4.4.0 Release notes - 28 March 2023
This section lists the changes in version 4.4.0. Every update of the ThreatLockDown solution is cumulative and includes all enhancements and fixes from previous releases.
Highlights
This new version of ThreatLockDown brings new features and adds support for some Linux distributions and integrations. For more details, the highlights of ThreatLockDown 4.4.0 are listed below:
IPv6 support for the enrollment process and the agent-manager connection
Vulnerability detection support for SUSE agents
ThreatLockDown indexer and dashboard are now based on OpenSearch 2.4.1 version
Rework of Ubuntu Linux 20.04 and 22.04 SCA policies
Support for Azure Integration in Linux agents
Below you can find more information about each of these highlights.
ThreatLockDown 4.4.0 brings IPv6 support when connecting and enrolling an agent to a manager. The IPv6 protocol can handle packets more effectively, enhance performance, and boost security. This new feature allows agents to register and connect through an IPv6 address.
SUSE agents now natively support vulnerability detection. ThreatLockDown added full support for SUSE Linux Enterprise Server and Desktop operating systems versions 11, 12, and 15. The Vulnerability Detector now scans the programs identified by Syscollector, looking to report vulnerabilities described in the SUSE OVAL and the NVD databases.
ThreatLockDown indexer and dashboard bump to OpenSearch 2.4.1. The ThreatLockDown indexer and the ThreatLockDown dashboard are based on OpenSearch, an open source search and analytics project derived from Elasticsearch and Kibana. We generated and tested the wazuh-indexer Debian and RPM packages with OpenSearch 2.4.1 and the wazuh-dashboard Debian and RPM packages with OpenSearch Dashboards 2.4.1. This way, we avoid earlier version vulnerabilities and incorporate new functionalities.
To solve some errors in the previous Ubuntu Linux 20.04 SCA Policy, we reworked the Ubuntu Linux 20.04 and 22.04 SCA policies. As part of this task, we used the CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0 to update Ubuntu Linux 22.04 SCA Policy.
ThreatLockDown added support for Azure Integration in Linux agents. Now this integration can run for both agents and managers. We modified the packages generation process to support Azure in those agents that are installed using the WPK packages. Each new WPK package contains all the updated binaries and source code, and the installer updates all files and binaries to support Azure integration.
Finally, it is worth noting that we maintain support for all installation alternatives. Indeed, we maintain and extend this support by adding more recent versions.
Note
Starting with ThreatLockDown v4.5.0, the central components will only support the Amazon Linux, RHEL, CentOS, and Ubuntu operating systems whose versions are officially supported by their vendors. ThreatLockDown agents will maintain their current support status.
Breaking changes
This release includes some breaking changes, such as the following:
ThreatLockDown manager
#10865 The agent key polling module has been ported to wazuh-authd.
RESTful API
#14119 Added new setting upload_wazuh_configuration to the ThreatLockDown API configuration. The old parameter remote_commands is now part of this setting.
#14230 Deprecated GET /manager/stats/analysisd, GET /manager/stats/remoted, GET /cluster/{node_id}/stats/analysisd, and GET /cluster/{node_id}/stats/remoted API endpoints. Use the new endpoints GET /manager/daemons/stats and GET /cluster/{node_id}/daemons/stats, respectively.
#16231 Removed RBAC group assignments' related permissions from DELETE /groups to improve performance and changed the response structure.
Ruleset
ThreatLockDown ruleset has been updated, and you can check the changes in the following list. If you have a custom set of decoders and rules, please check the changes done.
What's new
This version includes new features or improvements, such as the following:
ThreatLockDown manager
#9995 Added new unit tests for cluster Python module and increased coverage to 99%.
#11190 Added file size limitation on cluster integrity sync.
#13424 Added unittests for CLIs script files.
#9962 Added support for SUSE in Vulnerability Detector.
#13263 Added support for Ubuntu Jammy in Vulnerability Detector.
#13608 Added a software limit to restrict the number of EPS a manager can process.
#11753 Added a new wazuh-clusterd task for agent-groups info synchronization.
#14950 Added unit tests for functions in charge of getting ruleset sync status.
#14950 Added auto-vacuum mechanism in wazuh-db.
#10843 Delta events in Syscollector when data gets changed may now produce alerts.
#10822 wazuh-logtest now shows warnings about ruleset issues.
#12206 Modulesd memory is now managed by jemalloc to help reduce memory fragmentation.
#12117 Updated the Vulnerability Detector configuration reporting to include MSU and skip JSON Red Hat feed.
#12352 Improved the shared configuration file handling performance.
#11753 The agent group data is now natively handled by ThreatLockDown DB.
#10710 Improved security at cluster zip filenames creation.
#12390 The core/common.py module is refactored.
#12497 The format_data_into_dictionary method of WazuhDBQuerySyscheck class is refactored.
#11124 The maximum zip size that can be created while synchronizing cluster Integrity is limited.
#13065 The functions in charge of synchronizing files in the cluster are refactored.
#13079 Changed MD5 hash function to BLAKE2 for cluster file comparison.
#12926 Renamed wazuh-logtest and wazuh-clusterd scripts to follow the same scheme as the other scripts (spaces symbolized with _ instead of -).
#13741 Added the update field in the CPE Helper for Vulnerability Detector.
#11702 The agents with the same ID are prevented from connecting to the manager simultaneously.
#13713 wazuh-analysisd, wazuh-remoted, and wazuh-db metrics have been extended.
#11753 The number of wazuh-clusterd messages from workers to master related to agent-info tasks is minimized and optimized.
#14244 The performance of the agent_groups CLI is improved when listing agents belonging to a group.
#14475 Changed wazuh-clusterd binary behavior to kill any existing cluster processes when executed.
#14791 Changed wazuh-clusterd tasks to wait asynchronously for responses coming from wazuh-db.
#11190 Use zlib for zip compression in cluster synchronization.
#12241 Added mechanism to dynamically adjust zip size limit in Integrity sync.
#12409 Removed the unused internal option wazuh_db.sock_queue_size.
#10940 Removed all the unused exceptions from the exceptions.py file.
#10740 Removed unused execute method from core/utils.py.
#13119 Removed unused set_user_name function in framework.
#12370 Unused internal calls to wazuh-db have been deprecated.
#14542 Debian Stretch support in Vulnerability Detector has been deprecated.
#15853 The status field in SCA is deprecated.
#16066 Agent group guessing now writes the new group directly on the master node based on the configuration hash.
#16098 Added cascading deletion of membership table entries when deleting a group.
#16499 Changed agent_groups CLI output so affected agents are not printed when deleting a group.
ThreatLockDown agent
#11756 Added support of CPU frequency data provided by Syscollector on Raspberry Pi.
#11450 Added support for IPv6 address collection in the agent.
#11833 Added the process startup time data provided by Syscollector on macOS.
#11571 Added support for package retrieval in Syscollector for openSUSE Tumbleweed and Fedora 34.
#11640 Added the process startup time data provided by Syscollector on macOS.
#11796 Added support for package data provided by Syscollector on Solaris.
#10843 Added support for delta events in Syscollector when data gets changed.
#12035 Added support for pre-installed Windows packages in Syscollector.
#11268 Added support for IPv6 on agent-manager connection and enrollment.
#12582 Added support for CIS-CAT Pro v3 and v4 to the CIS-CAT integration module.
#10870 Added support for using the Azure integration module in Linux agents.
#11852 Added new error messages when using invalid credentials with the Azure integration.
#12515 Added reparse option to CloudWatchLogs and Google Cloud Storage integrations.
#14726 ThreatLockDown Agent can now be built and run on Alpine Linux.
#15054 Added native Shuffle integration.
#11587 Improved the free RAM data provided by Syscollector.
#12752 The Windows installer (MSI) now provides signed DLL files.
#12748 Changed the group ownership of the Modulesd process to root.
#12750 Some parts of Agentd and Execd were refactored.
#10478 Handled new exceptions in the external integration modules.
#11828 Optimized the number of calls to DB maintenance tasks performed by the AWS integration.
#12404 Improved the reparse setting performance by removing unnecessary queries from external integrations.
#12478 Updated and expanded Azure module logging functionality to use the ossec.log file.
#12647 Improved the error management of the Google Cloud integration.
#12769 The logging tag in GCloud integration is deprecated. It now uses the wazuh_modules debug value to set the verbosity level.
#12849 The last_dates.json file of the Azure module was deprecated in favor of a new ORM and database.
#12929 Improved the error handling in AWS integration's decompress_file method.
#11190 The compress/decompress Cluster's methods are now improved. Now we use zlib for zip compression in cluster synchronization.
#11354 The exception handling on ThreatLockDown Agent for Windows was changed to DWARF2.
#14696 The root CA certificate for WPK upgrade has been updated.
#14822 Agents on macOS now report the OS name as "macOS" instead of "Mac OS X".
#14816 The Systemd service stopping policy has been updated.
#14793 Changed how the AWS module handles ThrottlingException, adding default values for connection retries in case no config file is set.
#15404 The agent for Windows now verifies its libraries to prevent side loading.
#14543 Azure and AWS credentials are deprecated in the configuration authentication option.
RESTful API
#10620 Added new API integration tests for a ThreatLockDown environment without a cluster configuration.
#11731 Added wazuh-modulesd tags to GET /manager/logs and GET /cluster/{node_id}/logs endpoints.
#12438 Added Python decorator to soft deprecate API endpoints adding deprecation headers to their responses.
