All notable changes to this project will be documented in this file.
- Added new unit tests for cluster python module and increased coverage to 99%. (#9995)
- Added file size limitation on cluster integrity sync. (#11190)
- Added unittests for CLIs script files. (#13424)
- wazuh-logtest now shows warnings about ruleset issues. (#10822)
- Modulesd memory is now managed by jemalloc, this helps reduce memory fragmentation. (#12206)
- The manager now refuses multiple connections from the same agent. (#11702)
- Updated the Vulnerability Detector configuration reporting to include MSU and skip JSON Red Hat feed. (#12117)
- Improved the shared configuration file handling performance. (#12352)
- The agent group data is now natively handled by Wazuh DB. (#11753)
- Improved security at cluster zip filenames creation. (#10710)
- Refactor of the core/common.py module. (#12390)
- Refactor format_data_into_dictionary method of WazuhDBQuerySyscheck class. (#12497)
- Limit the maximum zip size that can be created while synchronizing cluster Integrity. (#11124)
- Refactored the functions in charge of synchronizing files in the cluster. (#13065)
- Changed MD5 hash function to BLAKE2 for cluster file comparison. (#13079)
- Renamed wazuh-logtest and wazuh-clusterd scripts to follow the same scheme as the other scripts (spaces symbolized with _ instead of -). (#12926)
- Fixed wazuh-dbd halt procedure. (#10873)
- Fixed compilation warnings in the manager. (#12098)
- Fixed a bug in the manager that did not send shared folders correctly to agents belonging to multiple groups. (#12516)
- Fixed the Active Response decoders to support back the top entries for source IP in reports. (#12834)
- Fixed the feed update interval option of Vulnerability Detector for the JSON Red Hat feed. (#13338)
- Fixed several code flaws in the python framework. (#12127)
- Fixed framework datetime transformations to UTC. (#10782)
- Fixed a cluster error when Master-Worker tasks where not properly stopped after an exception occurred in one or both parts. (#11866)
- Fixed cluster logger issue printing 'NoneType: None' in error logs. (#12831)
- Fixed unhandled cluster error when reading a malformed configuration. (#13419)
- Fixed framework unit test failures when they are run by the root user. (#13368)
- Removed the unused internal option
wazuh_db.sock_queue_size
. (#12409) - Removed all the unused exceptions from the exceptions.py file. (#10940)
- Removed unused execute method from core/utils.py. (#10740)
- Removed unused set_user_name function in framework. (#13119)
- Added support of CPU frequency data provided by Syscollector on Raspberry Pi. (#11756)
- Added support for IPv6 address collection in the agent. (#11450)
- Added the process startup time data provided by Syscollector on macOS. (#11833)
- Added support of package retrieval in Syscollector for OpenSUSE Tumbleweed and Fedora 34. (#11571)
- Added the process startup time data provided by Syscollector on macOS. Thanks to @LubinLew. (#11640)
- Added support for package data provided by Syscollector on Solaris. (#11796)
- Added support for delta events in Syscollector when data gets changed. (#10843)
- Added support for pre-installed Windows packages in Syscollector. (#12035)
- Added support for IPv6 on agent-manager connection and enrollment. (#11268)
- Added support for CIS-CAT Pro v3 and v4 to the CIS-CAT integration module. Thanks to @hustliyilin. (#12582)
- Added support for the use of the Azure integration module in Linux agents. (#10870)
- Added new error messages when using invalid credentials with the Azure integration. (#11852)
- Added reparse option to CloudWatchLogs and Google Cloud Storage integrations. (#12515)
- Improved the free RAM data provided by Syscollector. (#11587)
- The Windows installer (MSI) now provides signed DLL files. (#12752)
- Changed the group ownership of the Modulesd process to root. (#12748)
- Some parts of Agentd and Execd have got refactored. (#12750)
- Handled new exception in the external integration modules. (#10478)
- Optimized the number of calls to DB maintenance tasks performed by the AWS integration. (#11828)
- Improved the reparse performance by removing unnecessary queries from external integrations. (#12404)
- Updated and expanded Azure module logging functionality to use the ossec.log file. (#12478)
- Improved the error management of the Google Cloud integration. (#12647)
- Deprecated
logging
tag in GCloud integration. It now useswazuh_modules
debug value to set the verbosity level. (#12769) - The last_dates.json file of the Azure module has been deprecated in favour of a new ORM and database. (12849)
- Improved the error handling in AWS integration's
decompress_file
method. (#12929) - Use zlib for zip compression in cluster synchronization. (#11190)
- Fixed collection of maximum user data length. Thanks to @LubinLew. (#7687)
- Fixed missing fields in Syscollector on Windows 10. (#10772)
- Fixed the process startup time data provided by Syscollector on Linux. Thanks to @LubinLew. (#11227)
- Fixed network data reporting by Syscollector related to tunnel or VPN interfaces. (#11837)
- Skipped V9FS file system at Rootcheck to prevent false positives on WSL. (#12066)
- Fixed double file handle closing in Logcollector on Windows. (#9067)
- Fixed a bug in Syscollector that may prevent the agent from stopping when the manager connection is lost. (#11949)
- Fixed internal exception handling issues on Solaris 10. (#12148)
- Fixed duplicate error message IDs in the log. (#12300)
- Fixed compilation warnings in the agent. (#12691)
- Fixed the
skip_on_error
parameter of the AWS integration module, which was set toTrue
by default. (#1247) - Fixed AWS DB maintenance with Load Balancer Buckets. (#12381)
- Fixed AWS integration's
test_config_format_created_date
unit test. (#12650) - Fixed created_date field for LB and Umbrella integrations. (#12630)
- Fixed AWS integration database maintenance error managament. (#13185)
- Added new API integration tests for a Wazuh environment without a cluster configuration. (#10620)
- Added wazuh-modulesd tags to
GET /manager/logs
andGET /cluster/{node_id}/logs
endpoints. (#11731) - Added python decorator to soft deprecate API endpoints adding deprecation headers to their responses. (#12438)
- Added new exception to inform that /proc directory is not found or permissions to see its status are not granted. (#12486)
- Added new field and filter to
GET /agents
response to retrieve agent groups configuration synchronization status. (#12362) - Added agent groups configuration synchronization status to
GET /agents/summary/status
endpoint. (12498) - Added JSON log handling. (#11171)
- Added integration tests for IPv6 agent's registration. (#12029)
- Enable ordering by Agents count in
/groups
endpoints. (#12887) - Added hash to API logs to identify users logged in with authorization context. (#12092)
- Improved
GET /cluster/healthcheck
endpoint andcluster_control -i more
CLI call in loaded cluster environments. (#11341) - Removed
never_connected
agent status limitation when trying to assign agents to groups. (#12595) - Changed API version and upgrade_version filters to work with different version formats. (#12551)
- Renamed
GET /agents/{agent_id}/group/is_sync
endpoint toGET /agents/group/is_sync
and added newagents_list
parameter. (#9413) - Added
POST /security/user/authenticate
endpoint and markedGET /security/user/authenticate
endpoint as deprecated. (#10397)
- Fixed copy functions used for the backup files and upload endpoints to prevent incorrent metadata. (#12302)
- Fixed a bug regarding ids not being sorted with cluster disabled in Active Response and Agent endpoints. (#11010)
- Fixed a bug where
null
values from wazuh-db where returned in API responses. (#10736) - Connections through
WazuhQueue
will be closed gracefully in all situations. (#12063) - Fixed exception handling when trying to get the active configuration of a valid but not configured component. (#12450)
- Fixed api.yaml path suggested as remediation at exception.py (#12700)
- Fixed /tmp access error in containers of API integration tests environment. (#12768)
- The API will return an exception when the user asks for agent inventory information and there is no database for it (never connected agents). (#13096)
- Improved regex used for the
q
parameter on API requests with special characters and brackets. (#13171) (#13386) - Removed board_serial from syscollector integration tests expected responses. (#12592)
- Removed cmd field from expected responses of syscollector integration tests. (#12557)
- Removed null remediations from failed API responses. (#12053)
- Deprecated
GET /agents/{agent_id}/group/is_sync
endpoint. (#12365)
- Added unit tests to the component in Analysisd that extracts the IP address from events. (#12733)
- Added
python-json-logger
dependency. (#12518)
- Prevented the Ruleset test suite from restarting the manager. (#10773)
- Integratord now tries to read alerts indefinitely, instead of performing 3 attempts. (#13437)
- Avoid creating duplicated client tags during deployment. (#13651)
- Prevented Agentd from resetting its configuration on client block re-definition. (#13642)
- Fixed a crash in Vuln Detector when scanning agents running on Windows. (#13616)
- Fixed a crash when overwrite rules are triggered. (#13439)
- Fixed a memory leak when loading overwrite rules. (#13439)
- Fixed the use of relationship labels in overwrite rules. (#13439)
- Fixed regex used to transform into datetime in the logtest framework function. (#13430)
- Fixed API response when using sort in Agent upgrade related endpoints. (#13178)
- Fixed rule 92656, added field condition win.eventdata.logonType equals 10 to avoid false positives. (#13409)
- Added support for Arch Linux OS in Vulnerability Detector. Thanks to Aviel Warschawski (@avielw). (#8178)
- Added a log message in the
cluster.log
file to notify that wazuh-clusterd has been stopped. (#8749) - Added message with the PID of
wazuh-clusterd
process when launched in foreground mode. (#9077) - Added time calculation when extra information is requested to the
cluster_control
binary. (#10492) - Added a context variable to indicate origin module in socket communication messages. (#9209)
- Added unit tests for framework/core files to increase coverage. (#9733)
- Added a verbose mode in the wazuh-logtest tool. (#9204)
- Added Vulnerability Detector support for Amazon Linux. (#8830)
- Introduced new option
<force>
to set the behavior when Authd finds conflicts on agent enrollment requests. (#10693) - Added saniziters to the unit tests execution. (#9099)
- Vulnerability Detector introduces vulnerability inventory. (#8237)
- The manager will only deliver alerts when new vulnerabilities are detected in agents or when they stop applying.
- Added a mechanism to ensure the worker synchronization permissions is reset after a fixed period of time. (#11031)
- Included mechanism to create and handle PID files for each child process of the API and cluster. (#11799)
- Added support for Windows 11 in Vulnerability Detector. (#12446)
- Changed the internal handling of agent keys in Remoted and Remoted to speed up key reloading. (#8083)
- The option
<server>
of the Syslog output now supports hostname resolution. (#7885) - The product's UNIX user and group have been renamed to "wazuh". (#7763)
- The MITRE database has been redesigned to provide full and searchable data. (#7865)
- The static fields related to FIM have been ported to dynamic fields in Analysisd. (7358)
- Changed all randomly generated IDs used for cluster tasks. Now,
uuid4
is used to ensure IDs are not repeated. (8351) - Improved sendsync error log to provide more details of the used parameters. (#8873)
- Changed
walk_dir
function to be iterative instead of recursive. (#9708) - Refactored Integrity sync behavior so that new synchronizations do not start until extra-valid files are processed. (#10183)
- Changed cluster synchronization, now the content of the
etc/shared
folder is synchronized. (#10101) - Changed all XML file loads. Now,
defusedxml
library is used to avoid possible XML-based attacks. (8351) - Changed configuration validation from execq socket to com socket. (#8535)
- Updated utils unittest to improve process_array function coverage. (#8392)
- Changed
request_slice
calculation to improve efficiency when accessing wazuh-db data. (#8885) - Improved the retrieval of information from
wazuh-db
so it reaches the optimum size in a single iteration. (#9273) - Optimized the way framework uses context cached functions and added a note on context_cached docstring. (#9234)
- Improved framework regexes to be more specific and less vulnerable. (#9332)
- Unified framework exceptions for non-active agents. (#9423)
- Changed RBAC policies to case insensitive. (#9433)
- Refactored framework stats module into SDK and core components to comply with Wazuh framework code standards. (#9548)
- Changed the size of the agents chunks sent to the upgrade socket to make the upgrade endpoints faster. (#10309)
- Refactored rootcheck and syscheck SDK code to make it clearer. (#9408)
- Adapted Azure-logs module to use Microsoft Graph API instead of Active Directory Graph API. (#9738)
- Analysisd now reconnects to Active Response if Remoted or Execd get restarted. (#8060)
- Agent key polling now supports cluster environments. (#10335)
- Extended support of Vulnerability Detector for Debian 11 (Bullseye). (#10357)
- Improved Remoted performance with an agent TCP connection sending queue. (#10326)
- Agent DB synchronization has been boosted by caching the last data checksum in Wazuh DB. (#9093)
- Logtest now scans new ruleset files when loading a new session. (#8892)
- CVE alerts by Vulnerability Detector now include the time of detection, severity, and score. (#8237)
- Fixed manager startup when
<database_output>
is enabled. (#10849) - Improved cluster performance using multiprocessing.
- Changed the cluster
local_integrity
task to run in a separate process to improve overall performance. (#10767) - The cluster communication with the database for agent information synchronization runs in a parallel separate process. (#10807)
- The cluster processing of the extra-valid files in the master node is carried out in a parallel separate process. (#10920)
- The cluster's file compression task in the master node is carried out in a parallel separate process. (#11328)
- Now the processing of Integrity files in worker nodes is carried out in a parallel separate process (#11364)
- Use cluster and API single processing when the wazuh user doesn't have permissions to access
/dev/shm
. (#11386)
- Changed the cluster
- Changed the Ubuntu OVAL feed URL to security-metadata.canonical.com. (#12491)
- Let Analysisd warn about missing rule dependencies instead of rejecting the ruleset. (#12652)
- Fixed a memory defect in Remoted when closing connection handles. (#8223)
- Fixed a timing problem in the manager that might prevent Analysisd from sending Active responses to agents. (#7625)
- Fixed a bug in Analysisd that did not apply field lookup in rules that overwrite other ones. (#8210)
- Prevented the manager from leaving dangling agent database files. (#8902)
- Corrected remediation message for error code 6004. (#8254)
- Fixed a bug when deleting non-existing users or roles in the security SDK. (#8157)
- Fixed a bug with
agent.conf
file permissions when creating an agent group. (#8418) - Fixed wrong exceptions with wdb pagination mechanism. (#8422)
- Fixed error when loading some rules with the
\
character. (#8747) - Changed
WazuhDBQuery
class to properly close socket connections and prevent file descriptor leaks. (#9216) - Fixed error in the api configuration when using the
agent_upgrade
script. (#10320) - Handle
JSONDecodeError
in Distributed API class methods. (#10341) - Fixed an issue with duplicated logs in Azure-logs module and applied several improvements to it. (#9738)
- Fixed the query parameter validation to allow usage of special chars in Azure module. (#10680)
- Fix a bug running wazuh-clusterd process when it was already running. (#8394)
- Allow cluster to send and receive messages with size higher than request_chunk. (#8732)
- Fixed a bug that caused
wazuh-clusterd
process to not delete its pidfile when running in foreground mode and it is stopped. (#9077) - Fixed race condition due to lack of atomicity in the cluster synchronization mechanism. (#10376)
- Fixed bug when displaying the dates of the cluster tasks that have not finished yet. Now
n/a
is displayed in these cases. (#10492) - Fixed missing field
value_type
in FIM alerts. (#9196) - Fixed a typo in the SSH Integrity Check script for Agentless. (#9292)
- Fixed multiple race conditions in Remoted. (#10421)
- The manager's agent database has been fixed to prevent dangling entries from removed agents. (#10390)
- Fixed the alerts generated by FIM when a lookup operation on an SID fails. (#9765)
- Fixed a bug that caused cluster agent-groups files to be synchronized multiple times unnecessarily. (#10866)
- Fixed an issue in Wazuh DB that compiled the SQL statements multiple times unnecessarily. (#10922)
- Fixed a crash in Analysisd when setting Active Response with agent_id = 0. (#10948)
- Fixed an uninitialized Blowfish encryption structure warning. (#11161)
- Fixed a memory overrun hazard in Vulnerability Detector. (#11262)
- Fixed a bug when using a limit parameter higher than the total number of objects in the wazuh-db queries. (#11282)
- Prevented a false positive for MySQL in Vulnerability Detector. (#11440)
- Fixed segmentation fault in Analysisd when setting the number of queues to zero. (#11448)
- Fixed false positives in Vulnerability Detector when scanning OVAl for Ubuntu Xenial and Bionic. (#11440)
- Fixed an argument injection hazard in the Pagerduty integration script. Reported by Jose Maria Zaragoza (@JoseMariaZ). (#11835)
- Fixed memory leaks in the feed parser at Vulnerability Detector. (#11863)
- Architecture data member from the RHEL 5 feed.
- RHSA items containing no CVEs.
- Unused RHSA data member when parsing Debian feeds.
- Prevented Authd from exiting due to a pipe signal if Wazuh DB gets closed. (#12368)
- Fixed a buffer handling bug in Remoted that left the syslog TCP server stuck. (#12415)
- Fixed a memory leak in Vulnerability Detector when discarding kernel packages. (#12644)
- Fixed a memory leak at wazuh-logtest-legacy when matching a level-0 rule. (#12655)
- Fixed a bug in the Vulnerability Detector CPE helper that may lead to produce false positives about Firefox ESR. (#13067)
- The data reporting for Rootcheck scans in the agent_control tool has been deprecated. (#8399)
- Removed old framework functions used to calculate agent status. (#8846)
- Added an option to allow the agent to refresh the connection to the manager. (#8016)
- Introduced a new module to collect audit logs from GitHub. (#8532)
- FIM now expands wildcarded paths in the configuration on Windows agents. (8461)
- FIM reloads wildcarded paths on full scans. (8754)
- Added new
path_suffix
option to AWS module configuration. (#8306) - Added new
discard_regex
option to AWS module configuration. (8331) - Added support for the S3 Server Access bucket type in AWS module. (#8482)
- Added support for Google Cloud Storage buckets using a new GCP module called
gcp-bucket
. (#9119) - Added support for VPC endpoints in AWS module. (#9420)
- Added support for GCS access logs in the GCP module. (#9279)
- Added an iam role session duration parameter to AWS module. (#10198)
- Added support for variables in SCA policies. (#8826)
- FIM now fills an audit rule file to support who-data although Audit is in immutable mode. (#7721)
- Introduced an integration to collect audit logs from Office365. (#8957)
- Added a new field
DisplayVersion
to Syscollector to help Vulnerability Detector match vulnerabilities for Windows. (#10168) - Added support for macOS agent upgrade via WPK. (#10148)
- Added Logcollector support for macOS logs (Unified Logging System). (#8632)
- The agent now reports the version of the running AIX operating system to the manager. (#8381)
- Improved the reliability of the user ID parsing in FIM who-data mode on Linux. (#8604)
- Extended support of Logcollector for MySQL 4.7 logs. Thanks to @YoyaYOSHIDA. (#5047)
- Agents running on FreeBSD and OpenBSD now report their IP address. (#9887)
- Reduced verbosity of FIM debugging logs. (#8202)
- The agent's IP resolution frequency has been limited to prevent high CPU load. (#9992)
- Syscollector has been optimized to use lees memory. (#10236)
- Added support of ZscalerOS system information in the agent. (#10337)
- Syscollector has been extended to collect missing Microsoft product hotfixes. (#10259)
- Updated the osquery integration to find the new osqueryd location as of version 5.0. (#10396)
- The internal FIM data handling has been simplified to find files by their path instead of their inode. (#9123)
- Reimplemented the WPK installer rollback on Windows. (#9764)
- Active responses for Windows agents now support native fields from Eventchannel. (#10208)
- Error logs by Logcollector when a file is missing have been changed to info logs. (#10651)
- The agent MSI installer for Windows now detects the platform version to install the default configuration. (#8724)
- Agent logs for inability to resolve the manager hostname now have info level. (#3659)
- Added ID number to connection enrollment logs. (#11276)
- Standardized the use of the
only_logs_after
parameter in the external integration modules. (#10838) - Updated DockerListener integration shebang to python3 for Wazuh agents. (#12150)
- Updated the Windows installer ico and png assets to the new logo. (#12779)
- Fixed a bug in FIM that did not allow monitoring new directories in real-time mode if the limit was reached at some point. (#8784)
- Fixed a bug in FIM that threw an error when a query to the internal database returned no data. (#8941)
- Fixed an error where the IP address was being returned along with the port for Amazon NLB service.(#8362)
- Fixed AWS module to properly handle the exception raised when processing a folder without logs. (#8372
- Fixed a bug with AWS module when pagination is needed in the bucket. (#8433)
- Fixed an error with the ipGeoLocation field in AWS Macie logs. (#8672)
- Changed an incorrect debug message in the GCloud integration module. (#10333)
- Data race conditions have been fixed in FIM. (#7848)
- Fixed wrong command line display in the Syscollector process report on Windows. (#10011)
- Prevented Modulesd from freezing if Analysisd or Agentd get stopped before it. (#10249)
- Fixed wrong keepalive message from the agent when file merged.mg is missing. (#10405)
- Fixed missing logs from the Windows agent when it's getting stopped. (#10381)
- Fixed missing packages reporting in Syscollector for macOS due to empty architecture data. (#10524)
- Fixed FIM on Linux to parse audit rules with multiple keys for who-data. (#7506)
- Fixed Windows 11 version collection in the agent. (#10639)
- Fixed missing Eventchannel location in Logcollector configuration reporting. (#10602)
- Updated CloudWatch Logs integration to avoid crashing when AWS raises Throttling errors. (#10794)
- Fixed AWS modules' log file filtering when there are logs with and without a prefix mixed in a bucket. (#10718)
- Fixed a bug on the installation script that made upgrades not to update the code of the external integration modules. (#10884)
- Fixed issue with AWS integration module trying to parse manually created folders as if they were files. (#10921)
- Fixed installation errors in OS with no subversion. (#11086)
- Fixed a typo in an error log about enrollment SSL certificate. (#11115)
- Fixed unit tests for Windows agent when built on MinGW 10. (#11121)
- Fixed Windows agent compilation warnings. (#10942)
- Fixed the OS version reported by the agent on OpenSUSE Tumbleweed. (#11207)
- Prevented Syscollector from truncating the open port inode numbers on Linux. (#11329)
- Fixed agent auto-restart on configuration changes when started via
wazuh-control
on a Systemd based Linux OS. (#11365) - Fixed a bug in the AWS module resulting in unnecessary API calls when trying to obtain the different Account IDs for the bucket. (#10952)
- Fixed Azure integration's configuration parsing to allow omitting optional parameters. (#11278)
- Fixed Azure Storage credentials validation bug. (#11296)
- Fixed the read of the hostname in the installation process for openSUSE. (#11455)
- Fixed the graceful shutdown when agent loses connection. (#11425)
- Fixed error "Unable to set server IP address" on the Windows agent. (#11736)
- Fixed reparse option in the AWS VPCFlow and Config integrations. (#11608)
- Removed unnecessary calls to the AWS API made by the VPCFlow and Config integration modules. (#11644)
- Fixed how the AWS Config module parses the dates used to request logs from AWS. (#12324)
- Let Logcollector audit format parse logs with a custom name_format. (#12676)
- Fixed Agent bootstrap issue that might lead to startup timeout when it cannot resolve a manager hostname. (#12704)
- Fixed a bug in the agent's leaky bucket throughput regulator that could leave it stuck if the time is advanced on Windows. (#13088)
- Removed oscap module files as it was already deprecated since v4.0.0. (#10900)
- Added new
PUT /agents/reconnect
endpoint to force agents reconnection to the manager. (#7988) - Added
select
parameter to theGET /security/users
,GET /security/roles
,GET /security/rules
andGET /security/policies
endpoints. (#6761) - Added type and status filters to
GET /vulnerability/{agent_id}
endpoint. (#8100) - Added an option to configure SSL ciphers. (#7490)
- Added an option to configure the maximum response time of the API. (#8919)
- Added new
DELETE /rootcheck/{agent_id}
endpoint. (#8945) - Added new
GET /vulnerability/{agent_id}/last_scan
endpoint to check the latest vulnerability scan of an agent. (#9028) - Added new
cvss
andseverity
fields and filters toGET /vulnerability/{agent_id}
endpoint. (#9028) - Added an option to configure the maximum allowed API upload size. (#9100)
- Added new unit and integration tests for API models. (#9142)
- Added message with the PID of
wazuh-apid
process when launched in foreground mode. (#9077) - Added
external id
,source
andurl
to the MITRE endpoints responses. (#9144) - Added custom healthchecks for legacy agents in API integration tests, improving maintainability. (#9297)
- Added new unit tests for the API python module to increase coverage. (#9914)
- Added docker logs separately in API integration tests environment to get cleaner reports. (#10238)
- Added new
disconnection_time
field toGET /agents
response. (#10437) - Added new filters to agents upgrade endpoints. (#10457)
- Added new API endpoints to access all the MITRE information. (#8288)
- Show agent-info permissions flag when using cluster_control and in the
GET /cluster/healthcheck
API endpoint. (#10947) - Save agents' ossec.log if an API integration test fails. (#11931)
- Added
POST /security/user/authenticate/run_as
endpoint to API bruteforce blocking system. (#12085) - Added new API endpoint to obtain summaries of agent vulnerabilities' inventory items. (#12638)
- Added fields external_references, condition, title, published and updated to GET /vulnerability/{agent_id} API endpoint. (#12727)
- Added the possibility to include strings in brackets in values of the
q
parameter. (#13262)
- Renamed SSL protocol configuration parameter. (#7490)
- Reviewed and updated API spec examples and JSON body examples. (#8827)
- Improved the performance of several API endpoints. This is specially appreciable in environments with a big number of agents.
- Improved
PUT /agents/group
endpoint. (#8937) - Improved
PUT /agents/restart
endpoint. (#8938) - Improved
DELETE /agents
endpoint. (#8950) - Improved
PUT /rootcheck
endpoint. (#8959) - Improved
PUT /syscheck
endpoint. (#8966) - Improved
DELETE /groups
endpoint and changed API response to be more consistent. (#9046)
- Improved
- Changed
DELETE /rootcheck
endpoint toDELETE /experimental/rootcheck
. (#8945) - Reduced the time it takes for
wazuh-apid
process to check its configuration when using the-t
parameter. (#9012) - Fixed malfunction in the
sort
parameter of syscollector endpoints. (#9019) - Improved API integration tests stability when failing in entrypoint. (#9113)
- Made SCA API integration tests dynamic to validate responses coming from any agent version. (#9228)
- Refactored and standardized all the date fields in the API responses to use ISO8601. (#9227)
- Removed
Server
header from API HTTP responses. (#9263) - Improved JWT implementation by replacing HS256 signing algorithm with RS256. (#9371)
- Removed limit of agents to upgrade using the API upgrade endpoints. (#10009)
- Changed Windows agents FIM responses to return permissions as JSON. (#10158)
- Adapted API endpoints to changes in
wazuh-authd
daemonforce
parameter. (#10389) - Deprecated
use_only_authd
API configuration option and related functionality.wazuh-authd
will always be required for creating and removing agents. (#10512) - Improved API validators and related unit tests. (#10745)
- Improved specific module healthchecks in API integration tests environment. (#10905)
- Changed thread pool executors for process pool executors to improve API availability. (#10916)
- Changed HTTPS options to use files instead of relative paths. (#11410)
- Fixed inconsistency in RBAC resources for
group:create
,decoders:update
, andrules:update
actions. (#8196) - Fixed the handling of an API error message occurring when Wazuh is started with a wrong
ossec.conf
. Now the execution continues and raises a warning. (8378) - Fixed a bug with
sort
parameter that caused a wrong response when sorting by several fields.(#8548) - Fixed the description of
force_time
parameter in the API spec reference. (#8597) - Fixed API incorrect path in remediation message when maximum number of requests per minute is reached. (#8537)
- Fixed agents' healthcheck error in the API integration test environment. (#9071)
- Fixed a bug with
wazuh-apid
process handling of pidfiles when running in foreground mode. (#9077) - Fixed a bug with RBAC
group_id
matching. (#9192) - Removed temporal development keys and values from
GET /cluster/healthcheck
response. (#9147) - Fixed several errors when filtering by dates. (#9227)
- Fixed limit in some endpoints like
PUT /agents/group/{group_id}/restart
and added a pagination method. (#9262) - Fixed bug with the
search
parameter resulting in invalid results. (#9320) - Fixed wrong values of
external_id
field in MITRE resources. (#9368) - Fixed how the API integration testing environment checks that
wazuh-apid
daemon is running before starting the tests. (#9399) - Add healthcheck to verify that
logcollector
stats are ready before starting the API integration test. (#9777) - Fixed API integration test healthcheck used in the
vulnerability
test cases. (#10159) - Fixed an error with
PUT /agents/node/{node_id}/restart
endpoint when no agents are present in selected node. (#10179) - Fixed RBAC experimental API integration tests expecting a 1760 code in implicit requests. (#10322)
- Fixed cluster race condition that caused API integration test to randomly fail. (#10289)
- Fixed
PUT /agents/node/{node_id}/restart
endpoint to exclude exception codes properly. (#10619) - Fixed
PUT /agents/group/{group_id}/restart
endpoint to exclude exception codes properly. (#10666) - Fixed agent endpoints
q
parameter to allow more operators when filtering by groups. (#10656) - Fixed API integration tests related to rule, decoder and task endpoints. (#10830)
- Improved exceptions handling when starting the Wazuh API service. (#11411)
- Fixed race condition while creating RBAC database. (#11598)
- Fixed API integration tests failures caused by race conditions. (#12102)
- Removed select parameter from GET /agents/stats/distinct endpoint. (#8599)
- Removed
GET /mitre
endpoint. (#8099) - Deprecated the option to set log
path
in the configuration. (#11410)
- Added Carbanak detection rules. (#11306)
- Added Cisco FTD rules and decoders. (#11309)
- Added decoders for AWS EKS service. (#11284)
- Added F5 BIG IP ruleset. (#11394)
- Added GCP VPC Storage, Firewall and Flow rules. (#11191)
- Added Gitlab v12 ruleset. (#11323)
- Added Microsoft Exchange Server rules and decoders. (#11289)
- Added Microsoft Windows persistence by using registry keys detection. (#11390)
- Added Oracle Database 12c rules and decoders. (#11274)
- Added rules for Carbanak step 1.A - User Execution: Malicious File. (#8476)
- Added rules for Carbanak step 2.A - Local Discovery. (#11212)
- Added rules for Carbanak step 2.B - Screen Capture. (#9075)
- Added rules for Carbanak step 5.B - Lateral Movement via SSH. (#9097)
- Added rules for Carbanak step 9.A - User Monitoring. (#11342)
- Added rules for Cloudflare WAF. (#11373)
- Added ruleset for ESET Remote console. (#11013)
- Added ruleset for GITHUB audit logs. (#8532)
- Added ruleset for Palo Alto v8.X - v10.X. (#11137)
- Added SCA policy for Amazon Linux 1. (#11431)
- Added SCA policy for Amazon Linux 2. (#11480)
- Added SCA policy for apple macOS 10.14 Mojave. (#7035)
- Added SCA policy for apple macOS 10.15 Catalina. (#7036)
- Added SCA policy for macOS Big Sur. (#11454)
- Added SCA policy for Microsoft IIS 10. (#11250)
- Added SCA policy for Microsoft SQL 2016. (#11249)
- Added SCA policy for Mongo Database 3.6. (#11247)
- Added SCA policy for NGINX. (#11248)
- Added SCA policy for Oracle Database 19c. (#11245)
- Added SCA policy for PostgreSQL 13. (#11154)
- Added SCA policy for SUSE Linux Enterprise Server 15. (#11223)
- Added SCA policy for Ubuntu 14. (#11432)
- Added SCA policy for Ubuntu 16. (#11452)
- Added SCA policy for Ubuntu 18. (#11453)
- Added SCA policy for Ubuntu 20. (#11430)
- Added SCA policy for. Solaris 11.4. (#11286)
- Added Sophos UTM Firewall ruleset. (#11122)
- Added Wazuh-api ruleset. (#11357)
- Updated audit rules. (#11016)
- Updated AWS s3 ruleset. (#11177)
- Updated Exim 4 decoder and rules to latest format. (#11344)
- Updated MITRE DB with latest MITRE JSON specification. (#8738)
- Updated multiple rules to remove alert_by_email option. (#11255)
- Updated NextCloud ruleset. (#11795)
- Updated ProFTPD decoder. (#11232)
- Updated RedHat Enterprise Linux 8 SCA up to version 1.0.1. (#11242)
- Updated rules and decoders for FortiNet products. (#11100)
- Updated SCA policy for CentOS 7. (#11429)
- Updated SCA policy for CentOS 8. (#8751)
- Updated SonicWall rules decoder. (#11263)
- Updated SSHD ruleset. (#11388)
- From file 0580-win-security_rules.xml, rules with id 60198 and 60199 are moved to file 0585-win-application_rules.xml, with rule ids 61071 and 61072 respectively. (#8552)
- Fixed bad character on rules 60908 and 60884 - win-application rules. (#11117)
- Fixed Microsoft logs rules. (#11369)
- Fixed PHP rules for MITRE and groups. (#11405)
- Fixed rules id for Microsoft Windows Powershell. (#11214)
- Upgraded external SQLite library dependency version to 3.36. (#10247)
- Upgraded external BerkeleyDB library dependency version to 18.1.40. (#10247)
- Upgraded external OpenSSL library dependency version to 1.1.1l. (#10247)
- Upgraded external Google Test library dependency version to 1.11. (#10927)
- Upgraded external Aiohttp library dependency version to 3.8.1. (11436)
- Upgraded external Werkzeug library dependency version to 2.0.2. (11436)
- Upgraded embedded Python version to 3.9.9. (11436)
- Fixed error detection in the CURL helper library. (#9168)
- Fixed external BerkeleyDB library support for GCC 11. (#10899)
- Fixed an installation error due to missing OS minor version on CentOS Stream. (#11086)
- Fixed an installation error due to missing command
hostname
on OpenSUSE Tumbleweed. (#11455)
- Fixed a crash in Vuln Detector when scanning agents running on Windows (backport from 4.3.2). (#13617)
- Fixed an integer overflow hazard in
wazuh-remoted
that caused it to drop incoming data after receiving 2^31 messages. (#11974)
- Active response requests for agents between v4.2.0 and v4.2.4 is now sanitized to prevent unauthorized code execution. (#10809)
- A bug in the Active response tools that may allow unauthorized code execution has been mitigated. Reported by @rk700. (#10809)
- Prevented files belonging to deleted agents from remaining in the manager. (#9158)
- Fixed inaccurate agent group file cleanup in the database sync module. (#10432)
- Prevented the manager from corrupting the agent data integrity when the disk gets full. (#10479)
- Fixed a resource leak in Vulnerability Detector when scanning Windows agents. (#10559)
- Stop deleting agent related files in cluster process when an agent is removed from
client.keys
. (#9061)
- Fixed a bug in Remoted that might lead it to crash when retrieving an agent's group. (#10388)
- Clean up the agent's inventory data on the manager if Syscollector is disabled. (#9133)
- Authd now refuses enrollment attempts if the agent already holds a valid key. (#9779)
- Fixed a false positive in Vulnerability Detector when packages have multiple conditions in the OVAL feed. (#9647)
- Prevented pending agents from keeping their state indefinitely in the manager. (#9042)
- Fixed Remoted to avoid agents in connected state with no group assignation. (#9088)
- Fixed a bug in Analysisd that ignored the value of the rule option
noalert
. (#9278) - Fixed Authd's startup to set up the PID file before loading keys. (#9378)
- Fixed a bug in Authd that delayed the agent timestamp update when removing agents. (#9295)
- Fixed a bug in Wazuh DB that held wrong agent timestamp data. (#9705)
- Fixed a bug in Remoted that kept deleted shared files in the multi-groups' merged.mg file. (#9942)
- Fixed a bug in Analysisd that overwrote its queue socket when launched in test mode. (#9987)
- Fixed a condition in the Windows Vulnerability Detector to prevent false positives when evaluating DU patches. (#10016)
- Fixed a memory leak when generating the Windows report in Vulnerability Detector. (#10214)
- Fixed a file descriptor leak in Analysisd when delivering an AR request to an agent. (#10194)
- Fixed error with Wazuh path in Azure module. (#10250)
- Optimized Syscollector scan performance. (#9907)
- Reworked the Google Cloud Pub/Sub integration module to increase the number of processed events per second allowing multithreading. Added new
num_threads
option to module configuration. (#9927) - Upgraded google-cloud-pubsub dependency to the latest stable version (2.7.1). (#9964)
- Reimplemented the WPK installer rollback on Linux. (#9443)
- Updated AWS WAF implementation to change
httpRequest.headers
field format. (#10217)
- Prevented the manager from hashing the shared configuration too often. (#9710)
- Fixed a memory leak in Logcollector when re-subscribing to Windows Eventchannel. (#9310)
- Fixed a memory leak in the agent when enrolling for the first time if it had no previous key. (#9967)
- Removed CloudWatchLogs log stream limit when there are more than 50 log streams. (#9934)
- Fixed a problem in the Windows installer that causes the agent to be unable to get uninstalled or upgraded. (#9897)
