Wazuh

Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the following capabilities:

• Log management and analysis: Wazuh agents read the operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage.
• File integrity monitoring: Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on.
• Intrusion and anomaly detection: Agents scan the system looking for malware, rootkits or suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
• Policy and compliance monitoring: Wazuh monitors configuration files to ensure they are compliant with your security policies, standards or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.

This diverse set of capabilities is provided by integrating OSSEC, OpenSCAP and Elastic Stack, making them work together as a unified solution, and simplifying their configuration and management.

It provides an updated log analysis ruleset and a RESTful API that allows you to monitor the status and configuration of all Wazuh agents.

It also includes a rich web application (fully integrated as a Kibana app), for mining log analysis alerts and for monitoring and managing your Wazuh infrastructure.

Changelog v4.0 RC1

Added

• Wazuh API:
  • Embedded Wazuh API with Wazuh Manager, there is no need to install Wazuh API (9860823)
  • Migrated Wazuh API server from nodejs to python (#2640)
  • Added asynchronous aiohttp server for the Wazuh API (#4474)
  • New Wazuh API is approximately 5 times faster on average (#5834)
  • Added OpenApi based Wazuh API specification (#2413)
  • Improved Wazuh API reference documentation based on OpenApi spec using redoc (#4967)
  • Added new yaml Wazuh API configuration file (#2570)
  • Added new endpoints to manage API configuration and deprecated configure_api.sh (#2570)
  • Added RBAC support to Wazuh API (#3287)
  • Added new endpoints for Wazuh API security management (#3410)
  • Added SQLAlchemy ORM based database for RBAC (#3375)
  • Added new JWT authentication method (7080ac3)
  • Wazuh API up and running by default in all nodes for a clustered environment
  • Added new and improved error handling (#2843 (#5345)
  • Added tavern and docker based Wazuh API integration tests (#3612)
  • Added new and unified Wazuh API responses structure (3421015)
  • Added new endpoints for Wazuh API users management (#3280)
  • Added new endpoint to restart agents which belong to a node (#5381)
  • Added and improved q filter in several endpoints (#5431)
  • Tested and improved Wazuh API security (#5318)
    • Added DDOS blocking system (#5318)
    • Added brute force attack blocking system (#5318)
    • Added content-type validation (#5318)
• Added and updated framework unit tests to increase coverage (#3287)
• Added improved support for monitoring paths from environment variables. (#4961)
• Added auto enrollment capability. Agents are now able to request a key from the manager if current key is missing or wrong. (#5609)

Changed

• Changed multiple Wazuh API endpoints (#2640) (#2413)
• Refactored framework module in SDK and core (#5263)
• FIM Windows events handling refactored. (#5144)

Fixed

• Fixed an error with last scan time in syscheck endpoints (a9acd3a)
• Added support for monitoring directories which contain commas. (#4961)
• Fixed a bug where configuring a directory to be monitored as realtime and whodata resulted in realtime prevailing. (#4961)
• Fixed using an incorrect mutex while deleting inotify watches. (#5126)
• Fixed a bug which could cause multiple FIM threads to request the same temporary file. (#5213)
• Fixed a bug where deleting a file permanently in Windows would not trigger an alert. (#5144)
• Fixed a typo in the file monitoring options log entry. (#5591)
• Fixed an error where monitoring a drive in Windows under scheduled or realtime mode would generate alerts from the recycle bin. (#4771)
• When monitoring a drive in Windows in the format U:, it will monitor U:\ instead of the agent’s working directory. (#5259)
• Fixed a bug where monitoring a drive in Windows with recursion_level set to 0 would trigger alerts from files inside its subdirectories. (#5235)

Removed

• Removed Wazuh API cache endpoints (#3042)
• Removed Wazuh API rootcheck endpoints (#5246)

Download && Use

Portions Copyright (C) 2017 Wazuh, Inc.
Based on work Copyright (C) 2003 – 2013 Trend Micro, Inc.