#12486 Added new exception to inform that /proc directory is not found or permissions to see its status are not granted.
#12362 Added new field and filter to GET /agents response to retrieve agent groups configuration synchronization status.
#12498 Added agent groups configuration synchronization status to GET /agents/summary/status endpoint.
#11171 Added JSON log handling.
#12029 Added integration tests for IPv6 agent's registration.
#12887 Enable ordering count in /groups endpoints by Agents.
#12092 Added a hash to API logs to identify users logged in with authorization context.
#14295 Added logic to API logger to renew its streams if needed on every request.
#14401 Added GET /manager/daemons/stats and GET /cluster/{node_id}/daemons/stats API endpoints.
#14464 Added GET /agents/{agent_id}/daemons/stats API endpoint.
#14471 Added the possibility to get the configuration of the wazuh-db component in active configuration endpoints.
#15084 Added distinct and select parameters to GET /sca/{agent_id} and GET /sca/{agent_id}/checks/{policy_id} endpoints.
#15290 Added new endpoint to run vulnerability detector on-demand scans (PUT /vulnerability).
#11341 Improved GET /cluster/healthcheck endpoint and cluster_control -i more CLI call in loaded cluster environments.
#12551 Changed API version and upgrade_version filters to work with different version formats.
#9413 Renamed GET /agents/{agent_id}/group/is_sync endpoint to GET /agents/group/is_sync and added new agents_list parameter.
#10397 Added POST /security/user/authenticate endpoint and marked GET /security/user/authenticate endpoint as deprecated.
#12526 Adapted framework code to agent-group changes to use the new wazuh-db commands.
#13791 Updated default timeout for GET /mitre/software to avoid timing out in slow environments after the MITRE DB update to v11.2.
#14119 Changed API settings related to remote commands. The remote_commands section will be held within upload_wazuh_configuration.
#14233 Improved API unauthorized responses to be more accurate.
#14259 Updated framework functions that communicate with the request socket to use remote instead.
#14766 Improved parameter validation for API endpoints that require component and configuration parameters.
#15017 Improved GET /sca/{agent_id}/checks/{policy_id} API endpoint performance.
#15334 Improved exception handling when connecting to ThreatLockDown sockets.
#15671 Modified _group_names and _group_names_or_all regexes to avoid invalid group names.
#15747 Changed GET /sca/{agent_id}/checks/{policy_id} endpoint filters and response to remove the status field.
#12595 Removed never_connected agent status limitation when assigning agents to groups.
#12053 Removed null remediations from failed API responses.
#12365 GET /agents/{agent_id}/group/is_sync endpoint is deprecated.
Ruleset
#13594 Added support for new sysmon events.
#13595 Added new detection rules using Sysmon ID 1 events.
#13596 Added new detection rules using Sysmon ID 3 events.
#13630 Added new detection rules using Sysmon ID 7 events.
#13637 Added new detection rules using Sysmon ID 8 events.
#13639 Added new detection rules using Sysmon ID 10 events.
#13631 Added new detection rules using Sysmon ID 11 events.
#13636 Added new detection rules using Sysmon ID 13 events.
#13673 Added new detection rules using Sysmon ID 20 events.
#13638 Added new PowerShell ScriptBlock detection rules.
#15157 Added HPUX 11i SCA policies using bastille and without bastille.
#15072 Updated ruleset according to new API log changes when the user is logged in with authorization context.
#13579 Updated 0580-win-security_rules.xml rules.
#13622 Updated ThreatLockDown MITRE ATT&CK database to version 11.3.
#13633 Updated detection rules in 0840-win_event_channel.xml.
#15070 SCA policy for Ubuntu Linux 20.04 rework.
#15051 Updated Ubuntu Linux 22.04 SCA Policy with CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.
Other
#12733 Added unit tests to the component in Analysisd that extracts the IP address from events.
#12518 Added python-json-logger dependency.
#10773 The Ruleset test suite is prevented from restarting the manager.
#14839 The pthread's rwlock was replaced with a FIFO-queueing read-write lock.
#15809 Updated Python dependency certifi to 2022.12.7.
#15896 Updated Python dependency future to 0.18.3.
#16317 Updated Werkzeug to 2.2.3.
#16317 Updated Flask to 2.0.0.
#16317 Updated itsdangerous to 2.0.0.
#16317 Updated Jinja2 to 3.0.0.
#16317 Updated MarkupSafe to 2.1.2.
ThreatLockDown dashboard
#4323 Added the option to sort by the agents count in the group table.
#3874 #5143 #5177 Added agent synchronization status in the agent module.
#4739 The input name was added so that when the user adds a value, the variable WAZUH_AGENT_NAME with its value appears in the installation command.
#4512 Redesign the SCA table from the agent's dashboard.
#4501 The plugin setting description displayed in the UI, and the configuration file are enhanced.
#4503 #4785 Added validation to the plugin settings in the form of Settings/Configuration and the endpoint to update the plugin configuration.
#4505 #4798 #4805 Added new plugin settings to customize the header and footer on the PDF reports.
#4507 Added a new plugin setting to enable or disable the customization.
#4504 Added the ability to upload an image for the customization.logo.* settings in Settings/Configuration.
#4867 Added macOS version to wizard deploy agent.
#4833 Added PowerPC architecture in Red Hat 7, in the section Deploy new agent.
#4831 Added a centralized service to handle the requests.
#4873 Added data-test-subj create policy.
#4933 Added extra steps message and a new command for Windows XP and Windows Server 2008, added Alpine agent with all its steps.
#4933 Deploy new agent section: Added link for additional steps to Alpine OS.
#4970 Added file saving conditions in File Editor.
#5021 #5028 Added character validation to avoid invalid agent names in the section Deploy new agent.
#5063 Added default selected options in Deploy Agent page.
#5166 Added the server address and ThreatLockDown protocol definition in the Deploy new agent section.
#4103 Changed the HTTP verb from GET to POST in the requests to login to the ThreatLockDown API.
#4529 #4964 Improved the message displayed when a version mismatches between the ThreatLockDown API and the ThreatLockDown APP.
#4363 Independently load each dashboard from the Agents Overview page.
#3874 The endpoint /agents/summary/status response was adapted.
#4458 Updated and added operating systems, versions, architectures commands of Install and enroll the agent and commands of Start the agent in the deploy new agent section.
#4776 #4954 Added cluster's IP and protocol as suggestions in the agent deployment wizard.
#4851 Show the OS name and OS version in the agent installation wizard.
#4501 Changed the endpoint that updates the plugin configuration to support multiple settings.
#4985 Updated the winston dependency to 3.5.1.
#4985 Updated the pdfmake dependency to 0.2.6.
#4992 The button to export the app logs is now disabled when there are no results instead of showing an error toast.
#5031 Unify the SCA check result label name.
#5062 Updated mocha dependency to 10.1.0.
#5062 Updated pdfmake dependency to 0.2.7.
#4491 Removed custom styles from Kibana 7.9.0.
#4985 Removed the angular-chart.js dependency.
ThreatLockDown Kibana plugin for Kibana 7.10.2
#4323 Added the option to sort by the agents count in the group table.
#3874 #5143 #5177 Added agent synchronization status in the agent module.
#4739 Added the ability to set the name of the agent using the deployment wizard.
#4739 The input name was added so that when the user adds a value, the variable WAZUH_AGENT_NAME with its value appears in the installation command.
#4512 Redesign the SCA table from the agent's dashboard.
#4501 The plugin setting description displayed in the UI, and the configuration file are enhanced.
#4503 #4785 Added validation to the plugin settings in the form of Settings/Configuration and the endpoint to update the plugin configuration.
#4505 #4798 #4805 Added new plugin settings to customize the header and footer on the PDF reports.
#4507 Added a new plugin setting to enable or disable the customization.
#4504 Added the ability to upload an image for the customization.logo.* settings in Settings/Configuration.
#4867 Added macOS version to wizard deploy agent.
#4833 Added PowerPC architecture in Red Hat 7, in the section Deploy new agent.
#4831 Added a centralized service to handle the requests.
#4873 Added data-test-subj create policy.
#4933 Added extra steps message and a new command for Windows XP and Windows Server 2008, added Alpine agent with all its steps.
#4933 Deploy new agent section: Added link for additional steps to Alpine OS.
#4970 Added file saving conditions in File Editor.
#5021 #5028 Added character validation to avoid invalid agent names in the section Deploy new agent.
#5063 Added default selected options in Deploy Agent page.
#5166 Added the server address and ThreatLockDown protocol definition in the Deploy new agent section.
#4103 Changed the HTTP verb from GET to POST in the requests to login to the ThreatLockDown API.
#4529 #4964 Improved the message displayed when a version mismatches between the ThreatLockDown API and the ThreatLockDown APP.
#4363 Independently load each dashboard from the Agents Overview page.
#3874 The endpoint /agents/summary/status response was adapted.
#4458 Updated and added operating systems, versions, architectures commands of Install and enroll the agent and commands of Start the agent in the deploy new agent section.
#4776 #4954 Added cluster's IP and protocol as suggestions in the agent deployment wizard.
#4851 Show the OS name and OS version in the agent installation wizard.
#4501 Changed the endpoint that updates the plugin configuration to support multiple settings.
#4985 Updated the winston dependency to 3.5.1.
#4992 The button to export the app logs is now disabled when there are no results, instead of showing an error toast.
#5062 Updated mocha dependency to 10.1.0.
#5031 Unify the SCA check result label name.
#5014 Removed the angular-chart.js dependency.
#5062 Removed the pug-loader dependency.
#5102 Removed unused file related to agent menu.
ThreatLockDown Kibana plugin for Kibana 7.16.x and 7.17.x
#4323 Added the option to sort by the agents count in the group table.
#3874 #5143 #5177 Added agent synchronization status in the agent module.
#4739 The input name was added so that when the user adds a value, the variable WAZUH_AGENT_NAME with its value appears in the installation command.
#4512 Redesign the SCA table from the agent's dashboard.
#4501 The plugin setting description displayed in the UI, and the configuration file are enhanced.
#4503 #4785 Added validation to the plugin settings in the form of Settings/Configuration and the endpoint to update the plugin configuration.
#4505 #4798 #4805 Added new plugin settings to customize the header and footer on the PDF reports.
#4507 Added a new plugin setting to enable or disable the customization.
#4504 Added the ability to upload an image for the customization.logo.* settings in Settings/Configuration.
#4867 Added macOS version to wizard deploy agent.
#4833 Added PowerPC architecture in Red Hat 7, in the section Deploy new agent.
#4831 Added a centralized service to handle the requests.
#4873 Added data-test-subj create policy.
#4933 Added extra steps message and a new command for Windows XP and Windows Server 2008, added Alpine agent with all its steps.
#4933 Deploy new agent section: Added link for additional steps to Alpine OS.
#4970 Added file saving conditions in File Editor.
#5021 #5028 Added character validation to avoid invalid agent names in the section Deploy new agent.
#5063 Added default selected options in Deploy Agent page.
#5166 Added the server address and ThreatLockDown protocol definition in the Deploy new agent section.
#4103 Changed the HTTP verb from GET to POST in the requests to login to the ThreatLockDown API.
#4529 #4964 Improved the message displayed when a version mismatches between the ThreatLockDown API and the ThreatLockDown APP.
#4363 Independently load each dashboard from the Agents Overview page.
#3874 The endpoint /agents/summary/status response was adapted.
#4458 Updated and added operating systems, versions, architectures commands of Install and enroll the agent and commands of Start the agent in the deploy new agent section.
#4776 #4954 Added cluster's IP and protocol as suggestions in the agent deployment wizard.
#4851 Show the OS name and OS version in the agent installation wizard.
#4501 Changed the endpoint that updates the plugin configuration to support multiple settings.
#4972 The button to export the app logs is now disabled when there are no results instead of showing an error toast.
#4985 Updated the winston dependency to 3.5.1.
#4985 Updated the pdfmake dependency to 0.2.6.
#4992 The button to export the app logs is now disabled when there are no results instead of showing an error toast.
#5062 Updated mocha dependency to 10.1.0.
#5062 Updated pdfmake dependency to 0.2.7.
#5031 Unify the SCA check result label name.
#4985 Removed the angular-chart.js dependency.
#5062 Removed the pug-loader dependency.
#5103 Removed unused file related to agent menu.
ThreatLockDown Splunk app
Packages
#1980 The ThreatLockDown dashboard is now based on OpenSearch dashboards 2.4.1.
#1979 The ThreatLockDown indexer is now based on OpenSearch 2.4.1.
#1715 Added the Alpine package build.
#1770 The wazuh-certs-tool.sh now supports multiple IP addresses for each node.
#1167 Added the Azure wodle files to the Solaris 11 and RPM agent SPEC files.
#1379 Added the new wodles/gcloud files and folders to the Solaris 11 SPEC file.
#1453 Added orm.py to the Solaris 11 SPEC file.
#1299 Applied the changes required for the new agent-group mechanism.
#1569 Removed unnecessary plugins from the default ThreatLockDown dashboard.
#1602 Simplified the Splunk packages builder.
#1687 Installed open-vm-tools in the OVA.
#1699 Added a custom path option for the ThreatLockDown indexer packages.
#1751 Updated the ThreatLockDown dashboard loading screen.
#1823 The indexer-security-init.sh now accepts DNS names as network hosts.
#1154 The ThreatLockDown passwords tool is now able to obtain the IP address of an interface from the configuration file.
#1839 The ThreatLockDown installation assistant now uses apt-get instead of apt.
#1831 The base creation is now integrated within the build_packages.sh script.
#1838 Changed the internal directory in the base container.
#1473 Changed method from GET to POST in the API login requests.
#1882 Added changes to distribute the libstdc++ and libgcc_s to wazuh-packages.
#1890 Updated permissions in the ThreatLockDown indexer and ThreatLockDown dashboard.
#1876 Removed the deprecated apt-key utility from the ThreatLockDown installation assistant.
#1904 Parameterized the ThreatLockDown dashboard script.
#1929 Added the ThreatLockDown dashboard light loading screen logo in dark mode.
#1930 Added the Distribution version matrix section in the wazuh-packages README.md file.
#1961 Added ossec.conf file generation and improved SPECs on the Alpine packages.
#1343 Signed the Windows dynamic link library files.
Resolved issues
This release resolves known issues, such as the following:
ThreatLockDown manager
Reference | Description |
---|---|
 | Fixed compilation warnings in the manager. |
 | Fixed a bug in the manager that did not send shared folders correctly to agents belonging to multiple groups. |
 | Fixed the Active Response decoders to support back the top entries for source IP in reports. |
 | Fixed the feed update interval option of Vulnerability Detector for the JSON Red Hat feed. |
 | Fixed several code flaws in the Python framework. |
 | Fixed code flaw regarding the use of XML package. |
 | Fixed code flaw regarding permissions at group directories. |
 | Fixed code flaw regarding temporary directory names. |
 | Fixed code flaw regarding |
 | Fixed framework datetime transformations to UTC. |
 | Fixed a cluster error when Master-Worker tasks were not properly stopped after an exception occurred in one or both parts. |
 | Fixed cluster logger issue printing |
 | Fixed unhandled cluster error when reading a malformed configuration. |
 | Fixed framework unit test failures when run by the root user. |
 | Fixed a memory leak in |
 | |
 | Fixed multiple data race conditions in Remoted reported by ThreadSanitizer. |
 | Fixed |
 | Fixed a race condition in Remoted that was blocking agent connections. |
 | Fixed Virustotal integration to support non UTF-8 characters. |
 | Fixed a bug masking as Timeout any error that might occur while waiting to receive files in the cluster. |
 | Fixed a read buffer overflow in |
 | Applied workaround for |
 | Let the database module synchronize the agent group data before assignments. |
 | Fixed memory leaks in wazuh-analysisd when parsing and matching rules. |
ThreatLockDown agent
Reference | Description |
---|---|
 | Fixed collection of maximum user data length. |
 | Fixed missing fields in Syscollector on Windows 10. |
 | Fixed the process startup time data provided by Syscollector on Linux. |
 | Fixed network data reporting by Syscollector related to tunnel or VPN interfaces. |
 | V9FS file system is skipped at Rootcheck to prevent false positives on WSL. |
 | Fixed double file handle closing in Logcollector on Windows. |
 | Fixed a bug in Syscollector that may prevent the agent from stopping when the manager connection is lost. |
 | Fixed internal exception handling issues on Solaris 10. |
 | Fixed duplicate error message IDs in the log. |
 | Fixed compilation warnings in the agent. |
 | Fixed the |
 | Fixed AWS DB maintenance with Load Balancer Buckets. |
 | Fixed AWS integration's |
 | Fixed |
 | Fixed AWS integration database maintenance error management. |
 | The default delay at GitHub integration has been increased to 30 seconds. |
 | Logcollector has been fixed to allow locations containing colons (:). |
 | Fixed system architecture reporting in Syscollector on Apple Silicon devices. |
 | The C++ standard library and the GCC runtime library are now included with Wazuh. |
 | Fixed missing inventory cleaning message in Syscollector. |
 | Fixed WPK upgrade issue on Windows agents due to process locking. |
 | Fixed FIM injection vulnerability when using |
 | Fixed the parse of ALB logs splitting |
 | Fixed a bug that prevents processing Macie logs with problematic ipGeolocation values. |
 | Fixed GCP integration module error messages. |
 | Fixed an error that prevented the agent on Windows from stopping correctly. |
 | Fixed Azure integration credentials link. |
RESTful API
Reference | Description |
---|---|
 | Fixed copy functions used for the backup files and upload endpoints to prevent incorrect metadata. |
 | Fixed a bug regarding ids not being sorted with cluster disabled in Active Response and Agent endpoints. |
 | Fixed a bug where |
 | Connections through |
 | Fixed exception handling when trying to get the active configuration of a valid but not configured component. |
 | Fixed |
 | Fixed |
 | The API will return an exception when the user asks for agent inventory information, and there is no database for it (never connected agents). |
 | Improved regex used for the |
 | Removed |
 | Removed cmd field from expected responses of syscollector integration tests. |
 | Reduced the maximum number of groups per agent to 128 and adjusted group name validation. |
 | Reduced amount of memory required to read CDB lists using the API. |
 | Fixed a bug where the cluster health check endpoint and CLI would add an extra active agent to the master node. |
 | Fixed bug that prevents updating the configuration when using various |
 | Fixed vulnerability API integration tests' healthcheck. |
Ruleset
Reference | Description |
---|---|
 | Fixed |
 | Bug fix in |
 | Fixed deprecated MITRE tags in rules. |
 | SCA checks IDs are not unique. |
 | Fixed regex in check 5.1.1 of Ubuntu 20.04 SCA. |
 | Removed wrong Fedora Linux SCA default policies. |
 | SUSE Linux Enterprise 15 SCA Policy duplicated check ids 7521 and 7522. |
Other
Reference | Description |
---|---|
 | Fixed Makefile to detect CPU architecture on Gentoo Linux. |
ThreatLockDown dashboard
Reference | Description |
---|---|
 | Fixed nested fields filtering in dashboards tables and KPIs. |
 | Fixed nested field rendering in security alerts table details. |
 | Fixed a bug where the ThreatLockDown logo was used instead of the custom one. |
 | Fixed rendering problems of the |
 | Fixed issue when logging out from ThreatLockDown when SAML is enabled. |
 | Fixed server errors with code 500 when the ThreatLockDown API is not reachable / up. |
 | Fixed pagination to SCA table. |
 | Fixed |
 | Raspbian OS, Ubuntu, Amazon Linux, and Amazon Linux 2 commands now change when a different architecture is selected in the wizard deploy agent. |
 | Disabled unmapped fields filter in Security Events alerts table. |
 | Deploy new agent section: Fixed how macOS versions and architectures were displayed, fixed how agents were displayed, and fixed how Ubuntu versions were displayed. |
 | Fixed agent deployment instructions for HP-UX and Solaris. |
 | Fixed a bug that caused the flyouts to close when clicking inside them. |
 | Fixed the manager option in the agent deployment section. |
 | Fixed Inventory checks table filters by stats. |
 | Fixed commands in the deploy new agent section (most of the commands are missing |
 | Fixed agent installation command for macOS in the deploy new agent section. |
 | Fixed agent graph in OpenSearch dashboard. |
 | Fixed commands in the deploy new agent section (most of the commands are missing |
 | Fixed default last scan date parser to be able to catch dates returned by ThreatLockDown API when no vulnerabilities scan has been made. |
 | A Solaris command has been fixed. |
 | Fixed commands: AIX, openSUSE, Alpine, SUSE 11, Fedora, HP-UX, Oracle Linux 5, Amazon Linux 2, CentOS 5. Changed the word |
 | Fixed error in Github module PDF report. |
 | Fixed password input in deploy new agent section. |
 | Fixed error when clicking on the selectors of agents in the group agents management. |
 | Fixed the menu content panel being displayed in the wrong place. |
 | Fixed greyed and disabled menu section names. |
 | Fixed misspelling in the NIST module. |
 | Fixed Statistic cronjob bulk document insert. |
 | Fixed the style of the buttons showing more event information in the event view table. |
 | Fixed Inventory module for Solaris agents. |
 | Fixed the module information button in Office365 and Github Panel tab to open the nav drawer. |
 | Fixed a UI crash due to |
 | Fixed the ThreatLockDown main menu not being displayed when the navigation menu is locked. |
 | The event view is now working correctly after fixing a problem that occurred when Lucene language was selected in the search bar. |
 | Fixed the incorrect use of the connection secure property by Deploy Agent. |
 | Head rendering in the agent view has been corrected. |
ThreatLockDown Kibana plugin for Kibana 7.10.2
| Reference | Description |
|---|---|
| | Fixed nested fields filtering in dashboards tables and KPIs. |
| | Fixed nested field rendering in security alerts table details. |
| | Fixed a bug where the ThreatLockDown logo was used instead of the custom one. |
| | Fixed rendering problems of the |
| | Fixed an issue when logging out of ThreatLockDown when SAML is enabled. |
| | Fixed HTTP 500 server errors when the ThreatLockDown API is unreachable or down. |
| | Fixed pagination in the SCA table. |
| | Fixed |
| | Raspbian OS, Ubuntu, Amazon Linux, and Amazon Linux 2 commands now change when a different architecture is selected in the deploy agent wizard. |
| | Disabled the unmapped fields filter in the Security Events alerts table. |
| | Fixed the manager option in the agent deployment section. |
| | Fixed Inventory checks table filters by stats. |
| | Fixed commands in the deploy new agent section (most of the commands are missing |
| | Fixed the agent installation command for macOS in the deploy new agent section. |
| | Deploy new agent section: fixed how macOS versions and architectures were displayed, how agents were displayed, and how Ubuntu versions were displayed. |
| | Fixed agent deployment instructions for HP-UX and Solaris. |
| | Fixed Inventory checks table filters by stats. |
| | Fixed the default last scan date parser so it handles the dates returned by the ThreatLockDown API when no vulnerability scan has been run. |
| | A Solaris command has been fixed. |
