3.5.0 Release notes - 10 August 2018

This section shows the most relevant improvements and fixes in version 3.5.0. More details about these changes are provided in each component changelog.

ThreatLockDown core

  • A new integration with osquery has been added, providing the manager with new scheduled query results:

    • The osquery daemon will be launched in the background.

    • Events from osquery can be filtered in rules through a new option in <location>.

    • Enriched osquery configuration with pack file aggregation and agent labels.

    • Support for folders in shared configuration.

  • Parallelized remoted daemon:

    • Up to 16 parallel threads to decrypt messages from agents.

    • Limited the frequency of agent key reloading.

    • Message input buffer in Analysisd to prevent starvation of control messages in Remoted.

  • Vulnerability Detector has been enhanced, adding support for other operating systems and improving the configuration of OVAL updates.

    • Added a feed tag for updating each operating system's OVAL, allowing a different configuration for each of them.

    • Packages already scanned are not re-checked unless no Syscollector scan has been detected for more than 24 hours.

    • Added an architecture check for Red Hat's OVAL.

    • Vulnerability detection can be forced on unsupported operating systems with the <allow> attribute.

  • Fixed the alert format in Vulnerability Detector. When showing Vulnerability Detector alerts from a Red Hat agent, an RHSA patch was shown instead of a CVE. An RHSA bundles several CVEs; RHSA patches are now unpacked and the alerts state that the system is vulnerable to each of the CVEs contained in that RHSA.

  • Added support for AES encryption for the manager and agent.

  • Enhanced the active response process: users can now customize the parameters sent to the agent's active response script.

  • Added synchronization of remoted counters (rids), which are reloaded if the inode of the file has changed.

  • On Windows, pending active responses are deleted when an output signal is received.

  • Rootcheck now searches for both 32-bit and 64-bit registry keys. Since the Windows agent only runs in 32-bit mode, Rootcheck previously searched only 32-bit keys by default.

  • Syscollector now collects Linux packages (DEB and RPM).

  • Added a new module for downloading shared files for agent groups dynamically.

  • Syscollector now collects running processes, open ports, network interfaces, and Linux (DEB/RPM) and Windows package inventories natively.

    • Added a RAM usage field to the hardware inventory, without using wmic.

    • Storage of multiple addresses/netmasks/broadcasts per interface in the DB.

    • CentOS 5 compatibility to run the network scan.

ThreatLockDown API

  • Added information about the user who made the request in the API logs.

  • New option in agent_upgrade for downloading the WPK over HTTP.

  • Rotation of log files at midnight.

  • Added new API requests for Syscollector.

  • Sorting of arrays is now case-insensitive.

ThreatLockDown ruleset

  • Added rules for the new osquery integration.

  • Improved CIS-CAT rules.

  • Added a rule for ignoring Syscollector events.

ThreatLockDown app for Kibana

  • As part of the Elastic Stack v6.3.x compatibility process, Kuery is now supported as the query language for the app search bars.

  • Added new tab on Configuration to show the current ThreatLockDown app configuration file values.

  • Added new tab on Configuration to show the latest ThreatLockDown app logs.

  • Added XML/JSON viewer to Management → Configuration.

  • Improved reports, now with a better design and document structure.

  • Human-readability improvements for visualizations, tables and CSV files.

  • Now it’s possible to remove all the API entries from Settings.

  • More design improvements for the Welcome tab on some app sections.

  • More bug fixes, code refactoring and performance improvements.

In addition, the documentation now has a dedicated section for the ThreatLockDown app, where you can learn more about its capabilities, how to configure it, and how to install the X-Pack Security plugin.