
Releases: wazuh/wazuh

v4.8.1 RC1

02 Jul 10:22
5f60b73
Pre-release

Manager

Added

  • Added dedicated RSA keys for keystore encryption (#24357)

Fixed

  • Fixed bug in upgrade_agent CLI where it would sometimes hang without showing a response. (#24308)
  • Fixed bug in upgrade_agent CLI where it would sometimes raise an unhandled exception. (#24341)

Agent

Fixed

  • Fixed incorrect macOS agent name retrieval (#23989)

RESTful API

Changed

  • Changed GET /manager/version/check endpoint response to always show the uuid field. (#24173)

Other

Added

  • Added external azure-core and isodate library dependencies. (#24292)

Changed

  • Upgraded external Jinja2 library dependency version to 3.1.4. (#24108)
  • Upgraded external requests library dependency version to 2.32.2. (#23925)
  • Upgraded external azure-storage-blob library dependency version to 12.19.1. (#24292)
  • Upgraded external typing-extensions library dependency version to 4.12.2. (#24292)

Wazuh v4.9.0 Alpha 1

20 Jun 15:19
d51c991
Pre-release

Manager

Added

  • The manager now supports alert forwarding to Fluentd. (#17306)

Fixed

  • Fixed compilation issue for local installation. (#20505)
  • Fixed malformed JSON error in wazuh-analysisd. (#16666)

Changed

  • Changed error messages about recv() messages from wazuh-db to debug logs. (#20285)

Agent

Added

  • Added debug logging in FIM to detect invalid report change registry values. Thanks to Zafer Balkan (@zbalkan). (#21690)
  • Added Amazon Linux 1 and 2023 support for the installation script. (#21287)
  • Added Journald support in Logcollector. (#23137)

Fixed

  • Fixed loading of whodata through timeouts and retries. (#21455)
  • Avoided backup failures during WPK update by adding dependency checking for the tar package. (#21729)
  • Fixed unwanted behavior by using memmove instead of memcpy. (#21595)
  • Fixed a crash in the agent due to a library incompatibility. (#22210)
  • Fixed an error in the osquery integration on Windows that prevented osquery.conf from loading. (#21728)
  • Fixed a crash in the agent's Rootcheck component when using <ignore>. (#22588)
  • Fixed the command wodle to support UTF-8 characters on the Windows agent. (#19146)
  • Fixed Windows agent to delete wazuh-agent.state file when stopped. (#20425)
  • Fixed Windows Agent 4.8.0 permission errors on Windows 11 after upgrade. (#20727)
  • Fixed Syscollector not checking if there's a scan in progress before starting a new one. (#22440)
  • Fixed alert creation when the syscheck diff DB is full. (#16487)
  • Fixed Wazuh deb uninstallation to remove non-config files. (#2195)
  • Fixed Auditd issue on newer OSs caused by the default audit rule "-a never,task". (#7283)
  • Fixed improper Windows agent ACL on non-default installation directory. (#23273)
  • Fixed how the socket configuration of an agent is displayed. (#17664)
  • Fixed wazuh-modulesd printing child process not found error. (#18494)
  • Fixed issue with an agent starting automatically without reason. (#23848)
  • Fixed GET /syscheck to properly report size for files larger than 2GB. (#17415)

Changed

  • The directory /boot has been removed from the default FIM settings for AIX. (#19753)

Ruleset

Changed

  • The solved vulnerability rule has been clarified. (#19754)

Fixed

  • Fixed audit decoders to parse the new heading field "node=". (#22178)

Other

Changed

  • Upgraded external OpenSSL library dependency version to 3.0. (#20778)
  • Migrated QA framework. (#17427)
  • Improved WPKs. (#21152)
  • Migrated and adapted Wazuh subsystem repositories as part of Wazuh packages redesign. (#23508)

Fixed

  • Fixed a buffer overflow hazard in HMAC internal library. (#19794)

Wazuh v4.8.0

13 Jun 14:35
038fe11

Manager

Added

  • Transition to Wazuh Keystore for Indexer Configuration. (#21670)

Changed

  • Vulnerability Detection refactor. (#21201)
  • Improved wazuh-db detection of deleted database files. (#18476)
  • Added timeout and retry parameters to the VirusTotal integration. (#16893)
  • Extended wazuh-analysisd EPS metrics with events dropped by overload and remaining credits in the previous cycle. (#18988)
  • Updated API and framework packages installation commands to use pip instead of direct invocation of setuptools. (#18466)
  • Upgraded docker-compose V1 to V2 in API Integration test scripts. (#17750)
  • Refactored how cluster status dates are treated in the cluster. (#17015)
  • The log message about file rotation and signature from wazuh-monitord has been updated. (#21602)
  • Improved Wazuh-DB performance by adjusting SQLite synchronization policy. (#22774)

Fixed

  • Updated cluster connection cleanup to remove temporary files when the connection between a worker and a master is broken. (#17886)
  • Added a mechanism to prevent cluster errors from being raised by expected wazuh-db exceptions. (#23371)
  • Fixed race condition when creating agent database files from a template. (#23216)

Agent

Added

  • Added snap package manager support to Syscollector. (#15740)
  • Added event size validation for the external integrations. (#17932)
  • Added new unit tests for the AWS integration. (#17623)
  • Added mapping geolocation for AWS WAF integration. (#20649)
  • Added a validation to reject unsupported regions when using the inspector service. (#21530)
  • Added additional information on some AWS integration errors. (#21561)

Changed

  • Disabled host's IP query by Logcollector when ip_update_interval=0. (#18574)
  • The MS Graph integration module now supports multiple tenants. (#19064)
  • FIM now buffers the Linux audit events for who-data to prevent side effects in other components. (#16200)
  • The sub-process execution implementation has been improved. (#19720)
  • Refactored and modularized the AWS integration code. (#17623)
  • Replaced the usage of fopen with wfopen to avoid processing invalid characters on Windows. (#21791)
  • Prevented the macOS agent from starting automatically after installation. (#21637)

Fixed

  • Fixed process path retrieval in Syscollector on Windows XP. (#16839)
  • Fixed detection of the OS version on Alpine Linux. (#16056)
  • Fixed Solaris 10 name not showing in the Dashboard. (#18642)
  • Fixed macOS Ventura compilation from sources. (#21932)
  • Fixed PyPI package gathering on macOS Sonoma. (#23532)

RESTful API

Added

  • Added new GET /manager/version/check endpoint to obtain information about new releases of Wazuh. (#19952)
  • Introduced an auto option for the ssl_protocol setting in the API configuration. This enables automatic negotiation of the TLS certificate to be used. (#20420)
  • Added API indexer protection to allow uploading new configuration files if the <indexer> section is not modified. (#22727)

Fixed

  • Fixed a warning from SQLAlchemy involving detached Roles instances in RBAC. (#20527)
  • Fixed an issue where only the last <ignore> item was displayed in GET /manager/configuration. (#23095)

Removed

  • Removed PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints as they were deprecated in version 4.7.0. Use the Wazuh indexer REST API instead. (#20119)
  • Removed the compilation_date field from GET /cluster/{node_id}/info and GET /manager/info endpoints. (#21572)
  • Deprecated the cache configuration option. (#22387)
  • Removed custom parameter from PUT /active-response endpoint. (#17048)

Ruleset

Added

  • Added new SCA policy for Amazon Linux 2023. (#17780)
  • Added new SCA policy for Rocky Linux 8. (#17784)
  • Added rules to detect IcedID attacks. (#19528)