| | Fixed commands: AIX, openSUSE, Alpine, SUSE 11, Fedora, HP-UX, Oracle Linux 5, Amazon Linux 2, CentOS 5. Changed the word |
| | Fixed an error in the GitHub module PDF report. |
| | Fixed the password input in the deploy new agent section. |
| | Fixed an error when clicking the agent selectors in group agents management. |
| | Fixed a misspelling in the NIST module. |
| | Fixed the Statistics cron job bulk document insert. |
| | Fixed the style of the buttons showing more event information in the event view table. |
| | Fixed the Inventory module for Solaris agents. |
| | Fixed a UI crash due to |
| | Fixed the incorrect use of the connection secure property by Deploy Agent. |
| | Head rendering in the agent view has been corrected. |
ThreatLockDown Kibana plugin for Kibana 7.16.x and 7.17.x
| Reference | Description |
|---|---|
| | Fixed nested fields filtering in dashboards tables and KPIs. |
| | Fixed nested field rendering in security alerts table details. |
| | Fixed a bug where the ThreatLockDown logo was used instead of the custom one. |
| | Fixed rendering problems of the |
| | Fixed an issue when logging out of ThreatLockDown when SAML is enabled. |
| | Fixed HTTP 500 server errors when the ThreatLockDown API is unreachable or down. |
| | Fixed pagination in the SCA table. |
| | Fixed |
| | Raspbian OS, Ubuntu, Amazon Linux, and Amazon Linux 2 commands now change when a different architecture is selected in the deploy agent wizard. |
| | Disabled the unmapped fields filter in the Security Events alerts table. |
| | Fixed the agents wizard OS styles and their versions. |
| | Fixed the manager option in the agent deployment section. |
| #4999 #5031 | Fixed Inventory checks table filters by stats. |
| | Fixed commands in the deploy new agent section (most of the commands are missing |
| | Fixed the agent installation command for macOS in the deploy new agent section. |
| | Deploy new agent section: fixed how macOS versions and architectures were displayed, how agents were displayed, and how Ubuntu versions were displayed. |
| | Fixed agent deployment instructions for HP-UX and Solaris. |
| | Fixed Inventory checks table filters by stats. |
| | Fixed the agent installation command for macOS in the deploy new agent section. |
| | Fixed the default last scan date parser so it handles the dates returned by the ThreatLockDown API when no vulnerability scan has been run. |
| | A Solaris command has been fixed. |
| | Fixed commands: AIX, openSUSE, Alpine, SUSE 11, Fedora, HP-UX, Oracle Linux 5, Amazon Linux 2, CentOS 5. Changed the word |
| | Fixed an error in the GitHub module PDF report. |
| | Fixed the password input in the deploy new agent section. |
| | Fixed an error when clicking the agent selectors in group agents management. |
| | Fixed a misspelling in the NIST module. |
| | Fixed the Statistics cron job bulk document insert. |
| | Fixed the style of the buttons showing more event information in the event view table. |
| | Fixed the Inventory module for Solaris agents. |
| | Fixed a UI crash due to |
| | Fixed the incorrect use of the connection secure property by Deploy Agent. |
| | Head rendering in the agent view has been corrected. |
Packages
| Reference | Description |
|---|---|
| | Updated |
| | Added the missing |
| | Fixed the RPM wazuh-agent package build. |
| | Fixed a compilation error on CentOS 5 and CentOS 7, as well as the building of the Docker images for CentOS 5 on the i386 architecture. |
| | Fixed the Solaris 11 generation branch. |
| | Fixed the log cleaning command in the OVA generation. |
| | Fixed the |
| | Fixed RHEL9 |
| | Fixed RHEL9 |
| | Fixed the package building for Arch Linux. |
| | Updated the |
| | Removed error logs from the OVA. |
| | Fixed service enablement in SUSE packages. |
| | Fixed package conflicts between the |
| | Fixed the ThreatLockDown installation assistant all-in-one deployment on Fedora 36. |
| | Fixed the RHEL and CentOS SCA template generation. |
| | Fixed the |
| | Added |
| | Fixed the ThreatLockDown offline installation messages. |
| | Removed the ThreatLockDown dashboard and ThreatLockDown indexer init.d services for RHEL9. |
| | Removed a black square icon from the ThreatLockDown dashboard. |
| | Fixed an issue that prevented the ThreatLockDown installation assistant from creating certificates for more than 9 nodes. |
| | Removed the |
| | requestHeadersWhitelist is deprecated and has been replaced by requestHeadersAllowlist. |
| | The ThreatLockDown installation assistant now shows a message indicating that the ThreatLockDown indexer was removed. |
| | Disabled the expanded header by default in the ThreatLockDown dashboard. |
| | Added a flag mechanism to configure the protection for untrusted libraries verification. |
| | Added a fix to avoid a GLIBC crash. |
Changelogs
More details about these changes are provided in the changelog of each component: