4.6.0 Release notes - 31 October 2023

This section lists the changes in version 4.6.0. Every update of the ThreatLockDown solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

  • Added support for the Microsoft Graph Security API. The agent can now fetch security alerts from multiple Microsoft products through a single integration, giving one consolidated view of Microsoft security data.

  • Added the POST /events API endpoint for ingesting log events over HTTP. It enables dynamic integrations (for example, webhook senders) and near-real-time responses, improving automation and responsiveness.

  • Added Office 365 support for GCC and GCC High (GCCH). This extends monitoring coverage to organizations that rely on Office 365 in government community cloud environments and supports their compliance and security monitoring.

  • Vulnerability Detector now supports AlmaLinux OS, Debian 12, and Amazon Linux 2022. Supporting newer OS versions keeps vulnerability coverage in step with the evolving Linux ecosystem.

  • Added PCRE2 support in Security Configuration Assessment (SCA). Policy checks can now use PCRE2 patterns, a more expressive pattern-matching engine than the previous one, which improves software auditing and compliance capabilities.

Breaking changes

  • The integration methods for Splunk, OpenSearch, and Elastic Stack have been changed. Please refer to the Integrations guide to learn more.

What's new

This release includes the following new features and enhancements:

ThreatLockDown manager

  • #13559 wazuh-authd can now generate X.509 certificates.

  • #13797 Introduced a new CLI to manage features related to the ThreatLockDown API RBAC resources.

  • #13034 Added support for Amazon Linux 2022 in Vulnerability Detector.

  • #16343 Added support for Alma Linux in Vulnerability Detector.

  • #18542 Added support for Debian 12 in Vulnerability Detector.

  • #14953 Added mechanism in wazuh-db to identify fragmentation and perform vacuum.

  • #19956 Adjusted the default settings for wazuh-db to perform database auto-vacuum more often.

  • #18333 Added an option to set whether the manager should reject agents running a newer version than the manager (see the allow_higher_version setting).

  • #15661 Added a mechanism that prevents ThreatLockDown agents from connecting to managers running a lower version.

  • #14659 wazuh-remoted now checks the size of the shared files to avoid producing a malformed merged.mg.

  • #14024 Added a limit option for the Rsync dispatch queue size.

  • #14026 Added a limit option for the Rsync thread pool.

  • #14549 wazuh-authd now shows a warning when deprecated forcing options are present in the configuration.

  • #14804 The agent now notifies the manager when Active Response fails to run netsh.

  • #13906 Added a new broadcast system to send agent group information from the master node of a cluster.

  • #15220 Changed cluster send_request method so that timeouts are treated as exceptions and not as responses.

  • #13065 Refactored methods responsible for file synchronization within the cluster.

  • #16065 Changed schema constraints for sys_hwinfo table.

  • #15709 wazuh-authd no longer starts when the registration password is empty.

  • #19400 Changed the message type for GetSecurityInfo from error to debug.
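
The wazuh-db fragmentation and auto-vacuum entries above (#14953, #19956) describe a maintenance loop: measure how much of the SQLite file is free space and rewrite the file only when that share gets large. The following is an added example that illustrates that loop with plain SQLite; it is not wazuh-db code, and the metric (free pages as a percentage of all pages) and the 60 % threshold are assumptions chosen for illustration, not the daemon's actual heuristic or defaults.

```python
"""Added example (not ThreatLockDown/Wazuh code): measuring SQLite free-space
fragmentation and vacuuming past a threshold, the kind of maintenance wazuh-db
performs on its databases. Assumptions: the metric (free pages as a percentage
of all pages) and the 60 % default threshold are illustrative choices, not the
daemon's exact heuristic."""
import os
import sqlite3
import tempfile
from typing import Tuple


def fragmentation_percent(conn: sqlite3.Connection) -> float:
    """Share of database pages on the freelist (reclaimable but not released)."""
    page_count = conn.execute("PRAGMA page_count").fetchone()[0]
    free_pages = conn.execute("PRAGMA freelist_count").fetchone()[0]
    return 0.0 if page_count == 0 else 100.0 * free_pages / page_count


def vacuum_if_fragmented(conn: sqlite3.Connection,
                         threshold_percent: float = 60.0) -> Tuple[float, float, bool]:
    """Run VACUUM only when fragmentation reaches the threshold.

    Returns (fragmentation_before, fragmentation_after, vacuumed). VACUUM rewrites
    the whole file and blocks writers while it does so, which is why it is gated
    on a threshold instead of being run on every maintenance tick.
    """
    before = fragmentation_percent(conn)
    if before < threshold_percent:
        return before, before, False
    conn.execute("VACUUM")  # must run outside a transaction (autocommit mode below)
    return before, fragmentation_percent(conn), True


def build_fragmented_db(rows: int = 4000) -> sqlite3.Connection:
    """Constructed sample: a table of fixed-size rows, then mostly deleted.

    Scattered deletes leave many fully emptied pages on the freelist, which is
    what a long-lived event store looks like after retention trimming.
    """
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit: VACUUM needs it
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, payload BLOB NOT NULL)")
    conn.execute("BEGIN")
    conn.executemany("INSERT INTO events (id, payload) VALUES (?, zeroblob(200))",
                     ((i,) for i in range(1, rows + 1)))
    conn.execute("COMMIT")
    conn.execute("DELETE FROM events WHERE id % 100 != 0")  # keep 1 row in 100
    return conn


if __name__ == "__main__":
    db = build_fragmented_db()
    before, after, vacuumed = vacuum_if_fragmented(db)
    print(f"fragmentation before={before:.1f}% after={after:.1f}% vacuumed={vacuumed}")
```

Run it and the first call vacuums (fragmentation well above the threshold); a second call on the same connection is a no-op because the freelist is now empty. Lowering the threshold trades more frequent, shorter rewrites for less wasted disk, which is the knob #19956 turned in the daemon's defaults.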

Agent

  • #15226 Added GuardDuty Native support to the AWS integration.

  • #14768 Added --prefix parameter to Azure Storage integration.

  • #16493 Added validations for empty and invalid values in AWS integration.

  • #13573 Added new unit tests for GCloud integration and increased coverage to 99%.

  • #14104 Added new unit tests for Azure Storage integration and increased coverage to 99%.

  • #14177 Added new unit tests for Docker Listener integration.

  • #18116 Added support for Microsoft Graph security API. Thanks to Bryce Shurts (@S-Bryce).

  • #15852 Added wildcard support for Windows registry keys in FIM.

  • #15973 Added wildcards support for folders in the localfile configuration on Windows.

  • #14782 Added new settings ignore and restrict to logcollector.

  • #12745 Added RSync and DBSync to FIM.

  • #17124 Added PCRE2 regex for SCA policies.

  • #14763 Added mechanism to detect policy changes.

  • #13264 FIM option fim_check_ignore now applies to files and directories.

  • #16531 Changed AWS integration to take into account the user configuration found in the .aws/config file.

  • #14537 Changed the calculation of timestamps in AWS and Azure modules by using UTC timezone.

  • #15009 Changed the AWS integration to only show the "Skipping file with another prefix" message in debug mode.

  • #14999 Changed debug level required to display CloudWatch Logs event messages.

  • #17447 Changed syscollector database default permissions.

  • #17161 Changed agent IP lookup algorithm.

  • #14499 Changed InstallDate origin in Windows installed programs.

  • #14524 Enhanced clarity of certain error messages in the AWS integration for better exception tracing.

  • #13420 Improved external integrations SQLite queries.

  • #16325 Improved items iteration for Config and VPCFlow AWS integrations.

  • #14784 Unit tests have been added to the shared JSON handling library.

  • #14476 Unit tests have been added to the shared SQLite handling library.

  • #15032 Improved command to change user and group from version 4.2.x to 4.x.x.

  • #15647 Changed the internal value of the open_attemps configuration.

  • #13878 Removed the unused local_ip agent configuration option.

  • #14684 Removed unused migration functionality from the AWS integration.

  • #17655 Deleted definitions of repeated classes in the AWS integration.

  • #15031 Removed duplicate methods in AWSBucket and reuse inherited ones from WazuhIntegration.

  • #16547 Added support for Office365 MS/Azure Government Community Cloud (GCC) and Government Community Cloud High (GCCH) API. Thanks to Bryce Shurts (@S-Bryce).

  • #19758 Reduced the default FIM event throughput to 50 EPS.

RESTful API

  • #17670 Added POST /events API endpoint to ingest logs through the API.

  • #17865 Added query, select and distinct parameters to multiple endpoints.

  • #13919 Added a new upgrade and migration mechanism for the RBAC database.

  • #13654 Added a new API configuration option to rotate log files based on a given size.

  • #15994 Added relative_dirname parameter to GET, PUT and DELETE methods of the /decoder/files/(unknown) and /rule/files/(unknown) endpoints.

  • #18212 Added a new configuration option to disable uploading configurations containing the new allow_higher_version setting.

  • #13615 Added API integration tests documentation.

  • #13646 Changed the API's response status code for ThreatLockDown cluster errors from 400 to 500.

  • #15934 Removed legacy code related to agent databases in /var/agents/db.

  • #19001 Changed Operational API error messages to include additional information.
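
The new POST /events endpoint (#17670) ingests raw log lines through the RESTful API instead of through an agent. The following is an added example client, not project code. It assumes, from the 4.6.0 API reference as I read it, that a JWT is obtained with HTTP basic authentication from POST /security/user/authenticate and returned as data.token, that /events takes a JSON body of the form {"events": ["<raw log line>", ...]}, and that at most 100 events are accepted per request; the 30 requests per minute rate limit mentioned in a comment is also an assumption. The HTTP transport is injected so the module runs offline, and FakeTransport plus the sample sshd lines are constructed stand-ins for a manager and for real traffic.

```python
"""Added example (not ThreatLockDown/Wazuh code): a minimal client for the new
POST /events endpoint. Assumptions about the 4.6.0 API: JWT from
POST /security/user/authenticate (HTTP basic auth, token in data.token); body
{"events": [...]}; at most 100 events per request; rate limit 30 requests/min.
The transport is injected so this runs offline; FakeTransport is constructed."""
import base64
import json
from typing import Callable, Dict, List, Optional, Sequence, Tuple

MAX_EVENTS_PER_REQUEST = 100  # per-request cap (assumption, see docstring)

# transport(method, url, headers, body) -> (http_status, response_body)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


def chunk_events(events: Sequence[str], size: int = MAX_EVENTS_PER_REQUEST) -> List[List[str]]:
    """Drop blank lines and split the rest into batches the endpoint will accept."""
    if size < 1:
        raise ValueError("batch size must be at least 1")
    cleaned = [e.rstrip("\r\n") for e in events if e.strip()]
    return [cleaned[i:i + size] for i in range(0, len(cleaned), size)]


class EventsClient:
    def __init__(self, base_url: str, user: str, password: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self._basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._transport = transport
        self._token: Optional[str] = None

    def authenticate(self) -> str:
        status, body = self._transport(
            "POST", f"{self.base_url}/security/user/authenticate",
            {"Authorization": f"Basic {self._basic}"}, b"")
        if status != 200:
            raise RuntimeError(f"authentication failed: HTTP {status}")
        self._token = json.loads(body)["data"]["token"]
        return self._token

    def _post_batch(self, batch: List[str]) -> Tuple[int, bytes]:
        headers = {"Authorization": f"Bearer {self._token}",
                   "Content-Type": "application/json"}
        return self._transport("POST", f"{self.base_url}/events", headers,
                               json.dumps({"events": batch}).encode())

    def send_events(self, events: Sequence[str]) -> List[int]:
        """Send events in API-sized batches; returns the HTTP status per batch.

        A 401 (expired JWT) triggers one re-authentication and a retry of that
        batch. Any other non-2xx status aborts so the caller can back off: the
        endpoint is rate limited (assumption: 30 requests per minute).
        """
        if self._token is None:
            self.authenticate()
        statuses: List[int] = []
        for batch in chunk_events(events):
            status, body = self._post_batch(batch)
            if status == 401:
                self.authenticate()
                status, body = self._post_batch(batch)
            if status // 100 != 2:
                raise RuntimeError(f"POST /events failed: HTTP {status} {body[:200]!r}")
            statuses.append(status)
        return statuses


class FakeTransport:
    """Constructed stand-in for a manager: records requests, issues a token, accepts events."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Dict[str, str], bytes]] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
        self.calls.append((method, url, headers, body))
        if url.endswith("/security/user/authenticate"):
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, b""
            return 200, b'{"data": {"token": "jwt-example"}, "error": 0}'
        if url.endswith("/events"):
            if headers.get("Authorization") != "Bearer jwt-example":
                return 401, b""
            n = len(json.loads(body)["events"])
            if n > MAX_EVENTS_PER_REQUEST:
                return 400, b"too many events"
            return 200, json.dumps({"data": {"total_affected_items": n}, "error": 0}).encode()
        return 404, b""

    def batch_sizes(self) -> List[int]:
        """Number of events carried by each recorded POST /events call."""
        return [len(json.loads(b)["events"]) for (_, url, _, b) in self.calls if url.endswith("/events")]


# Constructed sample log lines (not real traffic): 250 lines force three batches.
SAMPLE_LINES = [
    f"Oct 31 10:00:{i % 60:02d} web01 sshd[{1000 + i}]: Failed password for invalid user "
    f"admin from 192.0.2.{i % 254 + 1} port {40000 + i} ssh2"
    for i in range(250)
]

if __name__ == "__main__":
    transport = FakeTransport()
    client = EventsClient("https://manager.example:55000", "api-user", "s3cret", transport)
    print(client.send_events(SAMPLE_LINES), transport.batch_sizes())
```

For real use, replace FakeTransport with a function built on urllib or requests that sends the request to the manager's API port and returns the status and body; because the endpoint feeds wazuh-analysisd directly, treat the API credential used here as a write path into your alert pipeline and scope its RBAC role to this endpoint only.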

Ruleset

  • #14138 The SSHD decoder has been improved to catch disconnection events.

ThreatLockDown dashboard

  • #5197 #5274 #5298 #5409 Added rel="noopener noreferrer" in documentation links.

  • #5203 Added ignore and restrict options to Syslog configuration.

  • #5376 Added the extensions.github and extensions.office settings to the default configuration file.

  • #4163 Added new global error treatment (client-side).

  • #5519 Added new CLI to generate API data from specification file.

  • #5551 Added specific RBAC permissions to the Security section.

  • #5443 Added Refresh and Export formatted button to panels in Agents > Inventory data.

  • #5491 Added Refresh and Export formatted buttons to Management > Cluster > Nodes.

  • #5201 Changed the regular expression used in RBAC.

  • #5384 Migrated the timeFilter, metaFields, and maxBuckets health checks inside the pattern check.

  • #5485 Changed the query to search for an agent in Management > Configuration.

  • #5476 Changed the search bar in management/log to the one used in the rest of the app.

  • #5457 Changed the design of the wizard to add agents.

  • #5363 #5442 #5443 #5444 #5445 #5447 #5452 #5491 #5785 Introduced a new, enhanced search bar. It adds new features to all the searchable tables that leverage the ThreatLockDown API and addresses some of the issues found in the previous version.

  • #5451 Removed deprecated request and code in agent's view.

  • #5453 Removed unnecessary dashboard queries caused by the deploy agent view.

  • #5500 Removed repeated and unnecessary requests in the Security section.

  • #5519 Removed scripts to generate API data from live ThreatLockDown manager.

  • #5532 Removed the pretty parameter from cron job requests.

  • #5528 Removed unnecessary requests in the Management > Status section.

  • #5485 Removed obsolete code that caused duplicate requests to the API in Management.

  • #5592 Removed unused embedded jquery-ui.

Resolved issues

This release resolves the following known issues:

ThreatLockDown manager

Reference   Description
#13979      Fixed wazuh-remoted not updating the total bytes sent over UDP.
#14356      Fixed translation of packages with a missing version in the CPE Helper for Vulnerability Detector.
#14174      Fixed undefined behavior issues in Vulnerability Detector unit tests.
#14019      Fixed a permission error when producing FIM alerts (JSON alert output).
#15164      Fixed memory leaks in wazuh-authd.
#14763      Fixed Audit policy change detection in FIM for Windows.
#14408      Fixed the origin_module variable value when sending API or framework messages to core sockets.
#15715      Fixed an issue where an erroneous tag appeared in the cluster logs.
#15250      Fixed the log error displayed when there is a duplicate worker node name within a cluster.
#15487      Resolved an issue in the agent_upgrade CLI when used from worker nodes.
#18047      Fixed an error in the agent_upgrade CLI when displaying the upgrade result.
#15277      Fixed an error in which the connection with the cluster was broken in local clients for not sending keepalive messages.
#15298      Fixed an error in which exceptions were not correctly handled when the dapi_err command could not be sent to peers.
#16257      Fixed an error in the worker's Integrity sync task when a group folder was deleted on the master.
#16506      Fixed an error when trying to upgrade an agent through the API or the CLI while pointing to a WPK file.
#15074      Fixed wazuh-remoted high CPU usage on a master node without agents.
#16101      Fixed a race condition in wazuh-analysisd when handling the rule ignore option.
#16000      Fixed missing rules and decoders in the Analysisd JSON report.
#15826      Fixed log date parsing at the predecoding stage.

Agent

Reference   Description
#13534      Fixed the architecture in the dependency URL for macOS.
#13588      Fixed a path length limitation that prevented FIM from reporting changes on Windows.
#14993      Updated the AWS integration to use the regions specified in the AWS config file when no regions are provided in ossec.conf.
#14850      Corrected the error code #2 for the SIGINT signal within the AWS integration.
#14740      Fixed the discard_regex functionality for the AWS GuardDuty integration.
#14500      Fixed error messages in the AWS integration when there is a ClientError.
#14493      Fixed an error that could lead to duplicate logs when using the same dates in the AWS integration.
#16116      Fixed the check_bucket method in the AWS integration so that it finds logs stored at the bucket root without a folder.
#16360      Added field validation for last_date.json in the Azure Storage integration.
#15763      Improved handling of invalid regions given to the VPCFlow AWS integration, making the exception clearer.
#16070      Fixed an error in the GCloud Subscriber unit tests.
#16410      Fixed the marker that AWS custom integrations use.
#16365      Fixed error messages when there are no logs to process in the WAF and Server Access AWS integrations.
#16463      Added region validation before instantiating the AWS service class in the AWS integration.
#14161      Fixed the InstallDate format in Windows installed programs.
#15428      Fixed the syscollector default interval when the configuration is empty.
#16268      Fixed the agent starting with an invalid FIM configuration.
#15719      Fixed the rootcheck scan trying to read deleted files.
#15739      Fixed compilation and build on Gentoo.
#19375      Fixed a crash when FIM scanned long Windows paths.
#19378      Fixed FIM who-data support for AArch64 platforms.

RESTful API

Reference   Description
#13421      Fixed an unexpected behavior when using the q and select parameters in some endpoints.
#15203      Resolved an issue in the GET /manager/configuration API endpoint when retrieving the vulnerability detector configuration section.
#15152      Fixed an internal error (code 1814) in the GET /agents/upgrade_result endpoint in large environments.
#16756      Enhanced the alphanumeric_symbols regex to better accommodate specific SCA remediation fields.
#15967      Fixed a bug that prevented retrieving the ThreatLockDown logs when only the JSON format was configured.
#16310      Fixed an error in GET /rules when variables are used inside the id or level ruleset fields.
#16248      Fixed the PUT /syscheck and PUT /rootcheck endpoints to exclude exception codes properly.
#16347      Adjusted test_agent_PUT_endpoints.tavern.yaml to resolve a race condition error.
#16844      Fixed some errors in API integration tests for RBAC white agents.

ThreatLockDown dashboard

Reference   Description
#4828       Fixed a trailing hyphen character in the OS value in the list of agents.
#4911       Fixed several typos in the code.
#4917       Fixed the display of more than one protocol in the Global configuration section.
#4918       Fixed an uncaught error and a wrong error message in the PCI DSS Control tab.
#4894       Fixed references to Elasticsearch in the Wazuh-stack plugin.
#5135       Fixed the two errors that appeared in the console in the Settings > Configuration section.
#5376       Fixed the per-API-host GitHub and Office 365 module visibility configuration, which was not kept when changing or upgrading the plugin.
#5376       Fixed the GitHub and Office 365 modules appearing in the main menu when they were not configured.
#5364       Fixed a TypeError in FIM Inventory using a new error handler.
#5423       Fixed an error when using an invalid group configuration.
#5460       Fixed repeated requests in the inventory data and configurations of an agent.
#5465       Fixed repeated requests in the group table when adding a group or refreshing the table.
#5521       Fixed an error in the request body suggestions of the API Console.
#5734       Fixed some errors related to the relative dirname of rule and decoder files.
#5879       Fixed package URLs in the aarch64 commands.
#5888       Fixed the macOS agent installation commands.

Packages

Reference   Description
#2495       Fixed debug redirection in package installation in the ThreatLockDown installation assistant.
#2490       Fixed dashboard dependencies on RHEL systems.
#2498       Replaced requestHeadersWhitelist with requestHeadersAllowlist.
#2486       Fixed the common WPK container.

Changelogs

More details about these changes are provided in the changelog of each component: