@snaow snaow released this Apr 24, 2017 · 112 commits to 2.0 since this release

Assets 5

Added

  • Wazuh modules manager.
  • Wazuh module for OpenSCAP.
  • Ruleset for OpenSCAP alerts.
  • Kibana dashboards for OpenSCAP.
  • Option at agent_control to restart all agents.
  • Dynamic fields to rules and decoders.
  • Dynamic fields to JSON in alerts/archives.
  • CDB list lookup with dynamic fields.
  • FTS for dynamic fields.
  • Logcollector option to set the frequency of file checking.
  • GeoIP support in Alerts (by Scott R Shinn).
  • Internal option to output GeoIP data on JSON alerts.
  • Matching pattern negation (by Daniel Cid).
  • Syscheck and Rootcheck events on SQLite databases.
  • Data migration tool to SQLite databases.
  • Jenkins QA.
  • 64-bit Windows registry keys support.
  • Complete FIM data output to JSON and alerts.
  • Username, date and inode attributes to FIM events on Unix.
  • Username attribute to FIM events on Windows.
  • Report changes (FIM file diffs) to Windows agent.
  • File diffs to JSON output.
  • Elastic mapping updated for new FIM events.
  • Title and file fields extracted at Rootcheck alerts.
  • Rule description formatting with dynamic field referencing.
  • Multithreaded design for Authd server for fast and reliable client dispatching, with key caching and write scheduling.
  • Auth registration client for Windows (by Gael Muller).
  • Auth password authentication for Windows client.
  • New local decoder file by default.
  • Show server certificate and key paths at Authd help.
  • New option for Authd to verify agent's address.
  • Added support for new format at predecoder (by Brad Lhotsky).
  • Agentless passlist encoding to Base64.
  • New Auditd-specific log format for Logcollector.
  • Option for Authd to auto-choose TLS/SSL method.
  • Compile option for Authd to make it compatible with legacy OSs.
  • Added new templates layout to auto-compose configuration file.
  • New wodle for SQLite database syncing (agent information and fim/pm data).
  • Added XML settings options to exclude some rules or decoders files.
  • Option for agent_control to broadcast AR on all agents.
  • Extended FIM event information forwarded by csyslogd (by Sivakumar Nellurandi).
  • Report Syscheck's new file events on real time.

Changed

  • Isolated logtest directory from analysisd.
  • Remoted informs Analysisd about agent ID.
  • Updated Kibana dashboards.
  • Syscheck FIM attributes to dynamic fields.
  • Force services to exit if PID file creation fails.
  • Atomic writing of client.keys through temporary files.
  • Disabled remote message ID verification by default.
  • Show actual IP on debug message when agents get connected.
  • Enforce rules IDs to max 6 digits.
  • OSSEC users and group as system (UI-hidden) users (by Dennis Golden).
  • Increases Authd connection pool size.
  • Use general-purpose version-flexible SSL/TLS methods for Authd registration.
  • Enforce minimum 3-digit agent ID format.
  • Exclude BTRFS from Rootcheck searching for hidden files inside directories (by Stehpan Joerrens).
  • Moved OSSEC and Wazuh decoders to one directory.
  • Prevent manage_agents from doing invalid actions (such methods for manager at agent).
  • Disabled capturing of security events 5145 and 5156 on Windows agent.
  • Utilities to rename an agent or change the IP address (by Antonio Querubin).
  • Added quiet option for Logtest (by Dan Parriot).
  • Output decoder information onto JSON alerts.
  • Enable mail notifications by default for server installation.
  • Agent control option to restart all agents' Syscheck will also restart manager's Syscheck.
  • Make ossec-control to check Authd PID.
  • Enforce every rule to contain a description.
  • JSON output won't contain field "agentip" if tis value is "any".
  • Don't broadcast Active Response messages to disconnected agents.
  • Don't print Syscheck logs if it's disabled.
  • Set default Syscheck and Rootcheck frequency to 12 hours.
  • Generate FIM new file alert by default.
  • Added option for Integrator to set the maximum log length.
  • JSON output nested objects modelling through dynamic fields.
  • Disable TCP for unsupported OSs.
  • Show previous log on JSON alert.
  • Removed confirmation prompt when importing an agent key successfully.
  • Made Syscheck not to ignore files that change more than 3 times by default.
  • Enabled JSON output by default.
  • Updated default syscheck configuration for Windows agents.
  • Limited agent' maximum connection time for notification time.
  • Improved client.keys changing detection method by remoted: use date and inode.
  • Changed boot service name to Wazuh.
  • Active response enabled on Windows agents by default.
  • New folder structure for rules and decoders.
  • More descriptive logs about syscheck real-time monitoring.
  • Renamed XML tags related to rules and decoders inclusion.
  • Set default maximum agents to 8000.
  • Removed FTS numeric bitfield from JSON output.
  • Fixed ID misasignation by manage_agents when the gratest ID exceeds 32512.
  • Run Windows Registry Syscheck scan on first stage when scan_on_start enabled.
  • Set all Syscheck delay stages to a multiple of internal_options.conf/syscheck.sleep value.
  • Changed JSON timestamp format to ISO8601.
  • Overwrite @timestamp field from Logstash with the alert timestamp.
  • Moved timestamp JSON field to the beginning of the object.
  • Changed random data generator for a secure OS-provided generator.

Fixed

  • Logcollector bug that inhibited alerts about file reduction.
  • Memory issue on string manipulation at JSON.
  • Memory bug at JSON alerts.
  • Fixed some CLang warnings.
  • Issue on marching OSSEC user on installing.
  • Memory leaks at configuration.
  • Memory leaks at Analysisd.
  • Bugs and memory errors at agent management.
  • Mistake with incorrect name for PID file (by Tickhon Clearscale).
  • Agent-auth name at messages (it appeared to be the server).
  • Avoid Monitord to log errors when the JSON alerts file doesn't exists.
  • Agents numberig issue (minimum 3 digits).
  • Avoid no-JSON message at agent_control when client.keys empty.
  • Memory leaks at manage_agents.
  • Authd error messages about connection to queue passed to warning.
  • Issue with Authd password checking.
  • Avoid ossec-control to use Dash.
  • Fixed false error about disconnected agent when trying to send it the shared files.
  • Avoid Authd to close when it reaches the maximum concurrency.
  • Fixed memory bug at event diff execution.
  • Fixed resource leak at file operations.
  • Hide help message by useadd and groupadd on OpenBSD.
  • Fixed error that made Analysisd to crash if it received a missing FIM file entry.
  • Fixed compile warnings at cJSON library.
  • Fixed bug that made Active Response to disable all commands if one of them was disabled (by Jason Thomas).
  • Fixed segmentation fault at logtest (by Dan Parriot).
  • Fixed SQL injection vulnerability at Database.
  • Fixed Active Response scripts for Slack and Twitter.
  • Fixed potential segmentation fault at file queue operation.
  • Fixed file permissions.
  • Fixed failing test for Apache 2.2 logs (by Brad Lhotsky).
  • Fixed memory error at net test.
  • Limit agent waiting time for retrying to connect.
  • Fixed compile warnings on i386 architecture.
  • Fixed Monitord crash when sending daily report email.
  • Fixed script to null route an IP address on Windows Server 2012+ (by Theresa Meiksner).
  • Fixed memory leak at Logtest.
  • Fixed manager with TCP support on FreeBSD (by Dave Stoddard).
  • Fixed Integrator launching at local-mode installation.
  • Fixed issue on previous alerts counter (rules with if_matched_sid option).
  • Fixed compile and installing error on Solaris.
  • Fixed segmentation fault on syscheck when no configuration is defined.
  • Fixed bug that prevented manage_agents from removing syscheck/rootcheck database.
  • Fixed bug that made agents connected on TCP to hang if they are rejected by the manager.
  • Fixed segmentation fault on remoted due to race condition on managing keystore.
  • Fixed data lossing at remoted when reloading keystore.
  • Fixed compile issue on MacOS.
  • Fixed version reading at ruleset updater.
  • Fixed detection of BSD.
  • Fixed memory leak (by Byron Golden).
  • Fixed misinterpretation of octal permissions given by Agentless (by Stephan Leemburg).
  • Fixed mistake incorrect openssl flag at Makefile (by Stephan Leemburg).
  • Silence Slack integration transmission messages (by Dan Parriot).
  • Fixed OpenSUSE Systemd misconfiguration (By Stephan Joerrens).
  • Fixed case issue on JSON output for Rootcheck alerts.
  • Fixed potential issue on duplicated agent ID detection.
  • Fixed issue when creating agent backups.
  • Fixed hanging problem on Windows Auth client when negotiation issues.
  • Fixed bug at ossec-remoted that mismatched agent-info files.
  • Fixed resource leaks at rules configuration parsing.
  • Fixed memory leaks at rules parser.
  • Fixed memory leaks at XML decoders parser.
  • Fixed TOCTOU condition when removing directories recursively.
  • Fixed insecure temporary file creation for old POSIX specifications.
  • Fixed missing agentless devices identification at JSON alerts.

Removed

  • Deleted link to LUA sources.
  • Delete ZLib generated files on cleaning.
  • Removed maximum lines limit from diff messages (that remain limited by length).