Wazuh v4.3.0 Release Notes
Release Date: 2022-05-05
Manager
➕ Added
- ➕ Added support for Arch Linux OS in Vulnerability Detector. Thanks to Aviel Warschawski (@avielw). (#8178)
- ➕ Added a log message in the `cluster.log` file to notify that wazuh-clusterd has been stopped. (#8749)
- ➕ Added a message with the PID of the `wazuh-clusterd` process when launched in foreground mode. (#9077)
- ➕ Added time calculation when extra information is requested to the `cluster_control` binary. (#10492)
- ➕ Added a context variable to indicate the origin module in socket communication messages. (#9209)
- ➕ Added unit tests for framework/core files to increase coverage. (#9733)
- ➕ Added a verbose mode in the wazuh-logtest tool. (#9204)
- ➕ Added Vulnerability Detector support for Amazon Linux. (#8830)
- Introduced a new `<force>` option to set the behavior when Authd finds conflicts on agent enrollment requests. (#10693)
- ➕ Added sanitizers to the unit tests execution. (#9099)
- Vulnerability Detector introduces a vulnerability inventory. (#8237)
  - The manager will only deliver alerts when new vulnerabilities are detected in agents or when they stop applying.
- ➕ Added a mechanism to ensure the worker synchronization permissions is reset after a fixed period of time. (#11031)
- Included mechanism to create and handle PID files for each child process of the API and cluster. (#11799)
- ➕ Added support for Windows 11 in Vulnerability Detector. (#12446)
🔄 Changed
- 🔄 Changed the internal handling of agent keys in Remoted and Remoted to speed up key reloading. (#8083)
- 👍 The `<server>` option of the Syslog output now supports hostname resolution. (#7885)
- The product's UNIX user and group have been renamed to "wazuh". (#7763)
- The MITRE database has been redesigned to provide full and searchable data. (#7865)
- The static fields related to FIM have been ported to dynamic fields in Analysisd. (#7358)
- 🔄 Changed all randomly generated IDs used for cluster tasks. Now `uuid4` is used to ensure IDs are not repeated. (#8351)
- 👌 Improved the sendsync error log to provide more details of the used parameters. (#8873)
- 🔄 Changed the `walk_dir` function to be iterative instead of recursive. (#9708)
- 🔨 Refactored the Integrity sync behavior so that new synchronizations do not start until extra-valid files are processed. (#10183)
- 🔄 Changed cluster synchronization: now the content of the `etc/shared` folder is synchronized. (#10101)
- 🔄 Changed all XML file loads. Now the `defusedxml` library is used to avoid possible XML-based attacks. (#8351)
- 🔄 Changed configuration validation from the execq socket to the com socket. (#8535)
- ⚡️ Updated utils unittest to improve process_array function coverage. (#8392)
- 🔄 Changed the `request_slice` calculation to improve efficiency when accessing wazuh-db data. (#8885)
- 👌 Improved the retrieval of information from `wazuh-db` so it reaches the optimum size in a single iteration. (#9273)
- ⚡️ Optimized the way the framework uses context cached functions and added a note on the context_cached docstring. (#9234)
- 👌 Improved framework regexes to be more specific and less vulnerable. (#9332)
- Unified framework exceptions for non-active agents. (#9423)
- 🔄 Changed RBAC policies to case insensitive. (#9433)
- 🔨 Refactored framework stats module into SDK and core components to comply with Wazuh framework code standards. (#9548)
- ⬆️ Changed the size of the agents chunks sent to the upgrade socket to make the upgrade endpoints faster. (#10309)
- 🔨 Refactored rootcheck and syscheck SDK code to make it clearer. (#9408)
- 🔊 Adapted Azure-logs module to use Microsoft Graph API instead of Active Directory Graph API. (#9738)
- Analysisd now reconnects to Active Response if Remoted or Execd get restarted. (#8060)
- 👍 Agent key polling now supports cluster environments. (#10335)
- 👍 Extended support of Vulnerability Detector for Debian 11 (Bullseye). (#10357)
- 👌 Improved Remoted performance with an agent TCP connection sending queue. (#10326)
- 🔀 Agent DB synchronization has been boosted by caching the last data checksum in Wazuh DB. (#9093)
- ✅ Logtest now scans new ruleset files when loading a new session. (#8892)
- CVE alerts by Vulnerability Detector now include the time of detection, severity, and score. (#8237)
- 🛠 Fixed manager startup when `<database_output>` is enabled. (#10849)
- 👌 Improved cluster performance using multiprocessing.
