4.8.0 Release notes - TBD
This section lists the changes in version 4.8.0. Every update of the ThreatLockDown solution is cumulative and includes all enhancements and fixes from previous releases.
What's new
This release includes the following new features and enhancements:
Manager
#21201 Refactored vulnerability detection capability.
#16058 Added new `rollback` query to `wazuh-db`.
#18476 Improved `wazuh-db` detection of deleted database files.
#16893 Added `timeout` and `retry` parameters to the VirusTotal integration.
#18988 Extended `wazuh-analysisd` EPS metrics with events dropped by overload and remaining credits in the previous cycle.
#19819 Replaced Filebeat date index name processor to ensure the indices are identifiable by the index alias for auto-rollover.
#18466 Updated API and framework packages installation commands to use `pip` instead of direct invocation of `setuptools`.
#17015 Refactored how cluster status dates are treated in the cluster.
Agent
#15740 Added snap package manager support to Syscollector.
#18574 Disabled host's IP query by Logcollector when `ip_update_interval=0`.
#17932 Added event size validation for the external integrations.
#17623 Refactored and modularized the AWS integration code.
#19064 Added multiple tenants support to the MS Graph integration module.
#16200 FIM now buffers the Linux audit events for who-data to prevent side effects in other components.
#19720 The sub-process execution implementation has been improved.
#20649 Added geolocation mapping for the AWS WAF events.
RESTful API
#19952 Added new `GET /manager/version/check` API endpoint to obtain information about new releases of Wazuh.
#20119 Removed `PUT /vulnerability`, `GET /vulnerability/{agent_id}`, `GET /vulnerability/{agent_id}/last_scan` and `GET /vulnerability/{agent_id}/summary/{field}` API endpoints as they were deprecated in version 4.7.0. Use the ThreatLockDown indexer REST API instead.
#20420 Added the `auto` option to the `ssl_protocol` setting in the API configuration. This option enables automatic negotiation of the TLS certificate.
Ruleset
#19528 Added rules to detect IcedID attacks.
#17780 Added new SCA policy for Amazon Linux 2023.
#17784 Added new SCA policy for Rocky Linux 8.
#18721 Revised SCA policy for Ubuntu Linux 18.04.
#17515 Revised SCA policy for Ubuntu Linux 22.04.
#18440 Revised SCA policy for Red Hat Enterprise Linux 7.
#17770 Revised SCA policy for Red Hat Enterprise Linux 8.
#17412 Revised SCA policy for Red Hat Enterprise Linux 9.
#17624 Revised SCA policy for CentOS 7.
#18439 Revised SCA policy for CentOS 8.
#18010 Revised SCA policy for Debian 8.
#17922 Revised SCA policy for Debian 10.
#18695 Revised SCA policy for Amazon Linux 2.
#18985 Revised SCA policy for SUSE Linux Enterprise 15.
#19037 Revised SCA policy for macOS 13.0 Ventura.
#19515 Revised SCA policy for Microsoft Windows 10 Enterprise.
#20044 Revised SCA policy for Microsoft Windows 11 Enterprise.
#17518 Updated MITRE DB to v13.1.
Other
#20003 Upgraded external `aiohttp` library dependency version to 3.8.5.
#20003 Upgraded external `cryptography` library dependency version to 41.0.4.
#20003 Upgraded external `numpy` library dependency version to 1.26.0.
#20003 Upgraded external `pyarrow` library dependency version to 14.0.1.
#20003 Upgraded external `grpcio` library dependency version to 1.58.0.
#20003 Upgraded embedded Python version to 3.10.13.
ThreatLockDown dashboard
#5791 Added remember server address check.
#6093 Added a notification about new ThreatLockDown updates and a button to check their availability. #6256 #6328
#6083 Added the `ssl_agent_ca` configuration to the SSL Settings form.
#5896 Added global vulnerability dashboards. #6179 #6173 #6147 #6231 #6246 #6321 #6338 #6356
#5840 Added an agent selector to the IT Hygiene module.
#5840 Moved the ThreatLockDown menu into the side menu. #6226
#5840 Removed the `disabled_roles` and `customization.logo.sidebar` settings.
#5840 Removed module visibility configuration and removed the `extensions.*` settings.
#6106 Added query results limit of 10000 hits.
#6035 Improved the implementation of module dashboards.
#6067 Reorganized tabs order in all modules.
#6174 Removed the implicit filter of WQL language of the search bar UI.
#6176 Added a redirection button to Endpoint Summary from IT Hygiene application.
#6176 Removed the application menu in the IT Hygiene application.
#6373 Changed the API configuration title to API Connections.
#6366 Removed Compilation date field from the Status view.
#6361 Removed `WAZUH_REGISTRATION_SERVER` variable from Windows agent deployment command.
#6354 Added a dash character and a tooltip element to Run as in the API configuration table to indicate it's been disabled.
#6364 Added tooltip element to Most active agent in Details in the Endpoint summary view and renamed a label element.
Packages
#2332 Added check into the installation assistant to prevent the use of public IP addresses.
#2582 Added the ISM init script to the ThreatLockDown indexer package to handle the creation of ISM policies.
#2584 Added ISM init script to the installation assistant.
#2365 Removed the `postProvision.sh` script. It's no longer used in OVA generation.
#2364 Added `curl` error messages in downloads.
#2469 Improved debug output in the installation assistant.
#2422 Enabled `localhost` domain registration in the installation assistant and `cert-tool`.
#2300 Added SCA policy for Rocky Linux 8 in SPECS.
#2557 Added SCA policy for Amazon Linux 2023 in SPECS.
#2558 ThreatLockDown password tool now recognizes UI created users.
#2562 Bumped ThreatLockDown indexer to OpenSearch 2.10.0.
#2563 Bumped ThreatLockDown dashboard to OpenSearch Dashboards 2.10.0.
#2577 Added APT and YUM lock logic to the ThreatLockDown installation assistant.
#2553 Added new role to grant ISM API permissions.
#2164 Deprecated CentOS 6 and Debian 7 for the ThreatLockDown manager compilation, while still supporting them in the ThreatLockDown agent compilation.
#2588 Added logic to the installation assistant to check for clean ThreatLockDown central components removal.
#2615 Added branding images to the header of ThreatLockDown dashboard.
#2696 Updated Filebeat module version to 0.4 in ThreatLockDown installation assistant.
#2695 Added content database in RPM and DEB packages.
#2669 Upgraded `botocore` dependency in WPK package Docker containers.
Resolved issues
This release resolves the following known issues:
ThreatLockDown manager
| Reference | Description |
|---|---|
| | Updated cluster connection cleanup to remove temporary files when the connection between a worker and a master is broken. |
Agent
| Reference | Description |
|---|---|
| | Fixed process path retrieval in Syscollector on Windows XP. |
| | Fixed the OS version detection on Alpine Linux. |
| | Fixed Solaris 10 name not showing in the dashboard. |
RESTful API
| Reference | Description |
|---|---|
| | Fixed a warning from SQLAlchemy involving detached Roles instances in RBAC. |
ThreatLockDown dashboard
| Reference | Description |
|---|---|
| | Fixed a problem with the agent menu header when the side menu is docked. |
| | Fixed how the query filters apply on the Security Alerts table. |
| | Fixed exception in IT-Hygiene when an agent doesn't have policies. |
| | Fixed exception in Inventory when agents don't have operating system information. |
| | Fixed pinned agent state in URL. |
| | Fixed invalid date format in About and Agents views. |
| | Fixed issue with script to install agents on macOS if using the registration password deployment variable. |
| | Fixed an issue preventing the use of a hostname as the Server address in Deploy New Agent. |
| | Fixed unnecessary scrolling in the vulnerability Inventory table. |
| | Fixed wrong Queue Usage values in Server management > Statistics. |
| | Fixed Statistics view errors when cluster mode is disabled. |
Packages
| Reference | Description |
|---|---|
| | Fixed DNS validation in the Installation Assistant. |
| | Fixed debug redirection in Installation Assistant. |
Changelogs
More details about these changes are provided in the changelog of each component: