4.3.7 Release notes - 24 August 2022

This section lists the changes in version 4.3.7. Every update of the ThreatLockDown solution is cumulative and includes all enhancements and fixes from previous releases.

What's new

This release includes new features or enhancements as the following:

ThreatLockDown manager

#14540 A cluster command to obtain custom ruleset files and their hash is added.

ThreatLockDown agent

#13958 The logs of the Office365 integration module are improved.

RESTful API

#14551 The endpoint GET /cluster/ruleset/synchronization to check the status of the synchronization of the ruleset in a cluster is added.
#14208 The performance of framework functions for MITRE API endpoints is improved.

Ruleset

#13806 An SCA Policy for CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is added.
#13879 The SCA Policy for CIS Microsoft Windows 10 Enterprise is updated with the benchmark v1.12.0 for the release 21H2.
#13843 An SCA policy for Red Hat Enterprise Linux 9 (RHEL9) is added.
#13899 An SCA policy for CIS Microsoft Windows Server 2022 Benchmark 1.0.0 is added.

ThreatLockDown dashboard

#4350 The deprecated manager_host field in ThreatLockDown API responses about agent information is no longer used.

ThreatLockDown Kibana plugin for Kibana 7.10.2

#4350 The deprecated manager_host field in ThreatLockDown API responses about agent information is no longer used.

ThreatLockDown Kibana plugin for Kibana 7.16.x and 7.17.x

#4350 The deprecated manager_host field in ThreatLockDown API responses about agent information is no longer used.

ThreatLockDown Splunk app

ThreatLockDown Splunk app is now compatible with ThreatLockDown 4.3.7.

Packages

#1737 passwords-tool tests are added with the files passwords-tool.yml and tests-stack.sh.
#1742 A port status check is added to the ThreatLockDown installation assistant to avoid the installation ending up in failure if one of the ThreatLockDown default ports is being used.
#1754 Skipping the OS check of the wazuh-install.sh script when downloading files is added.
#1629 The -tmp option is added to the the wazuh-certs-tool script in order to specify the tmp directory.
#1685 The RHEL 9 SCA files are added to the specs.
#1734 All Zypper references are removed from the unattended and test directories.
#1753 TLS versions lower than v1.2 are disabled to avoid using weak cipher suites.
#1641 Removed the revision variables from the ThreatLockDown installation assistant.
#1750 The OVA generation scripts are modified to adapt them to the newest changes in wazuh-passwords-tool.sh.
#1769 The path when copying Fedora SCA files is fixed with the new versions.

RPM revision 2

v4.3.7-2 A bug related to the installation of the SCA policy in RHEL8 is fixed. This error caused the RHEL 9 SCA policy to be installed in RHEL 8 machines instead of the correct one.

Resolved issues

This release resolves known issues as the following:

ThreatLockDown manager

Reference	Description
#13956	A bug in Analysisd that may make it crash when decoding regexes with more than 14 subpatterns is fixed.
#14366	The risk of a crash when Vulnerability Detector parses OVAL feeds is fixed.
#14436	A busy-looping in `wazuh-maild` when monitoring `alerts.json` is fixed.
#14417	A segmentation fault in `wazuh-maild` when parsing alerts exceeding the nesting limit is fixed.

ThreatLockDown agent

Reference	Description
#14368	A code defect in the GitHub integration module reported by Coverity is fixed.
#14518	An undefined behavior in the agent unit tests is fixed.

Ruleset

Reference	Description
#14513	A bug found in the regular expression used for check 5.1.1 (ID 19137) of the Ubuntu 20 SCA policy file that caused false positives is fixed.
#14483	An error when a ThreatLockDown agent runs an AWS Amazon Linux SCA policy is fixed.
#13950	Amazon Linux 2 SCA policy is modified to resolve rules and conditions on control 1.5.2.
#14481	Missing SCA files are added to the ThreatLockDown manager installation.
#14678	OS detection in Ubuntu 20.04 LTS SCA policy is now fixed.

ThreatLockDown dashboard

Reference	Description
#4378	Link to web documentation and some grammatical errors in the file `wazuh.yml` are fixed. Also, the in-file documentation is improved.
#4399	The `config-equivalences` file is moved to the `common` folder to make it available for the entire application.
#4350	An error during the generation of a group's report, if the request to the ThreatLockDown API fails, is fixed.
#4350	A problem with the group's report, when the group has no agents, is fixed.
#4352	A path in the logo customization section is fixed.
#4362	A TypeError in a resource that fails in Chrome and Firefox browsers is fixed.
#4358	An error creating PDF reports when using Kibana with X-Pack without authentication context is fixed.
#4359	Module settings not persisting between updates is fixed.
#4367	A search bar error on the SCA Inventory table is fixed.
#4373	A routing loop when reinstalling the ThreatLockDown indexer is fixed.

ThreatLockDown Kibana plugin for Kibana 7.10.2

Reference	Description
#4378	Link to web documentation and some grammatical errors in the file `wazuh.yml` are fixed. Also, the in-file documentation is improved.
#4399	The `config-equivalences` file is moved to the `common` folder to make it available for the entire application.
#4350	An error during the generation of a group's report, if the request to the ThreatLockDown API fails, is fixed.
#4350	A problem with the group's report, when the group has no agents, is fixed.
#4352	A path in the logo customization section is fixed.
#4362	A TypeError in a resource that fails in Chrome and Firefox browsers is fixed.
#4358	An error creating PDF reports when using Kibana with X-Pack without authentication context is fixed.
#4359	The persistence of the plugin registry file between updates is fixed.
#4367	A search bar error on the SCA Inventory table is fixed.
#4373	A routing loop when reinstalling the ThreatLockDown indexer is fixed.

ThreatLockDown Kibana plugin for Kibana 7.16.x and 7.17.x

Reference	Description
#4378	Link to web documentation and some grammatical errors in the file `wazuh.yml` are fixed. Also, the in-file documentation is improved.
#4399	The `config-equivalences` file is moved to the `common` folder to make it available for the entire application.
#4350	An error during the generation of a group's report, if the request to the ThreatLockDown API fails, is fixed.
#4350	A problem with the group's report, when the group has no agents, is fixed.
#4352	A path in the logo customization section is fixed.
#4362	A TypeError in a resource that fails in Chrome and Firefox browsers is fixed.
#4358	An error creating PDF reports when using Kibana with X-Pack without authentication context is fixed.
#4359	Module settings not persisting between updates is fixed.
#4367	A search bar error on the SCA Inventory table is fixed.
#4373	A routing loop when reinstalling the ThreatLockDown indexer is fixed.

ThreatLockDown Splunk app

Reference	Description
#1359	The API console suggestions were not working in version 4.3.6 and are now fixed.

Packages

Reference	Description
#1762	The ThreatLockDown GPG key is now removed when uninstalling all the ThreatLockDown components using the installation assistant.
#1765	Handling of errors that might happen when downloading Filebeat files is added.
#1766	A check of the indentation of the `config.yml` file is added.
#1731	An error when installing every component of a distributed installation in the same host using the 127.0.0.1 IP address is fixed.
#1619	The code of the ThreatLockDown installation assistant has been improved.

Changelogs

More details about these changes are provided in the changelog of each component: