wazuh / wazuh

Changed

• Updated MSU catalog on 31/03/2020. (#4819)

Fixed

• Fixed compatibility with the Vulnerability Detector feeds for Ubuntu from Canonical, that are available in a compressed format. (#4834)
• Added missing field ‘database’ to the FIM on-demand configuration report. (#4785)
• Fixed a bug in Logcollector that made it forward a log to an external socket infinite times. (#4802)
• Fixed a buffer overflow when receiving large messages from Syslog over TCP connections. (#4778)
• Fixed a malfunction in the Integrator module when analyzing events without a certain field. (#4851)

Added

• Add synchronization capabilities for FIM. (#3319)
• Add SQL database for the FIM module. Its storage can be switched between disk and memory. (#3319)
• Add support for monitoring AWS S3 buckets in GovCloud regions. (#3953)
• Add support for monitoring Cisco Umbrella S3 buckets. (#3890)
• Add automatic reconnection with the Eventchannel service when it is restarted. (#3836)
• Add a status validation when starting Wazuh. (#4237)
• Add FIM module unit testing for Unix source code. (#4688)
• Add multi-target support for unit testing. (#4564)
• Add FIM module unit testing for Windows source code. (#4633)

Changed

• Move the FIM logic engine to the agent. (#3319)
• Make Logcollector continuously attempt to reconnect with the agent daemon. (#4435)
• Make Windows agents to send the keep-alive independently. (#4077)
• Do not enforce source IP checking by default in the registration process. (#4083)

Fixed

• Avoid reopening the current socket when Logcollector fails to send a event. (#4696)
• Prevent Logcollector from starving when has to reload files. (#4730)
• Fix a small memory leak in clusterd. (#4465)
• Fix a crash in the fluent forwarder when SSL is not enabled. (#4675)
• Replace non-reentrant functions to avoid race condition hazards. (#4081)
• Fixed the registration of more than one agent as any when forcing to use the source IP. (#2533)
• Fix Windows upgrades in custom directories. (#2534)
• Fix the format of the alert payload passed to the Slack integration. (#3978)

Changed

• Remove chroot in Agentd to allow it resolve DNS at any time. (#4652)

Fixed

• Fixed a bug in the Windows agent that made Rootcheck report false positives about file size mismatch. (#4493)

Changed

• Optimized memory usage in Vulnerability Detector when fetching the NVD feed. (#4427)

Fixed

• Rootcheck scan produced a 100% CPU peak in Syscheckd because it applied <readall> option even when disabled. (#4415)
• Fixed a handler leak in Rootcheck and SCA on Windows agents. (#4456)
• Prevent Remoted from exiting when a client closes a connection prematurely. (#4390)
• Fixed crash in Slack integration when handling an alert with no description. (#4426)
• Fixed Makefile to allow running scan-build for Windows agents. (#4314)
• Fixed a memory leak in Clusterd. (#4448)

Fixed

• The Windows Eventchannel log decoder in Analysisd maxed out CPU usage due to an infinite loop. (#4412)

Added

• Add support to Windows agents for vulnerability detector. (#2787)
• Add support to Debian 10 Buster for vulnerability detector (by @aderumier). (#4151)
• Make the Wazuh service to start after the network systemd unit (by @VAdamec). (#1106)
• Add process inventory support for Mac OS X agents. (#3322)
• Add port inventory support for MAC OS X agents. (#3349)
• Make Analysisd compile the CDB list upon start. (#3488)
• New rules option global_frequency to make frequency rules independent from the event source. (#3931)
• Add a validation for avoiding agents to keep trying to connect to an invalid address indefinitely. (#3951)
• Add the condition field of SCA checks to the agent databases. (#3631)
• Display a warning message when registering to an unverified manager. (#4207)
• Allow JSON escaping for logs on Logcollector's output format. (#4273)
• Add TCP keepalive support for Fluent Forwarder. (#4274)
• Add the host's primary IP to Logcollector's output format. (#4380)

Changed

• Now EventChannel alerts include the full message with the translation of coded fields. (#3320)
• Changed -G agent-auth description in help message. (#3856)
• Unified the Makefile flags allowed values. (#4034)
• Let Logcollector queue file rotation and keepalive messages. (#4222)
• Changed default paths for the OSQuery module in Windows agents. (#4148)
• Fluent Forward now packs the content towards Fluentd into an object. (#4334)

Fixed

• Fix frequency rules to be increased for the same agent by default. (#3931)
• Fix protocol, system_name, data and extra_data static fields detection. (#3591)
• Fix overwriting agents by Authd when force option is less than 0. (#3527)
• Fix Syscheck nodiff option for substring paths. (#3015)
• Fix Logcollector wildcards to not detect directories as log files. (#3788)
• Make Slack integration work with agentless alerts (by @dmitryax). (#3971)
• Fix bugs reported by Clang analyzer. (#3887)
• Fix compilation errors on OpenBSD platform. (#3105)
• Fix on-demand configuration labels section to obtain labels attributes. (#3490)
• Fixed race condition between wazuh-clusterd and wazuh-modulesd showing a 'No such file or directory' in cluster.log when synchronizing agent-info files in a cluster environment (#4007)
• Fixed 'ConnectionError object has no attribute code' error when package repository is not available (#3441)
• Fix the blocking of files monitored by Who-data in Windows agents. (#3872)
• Fix the processing of EventChannel logs with unexpected characters. (#3320)
• Active response Kaspersky script now logs the action request in active-responses.log (#2748)
• Fix service's installation path for CentOS 8. (#4060)
• Add macOS Catalina to the list of detected versions. (#4061)
• Prevent FIM from producing false negatives due to wrong checksum comparison. (#4066)
• Fix previous_output count for alerts when matching by group. (#4097)
• Fix event iteration when evaluating contextual rules. (#4106)
• Fix the use of prefilter_cmd remotely by a new local option allow_remote_prefilter_cmd. (#4178 & 4194)
• Fix restarting agents by group using the API when some of them are in a worker node. (#4226)
• Fix error in Fluent Forwarder that requests an user and pass although the server does not need it. (#3910)
• Fix FTS data length bound mishandling in Analysisd. (#4278)
• Fix a memory leak in Modulesd and Agentd when Fluent Forward parses duplicate options. #4334)
• Fix an invalid memory read in Agentd when checking a remote configuration containing an invalid stanza inside <labels>. #4334)
• Fix error using force_reload and the eventchannel format in UNIX systems. #4294)