3.0.0 Release notes - 3 December 2017

This section shows the most relevant new features of ThreatLockDown v3.0.0. You will find more detailed information in our changelog file.

For deploying your ThreatLockDown environment see the Installation guide.

New features:

Grouping agents

Support for the grouping of agents has now been included at the ThreatLockDown manager level, which makes centralized configuration more flexible and efficient.

Version 3.0.0 allows agents to be assigned to a specific group which may have different agent configuration, rootcheck policies and hardening checks than other groups. The manager will then send only the necessary files to each agent based on this assignment. Once the new configuration is received, the agent will restart itself to apply the changes.

This group management feature is available via terminal using a CLI included in the ThreatLockDown manager, as well as through ThreatLockDown API requests.

More information about this feature is found at Grouping agents.

Remote agent upgrades

The manager can now upgrade agents remotely. The agent version and OS it is running on are registered with the manager. The manager uses this information to know which agents need to be upgraded and which upgrade package to send.

A custom procedure has been created to perform these upgrades without relying on external package managers (apt/yum). The manager will instead send a compressed and signed WPK (ThreatLockDown Signed Package) that contains the necessary binaries and instructions to upgrade the agent.

The ability to roll back the upgrade is built into the process. If the agent loses connection with the manager after the upgrade, the agent will automatically be rolled back to restore connectivity.

WPK files will be generated by ThreatLockDown for every new release. You may also use your own custom WPK files.

In our dedicated section for Remote upgrading, you can find more information about this procedure.

ThreatLockDown cluster for managers

The ThreatLockDown cluster provides a new capability to scale ThreatLockDown horizontally by adding as many manager nodes as needed to process events from the reporting agents.

The cluster architecture is master/client based, synchronizing internal configuration files (agent keys, groups configuration, agents configuration and agent statuses) between all client nodes. This allows agents to report to multiple managers (cluster nodes), which increases availability and fault tolerance.

More information on this new functionality can be found in the dedicated section at Cluster basics.

Automatic decoding for JSON events

The ThreatLockDown manager now includes a native decoder for the JSON format which can read any JSON event and extract its fields dynamically. This new decoder enables ThreatLockDown to use all JSON fields/values for creating rules.

See the JSON decoder section for further information.

Along with this, we introduced a new log format in Logcollector to be able to monitor JSON log files. Custom labels can be included from the endpoint which will add valuable metadata to the monitored JSON logs.

See below for sample configuration:

<localfile>
  <location>/var/log/myapp/log.json</location>
  <log_format>json</log_format>
  <label key="@source">myapp</label>
  <label key="agent.type">webserver</label>
</localfile>

Below is a sample JSON log from the monitored file.

{
  "event": {
    "type": "write",
    "destination": "sample.txt"
  },
  "agent": {
    "name": "web01"
  }
}

The following will be the result when the above configuration is applied to the JSON log:

{
  "event": {
    "type": "write",
    "destination": "sample.txt"
  },
  "agent": {
    "name": "web01",
    "type": "webserver"
  },
  "@source": "myapp"
}

Information on how to configure this feature can be found in the localfile section of ossec.conf.
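To make the two halves of this feature concrete, the following is an added example (written for this page, not code from the ThreatLockDown/Wazuh project): apply_labels reproduces what Logcollector does with the <label> entries above (a dotted key such as agent.type becomes a nested field, a key without a dot such as @source becomes a top-level field), and flatten reproduces what the JSON decoder does on the manager side (nested fields become dotted field names, the form alerts display). The sample line and labels are constructed from the page; the rule that a label never overwrites a field the event already carries is an assumption of this example, not documented behaviour.

```python
import json
from typing import Any, Iterable, Tuple

# Constructed sample: the <label> entries from the <localfile> block above.
LABELS = [("@source", "myapp"), ("agent.type", "webserver")]

# Constructed sample: the JSON log line shown above, as Logcollector would read it.
SAMPLE_LINE = (
    '{"event": {"type": "write", "destination": "sample.txt"}, '
    '"agent": {"name": "web01"}}'
)


def set_path(obj: dict, key: str, value: Any) -> None:
    """Store `value` under a dotted path ('agent.type' -> obj['agent']['type']).

    A key without a dot ('@source') is stored at the top level.
    Assumption of this example: a label never overwrites a field that is
    already present in the event, and a scalar sitting where an object is
    needed blocks the label instead of being clobbered.
    """
    parts = key.split(".")
    node = obj
    for part in parts[:-1]:
        child = node.get(part)
        if not isinstance(child, dict):
            if part in node:
                return  # existing scalar at this path: leave the event untouched
            child = node[part] = {}
        node = child
    node.setdefault(parts[-1], value)


def apply_labels(line: str, labels: Iterable[Tuple[str, str]]) -> dict:
    """Logcollector side: parse one JSON line and attach the configured labels."""
    event = json.loads(line)
    if not isinstance(event, dict):
        raise ValueError("a JSON log line must be a JSON object")
    for key, value in labels:
        set_path(event, key, value)
    return event


def flatten(obj: dict, prefix: str = "") -> dict:
    """Decoder side: turn nested JSON into dotted field names.

    Lists and scalars are kept as values; only objects are descended into.
    """
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


if __name__ == "__main__":
    labelled = apply_labels(SAMPLE_LINE, LABELS)
    print(json.dumps(labelled, indent=2))       # the labelled event shown above
    for field, value in flatten(labelled).items():
        print(f"{field}: {value}")              # e.g. agent.type: webserver
```

Running the block prints the labelled event exactly as shown above and then the decoder's dotted view of it (event.type, event.destination, agent.name, agent.type, @source), which are the names a rule would match against.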

VirusTotal Integration

This new version includes an integration with the VirusTotal platform.

This allows the Manager to send the hashes of collected files (via Syscheck) to the VirusTotal API, reporting back the scan results and generating an alert when there is a positive result.

The integration with VirusTotal as a threat intelligence source, along with the existing FIM capabilities, is a significant improvement in Wazuh's malware detection.

Below is an example of an alert triggered from a positive result:

** Alert 1510684984.55826: mail  - virustotal,
2017 Nov 14 18:43:04 PC->virustotal
Rule: 87105 (level 12) -> 'VirusTotal: Alert - /media/user/software/suspicious-file.exe - 7 engines detected this file'
{"virustotal": {"permalink": "https://www.virustotal.com/file/8604adffc091a760deb4f4d599ab07540c300a0ccb5581de437162e940663a1e/analysis/1510680277/", "sha1": "68b92d885317929e5b283395400ec3322bc9db5e", "malicious": 1, "source": {"alert_id": "1510684983.55139", "sha1": "68b92d885317929e5b283395400ec3322bc9db5e", "file": "/media/user/software/suspicious-file.exe", "agent": {"id": "006", "name": "agent_centos"}, "md5": "9519135089d69ad7ae6b00a78480bb2b"}, "positives": 7, "found": 1, "total": 67, "scan_date": "2017-11-14 17:24:37"}, "integration": "virustotal"}
virustotal.permalink: https://www.virustotal.com/file/8604adffc091a760deb4f4d599ab07540c300a0ccb5581de437162e940663a1e/analysis/1510680277/
virustotal.sha1: 68b92d885317929e5b283395400ec3322bc9db5e
virustotal.malicious: 1
virustotal.source.alert_id: 1510684983.55139
virustotal.source.sha1: 68b92d885317929e5b283395400ec3322bc9db5e
virustotal.source.file: /media/user/software/suspicious-file.exe
virustotal.source.agent.id: 006
virustotal.source.agent.name: agent_centos
virustotal.source.md5: 9519135089d69ad7ae6b00a78480bb2b
virustotal.positives: 7
virustotal.found: 1
virustotal.total: 67
virustotal.scan_date: 2017-11-14 17:24:37
integration: virustotal

The complete documentation of this integration is located at VirusTotal integration section.

MSI Windows installer for agents

A new digitally signed MSI Windows installer has been developed in order to improve the installation process for Windows agents.

This installer can be launched in unattended mode from the command line and combines the agent installation, configuration, registration and connection into a single step.

The procedure for using the MSI installer can be found at: Install ThreatLockDown agent on Windows

ThreatLockDown API

The ThreatLockDown API now includes functionality to manage all the features included in this release, such as:

  • the management of remote agent upgrades,

  • the requests for managing groups, and

  • the management of the new ThreatLockDown Cluster.

In addition, more new features can be found in the API changelog.

Ruleset

The Ruleset has also been improved and now includes the necessary rules for the VirusTotal integration.

For details on changes in the Ruleset, please visit the Ruleset changelog.

Updated external libraries

External libraries used by ThreatLockDown have been updated to improve their integration with our components.

More relevant features

Additional features have been added to ThreatLockDown 3.0.0 in order to improve its performance, including, but not limited to:

  • the ability to choose the Cipher suite in Authd settings,

  • the automatic restarting of an agent when a new shared configuration is added from the manager,

  • the 'pending' state that is now shown for agents that are waiting for a manager response,

  • the ability to configure several managers for each agent, specifying its own protocol and port for each, and

  • the new functionality to rotate and compress internal logs by size.