Changed

  • SCA policy for Ubuntu Linux 18.04 rework. (#18721)
  • SCA policy for Ubuntu Linux 22.04 rework. (#17515)
  • SCA policy for Red Hat Enterprise Linux 7 rework. (#18440)
  • SCA policy for Red Hat Enterprise Linux 8 rework. (#17770)
  • SCA policy for Red Hat Enterprise Linux 9 rework. (#17412)
  • SCA policy for CentOS 7 rework. (#17624)
  • SCA policy for CentOS 8 rework. (#18439)
  • SCA policy for Debian 8 rework. (#18010)
  • SCA policy for Debian 10 rework. (#17922)
  • SCA policy for Amazon Linux 2 rework. (#18695)
  • SCA policy for SUSE Linux Enterprise 15 rework. (#18985)
  • SCA policy for macOS 13.0 Ventura rework. (#19037)
  • SCA policy for Microsoft Windows 10 Enterprise rework. (#19515)
  • SCA policy for Microsoft Windows 11 Enterprise rework. (#20044)
  • Updated MITRE DB to v13.1. (#17518)

Other

Added

  • Added external lua library dependency version 5.3.6. (#21710)
  • Added external PyJWT library dependency version 2.8.0. (#21749)

Changed

  • Upgraded external aiohttp library dependency version to 3.9.5. (#23112)
  • Upgraded external idna library dependency version to 3.7. (#23112)
  • Upgraded external cryptography library dependency version to 42.0.4. (#22221)
  • Upgraded external numpy library dependency version to 1.26.0. (#20003)
  • Upgraded external grpcio library dependency version to 1.58.0. (#20003)
  • Upgraded external pyarrow library dependency version to 14.0.1. (#20493)
  • Upgraded external urllib3 library dependency version to 1.26.18. (#20630)
  • Upgraded external SQLAlchemy library dependency version to 2.0.23. (#20741)
  • Upgraded external Jinja2 library dependency version to 3.1.3. (#21684)
  • Upgraded embedded Python version to 3.10.13. (#20003)
  • Upgraded external curl library dependency version to 8.5.0. (#21710)
  • Upgraded external pcre2 library dependency version to 10.42. (#21710)
  • Upgraded external libarchive library dependency version to 3.7.2. (#21710)
  • Upgraded external rpm library dependency version to 4.18.2. (#21710)
  • Upgraded external sqlite library dependency version to 3.45.0. (#21710)
  • Upgraded external zlib library dependency version to 1.3.1. (#21710)

Deleted

  • Removed external python-jose and ecdsa library dependencies. (#21749)

Wazuh v4.7.5

31 May 06:20
2d6d280

Manager

Added

  • Added a database endpoint to recalculate the hash of agent groups. (#23441)

Fixed

  • Fixed an issue in a cluster task where full group synchronization was constantly triggered. (#23447)
  • Fixed a race condition in wazuh-db that might create corrupted database files. (#23467)

Agent

Fixed

  • Fixed segmentation fault in logcollector multiline-regex configuration. (#23468)
  • Fixed crash in FIM when processing paths with non-UTF-8 characters. (#23543)

Wazuh v4.7.4

30 Apr 06:47
f094086

Manager

Fixed

  • Fixed an issue where wazuh-db was retaining labels of deleted agents. (#22933)
  • Improved stability by ensuring workers resume normal operations even during master node downtime. (#22994)

Wazuh v4.7.3

05 Mar 09:33
c6412e5

Manager

Fixed

  • Resolved a transitive mutex locking issue in wazuh-db that was impacting performance. (#21997)
  • Wazuh DB internal SQL queries have been optimized by tuning database indexes to improve performance. (#21977)

Wazuh v4.7.2

11 Jan 18:30
b28ebb9

Manager

Added

  • Added minimum time constraint of 1 hour for Vulnerability Detector feed downloads. (#21142)

Fixed

  • wazuh-remoted now includes the offending bytes in the warning about invalid message size from agents. (#21011)
  • Fixed a bug in the Windows Eventchannel decoder on handling Unicode characters. (#20658)
  • Fixed data validation at Windows Eventchannel decoder. (#20735)

Agent

Added

  • Added timeouts to external and Cloud integrations to prevent indefinite waiting for a response. (#20638)

Fixed

  • The host_deny Active response now checks the IP parameter format. (#20656)
  • Fixed a bug in the Windows agent that might lead it to crash when gathering forwarded Windows events. (#20594)
  • The AWS integration now finds AWS configuration profiles that do not contain the profile prefix. (#20447)
  • Fixed parsing for regions argument of the AWS integration. (#20660)

Ruleset

Added

  • Added new SCA policy for Debian 12. (#17565)

Fixed

  • Fixed AWS Macie fields used in some rules and removed unused AWS Macie Classic rules. (#20663)

Other

Changed

  • Upgraded external aiohttp library dependency version to 3.9.1. (#20798)
  • Upgraded pip dependency version to 23.3.2. (#20632)

Wazuh v4.7.1

22 Dec 03:07
5a0abd9

Manager

Changed

  • Improved WPK upgrade scripts to ensure safe execution and backup generation in various circumstances. (#20616)

Fixed

  • Fixed a bug causing the Canonical feed parser to fail in Vulnerability Detector. (#20580)
  • Fixed a bug that allowed two simultaneous updates to occur through WPK. (#20545)
  • Fixed a thread lock bug that slowed down wazuh-db performance. (#20178)
  • Fixed a bug in Vulnerability detector that skipped vulnerabilities for Windows 11 21H2. (#20386)
  • The installer now updates the merged.mg file permissions on upgrade. (#5941)
  • Fixed an insecure request warning in the shuffle integration. (#19993)
  • Fixed a bug that corrupted cluster logs when they were rotated. (#19888)

Agent

Fixed

  • Fixed a bug that prevented the local IP from appearing in the port inventory from macOS agents. (#20332)
  • Fixed the default Logcollector settings on macOS to collect logs out-of-the-box. (#20180)
  • Fixed a bug in the FIM decoder at wazuh-analysisd that ignored Windows Registry events from agents under 4.6.0. (#20169)
  • Fixed multiple bugs in the Syscollector decoder at wazuh-analysisd that did not sanitize the input data properly. (#20250)
  • Added the pyarrow_hotfix dependency to fix the pyarrow CVE-2023-47248 vulnerability in the AWS integration. (#20284)

RESTful API

Fixed

  • Fixed inconsistencies in the behavior of the q parameter of some endpoints. (#18423)
  • Fixed a bug in the q parameter of the GET /groups/{group_id}/agents endpoint. (#18495)
  • Fixed bug in the regular expression used to reject non-ASCII characters in some endpoints. (#19533)

Other

Changed

  • Upgraded external certifi library dependency version to 2023.07.22. (#20149)
  • Upgraded external requests library dependency version to 2.31.0. (#20149)
  • Upgraded embedded Python version to 3.9.18. (#18800)

Wazuh v4.7.0

28 Nov 16:52
eb29da4

Manager

Added

  • Introduced native Maltiverse integration. Thanks to David Gil (@dgilm). (#18026)
  • Added a file detailing the dependencies for the Wazuh RESTful API and wodles tests. (#16513)
  • Added unit tests for the Syscollector legacy decoder. (#15985)
  • Added unit tests for the manage_agents tool. (#15999)
  • Added an option to customize the Slack integration. (#16090)
  • Added support for Amazon Linux 2023 in Vulnerability Detector. (#17617)

Changed

  • An unnecessary sanity check related to Syscollector has been removed from wazuh-db. (#16008)
  • The manager now rejects agents with a higher version by default. (#20367)

Fixed

  • Fixed an unexpected error by the Cluster when a worker gets restarted. (#16683)
  • Fixed an issue that let the manager validate wrong XML configurations. (#16681)
  • Fixed syscollector packages multiarch values. (#19722)
  • Fixed wazuh-agent crashing randomly when RPCRT4.dll is loaded. (#18591)

Deleted

  • Deleted unused framework RBAC migration folder. (#17225)

Agent

Added

  • Added support for Custom Logs in Buckets via AWS SQS. (#17951)
  • Added geolocation for aws.data.client_ip field. Thanks to @rh0dy. (#16198)
  • Added package inventory support for Alpine Linux in Syscollector. (#15699)
  • Added package inventory support for MacPorts in Syscollector. (#15877)
  • Added package inventory support for PYPI and node in Syscollector. (#17982)
  • Added related process information to the open ports inventory in Syscollector. (#15000)

Changed

  • The shared modules' code has been sanitized according to the convention. (#17966)
  • The package inventory internal messages have been modified to honor the schema compliance. (#18006)
  • The agent connection log has been updated to clarify that the agent must connect to an agent with the same or higher version. (#20360)

Fixed

  • Fixed detection of osquery 5.4.0+ running outside the integration. (#17006)
  • Fixed vendor data in package inventory for Brew packages on macOS. (#16089)
  • Fixed WPK rollback restarting the host in the Windows agent. (#20081)

RESTful API

Added

  • Added new status_code field to GET /agents response. (#19726)

Fixed

  • Addressed error handling for non-utf-8 encoded file readings. (#16489)
  • Resolved an issue in the WazuhException class that disrupted the API executor subprocess. (#16914)
  • Corrected an empty value problem in the API specification key. (#16918)

Deleted

  • Deprecated PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints. In future versions, the Wazuh indexer REST API can be used instead. (#20126)

Other

Fixed

  • Fixed the signature of the internal function OSHash_GetIndex(). (#17040)

Wazuh v4.6.0

07 Nov 07:28
a6e26ae

Manager

Added

  • wazuh-authd can now generate X509 certificates. (#13559)
  • Introduced a new CLI to manage features related to the Wazuh API RBAC resources. (#13797)
  • Added support for Amazon Linux 2022 in Vulnerability Detector. (#13034)
  • Added support for Alma Linux in Vulnerability Detector. (#16343)
  • Added support for Debian 12 in Vulnerability Detector. (#18542)
  • Added mechanism in wazuh-db to identify fragmentation and perform vacuum. (#14953)
  • Added an option to set whether the manager should ban newer agents. (#18333)
  • Added mechanism to prevent wazuh agents connections to lower manager versions. (#15661)

Changed

  • wazuh-remoted now checks the size of the files to avoid malformed merged.mg. (#14659)
  • Added a limit option for the Rsync dispatch queue size. (#14024)
  • Added a limit option for the Rsync thread pool. (#14026)
  • wazuh-authd now shows a warning when deprecated forcing options are present in the configuration. (#14549)
  • The agent now notifies the manager when Active Response fails to run netsh. (#14804)
  • Use new broadcast system to send agent groups information from the master node of a cluster. (#13906)
  • Changed cluster send_request method so that timeouts are treated as exceptions and not as responses. (#15220)
  • Refactored methods responsible for file synchronization within the cluster. (#13065)
  • Changed schema constraints for sys_hwinfo table. (#16065)
  • The Auth process does not start when the registration password is empty. (#15709)
  • Changed error messages about corrupt GetSecurityInfo messages from FIM to debug logs. (#19400)
  • Changed the default settings for wazuh-db to perform database auto-vacuum more often. (#19956)