- Fixed AWS WAF log parsing when there are multiple dicts in one line. (#9775)
- Fixed a bug in AWS CloudWatch Logs module that caused already processed logs to be collected and reprocessed. (#10024)
- Avoid duplicate alerts from case-insensitive 32-bit registry values in FIM configuration for Windows agents. (#8256)
- Fixed a bug in the sources and WPK installer that made upgrade unable to detect the previous installation on CentOS 7. (#10210)
- Made SSL ciphers configurable and renamed SSL protocol option. (#10219)
- Fixed a bug with distributed API calls when the cluster is disabled. (#9984)
-
Installer:
- Fixed a bug in the upgrade to 4.2.0 that disabled Eventchannel support on Windows agent. (#9973)
-
Modules:
- Fixed a bug with Python-based integration modules causing the integrations to stop working in agents for Wazuh v4.2.0. (#9975)
-
Core:
- Added support for bookmarks in Logcollector, allowing to follow the log file at the point where the agent stopped. (#3368)
- Improved support for multi-line logs with a variable number of lines in Logcollector. (#5652)
- Added an option to limit the number of files per second in FIM. (#6830)
- Added a statistics file to Logcollector. Such data is also available via API queries. (#7109)
- Allow statistical data queries to the agent. (#7239)
- Allowed quoting in commands to group arguments in the command wodle and SCA checks. (#7307)
- Let agents running on Solaris send their IP to the manager. (#7408)
- New option
<ip_update_interval>
to set how often the agent refresh its IP address. (#7444) - Added support for testing location information in Wazuh Logtest. (#7661)
- Added Vulnerability Detector reports to Wazuh DB to know which CVE’s affect an agent. (#7731)
- Introduced an option to enable or disable listening Authd TLS port. (#8755)
-
API:
- Added new endpoint to get agent stats from different components. (#7200)
- Added new endpoint to modify users' allow_run_as flag. (#7588)
- Added new endpoint to get vulnerabilities that affect an agent. (#7647)
- Added API configuration validator. (#7803)
- Added the capability to disable the max_request_per_minute API configuration option using 0 as value. (#8115)
-
Ruleset:
- Decoders
- Rules
- SCA
-
Cluster:
- Improved the cluster nodes integrity calculation process. It only calculates the MD5 of the files that have been modified since the last integrity check. (#8175)
- Changed the synchronization of agent information between cluster nodes to complete the synchronization in a single task for each worker. (#8182)
- Changed cluster logs to show more useful information. (#8002)
-
Core:
- Wazuh daemons have been renamed to a unified standard. (#6912)
- Wazuh CLIs have been renamed to a unified standard. (#6903)
- Wazuh internal directories have been renamed to a unified standard. (#6920)
- Prevent a condition in FIM that may lead to a memory error. (#6759)
- Let FIM switch to real-time mode for directories where who-data is not available (Audit in immutable mode). (#6828)
- Changed the Active Response protocol to receive messages in JSON format that include the full alert. (#7317)
- Changed references to the product name in logs. (#7264)
- Syscollector now synchronizes its database with the manager, avoiding full data delivery on each scan. (#7379)
- Remoted now supports both TCP and UDP protocols simultaneously. (#7541)
- Improved the unit tests for the os_net library. (#7595)
- FIM now removes the audit rules when their corresponding symbolic links change their target. (#6999)
- Compilation from sources now downloads the external dependencies prebuilt. (#7797)
- Added the old implementation of Logtest as
wazuh-logtest-legacy
. (#7807) - Improved the performance of Analysisd when running on multi-core hosts. (#7974)
- Agents now report the manager when they stop. That allows the manager to log an alert and immediately set their state to "disconnected". (#8021)
- Wazuh building is now independent from the installation directory. (#7327)
- The embedded python interpreter is provided in a preinstalled, portable package. (#7327)
- Wazuh resources are now accessed by a relative path to the installation directory. (#7327)
- The error log that appeared when the agent cannot connect to SCA has been switched to warning. (#8201)
- The agent now validates the Audit connection configuration when enabling whodata for FIM on Linux. (#8921)
-
API:
- Removed ruleset version from
GET /cluster/{node_id}/info
andGET /manager/info
as it was deprecated. (#6904) - Changed the
POST /groups
endpoint to specify the group name in a JSON body instead of in a query parameter. (#6909) - Changed the
PUT /active-response
endpoint function to create messages with the new JSON format. (#7312) - New parameters added to
DELETE /agents
endpoint andolder_than
field removed from response. (#6366) - Changed login security controller to avoid errors in Restful API reference links. (#7909)
- Changed the PUT /agents/group/{group_id}/restart response format when there are no agents assigned to the group. (#8123)
- Agent keys used when adding agents are now obscured in the API log. (#8149)
- Improved all agent restart endpoints by removing active-response check. (#8457)
- Improved API requests processing time by applying cache to token RBAC permissions extraction. It will be invalidated if any resource related to the token is modified. (#8615)
- Increased to 100000 the maximum value accepted for
limit
API parameter, default value remains at 500. (#8841)
- Removed ruleset version from
-
Framework:
- Improved agent insertion algorithm when Authd is not available. (#8682)
-
Ruleset:
- The ruleset was normalized according to the Wazuh standard. (#6867)
- Rules
- Decoders
- Changed Active Response Decoders. (#7317)
- Changed Auditd Decoders. (#7289)
- Changed Checkpoint Smart1 Decoders. (#8676)
- Changed Cisco ASA Decoders. (#7289)
- Changed Cisco IOS Decoders. (#7289)
- Changed Kernel Decoders. (#7837)
- Changed OpenLDAP Decoders. (#7289)
- Changed Ossec Decoders. (#7260)
- Changed Sophos Decoders. (#7289)
- Changed PFsense Decoders. (#7289)
- Changed Panda PAPS Decoders. (#8676)
-
External dependencies:
-
Cluster:
- Fixed memory usage when creating cluster messages. (#6736)
- Fixed a bug when unpacking incomplete headers in cluster messages. (#8142)
- Changed error message to debug when iterating a file listed that is already deleted. (#8499)
- Fixed cluster timeout exceptions. (#8901)
- Fixed unhandled KeyError when an error command is received in any cluster node. (#8872)
- Fixed unhandled cluster error in send_string() communication protocol. (#8943)
-
Core:
- Fixed a bug in FIM when setting scan_time to "12am" or "12pm". (#6934)
- Fixed a bug in FIM that produced wrong alerts when the file limit was reached. (#6802)
- Fixed a bug in Analysisd that reserved the static decoder field name "command" but never used it. (#7105)
- Fixed evaluation of fields in the tag
<description>
of rules. (#7073) - Fixed bugs in FIM that caused symbolic links to not work correctly. (#6789)
- Fixed path validation in FIM configuration. (#7018)
- Fixed a bug in the "ignore" option on FIM where relative paths were not resolved. (#7018)
- Fixed a bug in FIM that wrongly detected that the file limit had been reached. (#7268)
- Fixed a bug in FIM that did not produce alerts when a domain user deleted a file. (#7265)
- Fixed Windows agent compilation with GCC 10. (#7359)
- Fixed a bug in FIM that caused to wrongly expand environment variables. (#7332)
- Fixed the inclusion of the rule description in archives when matched a rule that would not produce an alert. (#7476)
- Fixed a bug in the regex parser that did not accept empty strings. (#7495)
- Fixed a bug in FIM that did not report deleted files set with real-time in agents on Solaris. (#7414)
- Fixed a bug in Remoted that wrongly included the priority header in syslog when using TCP. (#7633)
- Fixed a stack overflow in the XML parser by limiting 1024 levels of recursion. (#7782)
- Prevented Vulnerability Detector from scanning all the agents in the master node that are connected to another worker. (#7795)
- Fixed an issue in the database sync module that left dangling agent group files. (#7858)
- Fixed memory leaks in the regex parser in Analysisd. (#7919)
- Fixed a typo in the initial value for the hotfix scan ID in the agents' database schema. (#7905)
- Fixed a segmentation fault in Vulnerability Detector when parsing an unsupported package version format. (#8003)
- Fixed false positives in FIM when the inode of multiple files change, due to file inode collisions in the engine database. (#7990)
- Fixed the error handling when wildcarded Redhat feeds are not found. (#6932)
- Fixed the
equals
comparator for OVAL feeds in Vulnerability Detector. (#7862) - Fixed a bug in FIM that made the Windows agent crash when synchronizing a Windows Registry value that starts with a colon (
:
). (#8098 #8143) - Fixed a starving hazard in Wazuh DB that might stall incoming requests during the database commitment. (#8151)
- Fixed a race condition in Remoted that might make it crash when closing RID files. (#8224)
- Fixed a descriptor leak in the agent when failed to connect to Authd. (#8789)
- Fixed a potential error when starting the manager due to a delay in the creation of Analysisd PID file. (#8828)
- Fixed an invalid memory access hazard in Vulnerability Detector. (#8551)
- Fixed an error in the FIM decoder at the manager when the agent reports a file with an empty ACE list. (#8571)
- Prevented the agent on macOS from getting corrupted after an operating system upgrade. (#8620)
- Fixed an error in the manager that could not check its configuration after a change by the API when Active response is disabled. (#8357)
- Fixed a problem in the manager that left remote counter and agent group files when removing an agent. (#8630)
- Fixed an error in the agent on Windows that could corrupt the internal FIM databas due to disabling the disk sync. (#8905)
- Fixed a crash in Logcollector on Windows when handling the position of the file. (#9364)
- Fixed a buffer underflow hazard in Remoted when handling input messages. Thanks to Johannes Segitz (@jsegitz). (#9285)
- Fixed a bug in the agent that tried to verify the WPK CA certificate even when verification was disabled. (#9547)
-
API:
- Fixed wrong API messages returned when getting agents' upgrade results. (#7587)
- Fixed wrong
user
string in API logs when receiving responses with status codes 308 or 404. (#7709) - Fixed API errors when cluster is disabled and node_type is worker. (#7867)
- Fixed redundant paths and duplicated tests in API integration test mapping script. (#7798)
- Fixed an API integration test case failing in test_rbac_white_all and added a test case for the enable/disable run_as endpoint.(8014)
- Fixed a thread race condition when adding or deleting agents without authd (8148)
- Fixed CORS in API configuration. (#8496)
- Fixed api.log to avoid unhandled exceptions on API timeouts. (#8887)
-
Ruleset:
- Fixed usb-storage-attached regex pattern to support blank spaces. (#7837)
- Fixed SCA checks for RHEL7 and CentOS 7. Thanks to J. Daniel Medeiros (@jdmedeiros). (#7645)
- Fixed the match criteria of the AWS WAF rules. (#8111)
- Fixed sample log in sudo decoders.
- Fixed Pix Decoders match regex. (#7485)
- Fixed regex in Syslog Rules. (#7289)
- Fixed category in PIX Rules. (#7289)
- Fixed authentication tag in group for MSauth Rules. (#7289)
- Fixed match on Nginx Rules. (#7122)
- Fixed sample log on Netscaler Rules. (#7783)
- Fixed match field for rules 80441 and 80442 in Amazon Rules. (#8111)
- Fixed sample logs in Owncloud Rules. (#7122)
- Fixed authentication tag in group for Win Security Rules. (#7289)
- Fixed sample log in Win Security Rules. (#7783)
- Fixed sample log in Win Application Rules. (#7783)
- Fixed mitre block in Paloalto Rules. (#7783)
-
Modules:
- Fixed an error when trying to use a non-default aws profile with CloudWatchLogs (#9331)
-
Core:
-
API:
-
Framework:
- Deprecated
update_ruleset
script. (#6904)
- Deprecated
-
Ruleset
- Removed rule 51004 from Dropbear Rules. (#7289)
- Remuved rules 23508, 23509 and 23510 from Vulnerability Detector Rules.
- Core:
- Fixed a bug in Vulnerability Detector that made Modulesd crash while updating the NVD feed due to a missing CPE entry. (4cbd1e8)
- Cluster:
- Fixed workers reconnection after restarting master node. Updated
asyncio.Task.all_tasks
method removed in Python 3.9. (#8017)
- Fixed workers reconnection after restarting master node. Updated
- External dependencies:
- Upgraded Python version from 3.8.6 to 3.9.2 and several Python dependencies. (#7943)
-
Core:
-
API:
- Fixed validation for absolute and relative paths. (#7906)
-
Core:
-
API:
- API logs showing request parameters and body will be generated with API log level
info
instead ofdebug
. (#7735)
- API logs showing request parameters and body will be generated with API log level
-
External dependencies:
- Upgraded aiohttp version from 3.6.2 to 3.7.4. (#7734)
- Core:
- Fix a bug in the unit tests that randomly caused false failures. (#7723)
- Fixed a bug in the Analysisd configuration that did not apply the setting
json_null_fields
. (#7711) - Fixed the checking of the option
ipv6
in Remoted. (#7737) - Fixed the checking of the option
rids_closing_time
in Remoted. (#7746)
-
External dependencies:
-
API:
-
External dependencies:
-
API:
- Added raw parameter to GET /manager/configuration and GET cluster/{node_id}/configuration to load ossec.conf in xml format. (#7565)
- API:
- Fixed an error with the RBAC permissions in the
GET /groups
endpoint. (#7328) - Fixed a bug with Windows registries when parsing backslashes. (#7309)
- Fixed an error with the RBAC permissions when assigning multiple
agent:group
resources to a policy. (#7393) - Fixed an error with search parameter when using special characters. (#7301)
- Fixed an error with the RBAC permissions in the
- AWS Module:
- Fixed a bug that caused an error when attempting to use an IAM Role with CloudWatchLogs service. (#7330)
- Framework:
- Core:
- Fixed a bug in Windows agent that did not honor the buffer's EPS limit. (#7333)
- Fixed a bug in Integratord that might lose alerts from Analysisd due to a race condition. (#7338)
- Silence the error message when the Syslog forwarder reads an alert with no rule object. (#7539)
- Fixed a memory leak in Vulnerability Detector when updating NVD feeds. (#7559)
- Prevent FIM from raising false positives about group name changes due to a thread unsafe function. (#7589)
- API:
- Deprecated /manager/files and /cluster/{node_id}/files endpoints. (#7209)
- Core:
- Allow negation of expressions in rules. (#6258)
- Support for PCRE2 regular expressions in rules and decoders. (#6480)
- Added new ruleset test module. Allow testing and verification of rules and decoders using Wazuh User Interface. (#5337)
- Added new upgrade module. WPK upgrade feature has been moved to this module, which offers support for cluster architecture and simultaneous upgrades. (#5387)
- Added new task module. This module stores and manages all the tasks that are executed in the agents or managers. (#5386)
- Let the time interval to detect that an agent got disconnected configurable. Deprecate parameter
DISCON_TIME
. (#6396) - Added support to macOS in Vulnerability Detector. (#6532)
- Added the capability to perform FIM on values in the Windows Registry. (#6735)
- API:
- Added endpoints to query and manage Rootcheck data. (#6496)
- Added new endpoint to check status of tasks. (#6029)
- Added new endpoints to run the logtest tool and delete a logtest session. (#5984)
- Added debug2 mode for API log and improved debug mode. (#6822)
- Added missing secure headers for API responses. (#7024)
- Added new config option to disable uploading configurations containing remote commands. (#7016)
- AWS Module:
- Added support for AWS load balancers (Application Load Balancer, Classic Load Balancer and Network Load Balancer). (#6034)
- Framework:
- Core:
- Removed the limit of agents that a manager can support. (#6097)
- Moved CA configuration section to verify WPK signatures from
active-response
section toagent-upgrade
section. (#5929) - The tool ossec-logtest has been renamed to wazuh-logtest, and it uses a new testing service integrated in Analysisd. (#6103)
- Changed error message to debug when multiple daemons attempt to remove an agent simultaneously (#6185)
- Changed error message to warning when the agent fails to reach a module. (#5817)
- API:
- Framework:
- Refactored framework to work with new upgrade module. (#5537)
- Refactored agent upgrade CLI to work with new ugprade module. It distributes petitions in a clustered environment. (#5675)
- Changed rule and decoder details structure to support PCRE2. (#6318)
- Changed access to agent's status. (#6326)
- Improved AWS Config integration to avoid performance issues by removing alert fields with variables such as Instance ID in its name. (#6537)
- Core:
- Fixed error in Analysisd when getting the ossec group ID. (#6688)
- Prevented FIM from reporting configuration error when setting patterns that match no files. (#6187)
- Fixed the array parsing when building JSON alerts. (#6687)
- Added Firefox ESR to the CPE helper to distinguish it from Firefox when looking for vulnerabilities. (#6610)
- Fixed the evaluation of packages from external sources with the official vendor feeds in Vulnerability Detector. (#6611)
- Fixed the handling of duplicated tags in the Vulnerability Detector configuration. (#6683)
- Fixed the validation of hotfixes gathered by Syscollector. (#6706)
- Fixed the reading of the Linux OS version when
/etc/os-release
doesn't provide it. (#6674) - Fixed a false positive when comparing the minor target of CentOS packages in Vulnerability Detector. (#6709)
- Fixed a zombie process leak in Modulesd when using commands without a timeout. (#6719)
- Fixed a race condition in Remoted that might create agent-group files with wrong permissions. (#6833)
- Fixed a warning log in Wazuh DB when upgrading the global database. (#6697)
- Fixed a bug in FIM on Windows that caused false positive due to changes in the host timezone or the daylight saving time when monitoring files in a FAT32 filesystem. (#6801)
- Fixed the purge of the Redhat vulnerabilities database before updating it. (#7050)
- Fixed a condition race hazard in Authd that may prevent the daemon from updating client.keys after adding an agent. (#7271)
- API:
- Fixed an error with
/groups/{group_id}/config
endpoints (GET and PUT) when using complexlocalfile
configurations. (#6276)
- Fixed an error with
- Framework:
- API:
- API:
- API:
- Fixed a path traversal flaw (CVE-2021-26814) affecting 4.0.0 to 4.0.3 at
/manager/files
and/cluster/{node_id}/files
endpoints. (#7131)
- Fixed a path traversal flaw (CVE-2021-26814) affecting 4.0.0 to 4.0.3 at
- Framework:
- Fixed a bug with add_manual(agents) function when authd is disabled. (#7135)
- Core:
- Fixed the purge of the Redhat vulnerabilities database before updating it. (#7133)
- API:
- Fixed a problem with certain API calls exceeding timeout in highly loaded cluster environments. (#6753)
- Core:
- Added macOS Big Sur version detection in the agent. (#6603)
- API:
- API:
- Framework:
- Core:
- Fixed a bug in Remoted that limited the maximum agent number to
MAX_AGENTS-3
instead ofMAX_AGENTS-2
. (#4560) - Fixed an error in the network library when handling disconnected sockets. (#6444)
- Fixed an error in FIM when handling temporary files and registry keys exceeding the path size limit. (#6538)
- Fixed a bug in FIM that stopped monitoring folders pointed by a symbolic link. (#6613)
- Fixed a race condition in FIM that could cause Syscheckd to stop unexpectedly. (#6696)
- Fixed a bug in Remoted that limited the maximum agent number to
- Framework:
- Updated Python's cryptography library to version 3.2.1 (#6442)
- API:
- Framework:
- Fixed zip files compression and handling in cluster integrity synchronization. (#6367)
- Core
- Added enrollment capability. Agents are now able to request a key from the manager if current key is missing or wrong. (#5609)
- Migrated the agent-info data to Wazuh DB. (#5541)
- API:
- Embedded Wazuh API with Wazuh Manager, there is no need to install Wazuh API. (9860823)
- Migrated Wazuh API server from nodejs to python. (#2640)
- Added asynchronous aiohttp server for the Wazuh API. (#4474)
- New Wazuh API is approximately 5 times faster on average. (#5834)
- Added OpenAPI based Wazuh API specification. (#2413)
- Improved Wazuh API reference documentation based on OpenAPI spec using redoc. (#4967)
- Added new yaml Wazuh API configuration file. (#2570)
- Added new endpoints to manage API configuration and deprecated configure_api.sh. (#2570)
- Added RBAC support to Wazuh API. (#3287)
- Added new endpoints for Wazuh API security management. (#3410)
- Added SQLAlchemy ORM based database for RBAC. (#3375)
- Added new JWT authentication method. (7080ac3)
- Wazuh API up and running by default in all nodes for a clustered environment.
