OSSEC v3.0.0 Release Notes

Release Date: 2018-07-17
Changelog

    🚀 Release Maintainers

    Dan Parriott
    Scott R. Shinn (Atomicorp, Inc.)

    What's New

    👍 SQLite support for syscheck

    • PR #1091 - whitelist for files in sqlite DB
    • PR #1364 - add some ifdefs for the md5 whitelist database (USE_SQLITE)

    โšก๏ธ Update cJSON 1.7.0

    - #1351

    โž• Add Pagerduty Active response

    - #1302

    OSSEC-authd

    • #890 / #873 - Dichotomic search to add agents with authd
    • #1154 / #1210 - password support
    • #1161 - avoid IP duplication, time limit agent deletion with duplicate IP, and option for re-using an agent ID
    • #1190 - Exit handler for authd to delete PID file
    • #1208 - add cipher configuration support

    โšก๏ธ zlib update to 1.2.11

    - #1198

    ๐Ÿง ossec-agent selinux module

    - #1193

    ๐Ÿ windows agent

    ๐Ÿ‘ #1170 - add agent-auth.exe support

    ๐Ÿ‘ tcp support for agent communications

    #1162

    ๐Ÿ‘ GeoIP support in rules and events

    • #840 - Support in alerts
    • #927 - add geoip support to JSON output analysisd.geoip_jsonout=0
    • #929 - Modify rule token different_geoip rule to different_srcgeoip
    • #984 - fix some geoIP bugs

    - #1108 - decoder fixes

    ๐Ÿ‘ Slack support

    • #947 - Escape the '.' in the grep for '.ALERTLAST' #947

    - #959 - silent curl in ossec-slack

    Decoders filename attribute

    • #915 - A few fixes, but most importantly the ability to set the filename attribute from a decoder. This will help create automated pipelines for FIM Verification. I currently need to compare FIM events against 1) Puppet, 2) GIT, and 3) RPM. This patch allows FIM events to be intercepted by my custom FIM Verification script, which generates logging events which OSSEC can read and turn back into an event with the filename attribute set.

    🆕 New Rules / Decoders

    • ⚡️ PR #1297 / #1335 - update named rules
    • PR #1324 - Bitcoin wallet scans to suspicious URLs
    • PR #1356 - OpenBSD DHCP rules

    General

    • 🛠 Bugfix #42 - Add option to use unaltered hashes with Windows syscheck
    • 🛠 Bugfix #210 - Time option in rules is rejecting valid syntax.
    • 🛠 Bugfix #425 - manage_agents unable to access /dev/random due to chroot
    • 🛠 Bugfix #454 - Prevent manage_agents from chrooting in bulk mode
    • Bugfix #780 - Compile warning (and potential segfault) after merge from calve/do_not_show_diff
    • 🛠 Bugfix #829 - Segmentation fault at logcollector
    • 🛠 Bugfix #888 - Pull Request #840 reverts some ipv6 support
    • 🛠 Bugfix #869 - ossec-agentd is unable to unmerge files
    • 🛠 Bugfix #892 - Contrib tools need to be updated for IPv6.
    • 🛠 Bugfix #911 - "any" is broken after change to sacmp for ipv4 networks
    • 🛠 Bugfix #913 - logcollector goes into loop when a NULL is in the log
    • 🛠 Bugfix #960 - do not attempt to start ossec-maild when it is enabled
    • 🛠 Bugfix #961 - fix for open file handle when rotating alerts.json
    • 🛠 Bugfix #976 - win32: 2 values in internal_options.conf ignored
    • 🛠 Bugfix #994 - rootcheck, fix for false positive trojaned /bin/grep
    • 🛠 Bugfix #998 - IPv6 triggers Rule 1002
    • 🛠 Bugfix #1065 - fix for negating IP/CIDR rules
    • 🛠 Bugfix #1084 - fix a double free
    • 🛠 Bugfix #1106 - ossec-remoted, Fix for clang checks, and a potential DOS caused by a warning
    • 🛠 Bugfix #1142 - CEF field uniqueness fix
    • 🛠 Bugfix #1145 - if getaddrinfo fails with WAI_FAMILY try ipv4
    • 🛠 Bugfix #1165 - rpm spec files generate ossec user and group in user space
    • 🛠 Bugfix #1180 - Add last events (previous output) to JSON output
    • 🛠 Bugfix #1205 - Avoid EOL conversion of received files in the windows receiver
    • 🛠 Bugfix #1227 - Fix for daily reports not being sent
    • 🛠 Bugfix #1237 - Custom CFLAGS/CXXFLAGS/LDFLAGS support
    • 🛠 Bugfix #1274 - ossec-authd, ipv6 returns an invalid key
    • 🛠 Bugfix #1278 - Use getent to check for users/group
    • 🛠 Bugfix #1366 - Update to rule ID map
    • 🛠 Bugfix #1370 - Bugfix for full subject handling

    • 🛠 PR #770 - ossec-dbd, postgresql fixes on the user column, schema, and not null conditions
    • PR #778 - syscheck, Selective opening mode to extract file hash
    • PR #792 - Check for a null from malloc
    • PR #802 - ossec-dbd, allow for longer entries in the system.information column
    • PR #804 - ossec-dbd, allow for mysql/postgres format changing based on MYSQLDB/POSTGDB
    • 🛠 PR #806 - ossec-reportd, report fixes on IP and user fields
    • 👀 PR #808 - Ignore OpenBSD's random seed
    • PR #824 - ossec-dbd, fix for mysql/postgres insert condition
    • PR #839 - JSON output, Add group field to json output
    • 👍 PR #843 - Add support for CZMQ v3
    • 🛠 PR #848 - Fixed bug at logcollector that inhibited alerts about file reduction
    • 🔒 PR #849 - ossec-maild, Format string security fix
    • 🛠 PR #855 - Fixed memory error on CDB lists management
    • PR #859 - added utils to rename an agent or change its IP address (rename_agent.sh, renumber_agent.sh)
    • 🛠 PR #862 - ossec-analysisd, fixed memory leaks
    • ✅ PR #864 - There is an error when running ossec-logtest to test rules with check_diff, since it doesn't change root directory and tries to create a directory at /queue/diff.
    • PR #866 - JSON output, Add timestamp for events
    • PR #881 - Add debugging output to active response xml config read
    • 🛠 PR #883 - Bugfix for agents failing to bind to a specific local IP address when the server is specified by hostname.
    • PR #887 - agent status needs to be verified before using agt->lip
    • 👍 PR #893 - Prelude IDS support, Do not use absolute indexes in prelude fields
    • PR #899 - manage_agents, OSSEC agent IDs can only be numbers but they are treated as strings. Because of this, it's possible to add the agent "00" and "000", or "1" and "00001" at the same time, and they can be confused on extracting keys or on deleting agents.
    • 🛠 PR #909 - ossec-logtest, Bugfix for decoders.d/rules.d segfault
    • ⚡️ PR #910 - Update intcheck_op.c
    • ⚡️ PR #912 - update validate_op.c
    • ✅ PR #918 - ossec-logtest, add -q "quiet" flag support
    • PR #920 - Bugfixes for OS_IPFound, OS_IPFoundList, OS_IsValidIP.
    • 🚚 PR #921 - JSON output, This removes the double addition of the 'action' field and adds a few other interesting fields that I need for my analysis in ELK. Most notably, the rule.group is now passed out via the zmq output.
    • PR #923 - ossec-dbd, fix SQLi in al_data->location
    • ✅ PR #928 - ossec-logtest, add geoip to logtest output
    • PR #930 - fix memory leak in decode-xml.c
    • PR #931 - Custom output, fix common realloc mistake in custom_output_search_replace.
    • PR #934 - Create OSSEC users and group as system members
    • 🖨 PR #944 - Don't pass null variables to snprintf.
    • PR #950 - Exclude btrfs filesystem from searching for hidden files inside directories
    • PR #953 - Prevent manage_agents from doing invalid actions on interactive mode
    • PR #964 - Csyslogd patch for sending additional FIM event information
    • 0️⃣ PR #991 - set default AR level to 7
    • 🛠 PR #1003 - JSON output, bugfix for duplicated group field
    • 🛠 PR #1004 - memory fixes in XML decoding, non-terminated strings, and searchAndReplace()
    • 🛠 PR #1016 - bugfix that prevents ossec-control from starting ossec-maild on server
    • PR #1017 - ossec-remoted, fix for openbsd canary violation
    • 🔧 PR #1020 - Allow notify_timeout to be configured server-side.
    • 🏁 PR #1021 - Windows Agent, fix for build related issues
    • PR #1027 - Fix for the "USER_AGENT_CONFIG_PROFILE" variable in preloaded-vars.conf: the variable is now honoured and a profile config line is added if it is defined. Very useful for unattended installs or binary installs.
    • 👍 PR #1089 - Retire picviz support
    • 🌲 PR #1090 - JSON output, add "id" to the json log
    • ⚡️ PR #1093 - pf.sh, update support for FreeBSD, OpenBSD, and Darwin
    • 👍 PR #1097 - ossec-batch-manager.pl, support "any" IP address
    • PR #1099 - AR, prevent duplication in hosts.deny
    • 🏁 PR #1100 - Windows agent, open received files in binary mode (because of CR/LF) so that hashes match.
    • PR #1102 - JSON output, Fix timestamp
    • 👍 PR #1116 - ossec-remoted, systemd support
    • PR #1135 - ossec-dbd, UMYSQL_DATABASE_ENABLED does not exist in the tree except this one place.
    • 🏁 PR #1137 - Windows agent, administrators group might not be present on non-english installs
    • ⚡️ PR #1148 - Update for gmake to compile on Solaris 11.2
    • ⚡️ PR #1149 - Update adduser.sh for Solaris 11.2
    • ⚡️ PR #1158 - Update shell on ossec-hids-solaris.init for Solaris 11.2
    • ⚡️ PR #1159 - Update Makefile for Solaris
    • PR #1179 - ossec-dbd, fix readme display IP as string
    • 🛠 PR #1235 - spelling fixes
    • PR #1238 - fix for dead loop in hash_op.c
    • ⚡️ PR #1255 - syscheck, update windows syscheck directories
    • PR #1256 - ossec-dbd, use port for postgresql connections
    • 🔧 PR #1257 - rootcheck, make sleep interval configurable (rootcheck.sleep)
    • PR #1258 - adduser.sh, fix the useradd and groupadd script for openbsd
    • 🚚 PR #1262 - agentless ssh.exp, remove the P's entirely to support upper and lower case
    • PR #1304 - syscheck, Don't display the errno, show the error message
    • ⏪ PR #1307 - Allow alerts.log to be turned off (DOUBLE CHECK, THIS WAS REVERTED)
    • PR #1322 - rootcheck, mysql/mariadb auditing checks
    • ⚠ PR #1336 - Disable warning on OS_PassEmptyKeyfile
    • 🚚 PR #1342 - remove execute flag on rules and config files
    • ⚠ PR #1343 - Makefile fix ar warning
    • PR #1344 - add option to exclude lua and use system zlib
    • PR #1345 - gitignore, Ignore zlib paths
    • ⚠ PR #1347 - Fix compiler warnings: Wall, Wextra
    • 🛠 PR #1374 - Bugfix for AIX building
    • PR #1382 - added rootcheck file for apache 2.2/2.4