Wazuh v4.2.0 Release Notes
Release Date: 2021-08-25
➕ Added
Core:
- Added support for bookmarks in Logcollector, allowing to follow the log file at the point where the agent stopped. (#3368)
- Improved support for multi-line logs with a variable number of lines in Logcollector. (#5652)
- Added an option to limit the number of files per second in FIM. (#6830)
- Added a statistics file to Logcollector. Such data is also available via API queries. (#7109)
- Allow statistical data queries to the agent. (#7239)
- Allowed quoting in commands to group arguments in the command wodle and SCA checks. (#7307)
- Let agents running on Solaris send their IP to the manager. (#7408)
- New option <ip_update_interval> to set how often the agent refreshes its IP address. (#7444)
- Added support for testing location information in Wazuh Logtest. (#7661)
- Added Vulnerability Detector reports to Wazuh DB to know which CVE’s affect an agent. (#7731)
- Introduced an option to enable or disable listening Authd TLS port. (#8755)
API:
- Added new endpoint to get agent stats from different components. (#7200)
- Added new endpoint to modify users' allow_run_as flag. (#7588)
- Added new endpoint to get vulnerabilities that affect an agent. (#7647)
- Added API configuration validator. (#7803)
- Added the capability to disable the max_request_per_minute API configuration option using 0 as value. (#8115)
Ruleset:
- Decoders
  - Added support for UFW firewall to decoders. (#7100)
  - Added Sophos firewall Decoders. (#7289)
  - Added Wazuh API Decoders. (#7289)
  - Added F5 BigIP Decoders. (#7289)
- Rules
  - Added Sophos firewall Rules. (#7289)
  - Added Wazuh API Rules. (#7289)
  - Added Firewall Rules.
  - Added F5 BigIP Rules. (#7289)
- SCA
  - Added CIS policy "Ensure XD/NX support is enabled" back for SCA. (#7316)
  - Added Apple macOS 10.14 SCA. (#7035)
  - Added Apple macOS 10.15 SCA. (#7036)
  - Added Apple macOS 11.11 SCA. (#7037)
🔄 Changed
Cluster:
- Improved the cluster nodes integrity calculation process. It only calculates the MD5 of the files that have been modified since the last integrity check. (#8175)
- Changed the synchronization of agent information between cluster nodes to complete the synchronization in a single task for each worker. (#8182)
- Changed cluster logs to show more useful information. (#8002)
Core:
- Wazuh daemons have been renamed to a unified standard. (#6912)
- Wazuh CLIs have been renamed to a unified standard. (#6903)
- Wazuh internal directories have been renamed to a unified standard. (#6920)
- Prevent a condition in FIM that may lead to a memory error. (#6759)
- Let FIM switch to real-time mode for directories where who-data is not available (Audit in immutable mode). (#6828)
- Changed the Active Response protocol to receive messages in JSON format that include the full alert. (#7317)
- Changed references to the product name in logs. (#7264)
- Syscollector now synchronizes its database with the manager, avoiding full data delivery on each scan. (#7379)
- Remoted now supports both TCP and UDP protocols simultaneously. (#7541)
- Improved the unit tests for the os_net library. (#7595)
- FIM now removes the audit rules when their corresponding symbolic links change their target. (#6999)
- Compilation from sources now downloads the external dependencies prebuilt. (#7797)
- Added the old implementation of Logtest as wazuh-logtest-legacy. (#7807)
- Improved the performance of Analysisd when running on multi-core hosts. (#7974)
- Agents now report to the manager when they stop, so the manager can log an alert and immediately set their state to "disconnected". (#8021)
- Wazuh building is now independent from the installation directory. (#7327)
- The embedded python interpreter is provided in a preinstalled, portable package. (#7327)
- Wazuh resources are now accessed by a relative path to the installation directory. (#7327)
- The error log that appeared when the agent cannot connect to SCA has been switched to warning. (#8201)
- The agent now validates the Audit connection configuration when enabling whodata for FIM on Linux. (#8921)
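The Active Response change above (#7317) means a script now receives one JSON document on stdin that embeds the full alert instead of a positional string. The following is an added example, not code from Wazuh: a defensive parser that pins the protocol version, allow-lists the command and pulls the source IP and rule id out of the embedded alert. The field layout (version, origin, command, parameters.alert, parameters.program) and the sample message are assumptions, not taken from these release notes.

```python
import json

# Only the two commands a script is expected to act on.
VALID_COMMANDS = {"add", "delete"}


class InvalidMessage(ValueError):
    """Raised when the execd message does not have the expected shape."""


def parse_ar_message(raw):
    """Parse one JSON Active Response message and return (command, srcip, rule_id).

    Field names are assumed from the JSON protocol layout, not from the page.
    Anything malformed is rejected rather than acted upon.
    """
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise InvalidMessage(f"not JSON: {exc}") from exc
    if not isinstance(msg, dict) or msg.get("version") != 1:
        raise InvalidMessage("unsupported or missing protocol version")
    command = msg.get("command")
    if command not in VALID_COMMANDS:
        raise InvalidMessage(f"unexpected command: {command!r}")
    params = msg.get("parameters") or {}
    alert = params.get("alert") or {}
    srcip = (alert.get("data") or {}).get("srcip")
    rule_id = (alert.get("rule") or {}).get("id")
    if not srcip or not rule_id:
        raise InvalidMessage("alert lacks data.srcip or rule.id")
    return command, srcip, rule_id


# Constructed sample message (hypothetical values, not captured from a manager).
SAMPLE = json.dumps({
    "version": 1,
    "origin": {"name": "manager01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "5712", "level": 10},
            "agent": {"id": "001", "name": "web01"},
            "data": {"srcip": "192.0.2.10"},
        },
        "program": "active-response/bin/custom-block",
    },
})

if __name__ == "__main__":
    print(parse_ar_message(SAMPLE))  # ('add', '192.0.2.10', '5712')
```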
API:
- Removed ruleset version from GET /cluster/{node_id}/info and GET /manager/info as it was deprecated. (#6904)
- Changed the POST /groups endpoint to specify the group name in a JSON body instead of in a query parameter. (#6909)
- Changed the PUT /active-response endpoint function to create messages with the new JSON format. (#7312)
- New parameters added to the DELETE /agents endpoint and the older_than field removed from the response. (#6366)
- Changed login security controller to avoid errors in Restful API reference links. (#7909)
- Changed the PUT /agents/group/{group_id}/restart response format when there are no agents assigned to the group. (#8123)
- Agent keys used when adding agents are now obscured in the API log. (#8149)
- Improved all agent restart endpoints by removing active-response check. (#8457)
- Improved API requests processing time by applying cache to token RBAC permissions extraction. It will be invalidated if any resource related to the token is modified. (#8615)
- Increased to 100000 the maximum value accepted for the limit API parameter; the default value remains at 500. (#8841)
Framework:
- Improved agent insertion algorithm when Authd is not available. (#8682)
Ruleset:
- The ruleset was normalized according to the Wazuh standard. (#6867)
- Rules
  - Changed Ossec Rules. (#7260)
  - Changed Cisco IOS Rules. (#7289)
  - Changed ID from 51000 to 51003 in Dropbear Rules. (#7289)
  - Changed 6 new rules for Sophos Rules. (#7289)
- Decoders
  - Changed Active Response Decoders. (#7317)
  - Changed Auditd Decoders. (#7289)
  - Changed Checkpoint Smart1 Decoders. (#8676)
  - Changed Cisco ASA Decoders. (#7289)
  - Changed Cisco IOS Decoders. (#7289)
  - Changed Kernel Decoders. (#7837)
  - Changed OpenLDAP Decoders. (#7289)
  - Changed Ossec Decoders. (#7260)
  - Changed Sophos Decoders. (#7289)
  - Changed PFsense Decoders. (#7289)
  - Changed Panda PAPS Decoders. (#8676)
External dependencies:
🛠 Fixed
Cluster:
- Fixed memory usage when creating cluster messages. (#6736)
- Fixed a bug when unpacking incomplete headers in cluster messages. (#8142)
- Changed error message to debug when iterating a file listed that is already deleted. (#8499)
- Fixed cluster timeout exceptions. (#8901)
- Fixed unhandled KeyError when an error command is received in any cluster node. (#8872)
- Fixed unhandled cluster error in send_string() communication protocol. (#8943)
Core:
- Fixed a bug in FIM when setting scan_time to "12am" or "12pm". (#6934)
- Fixed a bug in FIM that produced wrong alerts when the file limit was reached. (#6802)
- Fixed a bug in Analysisd that reserved the static decoder field name "command" but never used it. (#7105)
- Fixed evaluation of fields in the <description> tag of rules. (#7073)
- Fixed bugs in FIM that caused symbolic links to not work correctly. (#6789)
- Fixed path validation in FIM configuration. (#7018)
- Fixed a bug in the "ignore" option on FIM where relative paths were not resolved. (#7018)
- Fixed a bug in FIM that wrongly detected that the file limit had been reached. (#7268)
- Fixed a bug in FIM that did not produce alerts when a domain user deleted a file. (#7265)
- Fixed Windows agent compilation with GCC 10. (#7359)
- Fixed a bug in FIM that wrongly expanded environment variables. (#7332)
- Fixed the inclusion of the rule description in archives when a rule that would not produce an alert was matched. (#7476)
- Fixed a bug in the regex parser that did not accept empty strings. (#7495)
- Fixed a bug in FIM that did not report deleted files set with real-time in agents on Solaris. (#7414)
- Fixed a bug in Remoted that wrongly included the priority header in syslog when using TCP. (#7633)
- Fixed a stack overflow in the XML parser by limiting 1024 levels of recursion. (#7782)
- Prevented Vulnerability Detector from scanning all the agents in the master node that are connected to another worker. (#7795)
- Fixed an issue in the database sync module that left dangling agent group files. (#7858)
- Fixed memory leaks in the regex parser in Analysisd. (#7919)
- Fixed a typo in the initial value for the hotfix scan ID in the agents' database schema. (#7905)
- Fixed a segmentation fault in Vulnerability Detector when parsing an unsupported package version format. (#8003)
- Fixed false positives in FIM when the inode of multiple files changes, due to file inode collisions in the engine database. (#7990)
- Fixed the error handling when wildcarded Redhat feeds are not found. (#6932)
- Fixed the equals comparator for OVAL feeds in Vulnerability Detector. (#7862)
- Fixed a bug in FIM that made the Windows agent crash when synchronizing a Windows Registry value that starts with a colon (:). (#8098 #8143)
- Fixed a starving hazard in Wazuh DB that might stall incoming requests during the database commitment. (#8151)
- Fixed a race condition in Remoted that might make it crash when closing RID files. (#8224)
- Fixed a descriptor leak in the agent when it failed to connect to Authd. (#8789)
- Fixed a potential error when starting the manager due to a delay in the creation of Analysisd PID file. (#8828)
- Fixed an invalid memory access hazard in Vulnerability Detector. (#8551)
- Fixed an error in the FIM decoder at the manager when the agent reports a file with an empty ACE list. (#8571)
- Prevented the agent on macOS from getting corrupted after an operating system upgrade. (#8620)
- Fixed an error in the manager that prevented it from checking its configuration after a change made through the API when Active Response is disabled. (#8357)
- Fixed a problem in the manager that left remote counter and agent group files when removing an agent. (#8630)
- Fixed an error in the agent on Windows that could corrupt the internal FIM database due to disabling the disk sync. (#8905)
- Fixed a crash in Logcollector on Windows when handling the position of the file. (#9364)
- Fixed a buffer underflow hazard in Remoted when handling input messages. Thanks to Johannes Segitz (@jsegitz). (#9285)
- Fixed a bug in the agent that tried to verify the WPK CA certificate even when verification was disabled. (#9547)
API:
- Fixed wrong API messages returned when getting agents' upgrade results. (#7587)
- Fixed wrong user string in API logs when receiving responses with status codes 308 or 404. (#7709)
- Fixed API errors when cluster is disabled and node_type is worker. (#7867)
- Fixed redundant paths and duplicated tests in API integration test mapping script. (#7798)
- Fixed an API integration test case failing in test_rbac_white_all and added a test case for the enable/disable run_as endpoint. (#8014)
- Fixed a thread race condition when adding or deleting agents without authd. (#8148)
- Fixed CORS in API configuration. (#8496)
- Fixed api.log to avoid unhandled exceptions on API timeouts. (#8887)
Ruleset:
- Fixed usb-storage-attached regex pattern to support blank spaces. (#7837)
- Fixed SCA checks for RHEL7 and CentOS 7. Thanks to J. Daniel Medeiros (@jdmedeiros). (#7645)
- Fixed the match criteria of the AWS WAF rules. (#8111)
- Fixed sample log in sudo decoders.
- Fixed Pix Decoders match regex. (#7485)
- Fixed regex in Syslog Rules. (#7289)
- Fixed category in PIX Rules. (#7289)
- Fixed authentication tag in group for MSauth Rules. (#7289)
- Fixed match on Nginx Rules. (#7122)
- Fixed sample log on Netscaler Rules. (#7783)
- Fixed match field for rules 80441 and 80442 in Amazon Rules. (#8111)
- Fixed sample logs in Owncloud Rules. (#7122)
- Fixed authentication tag in group for Win Security Rules. (#7289)
- Fixed sample log in Win Security Rules. (#7783)
- Fixed sample log in Win Application Rules. (#7783)
- Fixed mitre block in Paloalto Rules. (#7783)
Modules:
- Fixed an error when trying to use a non-default aws profile with CloudWatchLogs (#9331)
✂ Removed