- Added new and improved error handling. (#2843 (#5345)
- Added tavern and docker based Wazuh API integration tests. (#3612)
- Added new and unified Wazuh API responses structure. (3421015)
- Added new endpoints for Wazuh API users management. (#3280)
- Added new endpoint to restart agents which belong to a node. (#5381)
- Added and improved q filter in several endpoints. (#5431)
- Tested and improved Wazuh API security. (#5318)
- Vulnerability Detector:
- Redhat vulnerabilities are now fetched from OVAL benchmarks. (#5352)
- Debian vulnerable packages are now fetched from the Security Tracker. (#5304)
- The Debian Security Tracker feed can be loaded from a custom location. (#5449)
- The package vendor is used to discard vulnerabilities. (#5330)
- Allow compressed feeds for offline updates. (#5745)
- The manager now updates the MSU feed automatically. (#5678)
- CVEs with no affected version defined in all the feeds are now reported. (#5284)
- CVEs vulnerable for the vendor and missing in the NVD are now reported. (#5305)
- File Integrity Monitoring:
- Added options to limit disk usage using report changes option in the FIM module. (#5157)
- Added and updated framework unit tests to increase coverage. (#3287)
- Added improved support for monitoring paths from environment variables. (#4961)
- Added
base64_log
format to the log builder for Logcollector. (#5273)
- Changed the default manager-agent connection protocol to TCP. (#5696)
- Disable perpetual connection attempts to modules. (#5622)
- Unified the behaviour of Wazuh daemons when reconnecting with unix sockets. (#4510)
- Changed multiple Wazuh API endpoints. (#2640) (#2413)
- Refactored framework module in SDK and core. (#5263)
- Refactored FIM Windows events handling. (#5144)
- Changed framework to access global.db using wazuh-db. (#6095)
- Changed agent-info synchronization task in Wazuh cluster. (#5585)
- Use the proper algorithm name for SHA-256 inside Prelude output. Thanks to François Poirotte (@fpoirotte). (#5004)
- Elastic Stack configuration files have been adapted to Wazuh v4.x. (#5796)
- Explicitly use Bash for the Pagerduty integration. Thanks to Chris Kruger (@montdidier). (#4641)
- Vulnerability Detector:
- Vulnerabilities of Windows Server 2019 which not affects to Windows 10 were not being reported. (#5524)
- Vulnerabilities patched by a Microsoft update with no supersedence were not being reported. (#5524)
- Vulnerabilities patched by more than one Microsoft update were not being evaluated agains all the patches. (#5717)
- Duplicated alerts in Windows 10. (#5600)
- Syscollector now discards hotfixes that are not fully installed. (#5792)
- Syscollector now collects hotfixes that were not being parsed. (#5792)
- Update Windows databases when
run_on_start
is disabled. (#5335) - Fixed the NVD version comparator to remove undesired suffixes. (#5362)
- Fixed not escaped single quote in vuln detector SQL query. (#5570)
- Unified alerts title. (#5826)
- Fixed potential error in the GZlib when uncompressing NVD feeds. (#5989)
- File Integrity Monitoring:
- Fixed an error with last scan time in Syscheck API endpoints. (a9acd3a)
- Fixed support for monitoring directories which contain commas. (#4961)
- Fixed a bug where configuring a directory to be monitored as real-time and whodata resulted in real-time prevailing. (#4961)
- Fixed using an incorrect mutex while deleting inotify watches. (#5126)
- Fixed a bug which could cause multiple FIM threads to request the same temporary file. (#5213)
- Fixed a bug where deleting a file permanently in Windows would not trigger an alert. (#5144)
- Fixed a typo in the file monitoring options log entry. (#5591)
- Fixed an error where monitoring a drive in Windows under scheduled or realtime mode would generate alerts from the recycle bin. (#4771)
- When monitoring a drive in Windows in the format
U:
, it will monitorU:\
instead of the agent's working directory. (#5259) - Fixed a bug where monitoring a drive in Windows with
recursion_level
set to 0 would trigger alerts from files inside its subdirectories. (#5235)
- Fixed an Azure wodle dependency error. The package azure-storage-blob>12.0.0 does not include a component used. (#6109)
- Fixed bugs reported by GCC 10.1.0. (#5119)
- Fixed compilation errors with
USE_PRELUDE
enabled. Thanks to François Poirotte (@fpoirotte). (#5003) - Fixed default gateway data gathering in Syscollector on Linux 2.6. (#5548)
- Fixed the Eventchannel collector to keep working when the Eventlog service is restarted. (#5496)
- Fixed the OpenSCAP script to work over Python 3. (#5317)
- Fixed the launcher.sh generation in macOS source installation. (#5922)
- Removed Wazuh API cache endpoints. (#3042)
- Removed Wazuh API rootcheck endpoints. (#5246)
- Deprecated Debian Jessie and Wheezy for Vulnerability Detector (EOL). (#5660)
- Removed references to
manage_agents
in the installation process. (#5840) - Removed compatibility with deprecated configuration at Vulnerability Detector. (#5879)
- Fixed a crash in Vuln Detector when scanning agents running on Windows (backport from 4.3.2). (#13624)
- Fixed a bug in Vulnerability Detector that made Modulesd crash while updating the NVD feed due to a missing CPE entry. (#8346)
- Updated the default NVD feed URL from 1.0 to 1.1 in Vulnerability Detector. (#6056)
- Added two new settings <max_retries> and <retry_interval> to adjust the agent failover interval. (#5433)
- Fixed a crash in Modulesd caused by Vulnerability Detector when skipping a kernel package if the agent has OS info disabled. (#5467)
- Vulnerability Detector improvements. (#5097)
- Include the NVD as feed for Linux agents in Vulnerability Detector.
- Improve the Vulnerability Detector engine to correlate alerts between different feeds.
- Add Vulnerability Detector module unit testing for Unix source code.
- A timeout has been added to the updates of the vulnerability detector feeds to prevent them from getting hung up. (#5153)
- New option for the JSON decoder to choose the treatment of Array structures. (#4836)
- Added mode value (real-time, Who-data, or scheduled) as a dynamic field in FIM alerts. (#5051)
- Set a configurable maximum limit of files to be monitored by FIM. (#4717)
- New integration for pull logs from Google Cloud Pub/Sub. (#4078)
- Added support for MITRE ATT&CK knowledge base. (#3746)
- Microsoft Software Update Catalog used by vulnerability detector added as a dependency. (#5101)
- Added support for
aarch64
andarmhf
architectures. (#5030)
- Internal variable rt_delay configuration changes to 5 milliseconds. (#4760)
- Who-data includes new fields: process CWD, parent process id, and CWD of parent process. (#4782)
- FIM opens files with shared deletion permission. (#5018)
- Extended the statics fields comparison in the ruleset options. (#4416)
- The state field was removed from vulnerability alerts. (#5211)
- The NVD is now the primary feed for the vulnerability detector in Linux. (#5097)
- Removed OpenSCAP policies installation and configuration block. (#5061)
- Changed the internal configuration of Analysisd to be able to register by default a number of agents higher than 65536. (#4332)
- Changed
same/different_systemname
forsame/different_system_name
in Analysisd static filters. (#5131) - Updated the internal Python interpreter from v3.7.2 to v3.8.2. (#5030)
- Fixed a bug that, in some cases, kept the memory reserved when deleting monitored directories in FIM. (#5115)
- Freed Inotify watches moving directories in the real-time mode of FIM. (#4794)
- Fixed an error that caused deletion alerts with a wrong path in Who-data mode. (#4831)
- Fixed generating alerts in Who-data mode when moving directories to the folder being monitored in Windows. (#4762)
- Avoid truncating the full log field of the alert when the path is too long. (#4792)
- Fixed the change of monitoring from Who-data to real-time when there is a failure to set policies in Windows. (#4753)
- Fixed an error that prevents restarting Windows agents from the manager. (#5212)
- Fixed an error that impedes the use of the tag URL by configuring the NVD in a vulnerability detector module. (#5165)
- Fixed TOCTOU condition in Clusterd when merging agent-info files. (#5159)
- Fixed race condition in Analysisd when handling accumulated events. (#5091)
- Avoided to count links when generating alerts for ignored directories in Rootcheck. Thanks to Artur Molchanov (@Hexta). (#4603)
- Fixed typo in the path used for logging when disabling an account. Thanks to Fontaine Pierre (@PierreFontaine). (#4839)
- Fixed an error when receiving different Syslog events in the same TCP packet. (#5087)
- Fixed a bug in Vulnerability Detector on Modulesd when comparing Windows software versions. (#5168)
- Fixed a bug that caused an agent's disconnection time not to be displayed correctly. (#5142)
- Optimized the function to obtain the default gateway. Thanks to @WojRep
- Fixed host verification when signing a certificate for the manager. (#4963)
- Fixed possible duplicated ID on 'client.keys' adding new agent through the API with a specific ID. (#4982)
- Avoid duplicate descriptors using wildcards in 'localfile' configuration. (#4977)
- Added guarantee that all processes are killed when service stops. (#4975)
- Fixed mismatch in integration scripts when the debug flag is set to active. (#4800)
- Disable WAL in databases handled by Wazuh DB to save disk space. (#4949)
- Fixed a bug in Remoted that could prevent agents from connecting in UDP mode. (#4897)
- Fixed a bug in the shared library that caused daemons to not find the ossec group. (#4873)
- Prevent Syscollector from falling into an infinite loop when failed to collect the Windows hotfixes. (#4878)
- Fixed a memory leak in the system scan by Rootcheck on Windows. (#4948)
- Fixed a bug in Logcollector that caused the out_format option not to apply for the agent target. (#4942)
- Fixed a bug that caused FIM to not handle large inode numbers correctly. (#4914)
- Fixed a bug that made ossec-dbd crash due to a bad mutex initialization. (#4552)
- Fixed a bug in Vulnerability Detector that made wazuh-modulesd crash when parsing the version of a package from a RHEL feed. (#4885)
- Updated MSU catalog on 31/03/2020. (#4819)
- Fixed compatibility with the Vulnerability Detector feeds for Ubuntu from Canonical, that are available in a compressed format. (#4834)
- Added missing field ‘database’ to the FIM on-demand configuration report. (#4785)
- Fixed a bug in Logcollector that made it forward a log to an external socket infinite times. (#4802)
- Fixed a buffer overflow when receiving large messages from Syslog over TCP connections. (#4778)
- Fixed a malfunction in the Integrator module when analyzing events without a certain field. (#4851)
- Fix XML validation with paths ending in
\
. (#4783)
- Removed support for Ubuntu 12.04 (Precise) in Vulneratiliby Detector as its feed is no longer available.
- Add synchronization capabilities for FIM. (#3319)
- Add SQL database for the FIM module. Its storage can be switched between disk and memory. (#3319)
- Add support for monitoring AWS S3 buckets in GovCloud regions. (#3953)
- Add support for monitoring Cisco Umbrella S3 buckets. (#3890)
- Add automatic reconnection with the Eventchannel service when it is restarted. (#3836)
- Add a status validation when starting Wazuh. (#4237)
- Add FIM module unit testing for Unix source code. (#4688)
- Add multi-target support for unit testing. (#4564)
- Add FIM module unit testing for Windows source code. (#4633)
- Move the FIM logic engine to the agent. (#3319)
- Make Logcollector continuously attempt to reconnect with the agent daemon. (#4435)
- Make Windows agents to send the keep-alive independently. (#4077)
- Do not enforce source IP checking by default in the registration process. (#4083)
- Updated API manager/configuration endpoint to also return the new synchronization and whodata syscheck fields (#4241)
- Disabled the chroot jail in Agentd on UNIX.
- Avoid reopening the current socket when Logcollector fails to send a event. (#4696)
- Prevent Logcollector from starving when has to reload files. (#4730)
- Fix a small memory leak in clusterd. (#4465)
- Fix a crash in the fluent forwarder when SSL is not enabled. (#4675)
- Replace non-reentrant functions to avoid race condition hazards. (#4081)
- Fixed the registration of more than one agent as
any
when forcing to use the source IP. (#2533) - Fix Windows upgrades in custom directories. (#2534)
- Fix the format of the alert payload passed to the Slack integration. (#3978)
- Remove chroot in Agentd to allow it resolve DNS at any time. (#4652)
- Fixed a bug in the Windows agent that made Rootcheck report false positives about file size mismatch. (#4493)
- Optimized memory usage in Vulnerability Detector when fetching the NVD feed. (#4427)
- Rootcheck scan produced a 100% CPU peak in Syscheckd because it applied
<readall>
option even when disabled. (#4415) - Fixed a handler leak in Rootcheck and SCA on Windows agents. (#4456)
- Prevent Remoted from exiting when a client closes a connection prematurely. (#4390)
- Fixed crash in Slack integration when handling an alert with no description. (#4426)
- Fixed Makefile to allow running scan-build for Windows agents. (#4314)
- Fixed a memory leak in Clusterd. (#4448)
- Disable TCP keepalive options at os_net library to allow building Wazuh on OpenBSD. (#4462)
- The Windows Eventchannel log decoder in Analysisd maxed out CPU usage due to an infinite loop. (#4412)
- Add support to Windows agents for vulnerability detector. (#2787)
- Add support to Debian 10 Buster for vulnerability detector (by @aderumier). (#4151)
- Make the Wazuh service to start after the network systemd unit (by @VAdamec). (#1106)
- Add process inventory support for Mac OS X agents. (#3322)
- Add port inventory support for MAC OS X agents. (#3349)
- Make Analysisd compile the CDB list upon start. (#3488)
- New rules option
global_frequency
to make frequency rules independent from the event source. (#3931) - Add a validation for avoiding agents to keep trying to connect to an invalid address indefinitely. (#3951)
- Add the condition field of SCA checks to the agent databases. (#3631)
- Display a warning message when registering to an unverified manager. (#4207)
- Allow JSON escaping for logs on Logcollector's output format. (#4273)
- Add TCP keepalive support for Fluent Forwarder. (#4274)
- Add the host's primary IP to Logcollector's output format. (#4380)
- Now EventChannel alerts include the full message with the translation of coded fields. (#3320)
- Changed
-G
agent-auth description in help message. (#3856) - Unified the Makefile flags allowed values. (#4034)
- Let Logcollector queue file rotation and keepalive messages. (#4222)
- Changed default paths for the OSQuery module in Windows agents. (#4148)
- Fluent Forward now packs the content towards Fluentd into an object. (#4334)
- Fix frequency rules to be increased for the same agent by default. (#3931)
- Fix
protocol
,system_name
,data
andextra_data
static fields detection. (#3591) - Fix overwriting agents by
Authd
whenforce
option is less than 0. (#3527) - Fix Syscheck
nodiff
option for substring paths. (#3015) - Fix Logcollector wildcards to not detect directories as log files. (#3788)
- Make Slack integration work with agentless alerts (by @dmitryax). (#3971)
- Fix bugs reported by Clang analyzer. (#3887)
- Fix compilation errors on OpenBSD platform. (#3105)
- Fix on-demand configuration labels section to obtain labels attributes. (#3490)
- Fixed race condition between
wazuh-clusterd
andwazuh-modulesd
showing a 'No such file or directory' incluster.log
when synchronizing agent-info files in a cluster environment (#4007) - Fixed 'ConnectionError object has no attribute code' error when package repository is not available (#3441)
- Fix the blocking of files monitored by Who-data in Windows agents. (#3872)
- Fix the processing of EventChannel logs with unexpected characters. (#3320)
- Active response Kaspersky script now logs the action request in active-responses.log (#2748)
- Fix service's installation path for CentOS 8. (#4060)
- Add macOS Catalina to the list of detected versions. (#4061)
- Prevent FIM from producing false negatives due to wrong checksum comparison. (#4066)
- Fix
previous_output
count for alerts when matching by group. (#4097) - Fix event iteration when evaluating contextual rules. (#4106)
- Fix the use of
prefilter_cmd
remotely by a new local optionallow_remote_prefilter_cmd
. (#4178 & 4194) - Fix restarting agents by group using the API when some of them are in a worker node. (#4226)
- Fix error in Fluent Forwarder that requests an user and pass although the server does not need it. (#3910)
- Fix FTS data length bound mishandling in Analysisd. (#4278)
- Fix a memory leak in Modulesd and Agentd when Fluent Forward parses duplicate options. (#4334)
- Fix an invalid memory read in Agentd when checking a remote configuration containing an invalid stanza inside
<labels>
. (#4334) - Fix error using force_reload and the eventchannel format in UNIX systems. (#4294)
- Fix error in Logcollector when reloading localfiles with timestamp wildcards. (#3995)
- Fix error after removing a high volume of agents from a group using the Wazuh API. (#3907)
- Fix error in Remoted when reloading agent keys (busy resource). (#3988)
- Fix invalid read in Remoted counters. (#3989)
- Add framework function to obtain full summary of agents. (#3842)
- SCA improvements. (#3286)
- Extend duplicate file detection for LogCollector. (#3867)
- Add HIPAA and NIST 800 53 compliance mapping as rule groups.(#3411 & #3420)
- Add SCA compliance groups to rule groups in alerts. (#3427)
- Add IPv6 loopback address to localhost list in DB output module (by @aquerubin). (#3140)
- Accept
]
and>
as terminal prompt characters for Agentless. (#3209)
- Modify logs for agent authentication issues by Remoted. (#3662)
- Make Syscollector logging messages more user-friendly. (#3397)
- Make SCA load by default all present policies at the default location. (#3607)
- Increase IPSIZE definition for IPv6 compatibility (by @aquerubin). (#3259)
- Replace local protocol definitions with Socket API definitions (by @aquerubin). (#3260)
- Improved error message when some of required Wazuh daemons are down. Allow restarting cluster nodes except when
ossec-execd
is down. (#3496) - Allow existing aws_profile argument to work with vpcflowlogs in AWS wodle configuration. Thanks to Adam Williams (@awill1988). (#3729)
- Fix exception handling when using an invalid bucket in AWS wodle (#3652)
- Fix error message when an AWS bucket is empty (#3743)
- Fix error when getting profiles in custom AWS buckets (#3786)
- Fix SCA integrity check when switching between manager nodes. (#3884)
- Fix alert email sending when no_full_log option is set in a rule. (#3174)
- Fix error in Windows who-data when handling the directories list. (#3883)
- Fix error in the hardware inventory collector for PowerPC architectures. (#3624)
- Fix the use of mutexes in the
OS_Regex
library. (#3533) - Fix invalid read in the
OS_Regex
library. (#3815) - Fix compilation error on FreeBSD 13 and macOS 10.14. (#3832)
- Fix typo in the license of the files. (#3779)
- Fix error in
execd
when upgrading agents remotely while auto-restarting. (#3437) - Prevent integrations from inheriting descriptors. (#3514)
- Overwrite rules label fix and rules features tests. (#3414)
- Fix typo: replace
readed
withread
. (#3328) - Introduce global mutex for Rootcheck decoder. (#3530)
- Fix errors reported by scan-build. (#3452 & #3785)
- Fix the handling of
wm_exec()
output.(#3486) - Fix FIM duplicated entries in Windows. (#3504)
- Remove socket deletion from epoll. (#3432)
- Let the sources installer support NetBSD. (#3444)
- Fix error message from openssl v1.1.1. (#3413)
- Fix compilation issue for local installation. (#3339)
- Fix exception handling when /tmp have no permissions and tell the user the problem. (#3401)
- Fix who-data alerts when audit logs contain hex fields. (#3909)
- Remove useless
select()
calls in Analysisd decoders. (#3964)
- Fixed a bug in the Framework that prevented Cluster and API from handling the file client.keys if it's mounted as a volume on Docker.
