4.3.7 Release notes - 24 August 2022

This section lists the changes in version 4.3.7. Every update of the ThreatLockDown solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes the following new features and enhancements:

ThreatLockDown manager

  • #14540 A cluster command to obtain custom ruleset files and their hash is added.

ThreatLockDown agent

  • #13958 The logs of the Office365 integration module are improved.

RESTful API

  • #14551 The endpoint GET /cluster/ruleset/synchronization to check the status of the synchronization of the ruleset in a cluster is added.

  • #14208 The performance of framework functions for MITRE API endpoints is improved.

Ruleset

  • #13806 An SCA Policy for CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is added.

  • #13879 The SCA Policy for CIS Microsoft Windows 10 Enterprise is updated with the benchmark v1.12.0 for the release 21H2.

  • #13843 An SCA policy for Red Hat Enterprise Linux 9 (RHEL9) is added.

  • #13899 An SCA policy for CIS Microsoft Windows Server 2022 Benchmark 1.0.0 is added.

ThreatLockDown dashboard

  • #4350 The deprecated manager_host field in ThreatLockDown API responses about agent information is no longer used.

ThreatLockDown Kibana plugin for Kibana 7.10.2

  • #4350 The deprecated manager_host field in ThreatLockDown API responses about agent information is no longer used.

ThreatLockDown Kibana plugin for Kibana 7.16.x and 7.17.x

  • #4350 The deprecated manager_host field in ThreatLockDown API responses about agent information is no longer used.

ThreatLockDown Splunk app

  • ThreatLockDown Splunk app is now compatible with ThreatLockDown 4.3.7.

Packages

  • #1737 passwords-tool tests are added with the files passwords-tool.yml and tests-stack.sh.

  • #1742 A port status check is added to the ThreatLockDown installation assistant to avoid the installation ending up in failure if one of the ThreatLockDown default ports is being used.

  • #1754 The wazuh-install.sh script now skips the OS check when only downloading files.

  • #1629 The -tmp option is added to the wazuh-certs-tool script in order to specify the tmp directory.

  • #1685 The RHEL 9 SCA files are added to the specs.

  • #1734 All Zypper references are removed from the unattended and test directories.

  • #1753 TLS versions lower than v1.2 are disabled to avoid using weak cipher suites.

  • #1641 The revision variables are removed from the ThreatLockDown installation assistant.

  • #1750 The OVA generation scripts are modified to adapt them to the newest changes in wazuh-passwords-tool.sh.

  • #1769 The path when copying Fedora SCA files is fixed with the new versions.

RPM revision 2

  • v4.3.7-2 A bug related to the installation of the SCA policy in RHEL8 is fixed. This error caused the RHEL 9 SCA policy to be installed in RHEL 8 machines instead of the correct one.

Resolved issues

This release resolves the following known issues:

ThreatLockDown manager

  • #13956 A bug in Analysisd that could make it crash when decoding regexes with more than 14 subpatterns is fixed.

  • #14366 The risk of a crash when Vulnerability Detector parses OVAL feeds is fixed.

  • #14436 A busy loop in wazuh-maild when monitoring alerts.json is fixed.

  • #14417 A segmentation fault in wazuh-maild when parsing alerts exceeding the nesting limit is fixed.

ThreatLockDown agent

  • #14368 A code defect in the GitHub integration module reported by Coverity is fixed.

  • #14518 An undefined behavior in the agent unit tests is fixed.

Ruleset

  • #14513 A bug in the regular expression used for check 5.1.1 (ID 19137) of the Ubuntu 20 SCA policy file, which caused false positives, is fixed.

  • #14483 An error when a ThreatLockDown agent runs an AWS Amazon Linux SCA policy is fixed.

  • #13950 The Amazon Linux 2 SCA policy is modified to resolve rules and conditions on control 1.5.2.

  • #14481 Missing SCA files are added to the ThreatLockDown manager installation.

  • #14678 OS detection in the Ubuntu 20.04 LTS SCA policy is fixed.

ThreatLockDown dashboard

  • #4378 The link to the web documentation and some grammatical errors in the file wazuh.yml are fixed. Also, the in-file documentation is improved.

  • #4399 The config-equivalences file is moved to the common folder to make it available to the entire application.

  • #4350 An error during the generation of a group's report when the request to the ThreatLockDown API fails is fixed.

  • #4350 A problem with the group's report when the group has no agents is fixed.

  • #4352 A path in the logo customization section is fixed.

  • #4362 A TypeError in a resource that fails in Chrome and Firefox browsers is fixed.

  • #4358 An error creating PDF reports when using Kibana with X-Pack without an authentication context is fixed.

  • #4359 An issue where module settings did not persist between updates is fixed.

  • #4367 A search bar error on the SCA Inventory table is fixed.

  • #4373 A routing loop when reinstalling the ThreatLockDown indexer is fixed.

ThreatLockDown Kibana plugin for Kibana 7.10.2

  • #4378 The link to the web documentation and some grammatical errors in the file wazuh.yml are fixed. Also, the in-file documentation is improved.

  • #4399 The config-equivalences file is moved to the common folder to make it available to the entire application.

  • #4350 An error during the generation of a group's report when the request to the ThreatLockDown API fails is fixed.

  • #4350 A problem with the group's report when the group has no agents is fixed.

  • #4352 A path in the logo customization section is fixed.

  • #4362 A TypeError in a resource that fails in Chrome and Firefox browsers is fixed.

  • #4358 An error creating PDF reports when using Kibana with X-Pack without an authentication context is fixed.

  • #4359 The persistence of the plugin registry file between updates is fixed.

  • #4367 A search bar error on the SCA Inventory table is fixed.

  • #4373 A routing loop when reinstalling the ThreatLockDown indexer is fixed.

ThreatLockDown Kibana plugin for Kibana 7.16.x and 7.17.x

  • #4378 The link to the web documentation and some grammatical errors in the file wazuh.yml are fixed. Also, the in-file documentation is improved.

  • #4399 The config-equivalences file is moved to the common folder to make it available to the entire application.

  • #4350 An error during the generation of a group's report when the request to the ThreatLockDown API fails is fixed.

  • #4350 A problem with the group's report when the group has no agents is fixed.

  • #4352 A path in the logo customization section is fixed.

  • #4362 A TypeError in a resource that fails in Chrome and Firefox browsers is fixed.

  • #4358 An error creating PDF reports when using Kibana with X-Pack without an authentication context is fixed.

  • #4359 An issue where module settings did not persist between updates is fixed.

  • #4367 A search bar error on the SCA Inventory table is fixed.

  • #4373 A routing loop when reinstalling the ThreatLockDown indexer is fixed.

ThreatLockDown Splunk app

  • #1359 The API console suggestions, which were not working in version 4.3.6, are now fixed.

Packages

  • #1762 The ThreatLockDown GPG key is now removed when uninstalling all the ThreatLockDown components using the installation assistant.

  • #1765 Handling of errors that might happen when downloading Filebeat files is added.

  • #1766 A check of the indentation of the config.yml file is added.

  • #1731 An error when installing every component of a distributed installation on the same host using the 127.0.0.1 IP address is fixed.

  • #1619 The code of the ThreatLockDown installation assistant is improved.

Changelogs

More details about these changes are provided in the changelog of each component: