diff --git a/CHANGELOG.md b/CHANGELOG.md
index a3db58bea28..ff64b017d06 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -235,6 +235,7 @@ All notable changes to this project will be documented in this file.
- Added `POST /security/user/authenticate/run_as` endpoint to API bruteforce blocking system. ([#12085](https://github.com/wazuh/wazuh/pull/12085))
- Added new API endpoint to obtain summaries of agent vulnerabilities' inventory items. ([#12638](https://github.com/wazuh/wazuh/pull/12638))
- Added fields external_references, condition, title, published and updated to GET /vulnerability/{agent_id} API endpoint. ([#12727](https://github.com/wazuh/wazuh/pull/12727))
+- Added the possibility to include strings in brackets in values of the `q` parameter. ([#13262](https://github.com/wazuh/wazuh/pull/13262]))
#### Changed
@@ -356,6 +357,7 @@ All notable changes to this project will be documented in this file.
- Updated SCA policy for CentOS 8. ([#8751](https://github.com/wazuh/wazuh/pull/8751))
- Updated SonicWall rules decoder. ([#11263](https://github.com/wazuh/wazuh/pull/11263))
- Updated SSHD ruleset. ([#11388](https://github.com/wazuh/wazuh/pull/11388))
+- From file 0580-win-security_rules.xml, rules with id 60198 and 60199 are moved to file 0585-win-application_rules.xml, with rule ids 61071 and 61072 respectively. ([#8552](https://github.com/wazuh/wazuh/pull/8552))
#### Fixed
diff --git a/framework/wazuh/tests/data/schema_cve_test.sql b/framework/wazuh/tests/data/schema_cve_test.sql
index 67ea9999e8b..8309424af4f 100644
--- a/framework/wazuh/tests/data/schema_cve_test.sql
+++ b/framework/wazuh/tests/data/schema_cve_test.sql
@@ -78,5 +78,14 @@ VALUES ('Smokedetector', '-', 'x86', 'CVE-2019-1020011', 'PACKAGE', 'PENDING', '
'SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority.',
'2019-07-29', '2021-07-21');
+INSERT INTO vuln_cves (name, version, architecture, cve, type, status, detection_time, severity, cvss2_score,
+ cvss3_score, reference, external_references, condition, title, published, updated)
+VALUES ('Mozilla Firefox 53.0 (x64 en-US)', '53.0', 'x64', 'CVE-2021-38503', 'PACKAGE', 'OBSOLETE', '1623656949', 'High', 7.5, 10,
+ 'ab712fb636baccbb7484f7b3daf5b4c0ce485960',
+ '["https://www.mozilla.org/security/advisories/mfsa2021-48/","https://bugzilla.mozilla.org/show_bug.cgi?id=1729517","https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html"]',
+ 'Package unfixed',
+ 'The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.',
+ '2021-08-12', '2022-03-16');
+
INSERT INTO vuln_metadata (LAST_PARTIAL_SCAN, LAST_FULL_SCAN)
VALUES (1623656949, 1623656751);
diff --git a/framework/wazuh/tests/test_vulnerability.py b/framework/wazuh/tests/test_vulnerability.py
index 4cd7db132e8..180e6303eb7 100644
--- a/framework/wazuh/tests/test_vulnerability.py
+++ b/framework/wazuh/tests/test_vulnerability.py
@@ -39,17 +39,20 @@ def send_msg_to_wdb(msg, raw=False):
@pytest.mark.parametrize('params, field_name, expected_items', [
- ({}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014', 'CVE-2019-1020018', 'CVE-2019-1020019', 'CVE-2019-1020011']),
+ ({}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014', 'CVE-2019-1020018', 'CVE-2019-1020019', 'CVE-2021-38503',
+ 'CVE-2019-1020011']),
({'limit': 2}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014']),
- ({'offset': 4, 'limit': 1}, 'cve', ['CVE-2019-1020011']),
+ ({'offset': 5, 'limit': 1}, 'cve', ['CVE-2019-1020011']),
({'sort': parse_api_param('+name', 'sort')}, 'name', ['Ash-aio', 'Credential Helpers', 'Discourse',
- 'Invenio-previewer', 'Smokedetector']),
- ({'sort': parse_api_param('-name', 'sort')}, 'name', ['Smokedetector', 'Invenio-previewer', 'Discourse',
- 'Credential Helpers', 'Ash-aio']),
+ 'Invenio-previewer', 'Mozilla Firefox 53.0 (x64 en-US)',
+ 'Smokedetector']),
+ ({'sort': parse_api_param('-name', 'sort')}, 'name', ['Smokedetector', 'Mozilla Firefox 53.0 (x64 en-US)',
+ 'Invenio-previewer', 'Discourse', 'Credential Helpers',
+ 'Ash-aio']),
({'sort': parse_api_param('+cve', 'sort')}, 'cve', ['CVE-2019-1020011', 'CVE-2019-1020014', 'CVE-2019-1020016',
- 'CVE-2019-1020018', 'CVE-2019-1020019']),
- ({'sort': parse_api_param('-cve', 'sort')}, 'cve', ['CVE-2019-1020019', 'CVE-2019-1020018', 'CVE-2019-1020016',
- 'CVE-2019-1020014', 'CVE-2019-1020011']),
+ 'CVE-2019-1020018', 'CVE-2019-1020019', 'CVE-2021-38503']),
+ ({'sort': parse_api_param('-cve', 'sort')}, 'cve', ['CVE-2021-38503', 'CVE-2019-1020019', 'CVE-2019-1020018',
+ 'CVE-2019-1020016', 'CVE-2019-1020014', 'CVE-2019-1020011']),
({'search': parse_api_param('PowerPC', 'search')}, 'cve', ['CVE-2019-1020018']),
({'search': parse_api_param('x86', 'search')}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014', 'CVE-2019-1020011']),
({'search': parse_api_param('-x86', 'search')}, 'cve', ['CVE-2019-1020018', 'CVE-2019-1020019']),
@@ -60,11 +63,11 @@ def send_msg_to_wdb(msg, raw=False):
({'filters': {'version': '0.1.0', 'architecture': 'ARM'}}, 'cve', ['CVE-2019-1020019']),
({'filters': {'cve': 'CVE-2019-1020016'}}, 'cve', ['CVE-2019-1020016']),
({'filters': {'cve': 'CVE-2019-1020016', 'architecture': 'ARM'}}, 'cve', []),
- ({'filters': {'status': 'OBSOLETE'}}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014']),
+ ({'filters': {'status': 'OBSOLETE'}}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014', 'CVE-2021-38503']),
({'filters': {'status': 'VALID'}}, 'cve', ['CVE-2019-1020018', 'CVE-2019-1020019']),
({'filters': {'status': 'PENDING'}}, 'cve', ['CVE-2019-1020011']),
({'filters': {'type': 'OS'}}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020018', 'CVE-2019-1020019']),
- ({'filters': {'type': 'PACKAGE'}}, 'cve', ['CVE-2019-1020014', 'CVE-2019-1020011']),
+ ({'filters': {'type': 'PACKAGE'}}, 'cve', ['CVE-2019-1020014', 'CVE-2021-38503', 'CVE-2019-1020011']),
({'q': 'name=Ash-aio;version>1.5'}, 'cve', ['CVE-2019-1020016']),
({'q': 'name=Ash-aio;version>2.5'}, 'cve', []),
({'q': 'architecture=ARM,architecture=PowerPC'}, 'cve', ['CVE-2019-1020018', 'CVE-2019-1020019']),
@@ -73,7 +76,9 @@ def send_msg_to_wdb(msg, raw=False):
({'q': 'condition!=Package unfixed'}, 'cve', []),
({'q': 'published>2019-07-28;updated<2019-08-31'}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020019']),
({'q': 'title~docker-credential-helpers before 0.6.3'}, 'cve', ['CVE-2019-1020014']),
- ({'select': ['architecture'], 'distinct': False}, 'architecture', ['x86', 'x86', 'PowerPC', 'ARM', 'x86']),
+ ({'q': 'name=Mozilla Firefox 53.0 (x64 en-US)'}, 'cve', ['CVE-2021-38503']),
+ ({'q': '(name=Mozilla Firefox 53.0 (x64 en-US),version!=53.0);architecture=x64'}, 'cve', ['CVE-2021-38503']),
+ ({'select': ['architecture'], 'distinct': False}, 'architecture', ['x86', 'x86', 'PowerPC', 'ARM', 'x64', 'x86']),
({'select': ['architecture'], 'distinct': True}, 'architecture', ['x86', 'PowerPC', 'ARM']),
])
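Review bot: The `distinct: True` expectation on the line just above the list close is left at `['x86', 'PowerPC', 'ARM']` while the non-distinct case two lines earlier now includes `'x64'` from the new Firefox row; unless the distinct path drops that row for a reason not visible here, the distinct case should become `['x86', 'PowerPC', 'ARM', 'x64']`. The bracket-parsing case `'(name=Mozilla Firefox 53.0 (x64 en-US),version!=53.0);architecture=x64'` is the one that actually exercises the new `q` feature, so a short inline comment such as `# nested parentheses inside a q value must not be mistaken for grouping` would help a future reader understand why that odd-looking string is here. The parametrize list continues above the hunk.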
@patch('wazuh.core.utils.path.exists', return_value=True)
@@ -132,5 +137,5 @@ def test_vulnerability_get_inventory_summary(socket_mock, send_mock, exists_mock
# Check that result is sorted by count values
result = get_inventory_summary(agent_list=[agent_id], field=field, limit=limit)
- assert result['data'][field] == {'High': 2}, f'Expected "High" to be the severity with the most entries based on ' \
+ assert result['data'][field] == {'High': 3}, f'Expected "High" to be the severity with the most entries based on ' \
'our testing database'
diff --git a/ruleset/rules/0085-pam_rules.xml b/ruleset/rules/0085-pam_rules.xml
index bf88982f8eb..20f098a3d23 100644
--- a/ruleset/rules/0085-pam_rules.xml
+++ b/ruleset/rules/0085-pam_rules.xml
@@ -34,6 +34,9 @@
5500
authentication failure; logname=
PAM: User login failed.
+
+ T1110.001
+
authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
@@ -110,6 +113,9 @@
5556
password check failed
unix_chkpwd: Password check failed.
+
+ T1110.001
+
authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_4.3,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
diff --git a/ruleset/rules/0095-sshd_rules.xml b/ruleset/rules/0095-sshd_rules.xml
index 964859f2b8d..859276e189e 100644
--- a/ruleset/rules/0095-sshd_rules.xml
+++ b/ruleset/rules/0095-sshd_rules.xml
@@ -91,7 +91,9 @@
illegal user|invalid user
sshd: Attempt to login using a non-existent user
- T1110
+ T1110.001
+ T1021.004
+ T1078
authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
@@ -455,6 +457,10 @@
5700,5716
Failed password|Failed keyboard|authentication error
sshd: authentication failed.
+
+ T1110.001
+ T1021.004
+
authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
diff --git a/ruleset/rules/0580-win-security_rules.xml b/ruleset/rules/0580-win-security_rules.xml
index c891b7937c6..f8d6bd6185a 100644
--- a/ruleset/rules/0580-win-security_rules.xml
+++ b/ruleset/rules/0580-win-security_rules.xml
@@ -238,6 +238,10 @@
^529$|^4625$
no_full_log
Logon failure - Unknown user or bad password.
+
+ T1078
+ T1531
+
authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
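Review bot: Tagging a logon-failure rule (event IDs 529/4625) with T1531 looks like a loose fit: T1531 covers account access removal as an impact technique, whereas a failed logon is closer to the credential-access mapping (T1110.001) used for the equivalent PAM and sshd rules elsewhere in this commit. If the intent is to flag the lockout side-effect of brute forcing, the mapping may still be defensible, but it would be worth a one-line comment in the rule stating that reasoning, since downstream MITRE dashboards will aggregate on these IDs.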
diff --git a/src/client-agent/buffer.c b/src/client-agent/buffer.c
index e1af9bd3359..0b949d86a55 100644
--- a/src/client-agent/buffer.c
+++ b/src/client-agent/buffer.c
@@ -235,7 +235,10 @@ void *dispatch_buffer(__attribute__((unused)) void * arg){
gettime(&ts1);
time_sub(&ts1, &ts0);
- delay(&ts1);
+
+ if (ts1.tv_sec >= 0) {
+ delay(&ts1);
+ }
}
}
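Review bot: The new guard only inspects `ts1.tv_sec`, so whether a result of `time_sub` with `tv_sec == 0` and a negative `tv_nsec` can still reach `delay` depends on how `time_sub` normalizes the pair, which is not visible here; if it does not normalize, the check should cover both fields. The reason for the guard is also not stated, so a comment like `// Clock went backwards (monotonic not guaranteed): skip the sleep rather than pass a negative interval` above the `if` would save the next reader a trip through `time_sub`. `dispatch_buffer` begins outside the hunk.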
diff --git a/src/error_messages/error_messages.h b/src/error_messages/error_messages.h
index a76d7694bea..8d5d9762662 100644
--- a/src/error_messages/error_messages.h
+++ b/src/error_messages/error_messages.h
@@ -450,7 +450,7 @@
#define FIM_ERROR_WHODATA_AUDIT_SUPPORT "(6620): Audit support not built. Whodata is not available."
#define FIM_ERROR_WHODATA_EVENTCHANNEL "(6621): Event Channel subscription could not be made. Whodata scan is disabled."
#define FIM_ERROR_WHODATA_RESTORE_POLICIES "(6622): There is no backup of audit policies. Policies will not be restored."
-
+#define FIM_ERROR_WHODATA_UNINITIALIZED "(6623): Trying to monitor '%s' in who-data mode, but who-data is not initialized."
#define FIM_ERROR_WHODATA_NOTFIND_DIRPOS "(6625): The '%s' file does not have an associated directory."
#define FIM_ERROR_WHODATA_HANDLER_REMOVE "(6626): The handler '%s' could not be removed from the whodata hash table."
diff --git a/src/syscheckd/main.c b/src/syscheckd/main.c
index 00f8bbe6e48..9748e4ee0c7 100644
--- a/src/syscheckd/main.c
+++ b/src/syscheckd/main.c
@@ -294,6 +294,15 @@ int main(int argc, char **argv)
dir_it->options |= REALTIME_ACTIVE;
}
}
+
+ OSList_foreach(node_it, syscheck.wildcards) {
+ dir_it = node_it->data;
+ if (dir_it->options & WHODATA_ACTIVE) {
+ dir_it->options &= ~WHODATA_ACTIVE;
+ dir_it->options |= REALTIME_ACTIVE;
+ }
+ }
+
w_mutex_lock(&syscheck.fim_realtime_mutex);
if (syscheck.realtime == NULL) {
realtime_start();
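Review bot: The added loop over `syscheck.wildcards` appears to repeat verbatim the loop over the directories list that ends just above it (the `options |= REALTIME_ACTIVE` / closing braces at the top of the hunk), so the two call sites now carry the same who-data-to-realtime downgrade body and will drift apart on the next change. A static helper taking the `OSList *` to walk, called once per list, would keep one copy of the logic; the `if (dir_it->options & WHODATA_ACTIVE)` block is the whole body of that helper. A short comment on the new loop stating why it exists, e.g. `/* Wildcard entries fall back to realtime too when who-data is unavailable */`, would also help, since the surrounding condition that makes this fallback necessary is outside the hunk. `main` starts before and continues after this hunk.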
diff --git a/src/syscheckd/whodata/audit_rule_handling.c b/src/syscheckd/whodata/audit_rule_handling.c
index 91efa6165e1..80b7be99591 100644
--- a/src/syscheckd/whodata/audit_rule_handling.c
+++ b/src/syscheckd/whodata/audit_rule_handling.c
@@ -32,6 +32,11 @@ static void _add_whodata_directory(const char *path) {
OSListNode *node;
whodata_directory_t *directory;
+ if (whodata_directories == NULL) {
+ merror(FIM_ERROR_WHODATA_UNINITIALIZED, path);
+ return;
+ }
+
// Search for duplicates
for (node = OSList_GetFirstNode(whodata_directories); node != NULL;
node = OSList_GetNextNode(whodata_directories)) {
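Review bot: The new `whodata_directories == NULL` guard logs and returns, but `_add_whodata_directory` is `void`, so the caller cannot tell that the path was not registered and the directory is silently left without who-data monitoring beyond the log line; if callers can react (for example by falling back to realtime as the `main.c` change in this commit does), a return code would let them. The guard also deserves a comment explaining when the list is NULL, e.g. `// List is created by who-data initialization; NULL means audit setup never ran or failed` — hedged, since the initialization site is not in this hunk. Whether the list pointer is read here under the same lock that the initialization path uses is not visible either, so that is worth confirming. The function continues outside the hunk.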