventory by the Syscollector module.
  • Added an integration with Kaspersky Endpoint Security for Linux via Active Response. (#1056)

Changed

  • Add default value for option -x in agent_control tool.
  • External libraries moved to an external repository.
  • Ignore OverlayFS directories on Rootcheck system scan.
  • Extracts agent's OS from the database instead of the agent-info.
  • Increases the maximum size of XML parser to 20KB.
  • Extract CVE instead of RHSA codes into vulnerability-detector. (#549)
  • Store CIS-CAT results into Wazuh DB. (#568)
  • Add profile information to CIS-CAT reports. (#658)
  • Merge external libraries into a unique shared library. (#620)
  • Cluster log rotation: set correct permissions and store rotations in /logs/ossec. (#667)
  • Distinct requests don't allow limit=0 or limit>maximun_limit. (#1007)
  • Deprecated arguments -i, -F and -r for Authd. (#1013)
  • Increase the internal memory for real-time from 12 KiB to 64 KiB. (#1062)

Fixed

  • Fixed invalid alerts reported by Syscollector when the event contains the word "error". (#461)
  • Silenced Vuls integration starting and ending alerts. (#541)
  • Fix problem comparing releases of ubuntu packages. (#556)
  • Windows delete pending active-responses before reset agent. (#563)
  • Fix bug in Rootcheck for Windows that searches for keys in 32-bit mode only. (#566)
  • Alert when unmerge files fails on agent. (#731)
  • Fixed bugs reading logs in framework. (#856)
  • Ignore uppercase and lowercase sorting an array in framework. (#814)
  • Cluster: reject connection if the client node has a different cluster name. (#892)
  • Prevent the JSON object must be str, not 'bytes' error. (#997)
  • Fix long sleep times in vulnerability detector.
  • Fix inconsistency in the alerts format for the manager in vulnerability-detector.
  • Fix bug when processing the packages in vulnerability-detector.
  • Prevent to process Syscollector events by the JSON decoder. (#674)
  • Stop Syscollector data storage into Wazuh DB when an error appears. (#674)
  • Fix bug in Syscheck that reported false positive about removed files. (#1044)
  • Fix bug in Syscheck that misinterpreted no_diff option. (#1046)
  • Fixes in file integrity monitoring for Windows. (#1062)
    • Fix Windows agent crash if FIM fails to extract the file owner.
    • Prevent FIM real-time mode on Windows from stopping if the internal buffer gets overflowed.
  • Prevent large logs from flooding the log file by Logcollector. (#1067)
  • Fix allowing more than one wodle command and compute command timeout when ignore_output is enabled. (#1102)

Removed

  • Deleted Lua language support.
  • Deleted integration with Vuls. (#879)
  • Deleted agent_list tool, replaced by agent_control. (ba0265b)

[v3.4.0] - 2018-07-24

Added

  • Support for SHA256 checksum in Syscheck (by @arshad01). (#410)
  • Added an internal option for Syscheck to tune the RT alerting delay. (#434)
  • Added two options in the tag <auto_ignore> frequency and timeframe to hide alerts when they are played several times in a given period of time. (#857)
  • Include who-data in Syscheck for file integrity monitoring. (#756)
    • Linux Audit setup and monitoring to watch directories configured with who-data.
    • Direct communication with Auditd on Linux to catch who-data related events.
    • Setup of SACL for monitored directories on Windows.
    • Windows Audit events monitoring through Windows Event Channel.
    • Auto setup of audit configuration and reset when the agent quits.
  • Syscheck in frequency time show alerts from deleted files. (#857)
  • Added an option target to customize output format per-target in Logcollector. (#863)
  • New option for the JSON decoder to choose the treatment of NULL values. (#677)
  • Remove old snapshot files for FIM. (#872)
  • Distinct operation in agents. (#920)
  • Added support for unified WPK. (#865)
  • Added missing debug options for modules in the internal options file. (#901)
  • Added recursion limits when reading directories. (#947)

Changed

  • Renamed cluster client node type to worker (#850).
  • Changed a descriptive message in the alert showing what attributes changed. (#857)
  • Change visualization of Syscheck alerts. (#857)
  • Add all the available fields in the Syscheck messages from the Wazuh configuration files. (#857)
  • Now the no_full_log option only affects JSON alerts. (#881)
  • Delete temporary files when stopping Wazuh. (#732)
  • Send OpenSCAP checks results to a FIFO queue instead of temporary files. (#732)
  • Default behavior when starting Syscheck and Rootcheck components. (#829)
    • They are disabled if not appear in the configuration.
    • They can be set up as empty blocks in the configuration, applying their default values.
    • Improvements of error and information messages when they start.
  • Improve output of DELETE/agents when no agents were removed. (#868)
  • Include the file owner SID in Syscheck alerts.
  • Change no previous checksum error message to information log. (#897)
  • Changed default Syscheck scan speed: 100 files per second. (#975)
  • Show network protocol used by the agent when connecting to the manager. (#980)

Fixed

  • Syscheck RT process granularized to make frequency option more accurate. (#434)
  • Fixed registry_ignore problem on Syscheck for Windows when arch="both" was used. (#525)
  • Allow more than 256 directories in real-time for Windows agent using recursive watchers. (#540)
  • Fix weird behavior in Syscheck when a modified file returns back to its first state. (#434)
  • Replace hash value xxx (not enabled) for n/a if the hash couldn't be calculated. (#857)
  • Do not report uid, gid or gname on Windows (avoid user=0). (#857)
  • Several fixes generating sha256 hash. (#857)
  • Fixed the option report_changes configuration. (#857)
  • Fixed the 'report_changes' configuration when 'sha1' option is not set. (#857)
  • Fix memory leak reading logcollector config. (#884)
  • Fixed crash in Slack integration for alerts that don't have full log. (#880)
  • Fixed active-responses.log definition path on Windows configuration. (#739)
  • Added warning message when updating Syscheck/Rootcheck database to restart the manager. (#817)
  • Fix PID file creation checking. (#822)
    • Check that the PID file was created and written.
    • This would prevent service from running multiple processes of the same daemon.
  • Fix reading of Windows platform for 64 bits systems. (#832)
  • Fixed Syslog output parser when reading the timestamp from the alerts in JSON format. (#843)
  • Fixed filter for gpg-pubkey packages in Syscollector. (#847)
  • Fixed bug in configuration when reading the repeated_offenders option in Active Response. (#873)
  • Fixed variables parser when loading rules. (#855)
  • Fixed parser files names in the Rootcheck scan. (#840)
  • Removed frequency offset in rules. (#827).
  • Fix memory leak reading logcollector config. (#884)
  • Fixed sort agents by status in GET/agents API request. (#810)
  • Added exception when no agents are selected to restart. (#870)
  • Prevent files from remaining open in the cluster. (#874)
  • Fix network unreachable error when cluster starts. (#800)
  • Fix empty rules and decoders file check. (#887)
  • Prevent to access an unexisting hash table from 'whodata' thread. (#911)
  • Fix CA verification with more than one 'ca_store' definitions. (#927)
  • Fix error in syscollector API calls when Wazuh is installed in a directory different than /var/ossec. (#942).
  • Fix error in CentOS 6 when wazuh-cluster is disabled. (#944).
  • Fix Remoted connection failed warning in TCP mode due to timeout. (#958)
  • Fix option 'rule_id' in syslog client. (#979)
  • Fixed bug in legacy agent's server options that prevented it from setting port and protocol.

[v3.3.1] - 2018-06-18

Added

  • Added total_affected_agents and total_failed_ids to the DELETE/agents API request. (#795)

Changed

  • Management of empty blocks in the configuration files. (#781)
  • Verify WPK with Wazuh CA by default. (#799)

Fixed

  • Windows prevents agent from renaming file. (#773)
  • Fix manager-agent version comparison in remote upgrades. (#765)
  • Fix log flooding when restarting agent while the merged file is being receiving. (#788)
  • Fix issue when overwriting rotated logs in Windows agents. (#776)
  • Prevent OpenSCAP module from running on Windows agents (incompatible). (#777)
  • Fix issue in file changes report for FIM on Linux when a directory contains a backslash. (#775)
  • Fixed missing minor field in agent data managed by the framework. (#771)
  • Fixed missing build and key fields in agent data managed by the framework. (#802)
  • Fixed several bugs in upgrade agents (#784):
    • Error upgrading an agent with status Never Connected.
    • Fixed API support.
    • Sockets were not closing properly.
  • Cluster exits showing an error when an error occurs. (#790)
  • Fixed bug when cluster control or API cannot request the list of nodes to the master. (#762)
  • Fixed bug when the agent.conf contains an unrecognized module. (#796)
  • Alert when unmerge files fails on agent. (#731)
  • Fix invalid memory access when parsing ruleset configuration. (#787)
  • Check version of python in cluster control. (#760)
  • Removed duplicated log message when Rootcheck is disabled. (#783)
  • Avoid infinite attempts to download CVE databases when it fails. (#792)

[v3.3.0] - 2018-06-06

Added

  • Supporting multiple socket output in Logcollector. (#395)
  • Allow inserting static field parameters in rule comments. (#397)
  • Added an output format option for Logcollector to build custom logs. (#423)
  • Included millisecond timing in timestamp to JSON events. (#467)
  • Added an option in Analysisd to set input event offset for plugin decoders. (#512)
  • Allow decoders mix plugin and multiregex children. (#602)
  • Added the option to filter by any field in get_agents_overview, get_agent_group and get_agents_without_group functions of the Python framework. (#743)

Changed

  • Add default value for option -x in agent_upgrade tool.
  • Changed output of agents in cluster control. (#741)

Fixed

  • Fix bug in Logcollector when removing duplicate localfiles. (#402)
  • Fix memory error in Logcollector when using wildcards.
  • Prevent command injection in Agentless daemon. (#600)
  • Fixed bug getting the agents in cluster control. (#741)
  • Prevent Logcollector from reporting an error when a path with wildcards matches no files.
  • Fixes the feature to group with the option multi-line. (#754)

[v3.2.4] - 2018-06-01

Fixed

  • Fixed segmentation fault in maild when <queue-size> is included in the global configuration.
  • Fixed bug in Framework when retrieving mangers logs. (#644)
  • Fixed bug in clusterd to prevent the synchronization of .swp files. (#694)
  • Fixed bug in Framework parsing agent configuration. (#681)
  • Fixed several bugs using python3 with the Python framework. (#701)

[v3.2.3] - 2018-05-28

Added

  • New internal option to enable merged file creation by Remoted. (#603)
  • Created alert item for GDPR and GPG13. (#608)
  • Add support for Amazon Linux in vulnerability-detector.
  • Created an input queue for Analysisd to prevent Remoted starvation. (#661)

Changed

  • Set default agent limit to 14.000 and file descriptor limit to 65.536 per process. (#624)
  • Cluster improvements.
    • New protocol for communications.
    • Inverted communication flow: clients start communications with the master.
    • Just the master address is required in the <nodes> list configuration.
    • Improved synchronization algorithm.
    • Reduced the number of processes to one: wazuh-clusterd.
  • Cluster control tool improvements: outputs are the same regardless of node type.
  • The default input queue for remote events has been increased to 131072 events. (#660)
  • Disconnected agents will no longer report vulnerabilities. (#666)

Fixed

  • Fixed agent wait condition and improve logging messages. (#550)
  • Fix race condition in settings load time by Windows agent. (#551)
  • Fix bug in Authd that prevented it from deleting agent-info files when removing agents.
  • Fix bug in ruleset that did not overwrite the <info> option. (#584)
  • Fixed bad file descriptor error in Wazuh DB (#588)
  • Fixed unpredictable file sorting when creating merged files. (#599)
  • Fixed race condition in Remoted when closing connections.
  • Fix epoch check in vulnerability-detector.
  • Fixed hash sum in logs rotation. (#636)
  • Fixed cluster CPU usage.
  • Fixed invalid deletion of agent timestamp entries. (#639)
  • Fixed segmentation fault in logcollector when multi-line is applied to a remote configuration. (#641)
  • Fixed issue in Syscheck that may leave the process running if the agent is stopped quickly. (#671)

Removed

  • Removed cluster database and internal cluster daemon.

[v3.2.2] - 2018-05-07

Added

  • Created an input queue for Remoted to prevent agent connection starvation. (#509)

Changed

  • Updated Slack integration. (#443)
  • Increased connection timeout for remote upgrades. (#480)
  • Vulnerability-detector does not stop agents detection if it fails to find the software for one of them.
  • Improve the version comparator algorithm in vulnerability-detector. (#508)

Fixed

  • Fixed bug in labels settings parser that may make Agentd or Logcollector crash.
  • Fixed issue when setting multiple <server-ip> stanzas in versions 3.0 - 3.2.1. (#433)
  • Fixed bug when socket database messages are not sent correctly. (#435)
  • Fixed unexpected stop in the sources installer when overwriting a previous corrupt installation.
  • Added a synchronization timeout in the cluster to prevent it from blocking (#447)
  • Fixed issue in CSyslogd when filtering by rule group. (#446)
  • Fixed error on DB daemon when parsing rules with options introduced in version 3.0.0.
  • Fixed unrecognizable characters error in Windows version name. (#478)
  • Fix Authd client in old versions of Windows (#479)
  • Cluster's socket management improved to use persistent connections (#481)
  • Fix memory corruption in Syscollector decoder and memory leaks in Vulnerability Detector. (#482)
  • Fixed memory corruption in Wazuh DB autoclosing procedure.
  • Fixed dangling db files at DB Sync module folder. (#489)
  • Fixed agent group file deletion when using Authd.
  • Fix memory leak in Maild with JSON input. (#498)
  • Fixed remote command switch option. (#504)

[v3.2.1] - 2018-03-03

Added

  • Added option in Makefile to disable CIS-CAT module. (#381)
  • Added field totalItems to GET/agents/purgeable/:timeframe API call. (#385)

Changed

  • Giving preference to use the selected Java over the default one in CIS-CAT wodle.
  • Added delay between message delivery for every module. (#389)
  • Verify all modules for the shared configuration. (#408)
  • Updated OpenSSL library to 1.1.0g.
  • Insert agent labels in JSON archives no matter the event matched a rule.
  • Support for relative/full/network paths in the CIS-CAT configuration. (#419)
  • Improved cluster control to give more information. (#421)
  • Updated rules for CIS-CAT.
  • Removed unnecessary compilation of vulnerability-detector in agents.
  • Increased wazuh-modulesd's subprocess pool.
  • Improved the agent software recollection by Syscollector.

Fixed

  • Fixed crash in Agentd when testing Syscollector configuration from agent.conf file.
  • Fixed duplicate alerts in Vulnerability Detector.
  • Fixed compiling issues in Solaris and HP-UX.
  • Fixed bug in Framework when listing directories due to permissions issues.
  • Fixed error handling in CIS-CAT module. (#401)
  • Fixed some defects reported by Coverity. (#406)
  • Fixed OS name detection in macOS and old Linux distros. (#409)
  • Fixed linked in HP-UX.
  • Fixed Red Hat detection in vulnerability-detector.
  • Fixed segmentation fault in wazuh-cluster when files path is too long.
  • Fixed a bug getting groups and searching by them in GET/agents API call. (#390)
  • Several fixes and improvements in cluster.
  • Fixed bug in wazuh-db when closing exceeded databases in transaction.
  • Fixed bug in vulnerability-detector that discarded valid agents.
  • Fixed segmentation fault in Windows agents when getting OS info.
  • Fixed memory leaks in vulnerability-detector and CIS-CAT wodle.
  • Fixed behavior when working directory is not found in CIS-CAT wodle.

[v3.2.0] - 2018-02-13

Added

  • Added support to synchronize custom rules and decoders in the cluster.(#344)
  • Add field status to GET/agents/groups/:group_id API call.(#338)
  • Added support for Windows to CIS-CAT integration module (#369)
  • New Wazuh Module "aws-cloudtrail" fetching logs from S3 bucket. (#351)
  • New Wazuh Module "vulnerability-detector" to detect vulnerabilities in agents and managers.

Fixed

  • Fixed oscap.py to support new versions of OpenSCAP scanner.(#331)
  • Fixed timeout bug when the cluster port was closed. (#343)
  • Improve exception handling in cluster_control. (#343)
  • Fixed bug in cluster when receive an error response from client. (#346)
  • Fixed bug in framework when the manager is installed in different path than /var/ossec. (#335)
  • Fixed predecoder hostname field in JSON event output.
  • Several fixes and improvements in cluster.

[v3.1.0] - 2017-12-22

Added

  • New Wazuh Module "command" for asynchronous command execution.
  • New field "predecoder.timestamp" for JSON alerts including timestamp from logs.
  • Added reload action to ossec-control in local mode.
  • Add duration control of a cluster database synchronization.
  • New internal option for agents to switch applying shared configuration.
  • Added GeoIP address finding for input logs in JSON format.
  • Added alert and archive output files rotation capabilities.
  • Added rule option to discard field "firedtimes".
  • Added VULS integration for running vulnerability assessments.
  • CIS-CAT Wazuh Module to scan CIS policies.

Changed

  • Keepping client.keys file permissions when modifying it.
  • Improve Rootcheck formula to select outstanding defects.
  • Stop related daemon when disabling components in ossec-control.
  • Prevented cluster daemon from starting on RHEL 5 or older.
  • Let Syscheck report file changes on first scan.
  • Allow requests by node name in cluster_control binary.
  • Improved help of cluster_control binary.
  • Integrity control of files in the cluster.

Fixed

  • Fixed netstat command in localfile configuration.
  • Fixed error when searching agents by ID.
  • Fixed syslog format pre-decoder for logs with missing (optional) space after tag.
  • Fixed alert ID when plain-text alert output disabled.
  • Fixed Monitord freezing when a sendmail-like executable SMTP server is set.
  • Fixed validation of Active Response used by agent_control.
  • Allow non-ASCII characters in Windows version string.

[v3.0.0] - 2017-12-12

Added

  • Added group property for agents to customize shared files set.
  • Send shared files to multiple agents in parallel.
  • New decoder plugin for logs in JSON format with dynamic fields definition.
  • Brought framework from API to Wazuh project.
  • Show merged files MD5 checksum by agent_control and framework.
  • New reliable request protocol for manager-agent communication.
  • Remote agent upgrades with signed WPK packages.
  • Added option for Remoted to prevent it from writing shared merged file.
  • Added state for Agentd and Windows agent to notify connection state and metrics.
  • Added new JSON log format for local file monitoring.
  • Added OpenSCAP SSG datastream content for Ubuntu Trusty Tahr.
  • Field "alert_id" in JSON alerts (by Dan Parriott).
  • Added support of "any" IP address to OSSEC batch manager (by Jozef Reisinger).
  • Added ossec-agent SElinux module (by kreon).
  • Added previous output to JSON output (by João Soares).
  • Added option for Authd to specify the allowed cipher list (by James Le Cuirot).
  • Added option for cipher suites in Authd settings.
  • Added internal option for Remoted to set the shared configuration reloading time.
  • Auto restart agents when new shared configuration is pushed from the manager.
  • Added native support for Systemd.
  • Added option to register unlimited agents in Authd.
  • New internal option to limit the number of file descriptors in Analysisd and Remoted.
  • Added new state "pending" for agents.
  • Added internal option to disable real-time DB synchronization.
  • Allow multiple manager stanzas in Agentd settings.
  • New internal option to limit the receiving time in TCP mode.
  • Added manager hostname data to agent information.
  • New option for rotating internal logs by size.
  • Added internal option to enable or disable daily rotation of internal logs.
  • Added command option for Monitord to overwrite 'day_wait' parameter.
  • Adding templates and sample alert for Elasticsearch 6.0.
  • Added option to enable/disable Authd on install and auto-generate certificates.
  • Pack secure TCP messages into a single packet.
  • Added function to install SCAP policies depending on OS version.
  • Added integration with Virustotal.
  • Added timeout option for TCP sockets in Remoted and Agentd.
  • Added option to start the manager after installing.
  • Added a cluster of managers (wazuh-clusterd) and a script to control it (cluster_control).

Changed

  • Increased shared file delivery speed when using TCP.
  • Increased TCP listening socket backlog.
  • Changed Windows agent UI panel to show revision number instead of installation date.
  • Group every decoded field (static and dynamic fields) into a data object for JSON alerts.
  • Reload shared files by Remoted every 10 minutes.
  • Increased string size limit for XML reader to 4096 bytes.
  • Updated Logstash configuration and Elasticsearch mappings.
  • Changed template fields structure for Kibana dashboards.
  • Increased dynamic field limit to 1024, and default to 256.
  • Changed agent buffer 'length' parameter to 'queue_size'.
  • Changed some Rootcheck error messages to verbose logs.
  • Removed unnecessary message by manage_agents advising to restart Wazuh manager.
  • Update PF tables Active response (by d31m0).
  • Create the users and groups as system users and groups in specs (by Dan Parriott).
  • Show descriptive errors when an agent loses the connection using TCP.
  • Prevent agents with the same name as the manager host from getting added.
  • Changed 'message' field to 'data' for successful agent removing response in Authd API.
  • Changed critical error to standard error in Syslog Remoted when no access list has been configured.
  • Ignore hidden files in shared folder for merged file.
  • Changed agent notification time values: notify time to 1 minute and reconnect time to 5 minutes.
  • Prevent data field from being inserted into JSON alerts when it's empty.
  • Spelling corrections (by Josh Soref).
  • Moved debug messages when updating shared files to level 2.
  • Do not create users ossecm or ossecr on agents.
  • Upgrade netstat command in Logcollector.
  • Prevent Monitord and DB sync module from dealing with agent files on local installations.
  • Speed up DB syncing by keeping databases opened and an inotify event queue.
  • Merge server's IP and hostname options to one setting.
  • Enabled Active Response by default in both Windows and UNIX.
  • Make Monitord 'day_wait' internal option affect log rotation.
  • Extend Monitord 'day_wait' internal option range.
  • Prevent Windows agent from log error when the manager disconnected.
  • Improve Active Response filtering options.
  • Use init system (Systemd/SysVinit) to restart Wazuh when upgrading.
  • Added possibility of filtering agents by manager hostname in the Framework.
  • Prevent installer from overwriting agent.conf file.
  • Cancel file sending operation when agent socket is closed.
  • Clean up agent shared folder before unmerging shared configuration.
  • Print descriptive error when request socket refuses connection due to AR disabled.
  • Extend Logcollector line burst limit range.
  • Fix JSON alert file reloading when the file is rotated.
  • Merge IP and Hostname server configuration into "Address" field.
  • Improved TCP transmission performance by packing secure messages.

Fixed

  • Fixed wrong queries to get last Syscheck and Rootcheck date.
  • Prevent Logcollector keep-alives from being stored on archives.json.
  • Fixed length of random message within keep-alives.
  • Fixed Windows version detection for Windows 8 and newer.
  • Fixed incorrect CIDR writing on client.keys by Authd.
  • Fixed missing buffer flush by Analysisd when updating Rootcheck database.
  • Stop Wazuh service before removing folder to reinstall.
  • Fixed Remoted service for Systemd (by Phil Porada).
  • Fixed Administrator account mapping in Windows agent installation (by [email protected]).
  • Fixed MySQL support in dbd (by [email protected]).
  • Fixed incorrect warning when unencrypting messages (by Dan Parriott).
  • Fixed Syslog mapping for alerts via Csyslogd (by Dan Parriott).
  • Fixed syntax error in the creation of users in Solaris 11.2 (by Pedro Flor).
  • Fixed some warnings that appeared when compiling on Fedora 26.
  • Fixed permission issue in logs folder.
  • Fixed issue in Remoted that prevented it from send shared configuration when it changed.
  • Fixed Windows agent compilation compability with CentOS.
  • Supporting different case from password prompt in Agentless (by Jesus Fidalgo).
  • Fix bad detection of inotify queue overflowed.
  • Fix repetitive error when a rule's diff file is empty.
  • Fixed log group permission when created by a daemon running as root.
  • Prevented Agentd from logging too many errors when restarted while receiving the merged file.
  • Prevented Remoted from sending data to disconnected agents in TCP mode.
  • Fixed alerts storage in PostgreSQL databases.
  • Fixed invalid previous output data in JSON alerts.
  • Fixed memory error in modulesd for invalid configurations.
  • Fixed default Auth configuration to support custom install directory.
  • Fixed directory transversal vulnerability in Active response commands.
  • Fixed Active response timeout accuracy.
  • Fixed race conditions in concurrent transmissions over TCP.

Removed

  • Removed Picviz support (by Dan Parriott).

[v2.1.1] - 2017-09-21

Changed

  • Improved errors messages related to TCP connection queue.
  • Changed info log about unsupported FS checking in Rootcheck scan to debug messages.
  • Prevent Modules daemon from giving critical error when no wodles are enabled.

Fixed

  • Fix endianess incompatibility in agents on SPARC when connecting via TCP.
  • Fix bug in Authd that made it crash when removing keys.
  • Fix race condition in Remoted when writing logs.
  • Avoid repeated errors by Remoted when sending data to a disconnected agent.
  • Prevented Monitord from rotating non-existent logs.
  • Some fixes to support HP-UX.
  • Prevent processes from sending events when TCP connection is lost.
  • Fixed output header by Syslog client when reading JSON alerts.
  • Fixed bug in Integrator settings parser when reading rules list.

[v2.1.0] - 2017-08-14

Added

  • Rotate and compress log feature.
  • Labeling data for agents to be shown in alerts.
  • New 'auth' configuration template.
  • Make manage_agents capable of add and remove agents via Authd.
  • Implemented XML configuration for Authd.
  • Option -F for Authd to force insertion if it finds duplicated name.
  • Local auth client to manage agent keys.
  • Added OS name and version into global.db.
  • Option for logging in JSON format.
  • Allow maild to send through a sendmail-like executable (by James Le Cuirot).
  • Leaky bucket-like buffer for agents to prevent network flooding.
  • Allow Syslog client to read JSON alerts.
  • Allow Mail reporter to read JSON alerts.
  • Added internal option to tune Rootcheck sleep time.
  • Added route-null Active Response script for Windows 2012 (by @CrazyLlama).

Changed

  • Updated SQLite library to 3.19.2.
  • Updated zlib to 1.2.11.
  • Updated cJSON library to 1.4.7.
  • Change some manage_agents option parameters.
  • Run Auth in background by default.
  • Log classification as debug, info, warning, error and critical.
  • Limit number of reads per cycle by Logcollector to prevent log starvation.
  • Limit OpenSCAP module's event forwarding speed.
  • Increased debug level of repeated Rootcheck messages.
  • Send events when OpenSCAP starts and finishes scans.
  • Delete PID files when a process exits not due to a signal.
  • Change error messages due to SSL handshake failure to debug messages.
  • Force group addition on installation for compatibility with LDAP (thanks to Gary Feltham).

Fixed

  • Fixed compiling error on systems with no OpenSSL.
  • Fixed compiling warning at manage_agents.
  • Fixed ossec-control enable/disable help message.
  • Fixed unique aperture of random device on Unix.
  • Fixed file sum comparison bug at Syscheck realtime engine. (Thanks to Arshad Khan)
  • Close analysisd if alert outputs are disabled for all formats.
  • Read Windows version name for versions newer than Windows 8 / Windows Server 2012.
  • Fixed error in Analysisd that wrote Syscheck and Rootcheck databases of re-added agents on deleted files.
  • Fixed internal option to configure the maximum labels' cache time.
  • Fixed Auth password parsing on client side.
  • Fix bad agent ID assignation in Authd on i686 architecture.
  • Fixed Logcollector misconfiguration in Windows agents.

Removed

  • Remove unused message queue to send alerts from Authd.

[v2.0.1] - 2017-07-19

Changed

  • Changed random data generator for a secure OS-provided generator.
  • Changed Windows installer file name (depending on version).
  • Linux distro detection using standard os-release file.
  • Changed some URLs to documentation.
  • Disable synchronization with SQLite databases for Syscheck by default.
  • Minor changes at Rootcheck formatter for JSON alerts.
  • Added debugging messages to Integrator logs.
  • Show agent ID when possible on logs about incorrectly formatted messages.
  • Use default maximum inotify event queue size.
  • Show remote IP on encoding format errors when unencrypting messages.
  • Remove temporary files created by Syscheck changes reports.
  • Remove temporary Syscheck files for changes reporting by Windows installer when upgrading.

Fixed

  • Fixed resource leaks at rules configuration parsing.
  • Fixed memory leaks at rules parser.
  • Fixed memory leaks at XML decoders parser.
  • Fixed TOCTOU condition when removing directories recursively.
  • Fixed insecure temporary file creation for old POSIX specifications.
  • Fixed missing agentless devices identification at JSON alerts.
  • Fixed FIM timestamp and file name issue at SQLite database.
  • Fixed cryptographic context acquirement on Windows agents.
  • Fixed debug mode for Analysisd.
  • Fixed bad exclusion of BTRFS filesystem by Rootcheck.
  • Fixed compile errors on macOS.
  • Fixed option -V for Integrator.
  • Exclude symbolic links to directories when sending FIM diffs (by Stephan Joerrens).
  • Fixed daemon list for service reloading at ossec-control.
  • Fixed socket waiting issue on Windows agents.
  • Fixed PCI_DSS definitions grouping issue at Rootcheck controls.
  • Fixed segmentation fault bug when stopping on CentOS 5.
  • Fixed compatibility with AIX.
  • Fixed race conditions in ossec-control script.
  • Fixed compiling issue on Windows.
  • Fixed compatibility with Solaris.
  • Fixed XML parsing error due to byte stashing issue.
  • Fixed false error by Syscheck when creating diff snapshots of empty files.
  • Fixed segmentation fault in Authd on i386 platform.
  • Fixed agent-auth exit code for controlled server's errors.
  • Fixed incorrect OVAL patch results classification.

[v2.0.0] - 2017-03-14

Added

  • Wazuh modules manager.
  • Wazuh module for OpenSCAP.
  • Ruleset for OpenSCAP alerts.
  • Kibana dashboards for OpenSCAP.
  • Option at agent_control to restart all agents.
  • Dynamic fields to rules and decoders.
  • Dynamic fields to JSON in alerts/archives.
  • CDB list lookup with dynamic fields.
  • FTS for dynamic fields.
  • Logcollector option to set the frequency of file checking.
  • GeoIP support in Alerts (by Scott R Shinn).
  • Internal option to output GeoIP data on JSON alerts.
  • Matching pattern negation (by Daniel Cid).
  • Syscheck and Rootcheck events on SQLite databases.
  • Data migration tool to SQLite databases.
  • Jenkins QA.
  • 64-bit Windows registry keys support.
  • Complete FIM data output to JSON and alerts.
  • Username, date and inode attributes to FIM events on Unix.
  • Username attribute to FIM events on Windows.
  • Report changes (FIM file diffs) to Windows agent.
  • File diffs to JSON output.
  • Elastic mapping updated for new FIM events.
  • Title and file fields extracted at Rootcheck alerts.
  • Rule description formatting with dynamic field referencing.
  • Multithreaded design for Authd server for fast and reliable client dispatching, with key caching and write scheduling.
  • Auth registration client for Windows (by Gael Muller).
  • Auth password authentication for Windows client.
  • New local decoder file by default.
  • Show server certificate and key paths at Authd help.
  • New option for Authd to verify agent's address.
  • Added support for new format at predecoder (by Brad Lhotsky).
  • Agentless passlist encoding to Base64.
  • New Auditd-specific log format for Logcollector.
  • Option for Authd to auto-choose TLS/SSL method.
  • Compile option for Authd to make it compatible with legacy OSs.
  • Added new templates layout to auto-compose configuration file.
  • New wodle for SQLite database syncing (agent information and fim/pm data).
  • Added XML settings options to exclude some rules or decoders files.
  • Option for agent_control to broadcast AR on all agents.
  • Extended FIM event information forwarded by csyslogd (by Sivakumar Nellurandi).
  • Report Syscheck's new file events on real time.

Changed

  • Isolated logtest directory from analysisd.
  • Remoted informs Analysisd about agent ID.
  • Updated Kibana dashboards.
  • Syscheck FIM attributes to dynamic fields.
  • Force services to exit if PID file creation fails.
  • Atomic writing of client.keys through temporary files.
  • Disabled remote message ID verification by default.
  • Show actual IP on debug message when agents get connected.
  • Enforce rules IDs to max 6 digits.
  • OSSEC users and group as system (UI-hidden) users (by Dennis Golden).
  • Increases Authd connection pool size.
  • Use general-purpose version-flexible SSL/TLS methods for Authd registration.
  • Enforce minimum 3-digit agent ID format.
  • Exclude BTRFS from Rootcheck searching for hidden files inside directories (by Stephan Joerrens).
  • Moved OSSEC and Wazuh decoders to one directory.
  • Prevent manage_agents from doing invalid actions (such methods for manager at agent).
  • Disabled capturing of security events 5145 and 5156 on Windows agent.
  • Utilities to rename an agent or change the IP address (by Antonio Querubin).
  • Added quiet option for Logtest (by Dan Parriott).
  • Output decoder information onto JSON alerts.
  • Enable mail notifications by default for server installation.
  • Agent control option to restart all agents' Syscheck will also restart manager's Syscheck.
  • Make ossec-control to check Authd PID.
  • Enforce every rule to contain a description.
  • JSON output won't contain field "agentip" if tis value is "any".
  • Don't broadcast Active Response messages to disconnected agents.
  • Don't print Syscheck logs if it's disabled.
  • Set default Syscheck and Rootcheck frequency to 12 hours.
  • Generate FIM new file alert by default.
  • Added option for Integrator to set the maximum log length.
  • JSON output nested objects modelling through dynamic fields.
  • Disable TCP for unsupported OSs.
  • Show previous log on JSON alert.
  • Removed confirmation prompt when importing an agent key successfully.
  • Made Syscheck not to ignore files that change more than 3 times by default.
  • Enabled JSON output by default.
  • Updated default syscheck configuration for Windows agents.
  • Limited agent' maximum connection time for notification time.
  • Improved client.keys changing detection method by remoted: use date and inode.
  • Changed boot service name to Wazuh.
  • Active response enabled on Windows agents by default.
  • New folder structure for rules and decoders.
  • More descriptive logs about syscheck real-time monitoring.
  • Renamed XML tags related to rules and decoders inclusion.
  • Set default maximum agents to 8000.
  • Removed FTS numeric bitfield from JSON output.
  • Fixed ID misassignment by manage_agents when the greatest ID exceeds 32512.
  • Run Windows Registry Syscheck scan on first stage when scan_on_start enabled.
  • Set all Syscheck delay stages to a multiple of internal_options.conf/syscheck.sleep value.
  • Changed JSON timestamp format to ISO8601.
  • Overwrite @timestamp field from Logstash with the alert timestamp.
  • Moved timestamp JSON field to the beginning of the object.
  • Changed random data generator for a secure OS-provided generator.

Fixed

  • Logcollector bug that inhibited alerts about file reduction.
  • Memory issue on string manipulation at JSON.
  • Memory bug at JSON alerts.
  • Fixed some CLang warnings.
  • Issue on marching OSSEC user on installing.
  • Memory leaks at configuration.
  • Memory leaks at Analysisd.
  • Bugs and memory errors at agent management.
  • Mistake with incorrect name for PID file (by Tickhon Clearscale).
  • Agent-auth name at messages (it appeared to be the server).
  • Avoid Monitord to log errors when the JSON alerts file doesn't exists.
  • Agents numbering issue (minimum 3 digits).
  • Avoid no-JSON message at agent_control when client.keys empty.
  • Memory leaks at manage_agents.
  • Authd error messages about connection to queue passed to warning.
  • Issue with Authd password checking.
  • Avoid ossec-control to use Dash.
  • Fixed false error about disconnected agent when trying to send it the shared files.
  • Avoid Authd to close when it reaches the maximum concurrency.
  • Fixed memory bug at event diff execution.
  • Fixed resource leak at file operations.
  • Hide help message by useadd and groupadd on OpenBSD.
  • Fixed error that made Analysisd to crash if it received a missing FIM file entry.
  • Fixed compile warnings at cJSON library.
  • Fixed bug that made Active Response to disable all commands if one of them was disabled (by Jason Thomas).
  • Fixed segmentation fault at logtest (by Dan Parriott).
  • Fixed SQL injection vulnerability at Database.
  • Fixed Active Response scripts for Slack and Twitter.
  • Fixed potential segmentation fault at file queue operation.
  • Fixed file permissions.
  • Fixed failing test for Apache 2.2 logs (by Brad Lhotsky).
  • Fixed memory error at net test.
  • Limit agent waiting time for retrying to connect.
  • Fixed compile warnings on i386 architecture.
  • Fixed Monitord crash when sending daily report email.
  • Fixed script to null route an IP address on Windows Server 2012+ (by Theresa Meiksner).
  • Fixed memory leak at Logtest.
  • Fixed manager with TCP support on FreeBSD (by Dave Stoddard).
  • Fixed Integrator launching at local-mode installation.
  • Fixed issue on previous alerts counter (rules with if_matched_sid option).
  • Fixed compile and installing error on Solaris.
  • Fixed segmentation fault on syscheck when no configuration is defined.
  • Fixed bug that prevented manage_agents from removing syscheck/rootcheck database.
  • Fixed bug that made agents connected on TCP to hang if they are rejected by the manager.
  • Fixed segmentation fault on remoted due to race condition on managing keystore.
  • Fixed data lossing at remoted when reloading keystore.
  • Fixed compile issue on MacOS.
  • Fixed version reading at ruleset updater.
  • Fixed detection of BSD.
  • Fixed memory leak (by Byron Golden).
  • Fixed misinterpretation of octal permissions given by Agentless (by Stephan Leemburg).
  • Fixed mistake incorrect openssl flag at Makefile (by Stephan Leemburg).
  • Silence Slack integration transmission messages (by Dan Parriott).
  • Fixed OpenSUSE Systemd misconfiguration (By Stephan Joerrens).
  • Fixed case issue on JSON output for Rootcheck alerts.
  • Fixed potential issue on duplicated agent ID detection.
  • Fixed issue when creating agent backups.
  • Fixed hanging problem on Windows Auth client when negotiation issues.
  • Fixed bug at ossec-remoted that mismatched agent-info files.
  • Fixed resource leaks at rules configuration parsing.
  • Fixed memory leaks at rules parser.
  • Fixed memory leaks at XML decoders parser.
  • Fixed TOCTOU condition when removing directories recursively.
  • Fixed insecure temporary file creation for old POSIX specifications.
  • Fixed missing agentless devices identification at JSON alerts.

Removed

  • Deleted link to LUA sources.
  • Delete ZLib generated files on cleaning.
  • Removed maximum lines limit from diff messages (that remain limited by length).

[v1.1.1] - 2016-05-12

Added

  • agent_control: maximum number of agents can now be extracted using option "-m".
  • maild: timeout limitation, preventing it from hang in some cases.
  • Updated decoders, ruleset and rootchecks from Wazuh Ruleset v1.0.8.
  • Updated changes from ossec-hids repository.

Changed

  • Avoid authd to rename agent if overplaced.
  • Changed some log messages.
  • Reordered directories for agent backups.
  • Don't exit when client.keys is empty by default.
  • Improved client.keys reloading capabilities.

Fixed

  • Fixed JSON output at rootcheck_control.
  • Fixed agent compilation on OS X.
  • Fixed memory issue on removing timestamps.
  • Fixed segmentation fault at reported.
  • Fixed segmentation fault at logcollector.

Removed

  • Removed old rootcheck options.

[v1.1.0] - 2016-04-06

Added

  • Re-usage of agent ID in manage_agents and authd, with time limit.
  • Added option to avoid manager from exiting when there are no keys.
  • Backup of the information about an agent that's going to be deleted.
  • Alerting if Authd can't add an agent because of a duplicated IP.
  • Integrator with Slack and PagerDuty.
  • Simplified keywords for the option "frequency".
  • Added custom Reply-to e-mail header.
  • Added option to syscheck to avoid showing diffs on some files.
  • Created agents-timestamp file to save the agents' date of adding.

Changed

  • client.keys: No longer overwrite the name of an agent with "#-#-#-" to mark it as deleted. Instead, the name will appear with a starting "!".
  • API: Distinction between duplicated and invalid name for agent.
  • Stop the "ERROR: No such file or directory" for Apache.
  • Changed defaults to analysisd event counter.
  • Authd won't use password by default.
  • Changed name of fields at JSON output from binaries.
  • Upgraded rules to Wazuh Ruleset v1.07

Fixed

  • Fixed merged.mg push on Windows Agent
  • Fixed Windows agent compilation issue
  • Fixed glob broken implementation.
  • Fixed memory corruption on the OSSEC alert decoder.
  • Fixed command "useradd" on OpenBSD.
  • Fixed some PostgreSQL issues.
  • Allow to disable syscheck:check_perm after enable check_all.

[v1.0.4] - 2016-02-24

Added

  • JSON output for manage_agents.
  • Increased analysis daemon's memory size.
  • Authd: Added password authorization.
  • Authd: Boost speed performance at assignation of ID for agents
  • Authd: New option -f sec. Force addding new agent (even with duplicated IP) if it was not active for the last sec seconds.
  • manage_agents: new option -d. Force adding new agent (even with duplicated IP)
  • manage_agents: Printing new agent ID on adding.

Changed

  • Authd and manage_agents won't add agents with duplicated IP.

Fixed

  • Solved duplicate IP conflicts on client.keys which prevented the new agent to connect.
  • Hashing files in binary mode. Solved some problems related to integrity checksums on Windows.
  • Fixed issue that made console programs not to work on Windows.

Removed

[v1.0.3] - 2016-02-11

Added

  • JSON CLI outputs: ossec-control, rootcheck_control, syscheck_control, ossec-logtest and more.
  • Preparing integration with RESTful API
  • Upgrade version scripts
  • Merge commits from ossec-hids
  • Upgraded rules to Wazuh Ruleset v1.06

Fixed

  • Folders are no longer included on etc/shared
  • Fixes typos on rootcheck files
  • Kibana dashboards fixes

[v1.0.2] - 2016-01-29

Added

  • Added Wazuh Ruleset updater
  • Added extensions files to support ELK Stack latest versions (ES 2.x, LS 2.1, Kibana 4.3)

Changed

  • Upgraded rules to Wazuh Ruleset v1.05
  • Fixed crash in reportd
  • Fixed Windows EventChannel syntaxis issue
  • Fixed manage_agents bulk option bug. No more "randombytes" errors.
  • Windows deployment script improved

[v1.0.1] - 2015-12-10

Added

  • Wazuh version info file
  • ossec-init.conf now includes wazuh version
  • Integrated with wazuh OSSEC ruleset updater
  • Several new fields at JSON output (archives and alerts)
  • Wazuh decoders folder

Changed

  • Decoders are now splitted in differents files.
  • jsonout_out enable by default
  • JSON groups improvements
  • Wazuh ruleset updated to 1.0.2
  • Extensions: Improved Kibana dashboards
  • Extensions: Improved Windows deployment script

[v1.0.0] - 2015-11-23

  • Initial Wazuh version v1.0