Wazuh

Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the following capabilities:

• Log management and analysis: Wazuh agents read the operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage.
• File integrity monitoring: Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on.
• Intrusion and anomaly detection: Agents scan the system looking for malware, rootkits or suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
• Policy and compliance monitoring: Wazuh monitors configuration files to ensure they are compliant with your security policies, standards or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.

This diverse set of capabilities is provided by integrating OSSEC, OpenSCAP and Elastic Stack, making them work together as a unified solution, and simplifying their configuration and management.

It provides an updated log analysis ruleset and a RESTful API that allows you to monitor the status and configuration of all Wazuh agents.

It also includes a rich web application (fully integrated as a Kibana app), for mining log analysis alerts and for monitoring and managing your Wazuh infrastructure.

Changelog v3.10.0

Added

• Add framework function to obtain full summary of agents. (#3842)
• SCA improvements. (#3286)
  • Refactor de SCA internal logic and policy syntax. (#3249)
  • Support to follow symbolic links. (#3228)
  • Add numerical comparator for SCA rules. (#3374)
  • Add SCA decoded events count to global stats. (#3623)
• Extend duplicate file detection for LogCollector. (#3867)
• Add HIPAA and NIST 800 53 compliance mapping as rule groups.(#3411 & #3420)
• Add SCA compliance groups to rule groups in alerts. (#3427)
• Add IPv6 loopback address to localhost list in DB output module (by @aquerubin). (#3140)
• Accept ] and > as terminal prompt characters for Agentless. (#3209)

Changed

• Modify logs for agent authentication issues by Remoted. (#3662)
• Make Syscollector logging messages more user-friendly. (#3397)
• Make SCA load by default all present policies at the default location. (#3607)
• Increase IPSIZE definition for IPv6 compatibility (by @aquerubin). (#3259)
• Replace local protocol definitions with Socket API definitions (by @aquerubin). (#3260)
• Improved error message when some of required Wazuh daemons are down. Allow restarting cluster nodes except when ossec-execd is down. (#3496)
• Allow existing aws_profile argument to work with vpcflowlogs in AWS wodle configuration. Thanks to Adam Williams (@awill1988). (#3729)

Fixed

• Fix exception handling when using an invalid bucket in AWS wodle (#3652)
• Fix error message when an AWS bucket is empty (#3743)
• Fix error when getting profiles in custom AWS buckets (#3786)
• Fix SCA integrity check when switching between manager nodes. (#3884)
• Fix alert email sending when no_full_log option is set in a rule. (#3174)
• Fix error in Windows who-data when handling the directories list. (#3883)
• Fix error in the hardware inventory collector for PowerPC architectures. (#3624)
• Fix the use of mutexes in the OS_Regex library. (#3533)
• Fix invalid read in the OS_Regex library. (#3815)
• Fix compilation error on FreeBSD 13 and macOS 10.14. (#3832)
• Fix typo in the license of the files. (#3779)
• Fix error in execd when upgrading agents remotely while auto-restarting. (#3437)
• Prevent integrations from inheriting descriptors. (#3514)
• Overwrite rules label fix and rules features tests. (#3414)
• Fix typo: replace readed with read. (#3328)
• Introduce global mutex for Rootcheck decoder. (#3530)
• Fix errors reported by scan-build. (#3452 & #3785)
• Fix the handling of wm_exec() output.(#3486)
• Fix FIM duplicated entries in Windows. (#3504)
• Remove socket deletion from epoll. (#3432)
• Let the sources installer support NetBSD. (#3444)
• Fix error message from openssl v1.1.1. (#3413)
• Fix compilation issue for local installation. (#3339)
• Fix exception handling when /tmp have no permissions and tell the user the problem. (#3401)

Download && Use

Portions Copyright (C) 2017 Wazuh, Inc.
Based on work Copyright (C) 2003 – 2013 Trend Micro, Inc.