Fixed

  • Fixed wazuh-remoted not updating total bytes sent in UDP. (#13979)
  • Fixed translation of packages with a missing version in CPE Helper for Vulnerability Detector. (#14356)
  • Fixed undefined behavior issues in Vulnerability Detector unit tests. (#14174)
  • Fixed permission error when producing FIM alerts. (#14019)
  • Fixed memory leaks in wazuh-authd. (#15164)
  • Fixed Audit policy change detection in FIM for Windows. (#14763)
  • Fixed origin_module variable value when sending API or framework messages to core sockets. (#14408)
  • Fixed an issue where an erroneous tag appeared in the cluster logs. (#15715)
  • Fixed log error displayed when there's a duplicate worker node name within a cluster. (#15250)
  • Resolved an issue in the agent_upgrade CLI when used from worker nodes. (#15487)
  • Fixed error in the agent_upgrade CLI when displaying upgrade result. (#18047)
  • Fixed error in which the connection with the cluster was broken in local clients for not sending keepalives messages. (#15277)
  • Fixed error in which exceptions were not correctly handled when dapi_err command could not be sent to peers. (#15298)
  • Fixed error in worker's Integrity sync task when a group folder was deleted in master. (#16257)
  • Fixed error when trying to update an agent through the API or the CLI while pointing to a WPK file. (#16506)
  • Fixed wazuh-remoted high CPU usage in master node without agents. (#15074)
  • Fixed race condition in wazuh-analysisd handling rule ignore option. (#16101)
  • Fixed missing rules and decoders in Analysisd JSON report. (#16000)
  • Fixed translation of packages with missing version in CPE Helper. (#14356)
  • Fixed log date parsing at predecoding stage. (#15826)
  • Fixed permission error in JSON alert. (#14019)

Agent

Added

  • Added GuardDuty Native support to the AWS integration. (#15226)
  • Added --prefix parameter to Azure Storage integration. (#14768)
  • Added validations for empty and invalid values in AWS integration. (#16493)
  • Added new unit tests for GCloud integration and increased coverage to 99%. (#13573)
  • Added new unit tests for Azure Storage integration and increased coverage to 99%. (#14104)
  • Added new unit tests for Docker Listener integration. (#14177)
  • Added support for Microsoft Graph security API. Thanks to Bryce Shurts (@S-Bryce). (#18116)
  • Added wildcard support in FIM for the Windows registry. (#15852)
  • Added wildcards support for folders in the localfile configuration on Windows. (#15973)
  • Added new settings ignore and restrict to logcollector. (#14782)
  • Added RSync and DBSync to FIM. (#12745)
  • Added PCRE2 regex for SCA policies. (#17124)
  • Added mechanism to detect policy changes. (#14763)
  • Added support for Office365 MS/Azure Government Community Cloud (GCC) and Government Community Cloud High (GCCH) API. Thanks to Bryce Shurts (@S-Bryce). (#16547)

Changed

  • FIM option fim_check_ignore now applies to files and directories. (#13264)
  • Changed AWS integration to take into account user config found in the .aws/config file. (#16531)
  • Changed the calculation of timestamps in AWS and Azure modules by using UTC timezone. (#14537)
  • Changed the AWS integration to only show the Skipping file with another prefix message in debug mode. (#15009)
  • Changed debug level required to display CloudWatch Logs event messages. (#14999)
  • Changed syscollector database default permissions. (#17447)
  • Changed agent IP lookup algorithm. (#17161)
  • Changed InstallDate origin in Windows installed programs. (#14499)
  • Enhanced clarity of certain error messages in the AWS integration for better exception tracing. (#14524)
  • Improved external integrations SQLite queries. (#13420)
  • Improved items iteration for Config and VPCFlow AWS integrations. (#16325)
  • Unit tests have been added to the shared JSON handling library. (#14784)
  • Unit tests have been added to the shared SQLite handling library. (#14476)
  • Improved command to change user and group from version 4.2.x to 4.x.x. (#15032)
  • Changed the internal value of the open_attemps configuration. (#15647)
  • Reduced the default FIM event throughput to 50 EPS. (#19758)

Fixed

  • Fixed the architecture of the dependency URL for macOS. (#13534)
  • Fixed a path length limitation that prevented FIM from reporting changes on Windows. (#13588)
  • Updated the AWS integration to use the regions specified in the AWS config file when no regions are provided in ossec.conf. (#14993)
  • Corrected the error code #2 for the SIGINT signal within the AWS integration. (#14850)
  • Fixed the discard_regex functionality for the AWS GuardDuty integration. (#14740)
  • Fixed error messages in the AWS integration when there is a ClientError. (#14500)
  • Fixed error that could lead ...