- Fixed a bug in Analysisd that printed the millisecond part of the alerts' timestamp without zero-padding. That prevented Elasticsearch 7 from indexing those alerts. (#3814)
- Prevent agent on Windows from including who-data on FIM events for child directories without who-data enabled, even if it's available. (#3601)
- Prevent Rootcheck configuration from including the
<ignore>
settings if they are empty. (#3634) - Wazuh DB will delete the agent DB-related files immediately when removing an agent. (#3691)
- Fixed bug in Remoted when correlating agents and their sockets in TCP mode. (#3602)
- Fix bug in the agent that truncated its IP address if it occupies 15 characters. (#3615)
- Logcollector failed to overwrite duplicate
<localfile>
stanzas. (#3616) - Analysisd could produce a double free if an Eventchannel message contains an invalid XML member. (#3626)
- Fixed defects in the code reported by Coverity. (#3627)
- Fixed bug in Analysisd when handling invalid JSON input strings. (#3648)
- Fix handling of SCA policies with duplicate ID in Wazuh DB. (#3668)
- Cluster could fail synchronizing some files located in Docker volumes. (#3669)
- Fix a handler leak in the FIM whodata engine for Windows. (#3690)
- The Docker listener module was storing and ignoring the output of the integration. (#3768)
- Fixed memory leaks in Syscollector for macOS agents. (#3795)
- Fix dangerous mutex initialization in Windows hosts. (#3805)
- Windows Eventchannel log collector will no longer report bookmarked events by default (those that happened while the agent was stopped). (#3485)
- Remoted will discard agent-info data not in UTF-8 format. (#3581)
- Osquery integration did not follow the osquery results file (osqueryd.results.log) as of libc 2.28. (#3494)
- Windows Eventchannnel log collector did not update the bookmarks so it reported old events repeatedly. (#3485)
- The agent sent invalid info data in the heartbeat message if it failed to get the host IP address. (#3555)
- Modulesd produced a memory leak when being queried for its running configuration. (#3564)
- Analysisd and Logtest crashed when trying rules having
<different_geoip>
and no<not_same_field>
stanza. (#3587) - Vulnerability Detector failed to parse the Canonical's OVAL feed due to a syntax change. (#3563)
- AWS Macie events produced erros in Elasticsearch. (#3608)
- Rules with
<list lookup="address_match_key" />
produced a false match if the CDB list file is missing. (#3609) - Remote configuration was missing the
<ignore>
stanzas for Syscheck and Rootcheck when defined as sregex. (#3617)
- Added support for Ubuntu 12.04 to the SCA configuration template. (#3361)
- Prevent the agent from stopping if it fails to resolve the manager's hostname on startup. (#3405)
- Prevent Remoted from logging agent connection timeout as an error, now it's a debugging log. (#3426)
- A configuration request to Analysisd made it crash if the option
<white_list>
is empty. (#3383) - Fixed error when uploading some configuration files through API in wazuh-docker environments. (#3335)
- Fixed error deleting temporary files during cluster synchronization. (#3379)
- Fixed bad permissions on agent-groups files synchronized via wazuh-clusterd. (#3438)
- Fixed bug in the database module that ignored agents registered with a network mask. (#3351)
- Fixed a memory bug in the CIS-CAT module. (#3406)
- Fixed a bug in the agent upgrade tool when checking the version number. (#3391)
- Fixed error checking in the Windows Eventchannel log collector. (#3393)
- Prevent Analysisd from crashing at SCA decoder due to a race condition calling a thread-unsafe function. (#3466)
- Fix a file descriptor leak in Modulesd on timeout when running a subprocess. (#3470)
- OpenSCAP.
- CIS-CAT.
- Command.
- Azure.
- SCA.
- AWS.
- Docker.
- Prevent Modulesd from crashing at Vulnerability Detector when updating a RedHat feed. (3458)
- Added directory existence checking for SCA rules. (#3246)
- Added line number to error messages when parsing YAML files. (#3325)
- Enhanced wildcard support for Windows Logcollector. (#3236)
- Changed the extraction point of the package name in the Vulnerability Detector OVALs. (#3245)
- Fixed SCA request interval option limit. (#3254)
- Fixed SCA directory checking. (#3235)
- Fixed potential out of bounds memory access. (#3285)
- Fixed CIS-CAT XML report parser. (#3261)
- Fixed .ssh folder permissions for Agentless. (#2660)
- Fixed repeated fields in SCA summary events. (#3278)
- Fixed command output treatment for the SCA module. (#3297)
- Fixed agent_upgrade tool to set the manager version as the default one. (#2721)
- Fixed execd crash when timeout list is not initialized. (#3316)
- Fixed support for reading large files on Windows Logcollector. (#3248)
- Fixed the manager restarting process via API on Docker. (#3273)
- Fixed the agent_info files synchronization between cluster nodes. (#3272)
- Removed 5-second reading timeout for File Integrity Monitoring scan. (#3366)
- New module to perform Security Configuration Assessment scans. (#2598)
- New Logcollector features. (#2929)
- Fluent forwarder for agents. (#2828)
- Collect network and port inventory for Windows XP/Server 2003. (#2464)
- Included inventory fields as dynamic fields in events to use them in rules. (#2441)
- Added an option startup_healthcheck in FIM so that the the who-data health-check is optional. (#2323)
- The real agent IP is reported by the agent and shown in alerts and the App interface. (#2577)
- Added support for organizations in AWS wodle. (#2627)
- Added support for hot added symbolic links in Whodata. (#2466)
- Added
-t
option towazuh-clusterd
binary (#2691). - Added options
same_field
andnot_same_field
in rules to correlate dynamic fields between events. (#2689) - Added optional daemons start by default. (#2769)
- Make the Windows installer to choose the appropriate
ossec.conf
file based on the System version. (#2773) - Added writer thread preference for Logcollector. (#2783)
- Added database deletion from Wazuh-DB for removed agents. (#3123)
- Introduced a network buffer in Remoted to cache incomplete messages from agents. This improves the performance by preventing Remoted from waiting for complete messages. (#2528)
- Improved alerts about disconnected agents: they will contain the data about the disconnected agent, although the alert is actually produced by the manager. (#2379)
- PagerDuty integration plain text alert support (by @spartantri). (#2403)
- Improved Remoted start-up logging messages. (#2460)
- Let agent_auth warn when it receives extra input arguments. (#2489)
- Update the who-data related SELinux rules for Audit 3.0. This lets who-data work on Fedora 29. (#2419)
- Changed data source for network interface's MAC address in Syscollector so that it will be able to get bonded interfaces' MAC. (#2550)
- Migrated unit tests from Check to TAP (Test Anything Protocol). (#2572)
- Now labels starting with
_
are reserved for internal use. (#2577) - Now AWS wodle fetches aws.requestParameters.disableApiTermination with an unified format (#2614)
- Improved overall performance in cluster (#2575)
- Some improvements has been made in the vulnerability-detector module. (#2603)
- Refactor of decoded fields from the Windows eventchannel decoder. (#2684)
- Deprecate global option
<queue_size>
for Analysisd. (#2729) - Excluded noisy events from Windows Eventchannel. (#2763)
- Replaced
printf
functions inagent-authd
. (#2830) - Replaced
strtoul()
using NULL arguments withatol()
in wodles config files. (#2801) - Added a more descriptive message for SSL error when agent-auth fails. (#2941)
- Changed the starting Analysisd messages about loaded rules from
info
todebug
level. (#2881) - Re-structured messages for FIM module. (#2926)
- Changed
diff
output in Syscheck for Windows. (#2969) - Replaced OSSEC e-mail subject with Wazuh in
ossec-maild
. (#2975) - Added keepalive in TCP to manage broken connections in
ossec-remoted
. (#3069) - Change default restart interval for Docker listener module to one minute. (#2679)
- Fixed error in Syscollector for Windows older than Vista when gathering the hardware inventory. (#2326)
- Fixed an error in the OSQuery configuration validation. (#2446)
- Prevent Integrator, Syslog Client and Mail forwarded from getting stuck while reading alerts.json. (#2498)
- Fixed a bug that could make an Agent running on Windows XP close unexpectedly while receiving a WPK file. (#2486)
- Fixed ossec-control script in Solaris. (#2495)
- Fixed a compilation error when building Wazuh in static linking mode with the Audit library enabled. (#2523)
- Fixed a memory hazard in Analysisd on log pre-decoding for short logs (less than 5 bytes). (#2391)
- Fixed defects reported by Cppcheck. (#2521)
- Double free in GeoIP data handling with IPv6.
- Buffer overlay when getting OS information.
- Check for successful memory allocation in Syscollector.
- Fix out-of-memory error in Remoted when upgrading an agent with a big data chunk. (#2594)
- Re-registered agent are reassigned to correct groups when the multigroup is empty. (#2440)
- Wazuh manager starts regardless of the contents of local_decoder.xml. (#2465)
- Let Remoted wait for download module availability. (#2517)
- Fix duplicate field names at some events for Windows eventchannel. (#2500)
- Delete empty fields from Windows Eventchannel alerts. (#2492)
- Fixed memory leak and crash in Vulnerability Detector. (#2620)
- Prevent Analysisd from crashing when receiving an invalid Syscollector event. (#2621)
- Fix a bug in the database synchronization module that left broken references of removed agents to groups. (#2628)
- Fixed restart service in AIX. (#2674)
- Prevent Execd from becoming defunct when Active Response disabled. (#2692)
- Fix error in Syscollector when unable to read the CPU frequency on agents. (#2740)
- Fix Windows escape format affecting non-format messages. (#2725)
- Avoid a segfault in mail daemon due to the XML tags order in the
ossec.conf
. (#2711) - Prevent the key updating thread from starving in Remoted. (#2761)
- Fixed error logging on Windows agent. (#2791)
- Let CIS-CAT decoder reuse the Wazuh DB connection socket. (#2800)
- Fixed issue with
agent-auth
options without argument. (#2808) - Fixed control of the frequency counter in alerts. (#2854)
- Ignore invalid files for agent groups. (#2895)
- Fixed invalid behaviour when moving files in Whodata mode. (#2888)
- Fixed deadlock in Remoted when updating the
keyentries
structure. (#2956) - Fixed error in Whodata when one of the file permissions cannot be extracted. (#2940)
- Fixed System32 and SysWOW64 event processing in Whodata. (#2935)
- Fixed Syscheck hang when monitoring system directories. (#3059)
- Fixed the package inventory for MAC OS X. (#3035)
- Translated the Audit Policy fields from IDs for Windows events. (#2950)
- Fixed broken pipe error when Wazuh-manager closes TCP connection. (#2965)
- Fixed whodata mode on drives other than the main one. (#2989)
- Fixed bug occurred in the database while removing an agent. (#2997)
- Fixed duplicated alerts for Red Hat feed in
vulnerability-detector
. (#3000) - Fixed bug when processing symbolic links in Whodata. (#3025)
- Fixed option for ignoring paths in rootcheck. (#3058)
- Allow Wazuh service on MacOSX to be available without restart. (#3119)
- Ensure
internal_options.conf
file is overwritten on Windows upgrades. (#3153) - Fixed the reading of the setting
attempts
of the Docker module. (#3067) - Fix a memory leak in Docker listener module. (#2679)
- Analysisd crashed when parsing a log from OpenLDAP due to a bug in the option
<accumulate>
. (#2456) - Modulesd closed unexpectedly if a command was defined without a
<tag>
option. (#2470) - The Eventchannel decoder was not being escaping backslashes correctly. (#2483)
- The Eventchannel decoder was leaving spurious trailing spaces in some fields. (#2484)
- Fixed memory leak in Logcollector when reading Windows eventchannel. (#2450)
- Fixed script parsing error in Solaris 10. (#2449)
- Fixed version comparisons on Red Hat systems. (By @orlando-jamie) (#2445)
- Logcollector extension for Windows eventchannel logs in JSON format. (#2142)
- Add options to detect attribute and file permission changes for Windows. (#1918)
- Added Audit health-check in the Whodata initialization. (#2180)
- Added Audit rules auto-reload in Whodata. (#2180)
- Support for new AWS services in the AWS wodle (#2242):
- AWS Config
- AWS Trusted Advisor
- AWS KMS
- AWS Inspector
- Add support for IAM roles authentication in EC2 instances.
- New module "Agent Key Polling" to integrate agent key request to external data sources. (#2127)
- Look for missing or old agent keys when Remoted detects an authorization failure.
- Request agent keys by calling a defined executable or connecting to a local socket.
- Get process inventory for Windows natively. (#1760)
- Improved vulnerability detection in Red Hat systems. (#2137)
- Add retries to download the OVAL files in vulnerability-detector. (#1832)
- Auto-upgrade FIM databases in Wazuh-DB. (#2147)
- New dedicated thread for AR command running on Windows agent. (#1725)
- This will prevent the agent from delaying due to an AR execution.
- New internal option to clean residual files of agent groups. (#1985)
- Add a manifest to run
agent-auth.exe
with elevated privileges. (#1998) - Compress
last-entry
files to check differences by FIM. (#2034) - Add error messages to integration scripts. (#2143)
- Add CDB lists building on install. (#2167)
- Update Wazuh copyright for internal files. (#2343)
- Added option to allow maild select the log file to read from. (#977)
- Add table to control the metadata of the vuln-detector DB. (#2402)
- Now Wazuh manager can be started with an empty configuration in ossec.conf. (#2086)
- The Authentication daemon is now enabled by default. (#2129)
- Make FIM show alerts for new files by default. (#2213)
- Reduce the length of the query results from Vulnerability Detector to Wazuh DB. (#1798)
- Improved the build system to automatically detect a big-endian platform. (#2031)
- Building option
USE_BIG_ENDIAN
is not already needed on Solaris (SPARC) or HP-UX.
- Building option
- Expanded the regex pattern maximum size from 2048 to 20480 bytes. (#2036)
- Improved IP address validation in the option
<white_list>
(by @pillarsdotnet). (#1497) - Improved rule option
<info>
validation (by @pillarsdotnet). (#1541) - Deprecated the Syscheck option
<remove_old_diff>
by making it mandatory. (#1915) - Fix invalid error "Unable to verity server certificate" in ossec-authd (server). (#2045)
- Remove deprecated flag
REUSE_ID
from the Makefile options. (#2107) - Syscheck first queue error message changed into a warning. (#2146)
- Do the DEB and RPM package scan regardless of Linux distribution. (#2168)
- AWS VPC configuration in the AWS wodle (#2242).
- Hide warning log by FIM when cannot open a file that has just been removed. (#2201)
- The default FIM configuration will ignore some temporary files. (#2202)
- Fixed error description in the osquery configuration parser (by @pillarsdotnet). (#1499)
- The FTS comment option
<ftscomment>
was not being read (by @pillarsdotnet). (#1536) - Fixed error when multigroup files are not found. (#1792)
- Fix error when assigning multiple groups whose names add up to more than 4096 characters. (#1792)
- Replaced "getline" function with "fgets" in vulnerability-detector to avoid compilation errors with older versions of libC. (#1822)
- Fix bug in Wazuh DB when trying to store multiple network interfaces with the same IP from Syscollector. (#1928)
- Improved consistency of multigroups. (#1985)
- Fixed the reading of the OS name and version in HP-UX systems. (#1990)
- Prevent the agent from producing an error on platforms that don't support network timeout. (#2001)
- Logcollector could not set the maximum file limit on HP-UX platform. (2030)
- Allow strings up to 64KB long for log difference analysis. (#2032)
- Now agents keep their registration date when upgrading the manager. (#2033)
- Create an empty
client.keys
file on a fresh installation of a Windows agent. (2040) - Allow CDB list keys and values to have double quotes surrounding. (#2046)
- Remove file
queue/db/.template.db
on upgrade / restart. (2073) - Fix error on Analysisd when
check_value
doesn't exist. (2080) - Prevent Rootcheck from looking for invalid link count in agents running on Solaris (by @ecsc-georgew). (2087)
- Fixed the warning messages when compiling the agent on AIX. (2099)
- Fix missing library when building Wazuh with MySQL support. (#2108)
- Fix compile warnings for the Solaris platform. (#2121)
- Fixed regular expression for audit.key in audit decoder. (#2134)
- Agent's ossec-control stop should wait a bit after killing a process. (#2149)
- Fixed error ocurred while monitoring symbolic links in Linux. (#2152)
- Fixed some bugs in Logcollector: (#2154)
- If Logcollector picks up a log exceeding 65279 bytes, that log may lose the null-termination.
- Logcollector crashes if multiple wildcard stanzas resolve the same file.
- An error getting the internal file position may lead to an undefined condition.
- Execd daemon now runs even if active response is disabled (#2177)
- Fix high precision timestamp truncation in rsyslog messages. (#2128)
- Fix missing Whodata section to the remote configuration query. (#2173)
- Bugfixes in AWS wodle (#2242):
- Fixed bug in AWS Guard Duty alerts when there were multiple remote IPs.
- Fixed bug when using flag
remove_from_bucket
. - Fixed bug when reading buckets generating more than 1000 logs in the same day.
- Increase
qty
ofaws.eventNames
and remove usage ofaws.eventSources
.
- Fix bug in cluster configuration when using Kubernetes (#2227).
- Fix network timeout setup in agent running on Windows. (#2185)
- Fix default values for the
<auto_ignore>
option. (#2210) - Fix bug that made Modulesd and Remoted crash on ARM architecture. (#2214)
- The regex parser included the next character after a group:
- Fixed buffer overflow hazard in FIM when performing change report on long paths on macOS platform. (#2285)
- Fix sending of the owner attribute when a file is created in Windows. (#2292)
- Fix audit reconnection to the Whodata socket (#2305)
- Fixed agent connection in TCP mode on Windows XP. (#2329)
- Fix log shown when a command reaches its timeout and
ignore_output
is enabled. (#2316) - Analysisd and Syscollector did not detect the number of cores on Raspberry Pi. (#2304)
- Analysisd and Syscollector did not detect the number of cores on CentOS 5. (#2340)
- Logcollector will fully read a log file if it reappears after being deleted. (#2041)
- Fix some bugs in Logcollector: (#2041)
- Logcollector ceases monitoring any log file containing a binary zero-byte.
- If a local file defined with wildcards disappears, Logcollector incorrectly shows a negative number of remaining open attempts.
- Fixed end-of-file detection for text-based file formats.
- Fixed a bug in Analysisd that made it crash when decoding a malformed FIM message. (#2089)
- New internal option
remoted.guess_agent_group
allowing agent group guessing by Remoted to be optional. (#1890) - Added option to configure another audit keys to monitor. (#1882)
- Added option to create the SSL certificate and key with the install.sh script. (#1856)
- Add IPv6 support to
host-deny.sh
script. (by @iasdeoupxe). (#1583) - Added tracing information (PID, function, file and line number) to logs when debugging is enabled. (#1866)
- Change errors messages to descriptive warnings in Syscheck when a files is not reachable. (#1730)
- Add default values to global options to let the manager start. (#1894)
- Improve Remoted performance by reducing interaction between threads. (#1902)
- Prevent duplicates entries for denied IP addresses by
host-deny.sh
. (by @iasdeoupxe). (#1583) - Fix issue in Logcollector when reaching the file end before getting a full line. (#1744)
- Throw an error when a nonexistent CDB file is added in the ossec.conf file. (#1783)
- Fix bug in Remoted that truncated control messages to 1024 bytes. (#1847)
- Avoid that the attribute
ignore
of rules silence alerts. (#1874) - Fix race condition when decoding file permissions. (#1879
- Fix to overwrite FIM configuration when directories come in the same tag separated by commas. (#1886)
- Fixed issue with hash table handling in FTS and label management. (#1889)
- Fixed id's and description of FIM alerts. (#1891)
- Fix log flooding by Logcollector when monitored files disappear. (#1893)
- Fix bug configuring empty blocks in FIM. (#1897)
- Let the Windows agent reset the random generator context if it's corrupt. (#1898)
- Prevent Remoted from logging errors if the cluster configuration is missing or invalid. (#1900)
- Fix race condition hazard in Remoted when handling control messages. (#1902)
- Fix uncontrolled condition in the vulnerability-detector version checker. (#1932)
- Restore support for Amazon Linux in vulnerability-detector. (#1932)
- Fixed starting wodles after a delay specified in
interval
whenrun_on_start
is set tono
, on the first run of the agent. (#1906) - Prevent
agent-auth
tool from creating the file client.keys outside the agent's installation folder. (#1924) - Fix symbolic links attributes reported by
syscheck
in the alerts. (#1926) - Added some improvements and fixes in Whodata. (#1929)
- Fix FIM decoder to accept Windows user containing spaces. (#1930)
- Add missing field
restrict
when querying the FIM configuration remotely. (#1931) - Fix values of FIM scan showed in agent_control info. (#1940)
- Fix agent group updating in database module. (#2004)
- Logcollector prevents vmhgfs from synchronizing the inode. (#2022)
- File descriptor leak that may impact agents running on UNIX platforms. (#2021)
- CIS-CAT events were being processed by a wrong decoder. (#2014)
- Adding feature to remotely query agent configuration on demand. (#548)
- Boost Analysisd performance with multithreading. (#1039)
- Adding feature to let agents belong to multiple groups. (#1135)
- Boost FIM decoding performance by storing data into Wazuh DB using SQLite databases. (#1333)
- Added rule testing output when restarting manager. (#1196)
- New wodle for Azure environment log and process collection. (#1306)
- New wodle for Docker container monitoring. (#1368)
- Disconnect manager nodes in cluster if no keep alive is received or sent during two minutes. (#1482)
- API requests are forwarded to the proper manager node in cluster. (#885)
- Centralized configuration pushed from manager overwrite the configuration of directories that exist with the same path in ossec.conf. (#1740)
- Refactor Python framework code to standardize database requests and support queries. (#921)
- Replaced the
execvpe
function byexecvp
for the Wazuh modules. (#1207) - Avoid the use of reference ID in Syscollector network tables. (#1315)
- Make Syscheck case insensitive on Windows agent. (#1349)
- Avoid conflicts with the size of time_t variable in wazuh-db. (#1366)
- Osquery integration updated: (#1369)
- Nest the result data into a "osquery" object.
- Extract the pack name into a new field.
- Include the query name in the alert description.
- Minor fixes.
- Increased AWS S3 database entry limit to 5000 to prevent reprocessing repeated events. (#1391)
- Increased the limit of concurrent agent requests: 1024 by default, configurable up to 4096. (#1473)
- Change the default vulnerability-detector interval from 1 to 5 minutes. (#1729)
- Port the UNIX version of Auth client (agent_auth) to the Windows agent. (#1790)
- Support of TLSv1.2 through embedded OpenSSL library.
- Support of SSL certificates for agent and manager validation.
- Unify Auth client option set.
- Fixed email_alerts configuration for multiple recipients. (#1193)
- Fixed manager stopping when no command timeout is allowed. (#1194)
- Fixed getting RAM memory information from mac OS X and FreeBSD agents. (#1203)
- Fixed mandatory configuration labels check. (#1208)
- Fix 0 value at check options from Syscheck. (1209)
- Fix bug in whodata field extraction for Windows. (#1233)
- Fix stack overflow when monitoring deep files. (#1239)
- Fix typo in whodata alerts. (#1242)
- Fix bug when running quick commands with timeout of 1 second. (#1259)
- Prevent offline agents from generating vulnerability-detector alerts. (#1292)
- Fix empty SHA256 of rotated alerts and log files. (#1308)
- Fixed service startup on error. (#1324)
- Set connection timeout for Auth server (#1336)
- Fix the cleaning of the temporary folder. (#1361)
- Fix check_mtime and check_inode views in Syscheck alerts. (#1364)
- Fixed the reading of the destination address and type for PPP interfaces. (#1405)
- Fixed a memory bug in regex when getting empty strings. (#1430)
- Fixed report_changes with a big ammount of files. (#1465)
- Prevent Logcollector from null-terminating socket output messages. (#1547)
- Fix timeout overtaken message using infinite timeout. (#1604)
- Prevent service from crashing if global.db is not created. (#1485)
- Set new agent.conf template when creating new groups. (#1647)
- Fix bug in Wazuh Modules that tried to delete PID folders if a subprocess call failed. (#1836)
- Fixed ID field length limit in JSON alerts, by @gandalfn. (#1052)
- Fix segmentation fault when the agent version is empty in Vulnerability Detector. (#1191)
- Fix bug that removes file extensions in rootcheck. (#1197)
- Fixed incoherence in Client Syslog between plain-text and JSON alert input in
<location>
filter option. (#1204) - Fixed missing agent name and invalid predecoded hostname in JSON alerts. (#1213)
- Fixed invalid location string in plain-text alerts. (#1213)
- Fixed default stack size in threads on AIX and HP-UX. (#1215)
- Fix socket error during agent restart due to daemon start/stop order. (#1221)
- Fix bug when checking agent configuration in logcollector. (#1225)
- Fix bug in folder recursion limit count in FIM real-time mode. (#1226)
- Fixed errors when parsing AWS events in Elasticsearch. (#1229)
- Fix bug when launching osquery from Wazuh. (#1230)
- Add rescanning of expanded files with wildcards in logcollector (#332)
- Parallelization of logcollector (#627)
- Now the input of logcollector is multithreaded, reading logs in parallel.
- A thread is created for each type of output socket.
- Periodically rescan of new files.
- New options have been added to internal_options.conf file.
- Added statistical functions to remoted. (#682)
- Rootcheck and Syscheck (FIM) will run independently. (#991)
- Add hash validation for binaries executed by the wodle
command
. (#1027) - Added a recursion level option to Syscheck to set the directory scanning depth. (#1081)
- Added inactive agent filtering option to agent_control, syscheck_control and rootcheck control_tools. (#1088)
- Added custom tags to FIM directories and registries. (#1096)
- Improved AWS CloudTrail wodle by @UranusBytes (#913 & #1105).
- Added support to process logs from more AWS services: Guard Duty, IAM, Inspector, Macie and VPC. (#1131).
- Create script for blocking IP's using netsh-advfirewall. (#1172).
- The maximum log length has been extended up to 64 KiB. (#411)
- Changed logcollector analysis message order. (#675)
- Let hostname field be the name of the agent, without the location part. (#1080)
- The internal option
syscheck.max_depth
has been renamed tosyscheck.default_max_depth
. (#1081) - Show warning message when configuring vulnerability-detector for an agent. (#1130)
- Increase the minimum waiting time from 0 to 1 seconds in Vulnerability-Detector. (#1132)
- Prevent Windows agent from not loading the configuration if an AWS module block is found. (#1143)
- Set the timeout to consider an agent disconnected to 1800 seconds in the framework. (#1155)
- Fix agent ID zero-padding in alerts coming from Vulnerability Detector. (#1083)
- Fix multiple warnings when agent is offline. (#1086)
- Fixed minor issues in the Makefile and the sources installer on HP-UX, Solaris on SPARC and AIX systems. (#1089)
- Fixed SHA256 changes messages in alerts when it is disabled. (#1100)
- Fixed empty configuration blocks for Wazuh modules. (#1101)
- Fix broken pipe error in Wazuh DB by Vulnerability Detector. (#1111)
- Restored firewall-drop AR script for Linux. (#1114)
- Fix unknown severity in Red Hat systems. (#1118)
- Added a building flag to compile the SQLite library externally for the API. (#1119)
- Fixed variables length when storing RAM information by Syscollector. (#1124)
- Fix Red Hat vulnerability database update. (#1127)
- Fix allowing more than one wodle command. (#1128)
- Fixed
after_regex
offset for the decoding algorithm. (#1129) - Prevents some vulnerabilities from not being checked for Debian. (#1166)
- Fixed legacy configuration for
vulnerability-detector
. (#1174) - Fix active-response scripts installation for Windows. (#1182).
- Fixed
open-scap
deadlock when opening large files. (#1206). Thanks to @juergenc for detecting this issue.
- The 'T' multiplier has been removed from option
max_output_size
. (#1089)
- Improved configuration of OVAL updates. (#416)
- Added selective agent software request in vulnerability-detector. (#404)
- Get Linux packages inventory natively. (#441)
- Get Windows packages inventory natively. (#471)
- Supporting AES encryption for manager and agent. (#448)
- Added Debian and Ubuntu 18 support in vulnerability-detector. (#470)
- Added Rids Synchronization. (#459)
- Added option for setting the group that the agent belongs to when registering it with authd (#460)
- Added option for setting the source IP when the agent registers with authd (#460)
- Added option to force the vulnerability detection in unsupported OS. (#462)
- Get network inventory natively. (#546)
- Add arch check for Red Hat's OVAL in vulnerability-detector. (#625)
- Integration with Osquery. (#627)
- Enrich osquery configuration with pack files aggregation and agent labels as decorators.
- Launch osquery daemon in background.
- Monitor results file and send them to the manager.
- New option in rules
<location>
to filter events by osquery. - Support folders in shared configuration. This makes easy to send pack folders to agents.
- Basic ruleset for osquery events and daemon logs.
- Boost Remoted performance with multithreading. (#649)
- Up to 16 parallel threads to decrypt messages from agents.
- Limit the frequency of agent keys reloading.
- Message input buffer in Analysisd to prevent control messages starvation in Remoted.
- Module to download shared files for agent groups dinamically. (#519)
- Added group creation for files.yml if the group does not exist. (#1010)
- Added scheduling options to CIS-CAT integration. (#586)
- Option to download the wpk using http in
agent_upgrade
. (#798) - Add
172.0.0.1
as manager IP when creatingglobal.db
. (#970) - New requests for Syscollector. (#728)
cluster_control
shows an error if the status does not exist. (#1002)- Get Windows hardware inventory natively. (#831)
- Get processes and ports inventory by the Syscollector module.
- Added an integration with Kaspersky Endpoint Security for Linux via Active Response. (#1056)
- Add default value for option -x in agent_control tool.
- External libraries moved to an external repository.
- Ignore OverlayFS directories on Rootcheck system scan.
- Extracts agent's OS from the database instead of the agent-info.
- Increases the maximum size of XML parser to 20KB.
- Extract CVE instead of RHSA codes into vulnerability-detector. (#549)
- Store CIS-CAT results into Wazuh DB. (#568)
- Add profile information to CIS-CAT reports. (#658)
- Merge external libraries into a unique shared library. (#620)
- Cluster log rotation: set correct permissions and store rotations in /logs/ossec. (#667)
Distinct
requests don't allowlimit=0
orlimit>maximun_limit
. (#1007)- Deprecated arguments -i, -F and -r for Authd. (#1013)
- Increase the internal memory for real-time from 12 KiB to 64 KiB. (#1062)
- Fixed invalid alerts reported by Syscollector when the event contains the word "error". (#461)
- Silenced Vuls integration starting and ending alerts. (#541)
- Fix problem comparing releases of ubuntu packages. (#556)
- Windows delete pending active-responses before reset agent. (#563)
- Fix bug in Rootcheck for Windows that searches for keys in 32-bit mode only. (#566)
- Alert when unmerge files fails on agent. (#731)
- Fixed bugs reading logs in framework. (#856)
- Ignore uppercase and lowercase sorting an array in framework. (#814)
- Cluster: reject connection if the client node has a different cluster name. (#892)
- Prevent
the JSON object must be str, not 'bytes'
error. (#997) - Fix long sleep times in vulnerability detector.
- Fix inconsistency in the alerts format for the manager in vulnerability-detector.
- Fix bug when processing the packages in vulnerability-detector.
- Prevent to process Syscollector events by the JSON decoder. (#674)
- Stop Syscollector data storage into Wazuh DB when an error appears. (#674)
- Fix bug in Syscheck that reported false positive about removed files. (#1044)
- Fix bug in Syscheck that misinterpreted no_diff option. (#1046)
- Fixes in file integrity monitoring for Windows. (#1062)
- Fix Windows agent crash if FIM fails to extract the file owner.
- Prevent FIM real-time mode on Windows from stopping if the internal buffer gets overflowed.
- Prevent large logs from flooding the log file by Logcollector. (#1067)
- Fix allowing more than one wodle command and compute command timeout when ignore_output is enabled. (#1102)
- Deleted Lua language support.
- Deleted integration with Vuls. (#879)
- Deleted agent_list tool, replaced by agent_control. (ba0265b)
- Support for SHA256 checksum in Syscheck (by @arshad01). (#410)
- Added an internal option for Syscheck to tune the RT alerting delay. (#434)
- Added two options in the tag <auto_ignore>
frequency
andtimeframe
to hide alerts when they are played several times in a given period of time. (#857) - Include who-data in Syscheck for file integrity monitoring. (#756)
- Linux Audit setup and monitoring to watch directories configured with who-data.
- Direct communication with Auditd on Linux to catch who-data related events.
- Setup of SACL for monitored directories on Windows.
- Windows Audit events monitoring through Windows Event Channel.
- Auto setup of audit configuration and reset when the agent quits.
- Syscheck in frequency time show alerts from deleted files. (#857)
- Added an option
target
to customize output format per-target in Logcollector. (#863) - New option for the JSON decoder to choose the treatment of NULL values. (#677)
- Remove old snapshot files for FIM. (#872)
- Distinct operation in agents. (#920)
- Added support for unified WPK. (#865)
- Added missing debug options for modules in the internal options file. (#901)
- Added recursion limits when reading directories. (#947)
- Renamed cluster client node type to worker (#850).
- Changed a descriptive message in the alert showing what attributes changed. (#857)
- Change visualization of Syscheck alerts. (#857)
- Add all the available fields in the Syscheck messages from the Wazuh configuration files. (#857)
- Now the no_full_log option only affects JSON alerts. (#881)
- Delete temporary files when stopping Wazuh. (#732)
- Send OpenSCAP checks results to a FIFO queue instead of temporary files. (#732)
- Default behavior when starting Syscheck and Rootcheck components. (#829)
- They are disabled if not appear in the configuration.
- They can be set up as empty blocks in the configuration, applying their default values.
- Improvements of error and information messages when they start.
- Improve output of
DELETE/agents
when no agents were removed. (#868) - Include the file owner SID in Syscheck alerts.
- Change no previous checksum error message to information log. (#897)
- Changed default Syscheck scan speed: 100 files per second. (#975)
- Show network protocol used by the agent when connecting to the manager. (#980)
- Syscheck RT process granularized to make frequency option more accurate. (#434)
- Fixed registry_ignore problem on Syscheck for Windows when arch="both" was used. (#525)
- Allow more than 256 directories in real-time for Windows agent using recursive watchers. (#540)
- Fix weird behavior in Syscheck when a modified file returns back to its first state. (#434)
- Replace hash value xxx (not enabled) for n/a if the hash couldn't be calculated. (#857)
- Do not report uid, gid or gname on Windows (avoid user=0). (#857)
- Several fixes generating sha256 hash. (#857)
- Fixed the option report_changes configuration. (#857)
- Fixed the 'report_changes' configuration when 'sha1' option is not set. (#857)
- Fix memory leak reading logcollector config. (#884)
- Fixed crash in Slack integration for alerts that don't have full log. (#880)
- Fixed active-responses.log definition path on Windows configuration. (#739)
- Added warning message when updating Syscheck/Rootcheck database to restart the manager. (#817)
- Fix PID file creation checking. (#822)
- Check that the PID file was created and written.
- This would prevent service from running multiple processes of the same daemon.
- Fix reading of Windows platform for 64 bits systems. (#832)
- Fixed Syslog output parser when reading the timestamp from the alerts in JSON format. (#843)
- Fixed filter for
gpg-pubkey
packages in Syscollector. (#847) - Fixed bug in configuration when reading the
repeated_offenders
option in Active Response. (#873) - Fixed variables parser when loading rules. (#855)
- Fixed parser files names in the Rootcheck scan. (#840)
- Removed frequency offset in rules. (#827).
- Fix memory leak reading logcollector config. (#884)
- Fixed sort agents by status in
GET/agents
API request. (#810) - Added exception when no agents are selected to restart. (#870)
- Prevent files from remaining open in the cluster. (#874)
- Fix network unreachable error when cluster starts. (#800)
- Fix empty rules and decoders file check. (#887)
- Prevent to access an unexisting hash table from 'whodata' thread. (#911)
- Fix CA verification with more than one 'ca_store' definitions. (#927)
- Fix error in syscollector API calls when Wazuh is installed in a directory different than
/var/ossec
. (#942). - Fix error in CentOS 6 when
wazuh-cluster
is disabled. (#944). - Fix Remoted connection failed warning in TCP mode due to timeout. (#958)
- Fix option 'rule_id' in syslog client. (#979)
- Fixed bug in legacy agent's server options that prevented it from setting port and protocol.
- Added
total_affected_agents
andtotal_failed_ids
to theDELETE/agents
API request. (#795)
- Management of empty blocks in the configuration files. (#781)
- Verify WPK with Wazuh CA by default. (#799)
- Windows prevents agent from renaming file. (#773)
- Fix manager-agent version comparison in remote upgrades. (#765)
- Fix log flooding when restarting agent while the merged file is being receiving. (#788)
- Fix issue when overwriting rotated logs in Windows agents. (#776)
- Prevent OpenSCAP module from running on Windows agents (incompatible). (#777)
- Fix issue in file changes report for FIM on Linux when a directory contains a backslash. (#775)
- Fixed missing
minor
field in agent data managed by the framework. (#771) - Fixed missing
build
andkey
fields in agent data managed by the framework. (#802) - Fixed several bugs in upgrade agents (#784):
- Error upgrading an agent with status
Never Connected
. - Fixed API support.
- Sockets were not closing properly.
- Error upgrading an agent with status
- Cluster exits showing an error when an error occurs. (#790)
- Fixed bug when cluster control or API cannot request the list of nodes to the master. (#762)
- Fixed bug when the
agent.conf
contains an unrecognized module. (#796) - Alert when unmerge files fails on agent. (#731)
- Fix invalid memory access when parsing ruleset configuration. (#787)
- Check version of python in cluster control. (#760)
- Removed duplicated log message when Rootcheck is disabled. (#783)
- Avoid infinite attempts to download CVE databases when it fails. (#792)
- Supporting multiple socket output in Logcollector. (#395)
- Allow inserting static field parameters in rule comments. (#397)
- Added an output format option for Logcollector to build custom logs. (#423)
- Included millisecond timing in timestamp to JSON events. (#467)
- Added an option in Analysisd to set input event offset for plugin decoders. (#512)
- Allow decoders mix plugin and multiregex children. (#602)
- Added the option to filter by any field in
get_agents_overview
,get_agent_group
andget_agents_without_group
functions of the Python framework. (#743)
- Add default value for option -x in agent_upgrade tool.
- Changed output of agents in cluster control. (#741)
- Fix bug in Logcollector when removing duplicate localfiles. (#402)
- Fix memory error in Logcollector when using wildcards.
- Prevent command injection in Agentless daemon. (#600)
- Fixed bug getting the agents in cluster control. (#741)
- Prevent Logcollector from reporting an error when a path with wildcards matches no files.
- Fixes the feature to group with the option multi-line. (#754)
- Fixed segmentation fault in maild when
<queue-size>
is included in the global configuration. - Fixed bug in Framework when retrieving mangers logs. (#644)
- Fixed bug in clusterd to prevent the synchronization of
.swp
files. (#694) - Fixed bug in Framework parsing agent configuration. (#681)
- Fixed several bugs using python3 with the Python framework. (#701)
- New internal option to enable merged file creation by Remoted. (#603)
- Created alert item for GDPR and GPG13. (#608)
- Add support for Amazon Linux in vulnerability-detector.
- Created an input queue for Analysisd to prevent Remoted starvation. (#661)
- Set default agent limit to 14.000 and file descriptor limit to 65.536 per process. (#624)
- Cluster improvements.
- New protocol for communications.
- Inverted communication flow: clients start communications with the master.
- Just the master address is required in the
<nodes>
list configuration. - Improved synchronization algorithm.
- Reduced the number of processes to one:
wazuh-clusterd
.
- Cluster control tool improvements: outputs are the same regardless of node type.
- The default input queue for remote events has been increased to 131072 events. (#660)
- Disconnected agents will no longer report vulnerabilities. (#666)
- Fixed agent wait condition and improve logging messages. (#550)
- Fix race condition in settings load time by Windows agent. (#551)
- Fix bug in Authd that prevented it from deleting agent-info files when removing agents.
- Fix bug in ruleset that did not overwrite the
<info>
option. (#584) - Fixed bad file descriptor error in Wazuh DB (#588)
- Fixed unpredictable file sorting when creating merged files. (#599)
- Fixed race condition in Remoted when closing connections.
- Fix epoch check in vulnerability-detector.
- Fixed hash sum in logs rotation. (#636)
- Fixed cluster CPU usage.
- Fixed invalid deletion of agent timestamp entries. (#639)
- Fixed segmentation fault in logcollector when multi-line is applied to a remote configuration. (#641)
- Fixed issue in Syscheck that may leave the process running if the agent is stopped quickly. (#671)
- Removed cluster database and internal cluster daemon.
- Created an input queue for Remoted to prevent agent connection starvation. (#509)
- Updated Slack integration. (#443)
- Increased connection timeout for remote upgrades. (#480)
- Vulnerability-detector does not stop agents detection if it fails to find the software for one of them.
- Improve the version comparator algorithm in vulnerability-detector. (#508)
- Fixed bug in labels settings parser that may make Agentd or Logcollector crash.
- Fixed issue when setting multiple
<server-ip>
stanzas in versions 3.0 - 3.2.1. (#433) - Fixed bug when socket database messages are not sent correctly. (#435)
- Fixed unexpected stop in the sources installer when overwriting a previous corrupt installation.
- Added a synchronization timeout in the cluster to prevent it from blocking (#447)
- Fixed issue in CSyslogd when filtering by rule group. (#446)
- Fixed error on DB daemon when parsing rules with options introduced in version 3.0.0.
- Fixed unrecognizable characters error in Windows version name. (#478)
- Fix Authd client in old versions of Windows (#479)
- Cluster's socket management improved to use persistent connections (#481)
- Fix memory corruption in Syscollector decoder and memory leaks in Vulnerability Detector. (#482)
- Fixed memory corruption in Wazuh DB autoclosing procedure.
- Fixed dangling db files at DB Sync module folder. (#489)
- Fixed agent group file deletion when using Authd.
- Fix memory leak in Maild with JSON input. (#498)
- Fixed remote command switch option. (#504)
- Added option in Makefile to disable CIS-CAT module. (#381)
- Added field
totalItems
toGET/agents/purgeable/:timeframe
API call. (#385)
- Giving preference to use the selected Java over the default one in CIS-CAT wodle.
- Added delay between message delivery for every module. (#389)
- Verify all modules for the shared configuration. (#408)
- Updated OpenSSL library to 1.1.0g.
- Insert agent labels in JSON archives no matter the event matched a rule.
- Support for relative/full/network paths in the CIS-CAT configuration. (#419)
- Improved cluster control to give more information. (#421)
- Updated rules for CIS-CAT.
- Removed unnecessary compilation of vulnerability-detector in agents.
- Increased wazuh-modulesd's subprocess pool.
- Improved the agent software recollection by Syscollector.
- Fixed crash in Agentd when testing Syscollector configuration from agent.conf file.
- Fixed duplicate alerts in Vulnerability Detector.
- Fixed compiling issues in Solaris and HP-UX.
- Fixed bug in Framework when listing directories due to permissions issues.
- Fixed error handling in CIS-CAT module. (#401)
- Fixed some defects reported by Coverity. (#406)
- Fixed OS name detection in macOS and old Linux distros. (#409)
- Fixed linked in HP-UX.
- Fixed Red Hat detection in vulnerability-detector.
- Fixed segmentation fault in wazuh-cluster when files path is too long.
- Fixed a bug getting groups and searching by them in
GET/agents
API call. (#390) - Several fixes and improvements in cluster.
- Fixed bug in wazuh-db when closing exceeded databases in transaction.
- Fixed bug in vulnerability-detector that discarded valid agents.
- Fixed segmentation fault in Windows agents when getting OS info.
- Fixed memory leaks in vulnerability-detector and CIS-CAT wodle.
- Fixed behavior when working directory is not found in CIS-CAT wodle.
- Added support to synchronize custom rules and decoders in the cluster.(#344)
- Add field
status
toGET/agents/groups/:group_id
API call.(#338) - Added support for Windows to CIS-CAT integration module (#369)
- New Wazuh Module "aws-cloudtrail" fetching logs from S3 bucket. (#351)
- New Wazuh Module "vulnerability-detector" to detect vulnerabilities in agents and managers.
- Fixed oscap.py to support new versions of OpenSCAP scanner.(#331)
- Fixed timeout bug when the cluster port was closed. (#343)
- Improve exception handling in
cluster_control
. (#343) - Fixed bug in cluster when receive an error response from client. (#346)
- Fixed bug in framework when the manager is installed in different path than /var/ossec. (#335)
- Fixed predecoder hostname field in JSON event output.
- Several fixes and improvements in cluster.
- New Wazuh Module "command" for asynchronous command execution.
- New field "predecoder.timestamp" for JSON alerts including timestamp from logs.
- Added reload action to ossec-control in local mode.
- Add duration control of a cluster database synchronization.
- New internal option for agents to switch applying shared configuration.
- Added GeoIP address finding for input logs in JSON format.
- Added alert and archive output files rotation capabilities.
- Added rule option to discard field "firedtimes".
- Added VULS integration for running vulnerability assessments.
- CIS-CAT Wazuh Module to scan CIS policies.
- Keepping client.keys file permissions when modifying it.
- Improve Rootcheck formula to select outstanding defects.
- Stop related daemon when disabling components in ossec-control.
- Prevented cluster daemon from starting on RHEL 5 or older.
- Let Syscheck report file changes on first scan.
- Allow requests by node name in cluster_control binary.
- Improved help of cluster_control binary.
- Integrity control of files in the cluster.
- Fixed netstat command in localfile configuration.
- Fixed error when searching agents by ID.
- Fixed syslog format pre-decoder for logs with missing (optional) space after tag.
- Fixed alert ID when plain-text alert output disabled.
- Fixed Monitord freezing when a sendmail-like executable SMTP server is set.
- Fixed validation of Active Response used by agent_control.
- Allow non-ASCII characters in Windows version string.
- Added group property for agents to customize shared files set.
- Send shared files to multiple agents in parallel.
- New decoder plugin for logs in JSON format with dynamic fields definition.
- Brought framework from API to Wazuh project.
- Show merged files MD5 checksum by agent_control and framework.
- New reliable request protocol for manager-agent communication.
- Remote agent upgrades with signed WPK packages.
- Added option for Remoted to prevent it from writing shared merged file.
- Added state for Agentd and Windows agent to notify connection state and metrics.
- Added new JSON log format for local file monitoring.
- Added OpenSCAP SSG datastream content for Ubuntu Trusty Tahr.
- Field "alert_id" in JSON alerts (by Dan Parriott).
- Added support of "any" IP address to OSSEC batch manager (by Jozef Reisinger).
- Added ossec-agent SElinux module (by kreon).
- Added previous output to JSON output (by João Soares).
- Added option for Authd to specify the allowed cipher list (by James Le Cuirot).
- Added option for cipher suites in Authd settings.
- Added internal option for Remoted to set the shared configuration reloading time.
- Auto restart agents when new shared configuration is pushed from the manager.
- Added native support for Systemd.
- Added option to register unlimited agents in Authd.
- New internal option to limit the number of file descriptors in Analysisd and Remoted.
- Added new state "pending" for agents.
- Added internal option to disable real-time DB synchronization.
- Allow multiple manager stanzas in Agentd settings.
- New internal option to limit the receiving time in TCP mode.
- Added manager hostname data to agent information.
- New option for rotating internal logs by size.
- Added internal option to enable or disable daily rotation of internal logs.
- Added command option for Monitord to overwrite 'day_wait' parameter.
- Adding templates and sample alert for Elasticsearch 6.0.
- Added option to enable/disable Authd on install and auto-generate certificates.
- Pack secure TCP messages into a single packet.
- Added function to install SCAP policies depending on OS version.
- Added integration with Virustotal.
- Added timeout option for TCP sockets in Remoted and Agentd.
- Added option to start the manager after installing.
- Added a cluster of managers (
wazuh-clusterd
) and a script to control it (cluster_control
).
- Increased shared file delivery speed when using TCP.
- Increased TCP listening socket backlog.
- Changed Windows agent UI panel to show revision number instead of installation date.
- Group every decoded field (static and dynamic fields) into a data object for JSON alerts.
- Reload shared files by Remoted every 10 minutes.
- Increased string size limit for XML reader to 4096 bytes.
- Updated Logstash configuration and Elasticsearch mappings.
- Changed template fields structure for Kibana dashboards.
- Increased dynamic field limit to 1024, and default to 256.
- Changed agent buffer 'length' parameter to 'queue_size'.
- Changed some Rootcheck error messages to verbose logs.
- Removed unnecessary message by manage_agents advising to restart Wazuh manager.
- Update PF tables Active response (by d31m0).
- Create the users and groups as system users and groups in specs (by Dan Parriott).
- Show descriptive errors when an agent loses the connection using TCP.
- Prevent agents with the same name as the manager host from getting added.
- Changed 'message' field to 'data' for successful agent removing response in Authd API.
- Changed critical error to standard error in Syslog Remoted when no access list has been configured.
- Ignore hidden files in shared folder for merged file.
- Changed agent notification time values: notify time to 1 minute and reconnect time to 5 minutes.
- Prevent data field from being inserted into JSON alerts when it's empty.
- Spelling corrections (by Josh Soref).
- Moved debug messages when updating shared files to level 2.
- Do not create users ossecm or ossecr on agents.
- Upgrade netstat command in Logcollector.
- Prevent Monitord and DB sync module from dealing with agent files on local installations.
- Speed up DB syncing by keeping databases opened and an inotify event queue.
- Merge server's IP and hostname options to one setting.
- Enabled Active Response by default in both Windows and UNIX.
- Make Monitord 'day_wait' internal option affect log rotation.
- Extend Monitord 'day_wait' internal option range.
- Prevent Windows agent from log error when the manager disconnected.
- Improve Active Response filtering options.
- Use init system (Systemd/SysVinit) to restart Wazuh when upgrading.
- Added possibility of filtering agents by manager hostname in the Framework.
- Prevent installer from overwriting agent.conf file.
- Cancel file sending operation when agent socket is closed.
- Clean up agent shared folder before unmerging shared configuration.
- Print descriptive error when request socket refuses connection due to AR disabled.
- Extend Logcollector line burst limit range.
- Fix JSON alert file reloading when the file is rotated.
- Merge IP and Hostname server configuration into "Address" field.
- Improved TCP transmission performance by packing secure messages.
- Fixed wrong queries to get last Syscheck and Rootcheck date.
- Prevent Logcollector keep-alives from being stored on archives.json.
- Fixed length of random message within keep-alives.
- Fixed Windows version detection for Windows 8 and newer.
- Fixed incorrect CIDR writing on client.keys by Authd.
- Fixed missing buffer flush by Analysisd when updating Rootcheck database.
- Stop Wazuh service before removing folder to reinstall.
- Fixed Remoted service for Systemd (by Phil Porada).
- Fixed Administrator account mapping in Windows agent installation (by [email protected]).
- Fixed MySQL support in dbd (by [email protected]).
- Fixed incorrect warning when unencrypting messages (by Dan Parriott).
- Fixed Syslog mapping for alerts via Csyslogd (by Dan Parriott).
- Fixed syntax error in the creation of users in Solaris 11.2 (by Pedro Flor).
- Fixed some warnings that appeared when compiling on Fedora 26.
- Fixed permission issue in logs folder.
- Fixed issue in Remoted that prevented it from send shared configuration when it changed.
- Fixed Windows agent compilation compability with CentOS.
- Supporting different case from password prompt in Agentless (by Jesus Fidalgo).
- Fix bad detection of inotify queue overflowed.
- Fix repetitive error when a rule's diff file is empty.
- Fixed log group permission when created by a daemon running as root.
- Prevented Agentd from logging too many errors when restarted while receiving the merged file.
- Prevented Remoted from sending data to disconnected agents in TCP mode.
- Fixed alerts storage in PostgreSQL databases.
- Fixed invalid previous output data in JSON alerts.
- Fixed memory error in modulesd for invalid configurations.
- Fixed default Auth configuration to support custom install directory.
- Fixed directory transversal vulnerability in Active response commands.
- Fixed Active response timeout accuracy.
- Fixed race conditions in concurrent transmissions over TCP.
- Removed Picviz support (by Dan Parriott).
- Improved errors messages related to TCP connection queue.
- Changed info log about unsupported FS checking in Rootcheck scan to debug messages.
- Prevent Modules daemon from giving critical error when no wodles are enabled.
- Fix endianess incompatibility in agents on SPARC when connecting via TCP.
- Fix bug in Authd that made it crash when removing keys.
- Fix race condition in Remoted when writing logs.
- Avoid repeated errors by Remoted when sending data to a disconnected agent.
- Prevented Monitord from rotating non-existent logs.
- Some fixes to support HP-UX.
- Prevent processes from sending events when TCP connection is lost.
- Fixed output header by Syslog client when reading JSON alerts.
- Fixed bug in Integrator settings parser when reading rules list.
- Rotate and compress log feature.
- Labeling data for agents to be shown in alerts.
- New 'auth' configuration template.
- Make manage_agents capable of add and remove agents via Authd.
- Implemented XML configuration for Authd.
- Option -F for Authd to force insertion if it finds duplicated name.
- Local auth client to manage agent keys.
- Added OS name and version into global.db.
- Option for logging in JSON format.
- Allow maild to send through a sendmail-like executable (by James Le Cuirot).
- Leaky bucket-like buffer for agents to prevent network flooding.
- Allow Syslog client to read JSON alerts.
- Allow Mail reporter to read JSON alerts.
- Added internal option to tune Rootcheck sleep time.
- Added route-null Active Response script for Windows 2012 (by @CrazyLlama).
- Updated SQLite library to 3.19.2.
- Updated zlib to 1.2.11.
- Updated cJSON library to 1.4.7.
- Change some manage_agents option parameters.
- Run Auth in background by default.
- Log classification as debug, info, warning, error and critical.
- Limit number of reads per cycle by Logcollector to prevent log starvation.
- Limit OpenSCAP module's event forwarding speed.
- Increased debug level of repeated Rootcheck messages.
- Send events when OpenSCAP starts and finishes scans.
- Delete PID files when a process exits not due to a signal.
- Change error messages due to SSL handshake failure to debug messages.
- Force group addition on installation for compatibility with LDAP (thanks to Gary Feltham).
- Fixed compiling error on systems with no OpenSSL.
- Fixed compiling warning at manage_agents.
- Fixed ossec-control enable/disable help message.
- Fixed unique aperture of random device on Unix.
- Fixed file sum comparison bug at Syscheck realtime engine. (Thanks to Arshad Khan)
- Close analysisd if alert outputs are disabled for all formats.
- Read Windows version name for versions newer than Windows 8 / Windows Server 2012.
- Fixed error in Analysisd that wrote Syscheck and Rootcheck databases of re-added agents on deleted files.
- Fixed internal option to configure the maximum labels' cache time.
- Fixed Auth password parsing on client side.
- Fix bad agent ID assignation in Authd on i686 architecture.
- Fixed Logcollector misconfiguration in Windows agents.
- Remove unused message queue to send alerts from Authd.
- Changed random data generator for a secure OS-provided generator.
- Changed Windows installer file name (depending on version).
- Linux distro detection using standard os-release file.
- Changed some URLs to documentation.
- Disable synchronization with SQLite databases for Syscheck by default.
- Minor changes at Rootcheck formatter for JSON alerts.
- Added debugging messages to Integrator logs.
- Show agent ID when possible on logs about incorrectly formatted messages.
- Use default maximum inotify event queue size.
- Show remote IP on encoding format errors when unencrypting messages.
- Remove temporary files created by Syscheck changes reports.
- Remove temporary Syscheck files for changes reporting by Windows installer when upgrading.
- Fixed resource leaks at rules configuration parsing.
- Fixed memory leaks at rules parser.
- Fixed memory leaks at XML decoders parser.
- Fixed TOCTOU condition when removing directories recursively.
- Fixed insecure temporary file creation for old POSIX specifications.
- Fixed missing agentless devices identification at JSON alerts.
- Fixed FIM timestamp and file name issue at SQLite database.
- Fixed cryptographic context acquirement on Windows agents.
- Fixed debug mode for Analysisd.
- Fixed bad exclusion of BTRFS filesystem by Rootcheck.
- Fixed compile errors on macOS.
- Fixed option -V for Integrator.
- Exclude symbolic links to directories when sending FIM diffs (by Stephan Joerrens).
- Fixed daemon list for service reloading at ossec-control.
- Fixed socket waiting issue on Windows agents.
- Fixed PCI_DSS definitions grouping issue at Rootcheck controls.
- Fixed segmentation fault bug when stopping on CentOS 5.
- Fixed compatibility with AIX.
- Fixed race conditions in ossec-control script.
- Fixed compiling issue on Windows.
- Fixed compatibility with Solaris.
- Fixed XML parsing error due to byte stashing issue.
- Fixed false error by Syscheck when creating diff snapshots of empty files.
- Fixed segmentation fault in Authd on i386 platform.
- Fixed agent-auth exit code for controlled server's errors.
- Fixed incorrect OVAL patch results classification.
- Wazuh modules manager.
- Wazuh module for OpenSCAP.
- Ruleset for OpenSCAP alerts.
- Kibana dashboards for OpenSCAP.
- Option at agent_control to restart all agents.
- Dynamic fields to rules and decoders.
- Dynamic fields to JSON in alerts/archives.
- CDB list lookup with dynamic fields.
- FTS for dynamic fields.
- Logcollector option to set the frequency of file checking.
- GeoIP support in Alerts (by Scott R Shinn).
- Internal option to output GeoIP data on JSON alerts.
- Matching pattern negation (by Daniel Cid).
- Syscheck and Rootcheck events on SQLite databases.
- Data migration tool to SQLite databases.
- Jenkins QA.
- 64-bit Windows registry keys support.
- Complete FIM data output to JSON and alerts.
- Username, date and inode attributes to FIM events on Unix.
- Username attribute to FIM events on Windows.
- Report changes (FIM file diffs) to Windows agent.
- File diffs to JSON output.
- Elastic mapping updated for new FIM events.
- Title and file fields extracted at Rootcheck alerts.
- Rule description formatting with dynamic field referencing.
- Multithreaded design for Authd server for fast and reliable client dispatching, with key caching and write scheduling.
- Auth registration client for Windows (by Gael Muller).
- Auth password authentication for Windows client.
- New local decoder file by default.
- Show server certificate and key paths at Authd help.
- New option for Authd to verify agent's address.
- Added support for new format at predecoder (by Brad Lhotsky).
- Agentless passlist encoding to Base64.
- New Auditd-specific log format for Logcollector.
- Option for Authd to auto-choose TLS/SSL method.
- Compile option for Authd to make it compatible with legacy OSs.
- Added new templates layout to auto-compose configuration file.
- New wodle for SQLite database syncing (agent information and fim/pm data).
- Added XML settings options to exclude some rules or decoders files.
- Option for agent_control to broadcast AR on all agents.
- Extended FIM event information forwarded by csyslogd (by Sivakumar Nellurandi).
- Report Syscheck's new file events on real time.
- Isolated logtest directory from analysisd.
- Remoted informs Analysisd about agent ID.
- Updated Kibana dashboards.
- Syscheck FIM attributes to dynamic fields.
- Force services to exit if PID file creation fails.
- Atomic writing of client.keys through temporary files.
- Disabled remote message ID verification by default.
- Show actual IP on debug message when agents get connected.
- Enforce rules IDs to max 6 digits.
- OSSEC users and group as system (UI-hidden) users (by Dennis Golden).
- Increases Authd connection pool size.
- Use general-purpose version-flexible SSL/TLS methods for Authd registration.
- Enforce minimum 3-digit agent ID format.
- Exclude BTRFS from Rootcheck searching for hidden files inside directories (by Stephan Joerrens).
- Moved OSSEC and Wazuh decoders to one directory.
- Prevent manage_agents from doing invalid actions (such methods for manager at agent).
- Disabled capturing of security events 5145 and 5156 on Windows agent.
- Utilities to rename an agent or change the IP address (by Antonio Querubin).
- Added quiet option for Logtest (by Dan Parriott).
- Output decoder information onto JSON alerts.
- Enable mail notifications by default for server installation.
- Agent control option to restart all agents' Syscheck will also restart manager's Syscheck.
- Make ossec-control to check Authd PID.
- Enforce every rule to contain a description.
- JSON output won't contain field "agentip" if tis value is "any".
- Don't broadcast Active Response messages to disconnected agents.
- Don't print Syscheck logs if it's disabled.
- Set default Syscheck and Rootcheck frequency to 12 hours.
- Generate FIM new file alert by default.
- Added option for Integrator to set the maximum log length.
- JSON output nested objects modelling through dynamic fields.
- Disable TCP for unsupported OSs.
- Show previous log on JSON alert.
- Removed confirmation prompt when importing an agent key successfully.
- Made Syscheck not to ignore files that change more than 3 times by default.
- Enabled JSON output by default.
- Updated default syscheck configuration for Windows agents.
- Limited agent' maximum connection time for notification time.
- Improved client.keys changing detection method by remoted: use date and inode.
- Changed boot service name to Wazuh.
- Active response enabled on Windows agents by default.
- New folder structure for rules and decoders.
- More descriptive logs about syscheck real-time monitoring.
- Renamed XML tags related to rules and decoders inclusion.
- Set default maximum agents to 8000.
- Removed FTS numeric bitfield from JSON output.
- Fixed ID misassignment by manage_agents when the greatest ID exceeds 32512.
- Run Windows Registry Syscheck scan on first stage when scan_on_start enabled.
- Set all Syscheck delay stages to a multiple of internal_options.conf/syscheck.sleep value.
- Changed JSON timestamp format to ISO8601.
- Overwrite @timestamp field from Logstash with the alert timestamp.
- Moved timestamp JSON field to the beginning of the object.
- Changed random data generator for a secure OS-provided generator.
- Logcollector bug that inhibited alerts about file reduction.
- Memory issue on string manipulation at JSON.
- Memory bug at JSON alerts.
- Fixed some CLang warnings.
- Issue on marching OSSEC user on installing.
- Memory leaks at configuration.
- Memory leaks at Analysisd.
- Bugs and memory errors at agent management.
- Mistake with incorrect name for PID file (by Tickhon Clearscale).
- Agent-auth name at messages (it appeared to be the server).
- Avoid Monitord to log errors when the JSON alerts file doesn't exists.
- Agents numbering issue (minimum 3 digits).
- Avoid no-JSON message at agent_control when client.keys empty.
- Memory leaks at manage_agents.
- Authd error messages about connection to queue passed to warning.
- Issue with Authd password checking.
- Avoid ossec-control to use Dash.
- Fixed false error about disconnected agent when trying to send it the shared files.
- Avoid Authd to close when it reaches the maximum concurrency.
- Fixed memory bug at event diff execution.
- Fixed resource leak at file operations.
- Hide help message by useadd and groupadd on OpenBSD.
- Fixed error that made Analysisd to crash if it received a missing FIM file entry.
- Fixed compile warnings at cJSON library.
- Fixed bug that made Active Response to disable all commands if one of them was disabled (by Jason Thomas).
- Fixed segmentation fault at logtest (by Dan Parriott).
- Fixed SQL injection vulnerability at Database.
- Fixed Active Response scripts for Slack and Twitter.
- Fixed potential segmentation fault at file queue operation.
- Fixed file permissions.
- Fixed failing test for Apache 2.2 logs (by Brad Lhotsky).
- Fixed memory error at net test.
- Limit agent waiting time for retrying to connect.
- Fixed compile warnings on i386 architecture.
- Fixed Monitord crash when sending daily report email.
- Fixed script to null route an IP address on Windows Server 2012+ (by Theresa Meiksner).
- Fixed memory leak at Logtest.
- Fixed manager with TCP support on FreeBSD (by Dave Stoddard).
- Fixed Integrator launching at local-mode installation.
- Fixed issue on previous alerts counter (rules with if_matched_sid option).
- Fixed compile and installing error on Solaris.
- Fixed segmentation fault on syscheck when no configuration is defined.
- Fixed bug that prevented manage_agents from removing syscheck/rootcheck database.
- Fixed bug that made agents connected on TCP to hang if they are rejected by the manager.
- Fixed segmentation fault on remoted due to race condition on managing keystore.
- Fixed data lossing at remoted when reloading keystore.
- Fixed compile issue on MacOS.
- Fixed version reading at ruleset updater.
- Fixed detection of BSD.
- Fixed memory leak (by Byron Golden).
- Fixed misinterpretation of octal permissions given by Agentless (by Stephan Leemburg).
- Fixed mistake incorrect openssl flag at Makefile (by Stephan Leemburg).
- Silence Slack integration transmission messages (by Dan Parriott).
- Fixed OpenSUSE Systemd misconfiguration (By Stephan Joerrens).
- Fixed case issue on JSON output for Rootcheck alerts.
- Fixed potential issue on duplicated agent ID detection.
- Fixed issue when creating agent backups.
- Fixed hanging problem on Windows Auth client when negotiation issues.
- Fixed bug at ossec-remoted that mismatched agent-info files.
- Fixed resource leaks at rules configuration parsing.
- Fixed memory leaks at rules parser.
- Fixed memory leaks at XML decoders parser.
- Fixed TOCTOU condition when removing directories recursively.
- Fixed insecure temporary file creation for old POSIX specifications.
- Fixed missing agentless devices identification at JSON alerts.
- Deleted link to LUA sources.
- Delete ZLib generated files on cleaning.
- Removed maximum lines limit from diff messages (that remain limited by length).
- agent_control: maximum number of agents can now be extracted using option "-m".
- maild: timeout limitation, preventing it from hang in some cases.
- Updated decoders, ruleset and rootchecks from Wazuh Ruleset v1.0.8.
- Updated changes from ossec-hids repository.
- Avoid authd to rename agent if overplaced.
- Changed some log messages.
- Reordered directories for agent backups.
- Don't exit when client.keys is empty by default.
- Improved client.keys reloading capabilities.
- Fixed JSON output at rootcheck_control.
- Fixed agent compilation on OS X.
- Fixed memory issue on removing timestamps.
- Fixed segmentation fault at reported.
- Fixed segmentation fault at logcollector.
- Removed old rootcheck options.
- Re-usage of agent ID in manage_agents and authd, with time limit.
- Added option to avoid manager from exiting when there are no keys.
- Backup of the information about an agent that's going to be deleted.
- Alerting if Authd can't add an agent because of a duplicated IP.
- Integrator with Slack and PagerDuty.
- Simplified keywords for the option "frequency".
- Added custom Reply-to e-mail header.
- Added option to syscheck to avoid showing diffs on some files.
- Created agents-timestamp file to save the agents' date of adding.
- client.keys: No longer overwrite the name of an agent with "#-#-#-" to mark it as deleted. Instead, the name will appear with a starting "!".
- API: Distinction between duplicated and invalid name for agent.
- Stop the "ERROR: No such file or directory" for Apache.
- Changed defaults to analysisd event counter.
- Authd won't use password by default.
- Changed name of fields at JSON output from binaries.
- Upgraded rules to Wazuh Ruleset v1.07
- Fixed merged.mg push on Windows Agent
- Fixed Windows agent compilation issue
- Fixed glob broken implementation.
- Fixed memory corruption on the OSSEC alert decoder.
- Fixed command "useradd" on OpenBSD.
- Fixed some PostgreSQL issues.
- Allow to disable syscheck:check_perm after enable check_all.
- JSON output for manage_agents.
- Increased analysis daemon's memory size.
- Authd: Added password authorization.
- Authd: Boost speed performance at assignation of ID for agents
- Authd: New option -f sec. Force addding new agent (even with duplicated IP) if it was not active for the last sec seconds.
- manage_agents: new option -d. Force adding new agent (even with duplicated IP)
- manage_agents: Printing new agent ID on adding.
- Authd and manage_agents won't add agents with duplicated IP.
- Solved duplicate IP conflicts on client.keys which prevented the new agent to connect.
- Hashing files in binary mode. Solved some problems related to integrity checksums on Windows.
- Fixed issue that made console programs not to work on Windows.
- RESTful API no longer included in extensions/api folder. Available now at https://github.com/wazuh/wazuh-api
- JSON CLI outputs: ossec-control, rootcheck_control, syscheck_control, ossec-logtest and more.
- Preparing integration with RESTful API
- Upgrade version scripts
- Merge commits from ossec-hids
- Upgraded rules to Wazuh Ruleset v1.06
- Folders are no longer included on etc/shared
- Fixes typos on rootcheck files
- Kibana dashboards fixes
- Added Wazuh Ruleset updater
- Added extensions files to support ELK Stack latest versions (ES 2.x, LS 2.1, Kibana 4.3)
- Upgraded rules to Wazuh Ruleset v1.05
- Fixed crash in reportd
- Fixed Windows EventChannel syntaxis issue
- Fixed manage_agents bulk option bug. No more "randombytes" errors.
- Windows deployment script improved
- Wazuh version info file
- ossec-init.conf now includes wazuh version
- Integrated with wazuh OSSEC ruleset updater
- Several new fields at JSON output (archives and alerts)
- Wazuh decoders folder
- Decoders are now splitted in differents files.
- jsonout_out enable by default
- JSON groups improvements
- Wazuh ruleset updated to 1.0.2
- Extensions: Improved Kibana dashboards
- Extensions: Improved Windows deployment script
- Initial Wazuh version v1.0