  - Changed the cluster `local_integrity` task to run in a separate process to improve overall performance. (#10767)
  - The cluster communication with the database for agent information synchronization runs in a parallel separate process. (#10807)
  - The cluster processing of the extra-valid files in the master node is carried out in a parallel separate process. (#10920)
  - The cluster's file compression task in the master node is carried out in a parallel separate process. (#11328)
  - The processing of Integrity files in worker nodes is now carried out in a parallel separate process. (#11364)
  - Use cluster and API single processing when the wazuh user doesn't have permissions to access `/dev/shm`. (#11386)
- 📇 Changed the Ubuntu OVAL feed URL to security-metadata.canonical.com. (#12491)
- Let Analysisd warn about missing rule dependencies instead of rejecting the ruleset. (#12652)
🛠 Fixed
- 🛠 Fixed a memory defect in Remoted when closing connection handles. (#8223)
- 🛠 Fixed a timing problem in the manager that might prevent Analysisd from sending Active responses to agents. (#7625)
- 🛠 Fixed a bug in Analysisd that did not apply field lookup in rules that overwrite other ones. (#8210)
- Prevented the manager from leaving dangling agent database files. (#8902)
- Corrected remediation message for error code 6004. (#8254)
- 🛠 Fixed a bug when deleting non-existing users or roles in the security SDK. (#8157)
- 🛠 Fixed a bug with `agent.conf` file permissions when creating an agent group. (#8418)
- 🛠 Fixed wrong exceptions in the wdb pagination mechanism. (#8422)
- 🛠 Fixed an error when loading some rules containing the `\` character. (#8747)
- 🔄 Changed the `WazuhDBQuery` class to properly close socket connections and prevent file descriptor leaks. (#9216)
- 🛠 Fixed an error in the API configuration when using the `agent_upgrade` script. (#10320)
- 🖐 Handle `JSONDecodeError` in Distributed API class methods. (#10341)
- 🛠 Fixed an issue with duplicated logs in the Azure-logs module and applied several improvements to it. (#9738)
- 🛠 Fixed the query parameter validation to allow usage of special chars in Azure module. (#10680)
- 🛠 Fix a bug running wazuh-clusterd process when it was already running. (#8394)
- 👍 Allow cluster to send and receive messages with size higher than request_chunk. (#8732)
- 🛠 Fixed a bug that caused the `wazuh-clusterd` process not to delete its pidfile when running in foreground mode and stopped. (#9077)
- 🛠 Fixed a race condition due to lack of atomicity in the cluster synchronization mechanism. (#10376)
- 🛠 Fixed a bug when displaying the dates of cluster tasks that have not finished yet. Now `n/a` is displayed in these cases. (#10492)
- 🛠 Fixed the missing field `value_type` in FIM alerts. (#9196)
- 🛠 Fixed a typo in the SSH Integrity Check script for Agentless. (#9292)
- 🛠 Fixed multiple race conditions in Remoted. (#10421)
- 🚚 The manager's agent database has been fixed to prevent dangling entries from removed agents. (#10390)
- 🛠 Fixed the alerts generated by FIM when a lookup operation on an SID fails. (#9765)
- 🛠 Fixed a bug that caused cluster agent-groups files to be synchronized multiple times unnecessarily. (#10866)
- 🛠 Fixed an issue in Wazuh DB that compiled the SQL statements multiple times unnecessarily. (#10922)
- 🛠 Fixed a crash in Analysisd when setting Active Response with agent_id = 0. (#10948)
- 🛠 Fixed an uninitialized Blowfish encryption structure warning. (#11161)
- 🛠 Fixed a memory overrun hazard in Vulnerability Detector. (#11262)
- 🛠 Fixed a bug when using a limit parameter higher than the total number of objects in the wazuh-db queries. (#11282)
- Prevented a false positive for MySQL in Vulnerability Detector. (#11440)
- 🛠 Fixed segmentation fault in Analysisd when setting the number of queues to zero. (#11448)
- 🛠 Fixed false positives in Vulnerability Detector when scanning OVAL for Ubuntu Xenial and Bionic. (#11440)
- 🛠 Fixed an argument injection hazard in the Pagerduty integration script. Reported by Jose Maria Zaragoza (@JoseMariaZ). (#11835)
- 🛠 Fixed memory leaks in the feed parser at Vulnerability Detector. (#11863)
  - Architecture data member from the RHEL 5 feed.
  - RHSA items containing no CVEs.
  - Unused RHSA data member when parsing Debian feeds.
- 🚦 Prevented Authd from exiting due to a pipe signal if Wazuh DB gets closed. (#12368)
- 🛠 Fixed a buffer handling bug in Remoted that left the syslog TCP server stuck. (#12415)
- 🛠 Fixed a memory leak in Vulnerability Detector when discarding kernel packages. (#12644)
- 🛠 Fixed a memory leak at wazuh-logtest-legacy when matching a level-0 rule. (#12655)
- 🛠 Fixed a bug in the Vulnerability Detector CPE helper that could produce false positives about Firefox ESR. (#13067)
✂ Removed
- 🗄 The data reporting for Rootcheck scans in the agent_control tool has been deprecated. (#8399)
- ✂ Removed old framework functions used to calculate agent status. (#8846)
Agent
➕ Added
- ➕ Added an option to allow the agent to refresh the connection to the manager. (#8016)
- 🔊 Introduced a new module to collect audit logs from GitHub. (#8532)
- 🏁 FIM now expands wildcarded paths in the configuration on Windows agents. (#8461)
- FIM reloads wildcarded paths on full scans. (#8754)
- ➕ Added a new `path_suffix` option to the AWS module configuration. (#8306)
- ➕ Added a new `discard_regex` option to the AWS module configuration. (#8331)
- ➕ Added support for the S3 Server Access bucket type in the AWS module. (#8482)
- ➕ Added support for Google Cloud Storage buckets using a new GCP module called `gcp-bucket`. (#9119)
- ➕ Added support for VPC endpoints in the AWS module. (#9420)
- ➕ Added support for GCS access logs in the GCP module. (#9279)
- ➕ Added an iam role session duration parameter to AWS module. (#10198)
- ➕ Added support for variables in SCA policies. (#8826)
- 👍 FIM now fills an audit rule file to support who-data even when Audit is in immutable mode. (#7721)
- 🔊 Introduced an integration to collect audit logs from Office365. (#8957)
- ➕ Added a new `DisplayVersion` field to Syscollector to help Vulnerability Detector match vulnerabilities for Windows. (#10168)
- ➕ Added support for macOS agent upgrade via WPK. (#10148)
- ➕ Added Logcollector support for macOS logs (Unified Logging System). (#8632)
🔄 Changed
- The agent now reports the version of the running AIX operating system to the manager. (#8381)
- 👌 Improved the reliability of the user ID parsing in FIM who-data mode on Linux. (#8604)
- 🔊 Extended support of Logcollector for MySQL 4.7 logs. Thanks to @YoyaYOSHIDA. (#5047)
- Agents running on FreeBSD and OpenBSD now report their IP address. (#9887)
- ⬇️ Reduced verbosity of FIM debugging logs. (#8202)
- The agent's IP resolution frequency has been limited to prevent high CPU load. (#9992)
- ⚡️ Syscollector has been optimized to use less memory. (#10236)
- ➕ Added support of ZscalerOS system information in the agent. (#10337)
- 🚑 Syscollector has been extended to collect missing Microsoft product hotfixes. (#10259)
- ⚡️ Updated the osquery integration to find the new osqueryd location as of version 5.0. (#10396)
- The internal FIM data handling has been simplified to find files by their path instead of their inode. (#9123)
- 🏁 Reimplemented the WPK installer rollback on Windows. (#9764)
- 🏁 Active responses for Windows agents now support native fields from Eventchannel. (#10208)
- 🔊 Error logs by Logcollector when a file is missing have been changed to info logs. (#10651)
- 🏁 The agent MSI installer for Windows now detects the platform version to install the default configuration. (#8724)
- 🔊 Agent logs for inability to resolve the manager hostname now have info level. (#3659)
- ➕ Added ID number to connection enrollment logs. (#11276)
- 🔊 Standardized the use of the `only_logs_after` parameter in the external integration modules. (#10838)
- ⚡️ Updated the DockerListener integration shebang to python3 for Wazuh agents. (#12150)
- ⚡️ Updated the Windows installer ico and png assets to the new logo. (#12779)
🛠 Fixed
- 🛠 Fixed a bug in FIM that did not allow monitoring new directories in real-time mode if the limit was reached at some point. (#8784)
- 🛠 Fixed a bug in FIM that threw an error when a query to the internal database returned no data. (#8941)
- 🛠 Fixed an error where the IP address was being returned along with the port for the Amazon NLB service. (#8362)
- 🛠 Fixed the AWS module to properly handle the exception raised when processing a folder without logs. (#8372)
- 🛠 Fixed a bug with AWS module when pagination is needed in the bucket. (#8433)
- 🛠 Fixed an error with the ipGeoLocation field in AWS Macie logs. (#8672)
- 🔄 Changed an incorrect debug message in the GCloud integration module. (#10333)
- 🛠 Data race conditions have been fixed in FIM. (#7848)
- 🛠 Fixed wrong command line display in the Syscollector process report on Windows. (#10011)
- Prevented Modulesd from freezing if Analysisd or Agentd get stopped before it. (#10249)
- 🛠 Fixed wrong keepalive message from the agent when file merged.mg is missing. (#10405)
- 🛠 Fixed missing logs from the Windows agent when it's getting stopped. (#10381)
- 🛠 Fixed missing packages reporting in Syscollector for macOS due to empty architecture data. (#10524)
- 🛠 Fixed FIM on Linux to parse audit rules with multiple keys for who-data. (#7506)
- 🛠 Fixed Windows 11 version collection in the agent. (#10639)
- 🛠 Fixed missing Eventchannel location in Logcollector configuration reporting. (#10602)
- ⚡️ Updated CloudWatch Logs integration to avoid crashing when AWS raises Throttling errors. (#10794)
- 🛠 Fixed AWS modules' log file filtering when there are logs with and without a prefix mixed in a bucket. (#10718)
- 🛠 Fixed a bug in the installation script that prevented upgrades from updating the code of the external integration modules. (#10884)
- 🛠 Fixed issue with AWS integration module trying to parse manually created folders as if they were files. (#10921)
- 🛠 Fixed installation errors in OS with no subversion. (#11086)
- 🛠 Fixed a typo in an error log about enrollment SSL certificate. (#11115)
- 🛠 Fixed unit tests for Windows agent when built on MinGW 10. (#11121)
- 🛠 Fixed Windows agent compilation warnings. (#10942)
- 🛠 Fixed the OS version reported by the agent on OpenSUSE Tumbleweed. (#11207)
- 🐧 Prevented Syscollector from truncating the open port inode numbers on Linux. (#11329)
- 🛠 Fixed agent auto-restart on configuration changes when started via `wazuh-control` on a Systemd based Linux OS. (#11365)
- 🛠 Fixed a bug in the AWS module resulting in unnecessary API calls when trying to obtain the different Account IDs for the bucket. (#10952)
- 🛠 Fixed Azure integration's configuration parsing to allow omitting optional parameters. (#11278)
- 🛠 Fixed Azure Storage credentials validation bug. (#11296)
- 🛠 Fixed the read of the hostname in the installation process for openSUSE. (#11455)
- 🛠 Fixed the graceful shutdown when agent loses connection. (#11425)
- 🛠 Fixed error "Unable to set server IP address" on the Windows agent. (#11736)
- 🛠 Fixed reparse option in the AWS VPCFlow and Config integrations. (#11608)
- ✂ Removed unnecessary calls to the AWS API made by the VPCFlow and Config integration modules. (#11644)
- 🛠 Fixed how the AWS Config module parses the dates used to request logs from AWS. (#12324)
- 🔊 Let Logcollector audit format parse logs with a custom name_format. (#12676)
- 🛠 Fixed Agent bootstrap issue that might lead to startup timeout when it cannot resolve a manager hostname. (#12704)
- 🛠 Fixed a bug in the agent's leaky bucket throughput regulator that could leave it stuck if the time is advanced on Windows. (#13088)
✂ Removed
- ✂ Removed oscap module files as it was already deprecated since v4.0.0. (#10900)
RESTful API
➕ Added
- ➕ Added a new `PUT /agents/reconnect` endpoint to force agents to reconnect to the manager. (#7988)
- ➕ Added the `select` parameter to the `GET /security/users`, `GET /security/roles`, `GET /security/rules` and `GET /security/policies` endpoints. (#6761)
- ➕ Added type and status filters to the `GET /vulnerability/{agent_id}` endpoint. (#8100)
- ➕ Added an option to configure SSL ciphers. (#7490)
- ➕ Added an option to configure the maximum response time of the API. (#8919)
- ➕ Added a new `DELETE /rootcheck/{agent_id}` endpoint. (#8945)
- ➕ Added a new `GET /vulnerability/{agent_id}/last_scan` endpoint to check the latest vulnerability scan of an agent. (#9028)
- ➕ Added new `cvss` and `severity` fields and filters to the `GET /vulnerability/{agent_id}` endpoint. (#9028)
- ➕ Added an option to configure the maximum allowed API upload size. (#9100)
- ➕ Added new unit and integration tests for API models. (#9142)
- ➕ Added a message with the PID of the `wazuh-apid` process when launched in foreground mode. (#9077)
- ➕ Added `external id`, `source` and `url` to the MITRE endpoints responses. (#9144)
- ➕ Added custom healthchecks for legacy agents in API integration tests, improving maintainability. (#9297)
- ➕ Added new unit tests for the API python module to increase coverage. (#9914)
- ➕ Added docker logs separately in API integration tests environment to get cleaner reports. (#10238)
- ➕ Added a new `disconnection_time` field to the `GET /agents` response. (#10437)
- ➕ Added new filters to the agents upgrade endpoints. (#10457)
- ➕ Added new API endpoints to access all the MITRE information. (#8288)
- 👉 Show the agent-info permissions flag when using cluster_control and in the `GET /cluster/healthcheck` API endpoint. (#10947)
- 💾 Save agents' ossec.log if an API integration test fails. (#11931)
- ➕ Added the `POST /security/user/authenticate/run_as` endpoint to the API bruteforce blocking system. (#12085)
- ➕ Added a new API endpoint to obtain summaries of agent vulnerabilities' inventory items. (#12638)
- ⚡️ Added the fields `external_references`, `condition`, `title`, `published` and `updated` to the `GET /vulnerability/{agent_id}` API endpoint. (#12727)
- ➕ Added the possibility to include strings in brackets in values of the `q` parameter. (#13262)
🔄 Changed
- 🔧 Renamed SSL protocol configuration parameter. (#7490)
- ⚡️ Reviewed and updated API spec examples and JSON body examples. (#8827)
- 👌 Improved the performance of several API endpoints. This is especially noticeable in environments with a large number of agents.
  - Improved the `PUT /agents/group` endpoint. (#8937)
  - Improved the `PUT /agents/restart` endpoint. (#8938)
  - Improved the `DELETE /agents` endpoint. (#8950)
  - Improved the `PUT /rootcheck` endpoint. (#8959)
  - Improved the `PUT /syscheck` endpoint. (#8966)
  - Improved the `DELETE /groups` endpoint and changed the API response to be more consistent. (#9046)
- 🔄 Changed the `DELETE /rootcheck` endpoint to `DELETE /experimental/rootcheck`. (#8945)
- ⬇️ Reduced the time it takes for the `wazuh-apid` process to check its configuration when using the `-t` parameter. (#9012)
- 🛠 Fixed a malfunction in the `sort` parameter of the syscollector endpoints. (#9019)
- 👌 Improved API integration tests stability when failing in entrypoint. (#9113)
- ✅ Made SCA API integration tests dynamic to validate responses coming from any agent version. (#9228)
- 🔨 Refactored and standardized all the date fields in the API responses to use ISO8601. (#9227)
- ✂ Removed the `Server` header from API HTTP responses. (#9263)
- 👌 Improved the JWT implementation by replacing the HS256 signing algorithm with RS256. (#9371)
- ✂ Removed limit of agents to upgrade using the API upgrade endpoints. (#10009)
- 🔄 Changed Windows agents FIM responses to return permissions as JSON. (#10158)
- Adapted API endpoints to changes in the `wazuh-authd` daemon `force` parameter. (#10389)
- Deprecated the `use_only_authd` API configuration option and related functionality. `wazuh-authd` will always be required for creating and removing agents. (#10512)
- 👌 Improved API validators and related unit tests. (#10745)
- 👌 Improved specific module healthchecks in API integration tests environment. (#10905)
- 🔄 Changed thread pool executors for process pool executors to improve API availability. (#10916)
- 🔄 Changed HTTPS options to use files instead of relative paths. (#11410)
🛠 Fixed
- 🛠 Fixed an inconsistency in RBAC resources for the `group:create`, `decoders:update`, and `rules:update` actions. (#8196)
- 🛠 Fixed the handling of an API error message occurring when Wazuh is started with a wrong `ossec.conf`. Now the execution continues and raises a warning. (#8378)
- 🛠 Fixed a bug with the `sort` parameter that caused a wrong response when sorting by several fields. (#8548)
- 🛠 Fixed the description of the `force_time` parameter in the API spec reference. (#8597)
- 🛠 Fixed an incorrect API path in the remediation message when the maximum number of requests per minute is reached. (#8537)
- 🛠 Fixed agents' healthcheck error in the API integration test environment. (#9071)
- 🛠 Fixed a bug with the `wazuh-apid` process handling of pidfiles when running in foreground mode. (#9077)
- 🛠 Fixed a bug with RBAC `group_id` matching. (#9192)
- ✂ Removed temporary development keys and values from the `GET /cluster/healthcheck` response. (#9147)
- 🛠 Fixed several errors when filtering by dates. (#9227)
- 🛠 Fixed the limit in some endpoints like `PUT /agents/group/{group_id}/restart` and added a pagination method. (#9262)
- 🛠 Fixed a bug with the `search` parameter resulting in invalid results. (#9320)
- 🛠 Fixed wrong values of the `external_id` field in MITRE resources. (#9368)
- 🛠 Fixed how the API integration testing environment checks that the `wazuh-apid` daemon is running before starting the tests. (#9399)
- ➕ Added a healthcheck to verify that `logcollector` stats are ready before starting the API integration test. (#9777)
- 🛠 Fixed the API integration test healthcheck used in the `vulnerability` test cases. (#10159)
- 🛠 Fixed an error with the `PUT /agents/node/{node_id}/restart` endpoint when no agents are present in the selected node. (#10179)
- 🛠 Fixed RBAC experimental API integration tests expecting a 1760 code in implicit requests. (#10322)
- 🛠 Fixed cluster race condition that caused API integration test to randomly fail. (#10289)
- 🛠 Fixed the `PUT /agents/node/{node_id}/restart` endpoint to exclude exception codes properly. (#10619)
- 🛠 Fixed the `PUT /agents/group/{group_id}/restart` endpoint to exclude exception codes properly. (#10666)
- 🛠 Fixed the agent endpoints `q` parameter to allow more operators when filtering by groups. (#10656)
- 🛠 Fixed API integration tests related to rule, decoder and task endpoints. (#10830)
- 👌 Improved exceptions handling when starting the Wazuh API service. (#11411)
- 🛠 Fixed race condition while creating RBAC database. (#11598)
- 🛠 Fixed API integration tests failures caused by race conditions. (#12102)
✂ Removed
- ✂ Removed the `select` parameter from the `GET /agents/stats/distinct` endpoint. (#8599)
- ✂ Removed the `GET /mitre` endpoint. (#8099)
- 🔧 Deprecated the option to set the log `path` in the configuration. (#11410)
Ruleset
➕ Added
- ➕ Added Carbanak detection rules. (#11306)
- ➕ Added Cisco FTD rules and decoders. (#11309)
- ➕ Added decoders for AWS EKS service. (#11284)
- ➕ Added F5 BIG IP ruleset. (#11394)
- ➕ Added GCP VPC Storage, Firewall and Flow rules. (#11191)
- ➕ Added Gitlab v12 ruleset. (#11323)
- ➕ Added Microsoft Exchange Server rules and decoders. (#11289)
- ➕ Added Microsoft Windows persistence by using registry keys detection. (#11390)
- ➕ Added Oracle Database 12c rules and decoders. (#11274)
- ➕ Added rules for Carbanak step 1.A - User Execution: Malicious File. (#8476)
- ➕ Added rules for Carbanak step 2.A - Local Discovery. (#11212)
- ➕ Added rules for Carbanak step 2.B - Screen Capture. (#9075)
- ➕ Added rules for Carbanak step 5.B - Lateral Movement via SSH. (#9097)
- ➕ Added rules for Carbanak step 9.A - User Monitoring. (#11342)
- ➕ Added rules for Cloudflare WAF. (#11373)
- ➕ Added ruleset for ESET Remote console. (#11013)
- ➕ Added ruleset for GITHUB audit logs. (#8532)
- ➕ Added ruleset for Palo Alto v8.X - v10.X. (#11137)
- ➕ Added SCA policy for Amazon Linux 1. (#11431)
- ➕ Added SCA policy for Amazon Linux 2. (#11480)
- ➕ Added SCA policy for apple macOS 10.14 Mojave. (#7035)
- ➕ Added SCA policy for apple macOS 10.15 Catalina. (#7036)
- ➕ Added SCA policy for macOS Big Sur. (#11454)
- ➕ Added SCA policy for Microsoft IIS 10. (#11250)
- ➕ Added SCA policy for Microsoft SQL 2016. (#11249)
- ➕ Added SCA policy for Mongo Database 3.6. (#11247)
- ➕ Added SCA policy for NGINX. (#11248)
- ➕ Added SCA policy for Oracle Database 19c. (#11245)
- ➕ Added SCA policy for PostgreSQL 13. (#11154)
- ➕ Added SCA policy for SUSE Linux Enterprise Server 15. (#11223)
- ➕ Added SCA policy for Ubuntu 14. (#11432)
- ➕ Added SCA policy for Ubuntu 16. (#11452)
- ➕ Added SCA policy for Ubuntu 18. (#11453)
- ➕ Added SCA policy for Ubuntu 20. (#11430)
- ➕ Added SCA policy for Solaris 11.4. (#11286)
- ➕ Added Sophos UTM Firewall ruleset. (#11122)
- ➕ Added Wazuh-api ruleset. (#11357)
🔄 Changed
- ⚡️ Updated audit rules. (#11016)
- ⚡️ Updated AWS s3 ruleset. (#11177)
- ⚡️ Updated Exim 4 decoder and rules to latest format. (#11344)
- ⚡️ Updated MITRE DB with latest MITRE JSON specification. (#8738)
- Updated multiple rules to remove alert_by_email option. (#11255)
- ⚡️ Updated NextCloud ruleset. (#11795)
- ⚡️ Updated ProFTPD decoder. (#11232)
- ⚡️ Updated RedHat Enterprise Linux 8 SCA up to version 1.0.1. (#11242)
- ⚡️ Updated rules and decoders for FortiNet products. (#11100)
- ⚡️ Updated SCA policy for CentOS 7. (#11429)
- ⚡️ Updated SCA policy for CentOS 8. (#8751)
- ⚡️ Updated SonicWall rules decoder. (#11263)
- ⚡️ Updated SSHD ruleset. (#11388)
- 🚚 From file 0580-win-security_rules.xml, rules with id 60198 and 60199 are moved to file 0585-win-application_rules.xml, with rule ids 61071 and 61072 respectively. (#8552)
🛠 Fixed
- 🛠 Fixed bad character on rules 60908 and 60884 - win-application rules. (#11117)
- 🛠 Fixed Microsoft logs rules. (#11369)
- 🛠 Fixed PHP rules for MITRE and groups. (#11405)
- 🛠 Fixed rules id for Microsoft Windows Powershell. (#11214)
Other
🔄 Changed
- ⬆️ Upgraded external SQLite library dependency version to 3.36. (#10247)
- ⬆️ Upgraded external BerkeleyDB library dependency version to 18.1.40. (#10247)
- ⬆️ Upgraded external OpenSSL library dependency version to 1.1.1l. (#10247)
- ⬆️ Upgraded external Google Test library dependency version to 1.11. (#10927)
- ⬆️ Upgraded external Aiohttp library dependency version to 3.8.1. ([#11436](https://github.com/wazuh/wazuh/pull/11436))
- ⬆️ Upgraded external Werkzeug library dependency version to 2.0.2. ([#11436](https://github.com/wazuh/wazuh/pull/11436))
- ⬆️ Upgraded embedded Python version to 3.9.9. ([#11436](https://github.com/wazuh/wazuh/pull/11436))
🛠 Fixed
- 🛠 Fixed error detection in the CURL helper library. (#9168)
- 🛠 Fixed external BerkeleyDB library support for GCC 11. (#10899)
- 🛠 Fixed an installation error due to missing OS minor version on CentOS Stream. (#11086)
- 🛠 Fixed an installation error due to the missing command `hostname` on OpenSUSE Tumbleweed. (#11455)