Wazuh v3.4.0 Release Notes
Release Date: 2018-07-24

Added
- Support for SHA256 checksum in Syscheck (by @arshad01). (#410)
- Added an internal option for Syscheck to tune the RT alerting delay. (#434)
- Added two options in the tag `frequency` and `timeframe` to hide alerts when they are played several times in a given period of time. (#857)
- Include who-data in Syscheck for file integrity monitoring. (#756)
  - Linux Audit setup and monitoring to watch directories configured with who-data.
  - Direct communication with Auditd on Linux to catch who-data related events.
  - Setup of SACL for monitored directories on Windows.
  - Windows Audit events monitoring through Windows Event Channel.
  - Auto setup of audit configuration and reset when the agent quits.
- Syscheck in frequency time show alerts from deleted files. (#857)
- Added an option `target` to customize output format per-target in Logcollector. (#863)
- New option for the JSON decoder to choose the treatment of NULL values. (#677)
- Remove old snapshot files for FIM. (#872)
- Distinct operation in agents. (#920)
- Added support for unified WPK. (#865)
- Added missing debug options for modules in the internal options file. (#901)
- Added recursion limits when reading directories. (#947)

Changed
- Renamed cluster client node type to worker (#850).
- Changed a descriptive message in the alert showing what attributes changed. (#857)
- Change visualization of Syscheck alerts. (#857)
- Add all the available fields in the Syscheck messages from the Wazuh configuration files. (#857)
- Now the no_full_log option only affects JSON alerts. (#881)
- Delete temporary files when stopping Wazuh. (#732)
- Send OpenSCAP checks results to a FIFO queue instead of temporary files. (#732)
- Default behavior when starting Syscheck and Rootcheck components. (#829)
  - They are disabled if they do not appear in the configuration.
  - They can be set up as empty blocks in the configuration, applying their default values.
  - Improvements of error and information messages when they start.
- Improve output of `DELETE/agents` when no agents were removed. (#868)
- Include the file owner SID in Syscheck alerts.
- Change no previous checksum error message to information log. (#897)
- Changed default Syscheck scan speed: 100 files per second. (#975)
- Show network protocol used by the agent when connecting to the manager. (#980)

Fixed
- Syscheck RT process granularized to make frequency option more accurate. (#434)
- Fixed registry_ignore problem on Syscheck for Windows when arch="both" was used. (#525)
- Allow more than 256 directories in real-time for Windows agent using recursive watchers. (#540)
- Fix weird behavior in Syscheck when a modified file returns back to its first state. (#434)
- Replace hash value xxx (not enabled) for n/a if the hash couldn't be calculated. (#857)
- Do not report uid, gid or gname on Windows (avoid user=0). (#857)
- Several fixes generating sha256 hash. (#857)
- Fixed the option report_changes configuration. (#857)
- Fixed the 'report_changes' configuration when 'sha1' option is not set. (#857)
- Fix memory leak reading logcollector config. (#884)
- Fixed crash in Slack integration for alerts that don't have full log. (#880)
- Fixed active-responses.log definition path on Windows configuration. (#739)
- Added warning message when updating Syscheck/Rootcheck database to restart the manager. (#817)
- Fix PID file creation checking. (#822)
  - Check that the PID file was created and written.
  - This would prevent service from running multiple processes of the same daemon.
- Fix reading of Windows platform for 64 bits systems. (#832)
- Fixed Syslog output parser when reading the timestamp from the alerts in JSON format. (#843)
- Fixed filter for `gpg-pubkey` packages in Syscollector. (#847)
- Fixed bug in configuration when reading the `repeated_offenders` option in Active Response. (#873)
- Fixed variables parser when loading rules. (#855)
- Fixed parser files names in the Rootcheck scan. (#840)
- Removed frequency offset in rules. (#827).
- Fixed sort agents by status in `GET/agents` API request. (#810)
- Added exception when no agents are selected to restart. (#870)
- Prevent files from remaining open in the cluster. (#874)
- Fix network unreachable error when cluster starts. (#800)
- Fix empty rules and decoders file check. (#887)
- Prevent access to a nonexistent hash table from the 'whodata' thread. (#911)
- Fix CA verification with more than one 'ca_store' definition. (#927)
- Fix error in syscollector API calls when Wazuh is installed in a directory different than `/var/ossec`. (#942).
- Fix error in CentOS 6 when `wazuh-cluster` is disabled. (#944).
- Fix Remoted connection failed warning in TCP mode due to timeout. (#958)
- Fix option 'rule_id' in syslog client. (#979)
- Fixed bug in legacy agent's server options that prevented it from setting port and protocol.