4.4.0 Release notes - 28 March 2023

This section lists the changes in version 4.4.0. Every update of the ThreatLockDown solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

This new version of ThreatLockDown brings new features and adds support for some Linux distributions and integrations. For more details, the highlights of ThreatLockDown 4.4.0 are listed below:

  • IPv6 support for the enrollment process and the agent-manager connection

  • Vulnerability detection support for SUSE agents

  • ThreatLockDown indexer and dashboard are now based on OpenSearch 2.4.1

  • Rework of Ubuntu Linux 20.04 and 22.04 SCA policies

  • Support for Azure Integration in Linux agents

Below you can find more information about each of these highlights.

ThreatLockDown 4.4.0 brings IPv6 support when connecting and enrolling an agent to a manager. The IPv6 protocol can handle packets more effectively, enhance performance, and boost security. This new feature allows agents to register and connect through an IPv6 address.

SUSE agents now natively support vulnerability detection. ThreatLockDown added full support for SUSE Linux Enterprise Server and Desktop versions 11, 12, and 15. The Vulnerability Detector now scans the programs identified by Syscollector and reports the vulnerabilities described in the SUSE OVAL and NVD databases.

The ThreatLockDown indexer and dashboard are now based on OpenSearch 2.4.1. The ThreatLockDown indexer and the ThreatLockDown dashboard are based on OpenSearch, an open source search and analytics project derived from Elasticsearch and Kibana. We generated and tested the wazuh-indexer Debian and RPM packages with OpenSearch 2.4.1 and the wazuh-dashboard Debian and RPM packages with OpenSearch Dashboards 2.4.1. This way, we avoid vulnerabilities present in earlier versions and incorporate new functionality.

To solve some errors in the previous Ubuntu Linux 20.04 SCA policy, we reworked the Ubuntu Linux 20.04 and 22.04 SCA policies. As part of this task, we used the CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0 to update the Ubuntu Linux 22.04 SCA policy.

ThreatLockDown added support for the Azure integration in Linux agents. This integration can now run on both agents and managers. We modified the package generation process to support Azure in agents installed using WPK packages. Each new WPK package contains all the updated binaries and source code, and the installer updates all files and binaries to support the Azure integration.

Finally, we continue to support all installation alternatives, and we extend this support by adding more recent versions.

Note

Starting with ThreatLockDown v4.5.0, the central components will only support the Amazon Linux, RHEL, CentOS, and Ubuntu operating systems whose versions are officially supported by their vendors. ThreatLockDown agents will maintain their current support status.

Breaking changes

This release includes some breaking changes, such as the following:

ThreatLockDown manager

  • #10865 The agent key polling module has been ported to wazuh-authd.

RESTful API

  • #14119 Added new setting upload_wazuh_configuration to the ThreatLockDown API configuration. The old parameter remote_commands is now part of this setting.

  • #14230 Deprecated the GET /manager/stats/analysisd, GET /manager/stats/remoted, GET /cluster/{node_id}/stats/analysisd, and GET /cluster/{node_id}/stats/remoted API endpoints. Use the new GET /manager/daemons/stats and GET /cluster/{node_id}/daemons/stats endpoints, respectively.

  • #16231 Removed RBAC group assignments' related permissions from DELETE /groups to improve performance and changed response structure.

Ruleset

  • The ThreatLockDown ruleset has been updated; the changes are listed below. If you have a custom set of decoders and rules, please review these changes.

What's new

This version includes new features or improvements, such as the following:

ThreatLockDown manager

  • #9995 Added new unit tests for the cluster Python module and increased coverage to 99%.

  • #11190 Added file size limitation on cluster integrity sync.

  • #13424 Added unit tests for CLI script files.

  • #9962 Added support for SUSE in Vulnerability Detector.

  • #13263 Added support for Ubuntu Jammy in Vulnerability Detector.

  • #13608 Added a software limit to restrict the number of EPS a manager can process.

  • #11753 Added a new wazuh-clusterd task for agent-groups info synchronization.

  • #14950 Added unit tests for functions in charge of getting ruleset sync status.

  • #14950 Added auto-vacuum mechanism in wazuh-db.

  • #10843 Delta events in Syscollector when data gets changed may now produce alerts.

  • #10822 wazuh-logtest now shows warnings about ruleset issues.

  • #12206 Modulesd memory is now managed by jemalloc to help reduce memory fragmentation.

  • #12117 Updated the Vulnerability Detector configuration reporting to include MSU and skip JSON Red Hat feed.

  • #12352 Improved the shared configuration file handling performance.

  • #11753 The agent group data is now natively handled by ThreatLockDown DB.

  • #10710 Improved security at cluster zip filenames creation.

  • #12390 The core/common.py module is refactored.

  • #12497 The format_data_into_dictionary method of WazuhDBQuerySyscheck class is refactored.

  • #11124 The maximum zip size that can be created while synchronizing cluster Integrity is limited.

  • #13065 The functions in charge of synchronizing files in the cluster are refactored.

  • #13079 Changed MD5 hash function to BLAKE2 for cluster file comparison.

  • #12926 Renamed wazuh-logtest and wazuh-clusterd scripts to follow the same scheme as the other scripts (spaces symbolized with _ instead of -).

  • #13741 Added the update field in the CPE Helper for Vulnerability Detector.

  • #11702 The agents with the same ID are prevented from connecting to the manager simultaneously.

  • #13713 wazuh-analysisd, wazuh-remoted, and wazuh-db metrics have been extended.

  • #11753 The number of wazuh-clusterd messages sent from workers to the master for agent-info tasks is minimized and optimized.

  • #14244 The performance of the agent_groups CLI is improved when listing agents belonging to a group.

  • #14475 Changed wazuh-clusterd binary behavior to kill any existing cluster processes when executed.

  • #14791 Changed wazuh-clusterd tasks to wait asynchronously for responses coming from wazuh-db.

  • #11190 Use zlib for zip compression in cluster synchronization.

  • #12241 Added mechanism to dynamically adjust zip size limit in Integrity sync.

  • #12409 Removed the unused internal option wazuh_db.sock_queue_size.

  • #10940 Removed all the unused exceptions from the exceptions.py file.

  • #10740 Removed unused execute method from core/utils.py.

  • #13119 Removed unused set_user_name function in framework.

  • #12370 Unused internal calls to wazuh-db have been deprecated.

  • #14542 Debian Stretch support in Vulnerability Detector has been deprecated.

  • #15853 The status field in SCA is deprecated.

  • #16066 Agent group guessing now writes the new group directly on the master node based on the configuration hash.

  • #16098 Added cascading deletion of membership table entries when deleting a group.

  • #16499 Changed agent_groups CLI output so affected agents are not printed when deleting a group.

ThreatLockDown agent

  • #11756 Added support for CPU frequency data provided by Syscollector on Raspberry Pi.

  • #11450 Added support for IPv6 address collection in the agent.

  • #11833 Added the process startup time data provided by Syscollector on macOS.

  • #11571 Added support for package retrieval in Syscollector for openSUSE Tumbleweed and Fedora 34.

  • #11640 Added the process startup time data provided by Syscollector on macOS.

  • #11796 Added support for package data provided by Syscollector on Solaris.

  • #10843 Added support for delta events in Syscollector when data gets changed.

  • #12035 Added support for pre-installed Windows packages in Syscollector.

  • #11268 Added support for IPv6 on agent-manager connection and enrollment.

  • #12582 Added support for CIS-CAT Pro v3 and v4 to the CIS-CAT integration module.

  • #10870 Added support for using the Azure integration module in Linux agents.

  • #11852 Added new error messages when using invalid credentials with the Azure integration.

  • #12515 Added reparse option to CloudWatchLogs and Google Cloud Storage integrations.

  • #14726 ThreatLockDown Agent can now be built and run on Alpine Linux.

  • #15054 Added native Shuffle integration.

  • #11587 Improved the free RAM data provided by Syscollector.

  • #12752 The Windows installer (MSI) now provides signed DLL files.

  • #12748 Changed the group ownership of the Modulesd process to root.

  • #12750 Some parts of Agentd and Execd were refactored.

  • #10478 Handled new exceptions in the external integration modules.

  • #11828 Optimized the number of calls to DB maintenance tasks performed by the AWS integration.

  • #12404 Improved the reparse setting performance by removing unnecessary queries from external integrations.

  • #12478 Updated and expanded Azure module logging functionality to use the ossec.log file.

  • #12647 Improved the error management of the Google Cloud integration.

  • #12769 The logging tag in the GCloud integration is deprecated. It now uses the wazuh_modules debug value to set the verbosity level.

  • #12849 The last_dates.json file of the Azure module was deprecated in favor of a new ORM and database.

  • #12929 Improved the error handling in AWS integration's decompress_file method.

  • #11190 The cluster's compress/decompress methods are improved. zlib is now used for zip compression in cluster synchronization.

  • #11354 The exception handling on ThreatLockDown Agent for Windows was changed to DWARF2.

  • #14696 The root CA certificate for WPK upgrade has been updated.

  • #14822 Agents on macOS now report the OS name as "macOS" instead of "Mac OS X".

  • #14816 The Systemd service stopping policy has been updated.

  • #14793 Changed how the AWS module handles ThrottlingException, adding default values for connection retries when no config file is set.

  • #15404 The agent for Windows now verifies its libraries to prevent side loading.

  • #14543 Azure and AWS credentials are deprecated in the configuration authentication option.

RESTful API

  • #10620 Added new API integration tests for a ThreatLockDown environment without a cluster configuration.

  • #11731 Added wazuh-modulesd tags to GET /manager/logs and GET /cluster/{node_id}/logs endpoints.

  • #12438 Added a Python decorator to soft-deprecate API endpoints by adding deprecation headers to their responses.

  • #12486 Added a new exception to report that the /proc directory is not found or that permissions to read its status are not granted.

  • #12362 Added new field and filter to GET /agents response to retrieve agent groups configuration synchronization status.

  • #12498 Added agent groups configuration synchronization status to GET /agents/summary/status endpoint.

  • #11171 Added JSON log handling.

  • #12029 Added integration tests for IPv6 agent registration.

  • #12887 Enabled ordering by agent count in the /groups endpoints.

  • #12092 Added a hash to API logs to identify users logged in with authorization context.

  • #14295 Added logic to API logger to renew its streams if needed on every request.

  • #14401 Added GET /manager/daemons/stats and GET /cluster/{node_id}/daemons/stats API endpoints.

  • #14464 Added GET /agents/{agent_id}/daemons/stats API endpoint.

  • #14471 Added the possibility to get the configuration of the wazuh-db component in active configuration endpoints.

  • #15084 Added distinct and select parameters to GET /sca/{agent_id} and GET /sca/{agent_id}/checks/{policy_id} endpoints.

  • #15290 Added new endpoint to run vulnerability detector on-demand scans (PUT /vulnerability).

  • #11341 Improved the GET /cluster/healthcheck endpoint and the cluster_control -i more CLI call in loaded cluster environments.

  • #12551 Changed API version and upgrade_version filters to work with different version formats.

  • #9413 Renamed GET /agents/{agent_id}/group/is_sync endpoint to GET /agents/group/is_sync and added new agents_list parameter.

  • #10397 Added POST /security/user/authenticate endpoint and marked GET /security/user/authenticate endpoint as deprecated.

  • #12526 Adapted framework code to agent-group changes to use the new wazuh-db commands.

  • #13791 Updated default timeout for GET /mitre/software to avoid timing out in slow environments after the MITRE DB update to v11.2.

  • #14119 Changed API settings related to remote commands. The remote_commands section will be held within upload_wazuh_configuration.

  • #14233 Improved API unauthorized responses to be more accurate.

  • #14259 Updated framework functions that communicate with the request socket to use remote instead.

  • #14766 Improved parameter validation for API endpoints that require component and configuration parameters.

  • #15017 Improved GET /sca/{agent_id}/checks/{policy_id} API endpoint performance.

  • #15334 Improved exception handling when connecting to ThreatLockDown sockets.

  • #15671 Modified _group_names and _group_names_or_all regexes to avoid invalid group names.

  • #15747 Changed GET /sca/{agent_id}/checks/{policy_id} endpoint filters and response to remove the status field.

  • #12595 Removed never_connected agent status limitation when assigning agents to groups.

  • #12053 Removed null remediations from failed API responses.

  • #12365 GET /agents/{agent_id}/group/is_sync endpoint is deprecated.

Ruleset

  • #13594 Added support for new sysmon events.

  • #13595 Added new detection rules using Sysmon ID 1 events.

  • #13596 Added new detection rules using Sysmon ID 3 events.

  • #13630 Added new detection rules using Sysmon ID 7 events.

  • #13637 Added new detection rules using Sysmon ID 8 events.

  • #13639 Added new detection rules using Sysmon ID 10 events.

  • #13631 Added new detection rules using Sysmon ID 11 events.

  • #13636 Added new detection rules using Sysmon ID 13 events.

  • #13673 Added new detection rules using Sysmon ID 20 events.

  • #13638 Added new PowerShell ScriptBlock detection rules.

  • #15157 Added HPUX 11i SCA policies, with and without Bastille.

  • #15072 Updated ruleset according to new API log changes when the user is logged in with authorization context.

  • #13579 Updated 0580-win-security_rules.xml rules.

  • #13622 Updated ThreatLockDown MITRE ATT&CK database to version 11.3.

  • #13633 Updated detection rules in 0840-win_event_channel.xml.

  • #15070 Reworked the SCA policy for Ubuntu Linux 20.04.

  • #15051 Updated Ubuntu Linux 22.04 SCA Policy with CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.

Other

  • #12733 Added unit tests to the component in Analysisd that extracts the IP address from events.

  • #12518 Added python-json-logger dependency.

  • #10773 The Ruleset test suite is prevented from restarting the manager.

  • #14839 The pthread rwlock was replaced with a FIFO-queueing read-write lock.

  • #15809 Updated Python dependency certifi to 2022.12.7.

  • #15896 Updated Python dependency future to 0.18.3.

  • #16317 Updated Werkzeug to 2.2.3.

  • #16317 Updated Flask to 2.0.0.

  • #16317 Updated itsdangerous to 2.0.0.

  • #16317 Updated Jinja2 to 3.0.0.

  • #16317 Updated MarkupSafe to 2.1.2.

ThreatLockDown dashboard

  • #4323 Added the option to sort by the agents count in the group table.

  • #3874 #5143 #5177 Added agent synchronization status in the agent module.

  • #4739 Added an agent name input; when the user enters a value, the WAZUH_AGENT_NAME variable with that value appears in the installation command.

  • #4512 Redesigned the SCA table in the agent's dashboard.

  • #4501 Enhanced the plugin setting descriptions displayed in the UI and in the configuration file.

  • #4503 #4785 Added validation of plugin settings to the Settings/Configuration form and to the endpoint that updates the plugin configuration.

  • #4505 #4798 #4805 Added new plugin settings to customize the header and footer on the PDF reports.

  • #4507 Added a new plugin setting to enable or disable the customization.

  • #4504 Added the ability to upload an image for the customization.logo.* settings in Settings/Configuration.

  • #4867 Added the macOS version to the deploy agent wizard.

  • #4833 Added the PowerPC architecture for Red Hat 7 in the Deploy new agent section.

  • #4831 Added a centralized service to handle the requests.

  • #4873 Added data-test-subj create policy.

  • #4933 Added an extra steps message and a new command for Windows XP and Windows Server 2008, and added the Alpine agent with all its steps.

  • #4933 Deploy new agent section: added a link to the additional steps for Alpine OS.

  • #4970 Added file saving conditions in File Editor.

  • #5021 #5028 Added character validation to avoid invalid agent names in the section Deploy new agent.

  • #5063 Added default selected options in Deploy Agent page.

  • #5166 Added the server address and ThreatLockDown protocol definition in the Deploy new agent section.

  • #4103 Changed the HTTP verb from GET to POST in the requests to login to the ThreatLockDown API.

  • #4376 #5071 #5131 Improved alerts summary performance.

  • #4363 #5076 Improved Agents Overview performance.

  • #4529 #4964 Improved the message displayed when there is a version mismatch between the ThreatLockDown API and the ThreatLockDown app.

  • #4363 Each dashboard on the Agents Overview page is now loaded independently.

  • #3874 The endpoint /agents/summary/status response was adapted.

  • #4458 Updated and added operating systems, versions, architectures, and the Install and enroll the agent and Start the agent commands in the Deploy new agent section.

  • #4776 #4954 Added cluster's IP and protocol as suggestions in the agent deployment wizard.

  • #4851 Show the OS name and OS version in the agent installation wizard.

  • #4501 Changed the endpoint that updates the plugin configuration to support multiple settings.

  • #4985 Updated the winston dependency to 3.5.1.

  • #4985 Updated the pdfmake dependency to 0.2.6.

  • #4992 The button to export the app logs is now disabled when there are no results instead of showing an error toast.

  • #5031 Unified the SCA check result label name.

  • #5062 Updated mocha dependency to 10.1.0.

  • #5062 Updated pdfmake dependency to 0.2.7.

  • #4491 Removed custom styles from Kibana 7.9.0.

  • #4985 Removed the angular-chart.js dependency.

  • #5062 #5089 Removed the pug-loader dependency.

ThreatLockDown Kibana plugin for Kibana 7.10.2

  • #4323 Added the option to sort by the agents count in the group table.

  • #3874 #5143 #5177 Added agent synchronization status in the agent module.

  • #4739 Added the ability to set the name of the agent using the deployment wizard.

  • #4739 Added an agent name input; when the user enters a value, the WAZUH_AGENT_NAME variable with that value appears in the installation command.

  • #4512 Redesigned the SCA table in the agent's dashboard.

  • #4501 Enhanced the plugin setting descriptions displayed in the UI and in the configuration file.

  • #4503 #4785 Added validation of plugin settings to the Settings/Configuration form and to the endpoint that updates the plugin configuration.

  • #4505 #4798 #4805 Added new plugin settings to customize the header and footer on the PDF reports.

  • #4507 Added a new plugin setting to enable or disable the customization.

  • #4504 Added the ability to upload an image for the customization.logo.* settings in Settings/Configuration.

  • #4867 Added the macOS version to the deploy agent wizard.

  • #4833 Added the PowerPC architecture for Red Hat 7 in the Deploy new agent section.

  • #4831 Added a centralized service to handle the requests.

  • #4873 Added data-test-subj create policy.

  • #4933 Added an extra steps message and a new command for Windows XP and Windows Server 2008, and added the Alpine agent with all its steps.

  • #4933 Deploy new agent section: added a link to the additional steps for Alpine OS.

  • #4970 Added file saving conditions in File Editor.

  • #5021 #5028 Added character validation to avoid invalid agent names in the section Deploy new agent.

  • #5063 Added default selected options in Deploy Agent page.

  • #5166 Added the server address and ThreatLockDown protocol definition in the Deploy new agent section.

  • #4103 Changed the HTTP verb from GET to POST in the requests to login to the ThreatLockDown API.

  • #4376 #5071 #5131 Improved alerts summary performance.

  • #4363 #5076 Improved Agents Overview performance.

  • #4529 #4964 Improved the message displayed when there is a version mismatch between the ThreatLockDown API and the ThreatLockDown app.

  • #4363 Each dashboard on the Agents Overview page is now loaded independently.

  • #3874 The endpoint /agents/summary/status response was adapted.

  • #4458 Updated and added operating systems, versions, architectures, and the Install and enroll the agent and Start the agent commands in the Deploy new agent section.

  • #4776 #4954 Added cluster's IP and protocol as suggestions in the agent deployment wizard.

  • #4851 Show the OS name and OS version in the agent installation wizard.

  • #4501 Changed the endpoint that updates the plugin configuration to support multiple settings.

  • #4985 Updated the winston dependency to 3.5.1.

  • #4992 The button to export the app logs is now disabled when there are no results, instead of showing an error toast.

  • #5062 Updated mocha dependency to 10.1.0.

  • #5031 Unified the SCA check result label name.

  • #5014 Removed the angular-chart.js dependency.

  • #5062 Removed the pug-loader dependency.

  • #5102 Removed unused file related to agent menu.

ThreatLockDown Kibana plugin for Kibana 7.16.x and 7.17.x

  • #4323 Added the option to sort by the agents count in the group table.

  • #3874 #5143 #5177 Added agent synchronization status in the agent module.

  • #4739 Added an agent name input; when the user enters a value, the WAZUH_AGENT_NAME variable with that value appears in the installation command.

  • #4512 Redesigned the SCA table in the agent's dashboard.

  • #4501 Enhanced the plugin setting descriptions displayed in the UI and in the configuration file.

  • #4503 #4785 Added validation of plugin settings to the Settings/Configuration form and to the endpoint that updates the plugin configuration.

  • #4505 #4798 #4805 Added new plugin settings to customize the header and footer on the PDF reports.

  • #4507 Added a new plugin setting to enable or disable the customization.

  • #4504 Added the ability to upload an image for the customization.logo.* settings in Settings/Configuration.

  • #4867 Added the macOS version to the deploy agent wizard.

  • #4833 Added the PowerPC architecture for Red Hat 7 in the Deploy new agent section.

  • #4831 Added a centralized service to handle the requests.

  • #4873 Added data-test-subj create policy.

  • #4933 Added an extra steps message and a new command for Windows XP and Windows Server 2008, and added the Alpine agent with all its steps.

  • #4933 Deploy new agent section: added a link to the additional steps for Alpine OS.

  • #4970 Added file saving conditions in File Editor.

  • #5021 #5028 Added character validation to avoid invalid agent names in the section Deploy new agent.

  • #5063 Added default selected options in Deploy Agent page.

  • #5166 Added the server address and ThreatLockDown protocol definition in the Deploy new agent section.

  • #4103 Changed the HTTP verb from GET to POST in the requests to login to the ThreatLockDown API.

  • #4376 #5071 #5131 Improved alerts summary performance.

  • #4363 #5076 Improved Agents Overview performance.

  • #4529 #4964 Improved the message displayed when there is a version mismatch between the ThreatLockDown API and the ThreatLockDown app.

  • #4363 Each dashboard on the Agents Overview page is now loaded independently.

  • #3874 The endpoint /agents/summary/status response was adapted.

  • #4458 Updated and added operating systems, versions, architectures, and the Install and enroll the agent and Start the agent commands in the Deploy new agent section.

  • #4776 #4954 Added cluster's IP and protocol as suggestions in the agent deployment wizard.

  • #4851 Show the OS name and OS version in the agent installation wizard.

  • #4501 Changed the endpoint that updates the plugin configuration to support multiple settings.

  • #4972 The button to export the app logs is now disabled when there are no results instead of showing an error toast.

  • #4985 Updated the winston dependency to 3.5.1.

  • #4985 Updated the pdfmake dependency to 0.2.6.

  • #4992 The button to export the app logs is now disabled when there are no results instead of showing an error toast.

  • #5062 Updated mocha dependency to 10.1.0.

  • #5062 Updated pdfmake dependency to 0.2.7.

  • #5031 Unified the SCA check result label name.

  • #4985 Removed the angular-chart.js dependency.

  • #5062 Removed the pug-loader dependency.

  • #5103 Removed unused file related to agent menu.

ThreatLockDown Splunk app

  • #1355 Added agent's synchronization statistics.

  • #1355 Updated the response handlers for the /agents/summary/status endpoint.

Packages

  • #1980 The ThreatLockDown dashboard is now based on OpenSearch dashboards 2.4.1.

  • #1979 The ThreatLockDown indexer is now based on OpenSearch 2.4.1.

  • #1715 Added the Alpine package build.

  • #1770 The wazuh-certs-tool.sh now supports multiple IP addresses for each node.

  • #1167 Added the Azure wodle files to the Solaris 11 and RPM agent SPEC files.

  • #1379 Added the new wodles/gcloud files and folders to the Solaris 11 SPEC file.

  • #1453 Added orm.py to the Solaris 11 SPEC file.

  • #1299 Applied the changes required for the new agent-group mechanism.

  • #1569 Removed unnecessary plugins from the default ThreatLockDown dashboard.

  • #1602 Simplified the Splunk packages builder.

  • #1687 Installed open-vm-tools in the OVA.

  • #1699 Added a custom path option for the ThreatLockDown indexer packages.

  • #1751 Updated the ThreatLockDown dashboard loading screen.

  • #1823 The indexer-security-init.sh now accepts DNS names as network hosts.

  • #1154 The ThreatLockDown passwords tool is now able to obtain the IP address of an interface from the configuration file.

  • #1839 The ThreatLockDown installation assistant now uses apt-get instead of apt.

  • #1831 The base creation is now integrated within the build_packages.sh script.

  • #1838 Changed the internal directory in the base container.

  • #1473 Changed method from GET to POST in the API login requests.

  • #1882 Added changes to distribute libstdc++ and libgcc_s with wazuh-packages.

  • #1890 Updated permissions in the ThreatLockDown indexer and ThreatLockDown dashboard.

  • #1876 Removed the deprecated apt-key utility from the ThreatLockDown installation assistant.

  • #1904 Parameterized the ThreatLockDown dashboard script.

  • #1929 Added the ThreatLockDown dashboard light loading screen logo in dark mode.

  • #1930 Added the Distribution version matrix section in the wazuh-packages README.md file.

  • #1961 Added ossec.conf file generation and improved SPECs on the Alpine packages.

  • #1343 Signed the Windows dynamic link library files.

Resolved issues

This release resolves known issues, such as the following:

ThreatLockDown manager

  • #10873 Fixed the wazuh-dbd halt procedure.

  • #12098 Fixed compilation warnings in the manager.

  • #12516 Fixed a bug in the manager that did not send shared folders correctly to agents belonging to multiple groups.

  • #12834 Fixed the Active Response decoders to restore the top entries for source IP in reports.

  • #13338 Fixed the feed update interval option of Vulnerability Detector for the JSON Red Hat feed.

  • #12127 Fixed several code flaws in the Python framework.

  • #10635 Fixed a code flaw regarding the use of the XML package.

  • #10636 Fixed a code flaw regarding permissions on group directories.

  • #10544 Fixed a code flaw regarding temporary directory names.

  • #11951 Fixed a code flaw regarding a try/except/pass code block in wazuh-clusterd.

  • #10782 Fixed framework datetime transformations to UTC.

  • #11866 Fixed a cluster error when Master-Worker tasks were not properly stopped after an exception occurred in one or both parts.

  • #12831 Fixed a cluster logger issue printing NoneType: None in error logs.

  • #13419 Fixed an unhandled cluster error when reading a malformed configuration.

  • #13368 Fixed framework unit test failures when run by the root user.

  • #13405 Fixed a memory leak in analysisd when parsing a disabled Active Response.

  • #13892 wazuh-db is prevented from deleting queue/diff when cleaning databases.

  • #14981 Fixed multiple data race conditions in Remoted reported by ThreadSanitizer.

  • #15151 Fixed aarch64 OS collection in Remoted to allow WPK upgrades.

  • #15165 Fixed a race condition in Remoted that was blocking agent connections.

  • #13531 Fixed the VirusTotal integration to support non-UTF-8 characters.

  • #14922 Fixed a bug masking as Timeout any error that might occur while waiting to receive files in the cluster.

  • #15876 Fixed a read buffer overflow in wazuh-authd when parsing requests.

  • #16012 Applied the workaround for bpo-46309 to the cluster-to-wazuh-db communication.

  • #16233 Let the database module synchronize the agent group data before assignments.

  • #16321 Fixed memory leaks in wazuh-analysisd when parsing and matching rules.

ThreatLockDown agent

Reference

Description

#7687

Fixed collection of maximum user data length.

#10772

Fixed missing fields in Syscollector on Windows 10.

#11227

Fixed the process startup time data provided by Syscollector on Linux.

#11837

Fixed network data reporting by Syscollector related to tunnel or VPN interfaces.

#12066

V9FS file system is skipped at Rootcheck to prevent false positives on WSL.

#9067

Fixed double file handle closing in Logcollector on Windows.

#11949

Fixed a bug in Syscollector that may prevent the agent from stopping when the manager connection is lost.

#12148

Fixed internal exception handling issues on Solaris 10.

#12300

Fixed duplicate error message IDs in the log.

#12691

Fixed compilation warnings in the agent.

#12147

Fixed the skip_on_error parameter of the AWS integration module, which was set to True by default.

#12381

Fixed AWS DB maintenance with Load Balancer Buckets.

#12650

Fixed AWS integration's test_config_format_created_date unit test.

#12630

Fixed created_date field for LB and Umbrella integrations.

#13185

Fixed AWS integration database maintenance error management.

#13674

The default delay at GitHub integration has been increased to 30 seconds.

#14706

Logcollector has been fixed to allow locations containing colons (:).

#13835

Fixed system architecture reporting in Syscollector on Apple Silicon devices.

#14190

The C++ standard library and the GCC runtime library are now included with Wazuh.

#13877

Fixed missing inventory cleaning message in Syscollector.

#15322

Fixed WPK upgrade issue on Windows agents due to process locking.

#13044

Fixed FIM injection vulnerability when using prefilter_cmd option.

#14525

Fixed the parse of ALB logs splitting client_port, target_port and target_port_list in separated ip and port for each key.

#15335

Fixed a bug that prevents processing Macie logs with problematic ipGeolocation values.

#15584

Fixed GCP integration module error messages.

#15575

Fixed an error that prevented the agent on Windows from stopping correctly.

#16140

Fixed Azure integration credentials link.
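The ALB fix listed above (client_port, target_port and target_port_list split into separate ip and port values) is the kind of normalization that lets rules and threat-intel lookups key on a clean client IP instead of an "ip:port" string. The following is an added example of that split, not code from the ThreatLockDown AWS integration module: the input key names come from the release note, while the output key names (client_ip, target_ip, target_ip_list) and the sample record are assumptions made for this illustration. It handles the two cases a naive split on the first colon gets wrong, IPv6 client addresses and the "-" placeholder ALB writes when a request never reached a target.

```python
"""Split AWS ALB access-log 'host:port' fields into separate ip/port keys.

Added example, not the ThreatLockDown AWS integration code. Input keys
(client_port, target_port, target_port_list) follow the release note; the
output key names and SAMPLE_RECORD below are assumptions for illustration.
"""
from typing import Dict, List, Optional, Tuple


def split_host_port(value: str) -> Tuple[Optional[str], Optional[int]]:
    """Split an ALB 'host:port' value into (host, port).

    ALB writes '-' when there is no target (e.g. the request never reached
    one), and IPv6 addresses contain colons themselves, so the split must be
    on the LAST colon, not the first.
    """
    if not value or value == "-":
        return None, None
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        # No port component at all; keep the raw value as the host.
        return value, None
    # Tolerate bracketed IPv6 ('[2001:db8::1]:443') as well as the bare form.
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def split_alb_ports(record: Dict[str, str]) -> Dict[str, object]:
    """Return a copy of `record` with the three ALB 'host:port' fields split.

    client_port      -> client_ip (str|None)         + client_port (int|None)
    target_port      -> target_ip (str|None)         + target_port (int|None)
    target_port_list -> target_ip_list (list of str) + target_port_list (list of int)
    """
    out: Dict[str, object] = dict(record)

    for key, ip_key in (("client_port", "client_ip"), ("target_port", "target_ip")):
        if key in record:
            ip, port = split_host_port(record[key])
            out[ip_key] = ip
            out[key] = port

    if "target_port_list" in record:
        # target:port_list is a space-separated list; '-' means no targets.
        raw = record["target_port_list"].strip()
        entries: List[str] = [] if raw in ("", "-") else raw.split()
        pairs = [split_host_port(entry) for entry in entries]
        out["target_ip_list"] = [ip for ip, _ in pairs]
        out["target_port_list"] = [port for _, port in pairs]

    return out


# Constructed sample record (not real log data): a request that was rejected
# before reaching a target, so target_port carries the '-' placeholder.
SAMPLE_RECORD: Dict[str, str] = {
    "elb": "app/example-alb/50dc6c495c0c9188",
    "client_port": "203.0.113.10:44712",
    "target_port": "-",
    "target_port_list": "10.0.1.5:80 10.0.1.6:80",
}

if __name__ == "__main__":
    import json
    print(json.dumps(split_alb_ports(SAMPLE_RECORD), indent=2))
```

Splitting on the last colon is what makes a bare IPv6 client such as 2001:db8::1:443 come out as address 2001:db8::1 and port 443; the "-" placeholder is mapped to None rather than left as a string that would otherwise break numeric port comparisons in rules.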

RESTful API

Reference

Description

#12302

Fixed copy functions used for the backup files and upload endpoints to prevent incorrect metadata.

#11010

Fixed a bug where IDs were not sorted in the Active Response and Agent endpoints when the cluster was disabled.

#10736

Fixed a bug where null values from wazuh-db were returned in API responses.

#12063

Connections through WazuhQueue will be closed gracefully in all situations.

#12450

Fixed exception handling when trying to get the active configuration of a valid but not configured component.

#12700

Fixed the api.yaml path suggested as remediation in exception.py.

#12768

Fixed /tmp access error in containers of API integration tests environment.

#13096

The API now returns an error when agent inventory information is requested for an agent that has no database (agents that never connected).

#13171 #13386

Improved regex used for the q parameter on API requests with special characters and brackets.

#12592

Removed board_serial from syscollector integration tests expected responses.

#12557

Removed cmd field from expected responses of syscollector integration tests.

#12611

Reduced the maximum number of groups per agent to 128 and adjusted group name validation.

#14204

Reduced amount of memory required to read CDB lists using the API.

#14237

Fixed a bug where the cluster health check endpoint and CLI would add an extra active agent to the master node.

#15311

Fixed a bug that prevented updating the configuration through the API when it contains multiple <ossec_conf> blocks.

#15194

Fixed vulnerability API integration tests' healthcheck.

Ruleset

Reference

Description

#11613

Fixed the OpenWRT decoder to parse UFW logs.

#14807

Fixed a bug in the wazuh-api-fields decoder.

#13567

Fixed deprecated MITRE tags in rules.

#15241

Fixed SCA checks whose IDs were not unique.

#14513

Fixed regex in check 5.1.1 of Ubuntu 20.04 SCA.

#15251

Removed wrong Fedora Linux SCA default policies.

#15156

Fixed duplicated check IDs 7521 and 7522 in the SUSE Linux Enterprise 15 SCA policy.

Other

Reference

Description

#14165

Fixed Makefile to detect CPU architecture on Gentoo Linux.

ThreatLockDown dashboard

Reference

Description

#4425

Fixed nested fields filtering in dashboards tables and KPIs.

#4428

Fixed nested field rendering in security alerts table details.

#4539

Fixed a bug where the ThreatLockDown logo was used instead of the custom one.

#4516

Fixed rendering problems of the Agent Overview section in low resolutions.

#4595

Fixed issue when logging out from ThreatLockDown when SAML is enabled.

#4710 #4728 #4971

Fixed HTTP 500 server errors when the ThreatLockDown API is not reachable or not running.

#4653 #5010

Fixed pagination in the SCA table.

#4849

Fixed WAZUH_PROTOCOL param suggestion.

#4876 #4880

Raspbian OS, Ubuntu, Amazon Linux, and Amazon Linux 2 commands now change when a different architecture is selected in the deploy agent wizard.

#4929

Disabled unmapped fields filter in Security Events alerts table.

#4933

Deploy new agent section: Fixed how macOS versions and architectures were displayed, fixed how agents were displayed, and fixed how Ubuntu versions were displayed.

#4943

Fixed agent deployment instructions for HP-UX and Solaris.

#4638 #5046

Fixed a bug that caused the flyouts to close when clicking inside them.

#4981

Fixed the manager option in the agent deployment section.

#4999 #5031

Fixed Inventory checks table filters by stats.

#4962

Fixed commands in the deploy new agent section (most of the commands were missing -1).

#4968

Fixed agent installation command for macOS in the deploy new agent section.

#4942

Fixed agent graph in OpenSearch dashboard.

#4984

Fixed commands in the deploy new agent section (most of the commands were missing -1).

#4975

Fixed the default last scan date parser so it can handle the dates returned by the ThreatLockDown API when no vulnerability scan has been made.

#5035

A Solaris command has been fixed.

#5045

Fixed commands: AIX, openSUSE, Alpine, SUSE 11, Fedora, HP-UX, Oracle Linux 5, Amazon Linux 2, CentOS 5. Changed the wording "or higher" in buttons to "+". Fixed validations for HP-UX, Solaris and Alpine.

#5069

Fixed an error in the GitHub module PDF report.

#5098

Fixed password input in deploy new agent section.

#5094

Fixed error when clicking on the selectors of agents in the group agents management.

#5092

Fixed the menu content panel being displayed in the wrong place.

#5101

Fixed greyed and disabled menu section names.

#5107

Fixed misspelling in the NIST module.

#5150

Fixed the statistics cron job bulk document insert.

#5137

Fixed the style of the buttons showing more event information in the event view table.

#5144

Fixed Inventory module for Solaris agents.

#5167

Fixed the module information button in the Office365 and GitHub Panel tab to open the nav drawer.

#5200

Fixed a UI crash caused by the external_references field being missing in some vulnerability data.

#5273

Fixed the ThreatLockDown main menu not being displayed when the navigation menu is locked.

#5286

Fixed the event view, which failed when the Lucene language was selected in the search bar.

#5285 #5295

Fixed the incorrect use of the connection secure property by Deploy Agent.

#5291

Fixed header rendering in the agent view.

ThreatLockDown Kibana plugin for Kibana 7.10.2

Reference

Description

#4425

Fixed nested fields filtering in dashboards tables and KPIs.

#4428

Fixed nested field rendering in security alerts table details.

#4539

Fixed a bug where the ThreatLockDown logo was used instead of the custom one.

#4516

Fixed rendering problems of the Agent Overview section in low resolutions.

#4595

Fixed issue when logging out from ThreatLockDown when SAML is enabled.

#4710 #4728 #4971

Fixed HTTP 500 server errors when the ThreatLockDown API is not reachable or not running.

#4653 #5010

Fixed pagination in the SCA table.

#4849

Fixed WAZUH_PROTOCOL param suggestion.

#4876 #4880

Raspbian OS, Ubuntu, Amazon Linux, and Amazon Linux 2 commands now change when a different architecture is selected in the deploy agent wizard.

#4929

Disabled unmapped fields filter in Security Events alerts table.

#4981

Fixed the manager option in the agent deployment section.

#4999 #5031

Fixed Inventory checks table filters by stats.

#4962

Fixed commands in the deploy new agent section (most of the commands were missing -1).

#4968

Fixed agent installation command for macOS in the deploy new agent section.

#4933

Deploy new agent section: Fixed how macOS versions and architectures were displayed, fixed how agents were displayed, and fixed how Ubuntu versions were displayed.

#4943

Fixed agent deployment instructions for HP-UX and Solaris.

#4999

Fixed Inventory checks table filters by stats.

#4975

Fixed the default last scan date parser so it can handle the dates returned by the ThreatLockDown API when no vulnerability scan has been made.

#5035

A Solaris command has been fixed.

#5045

Fixed commands: AIX, openSUSE, Alpine, SUSE 11, Fedora, HP-UX, Oracle Linux 5, Amazon Linux 2, CentOS 5. Changed the wording "or higher" in buttons to "+". Fixed validations for HP-UX, Solaris and Alpine.

#5069

Fixed an error in the GitHub module PDF report.

#5098

Fixed password input in deploy new agent section.

#5094

Fixed error when clicking on the selectors of agents in the group agents management.

#5107

Fixed misspelling in the NIST module.

#5150

Fixed the statistics cron job bulk document insert.

#5137

Fixed the style of the buttons showing more event information in the event view table.

#5144

Fixed Inventory module for Solaris agents.

#5200

Fixed a UI crash caused by the external_references field being missing in some vulnerability data.

#5285 #5295

Fixed the incorrect use of the connection secure property by Deploy Agent.

#5291

Fixed header rendering in the agent view.

ThreatLockDown Kibana plugin for Kibana 7.16.x and 7.17.x

Reference

Description

#4425

Fixed nested fields filtering in dashboards tables and KPIs.

#4428 #4925

Fixed nested field rendering in security alerts table details.

#4539

Fixed a bug where the ThreatLockDown logo was used instead of the custom one.

#4516

Fixed rendering problems of the Agent Overview section in low resolutions.

#4595

Fixed issue when logging out from ThreatLockDown when SAML is enabled.

#4710 #4728 #4971

Fixed HTTP 500 server errors when the ThreatLockDown API is not reachable or not running.

#4653 #5010

Fixed pagination in the SCA table.

#4849

Fixed WAZUH_PROTOCOL param suggestion.

#4876 #4880

Raspbian OS, Ubuntu, Amazon Linux, and Amazon Linux 2 commands now change when a different architecture is selected in the deploy agent wizard.

#4929

Disabled unmapped fields filter in Security Events alerts table.

#4832 #4838

Fixed the agents wizard OS styles and their versions.

#4981

Fixed the manager option in the agent deployment section.

#4999 #5031

Fixed Inventory checks table filters by stats.

#4962

Fixed commands in the deploy new agent section (most of the commands were missing -1).

#4968

Fixed agent installation command for macOS in the deploy new agent section.

#4933

Deploy new agent section: Fixed how macOS versions and architectures were displayed, fixed how agents were displayed, and fixed how Ubuntu versions were displayed.

#4943

Fixed agent deployment instructions for HP-UX and Solaris.

#4999

Fixed Inventory checks table filters by stats.

#4983

Fixed agent installation command for macOS in the deploy new agent section.

#4975

Fixed the default last scan date parser so it can handle the dates returned by the ThreatLockDown API when no vulnerability scan has been made.

#5035

A Solaris command has been fixed.

#5045

Fixed commands: AIX, openSUSE, Alpine, SUSE 11, Fedora, HP-UX, Oracle Linux 5, Amazon Linux 2, CentOS 5. Changed the wording "or higher" in buttons to "+". Fixed validations for HP-UX, Solaris and Alpine.

#5069

Fixed an error in the GitHub module PDF report.

#5098

Fixed password input in deploy new agent section.

#5094

Fixed error when clicking on the selectors of agents in the group agents management.

#5107

Fixed misspelling in the NIST module.

#5150

Fixed the statistics cron job bulk document insert.

#5137

Fixed the style of the buttons showing more event information in the event view table.

#5144

Fixed Inventory module for Solaris agents.

#5200

Fixed a UI crash caused by the external_references field being missing in some vulnerability data.

#5285 #5295

Fixed the incorrect use of the connection secure property by Deploy Agent.

#5291

Fixed header rendering in the agent view.

Packages

Reference

Description

#1091

Updated g++ to fix an undefined behavior on openSUSE Tumbleweed.

#976

Added the missing tar dependency in the ThreatLockDown installation assistant.

#1196

Fixed the RPM wazuh-agent package build.

#1431

Fixed a compilation error on CentOS 5 and CentOS 7, as well as the building of the Docker images for CentOS 5 on the i386 architecture.

#1611

Fixed the Solaris 11 generation branch.

#1653

Fixed the log cleaning command in the OVA generation.

#1661

Fixed the invoke.rc call.

#1674

Fixed RHEL9 init.d file installation.

#1675

Fixed RHEL9 sysv-init error.

#1650

Fixed the package building for Arch Linux.

#1688

Updated the generate_ova.sh script.

#2019

Removed error logs from the OVA.

#1905

Fixed service enablement in SUSE packages.

#1877

Fixed package conflicts between the wazuh-manager and azure-cli on CentOS 8.

#1779

Fixed the ThreatLockDown installation assistant all-in-one deployment on Fedora 36.

#1812

Fixed the RHEL and CentOS SCA template generation.

#1826

Fixed the wazuh-certs-tool.sh behavior when the given command does not match the content of the config.yml file.

#1824

Added a daemon-reload at the end of the rollback function.

#1836

Fixed the ThreatLockDown offline installation messages.

#1898

Removed ThreatLockDown dashboard and ThreatLockDown indexer init.d service for RHEL9.

#1925

Removed a black square icon from the ThreatLockDown dashboard.

#1963

An issue that didn't allow the ThreatLockDown installation assistant to create certificates for more than 9 nodes is now fixed.

#1987

Removed the init.d service for ThreatLockDown dashboard RPM.

#1983

requestHeadersWhitelist is deprecated and has been replaced by requestHeadersAllowlist.

#1986

The ThreatLockDown installation assistant now shows a message indicating that the ThreatLockDown indexer was removed.

#2018

Disabled the expanded header by default in the ThreatLockDown dashboard.

#1932

Added a flag mechanism to configure the protection for untrusted library verification.

#1727

Added a fix to avoid a GLIBC crash.

Changelogs

More details about these changes are provided in the changelog of each component: