wazuh v4.2 RC4 releases: Host and endpoint security

Wazuh

Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the following capabilities:

• Log management and analysis: Wazuh agents read the operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage.
• File integrity monitoring: Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on.
• Intrusion and anomaly detection: Agents scan the system looking for malware, rootkits or suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
• Policy and compliance monitoring: Wazuh monitors configuration files to ensure they are compliant with your security policies, standards or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.

This diverse set of capabilities is provided by integrating OSSEC, OpenSCAP and Elastic Stack, making them work together as a unified solution, and simplifying their configuration and management.

It provides an updated log analysis ruleset and a RESTful API that allows you to monitor the status and configuration of all Wazuh agents.

It also includes a rich web application (fully integrated as a Kibana app), for mining log analysis alerts and for monitoring and managing your Wazuh infrastructure.

Changelog v4.2

Added

• Core:
  • Added support for bookmarks in Logcollector, allowing to follow the log file at the point where the agent stopped. (#3368)
  • Improved support for multi-line logs with a variable number of lines in Logcollector. (#5652)
  • Added an option to limit the number of files per second in FIM. (#6830)
  • Added a statistics file to Logcollector. Such data is also available via API queries. (#7109)
  • Allow statistical data queries to the agent. (#7239)
  • Allowed quoting in commands to group arguments in the command wodle and SCA checks. (#7307)
  • Let agents running on Solaris send their IP to the manager. (#7408)
  • New option <ip_update_interval> to set how often the agent refresh its IP address. (#7444)
  • Added support for testing location information in Wazuh Logtest. (#7661)
  • Added Vulnerability Detector reports to Wazuh DB to know which CVE’s affect an agent. (#7731)
• API:
  • Added new endpoint to get agent stats from different components. (#7200)
  • Added new endpoint to modify users’ allow_run_as flag. (#7588)
  • Added new endpoint to get vulnerabilities that affect an agent. (#7647)
  • Added API configuration validator. (#7803)
  • Added the capability to disable the max_request_per_minute API configuration option using 0 as value. (#8115)
• Ruleset:
  • Added support for UFW firewall to decoders. (#7100)

Changed

• Core:
  • Wazuh daemons have been renamed to a unified standard. (#6912)
  • Wazuh CLIs have been renamed to a unified standard. (#6903)
  • Wazuh internal directories have been renamed to a unified standard. (#6920)
  • Prevent a condition in FIM that may lead to a memory error. (#6759)
  • Let FIM switch to real-time mode for directories where who-data is not available (Audit in immutable mode). (#6828)
  • Changed the Active Response protocol to receive messages in JSON format that include the full alert. (#7317)
  • Changed references to the product name in logs. (#7264)
  • Remoted now supports both TCP and UDP protocols simultaneously. (#7541)
  • Improved the unit tests for the os_net library. (#7595)
  • FIM now removes the audit rules when their corresponding symbolic links change their target. (#6999)
  • Compilation from sources now downloads the external dependencies prebuilt. (#7797)
  • Added the old implementation of Logtest as wazuh-logtest-legacy. (#7807)
  • Improved the performance of Analysisd when running on multi-core hosts. (#7974)
  • Agents now report the manager when they stop. That allows the manager to log an alert and immediately set their state to “disconnected”. (#8021)
  • Wazuh building is now independent from the installation directory. (#7327)
  • The embedded python interpreter is provided in a preinstalled, portable package. (#7327)
  • Wazuh resources are now accessed by a relative path to the installation directory. (#7327)
• API:
  • Removed ruleset version from GET /cluster/{node_id}/info and GET /manager/info as it was deprecated. (#6904)
  • Changed the POST /groups endpoint to specify the group name in a JSON body instead of in a query parameter. (#6909)
  • Changed the PUT /active-response endpoint function to create messages with the new JSON format. (#7312)
  • New parameters added to DELETE /agents endpoint and older_than field removed from response. (#6366)
  • Changed login security controller to avoid errors in Restful API reference links. (#7909)
  • Changed the PUT /agents/group/{group_id}/restart response format when there are no agents assigned to the group. (#8123)
  • Agent keys used when adding agents are now obscured in the API log. (#8149)
• Ruleset:
  • The ruleset was normalized according to the Wazuh standard. (#6867)
  • Added CIS policy “Ensure XD/NX support is enabled” back for SCA. (#7316)

Fixed

• Cluster:
  • Improved memory usage when creating cluster messages. (#6736)
• Core:
  • Fixed a bug in FIM when setting scan_time to “12am” or “12pm”. (#6934)
  • Fixed a bug in FIM that produced wrong alerts when the file limit was reached. (#6802)
  • Fixed a bug in Analysisd that reserved the static decoder field name “command” but never used it. (#7105)
  • Fixed evaluation of fields in the tag <description> of rules. (#7073)
  • Fixed bugs in FIM that caused symbolic links to not work correctly. (#6789)
  • Fixed path validation in FIM configuration. (#7018)
  • Fixed a bug in the “ignore” option on FIM where realtive paths were not resolved. (#7018)
  • Fixed a bug in FIM that wrongly detected that the file limit had been reached. (#7268)
  • Fixed a bug in FIM that did not produce alerts when a domain user deleted a file. (#7268)
  • Fixed Windows agent compilation with GCC 10. (#7359)
  • Fixed a bug in FIM that caused to wrongly expand environment variables. (#7332)
  • Fixed the inclusion of the rule description in archives when matched a rule that would not produce an alert. (#7476)
  • Fixed a bug in the regex parser that did not accept empty strings. (#7495)
  • Fixed a bug in FIM that did not report deleted files set with real-time in agents on Solaris. (#7414)
  • Fixed a bug in Remoted that wrongly included the priority header in syslog when using TCP. (#7633)
  • Fixed a stack overflow in the XML parser by limiting 1024 levels of recursion. (#7782)
  • Prevented Vulnerability Detector from scanning all the agents in the master node that are connected to another worker. (#7795)
  • Fixed an issue in the database sync module that left dangling agent group files. (#7858)
  • Fixed memory leaks in the regex parser in Analysisd. (#7919)
  • Fixed a typo in the initial value for the hotfix scan ID in the agents’ database schema. (#7905)
  • Fixed a segmentation fault in Vulnerability Detector when parsing an unsupported package version format. (#8003)
  • Fixed false positives in FIM when the inode of multiple files change, due to file inode collisions in the engine database. (#7990)
  • Fixed the error handling when wildcarded Redhat feeds are not found. (#6932)
  • Fixed the equals comparator for OVAL feeds in Vulnerability Detector. (#7862)
• API:
  • Fixed wrong API messages returned when getting agents’ upgrade results. (#7587)
  • Fixed wrong user string in API logs when receiving responses with status codes 308 or 404. (#7709)
  • Fixed API errors when cluster is disabled and node_type is worker. (#7867)
  • Fixed redundant paths and duplicated tests in API integration test mapping script. (#7798)
  • Fixed an API integration test case failing in test_rbac_white_all and added a test case for the enable/disable run_as endpoint.(8014)
  • Fixed a thread race condition when adding or deleting agents without authd (8148)
• Ruleset:
  • Fixed usb-storage-attached regex pattern to support blank spaces. (#7837)
  • Fixed SCA checks for RHEL7 and CentOS 7. Thanks to J. Daniel Medeiros (@jdmedeiros). (#7645)

Removed

• Core:
  • File /etc/ossec-init.conf does not exist anymore. (#7175)
  • Unused files have been removed from the repository, including TAP tests. (#7398)
• API:
  • Removed the allow_run_as parameter from endpoints POST /security/users and PUT /security/users/{user_id}. (#7588)
  • Removed behind_proxy_server option from configuration. (#7006)
• Framework:
  • Deprecated update_ruleset script. (#6904)

Download && Use

Portions Copyright (C) 2017 Wazuh, Inc.
Based on work Copyright (C) 2003 – 2013 Trend Micro, Inc.