This section shows the most relevant new features of Wazuh v3.2.0. You will find more detailed information in our changelog file.
A native vulnerability detector has been implemented, making use of agents new feature to report inventory data (e.g. applications installed, network configuration, hardware information). The manager is now capable of building a vulnerability database, making use of public OVAL repositories (published and maintained by different vendors). This database is used to do correlation with agents reported applications inventory data, identifying packages with a CVE.
In version 3.1.0, detecting vulnerabilities was already possible using Wazuh agents integration with Vuls (a third party open source project), but this integration required the installation of additional software on the monitored hosts (adding extra complexity, and making it difficult to manage in a centralized way). Now, in this version, Vuls is not required anymore as this capability is now natively supported using the new agent and manager features.
The new architecture design keeps agents footprint small, not impacting monitored hosts performance or consuming unnecessary resources. Agents just read and report applications installed (RPM, Deb or MSI packages), while the manager is the one that uses the vulnerability database to identify CVEs.
See below an example of results when an application vulnerability is identified:
** Alert 1518102634.685428: - vulnerability-detector, 2018 Feb 08 16:10:34 (PC) ->vulnerability-detector Rule: 23504 (level 7) -> 'CVE-2017-7226 on Ubuntu 16.04 LTS (xenial) - medium.' vulnerability.cve: CVE-2017-7226 vulnerability.title: CVE-2017-7226 on Ubuntu 16.04 LTS (xenial) - medium. vulnerability.severity: Medium vulnerability.published: 2017-03-22 vulnerability.updated: 2017-03-22 vulnerability.reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7226 vulnerability.rationale: The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well. vulnerability.state: Unfixed vulnerability.affected_package: binutils vulnerability.version: 2.26.1-1ubuntu1~16.04.6
You can read more about this new module in the Vulnerability detection section.
This module provides the ability to read your AWS CloudTrail logs directly from an AWS S3 bucket. Amazon CloudTrail support is now a built-in Wazuh capability, giving you the ability to search, analyze, and alert on AWS CloudTrail events.
Below is an example of the JSON alert generated by this module:
** Alert 1518488581.32874246: - amazon,authentication_success,pci_dss_10.2.5, 2018 Feb 13 02:23:01 manager->Wazuh-AWS Rule: 80253 (level 3) -> 'Amazon: signin.amazonaws.com - ConsoleLogin - User Login Success.' aws.eventVersion: 1.05 aws.eventID: 2fb29f0f-4d7f-4384-8170-xxxx aws.eventTime: 2018-02-13T02:12:26Z aws.log_file: 1661xxx_CloudTrail_us-east-1_20180xxx_S4Wouyxxx.json.gz aws.additionalEventData.MFAUsed: No aws.additionalEventData.LoginTo: https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true aws.additionalEventData.MobileVersion: No aws.eventType: AwsConsoleSignIn aws.responseElements.ConsoleLogin: Success aws.awsRegion: us-east-1 aws.eventName: ConsoleLogin aws.userIdentity.userName: wazuh aws.userIdentity.type: IAMUser aws.userIdentity.arn: arn:aws:iam::166157441623:user/wazuh aws.userIdentity.principalId: AIDAJxxx aws.userIdentity.accountId: 1661xx4xxx aws.eventSource: signin.amazonaws.com aws.userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 aws.sourceIPAddress: 67.161.xx.xx aws.recipientAccountId: 166157441623 integration: aws
You can read more about this new module in the AWS CloudTrail section.
In our previous release, the module for integration with CIS-CAT scanner only supported Linux systems. Now, it also supports Windows systems.
CIS-CAT alerts have been also enriched and reports are parsed natively now, improving its efficiency considerably. See below an example of an alert:
** Alert 1518508994.718592: - ciscat, 2018 Feb 13 00:03:14 (Windows7) 192.168.1.201->wodle_cis-cat Rule: 87409 (level 7) -> ’CIS-CAT: (L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’ (failed)' type: scan_result scan_id: 589117374 cis.rule_id: 126.96.36.199.1 cis.rule_title: (L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’ cis.group: Administrative Templates (User) cis.description: This setting controls whether Windows Media Player is allowed to download additional codecs for decoding media files it does not already understand. The recommended state for this setting is: Enabled. cis.rationale: This has some potential for risk if a malicious data file is opened in Media Player that requires an additional codec to be installed. If a special codec is required for a necessary job function, then that codec should be tested and supplied by the IT department in the organization. cis.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: User Configuration\Policies\Administrative Templates\Windows Components\Windows Media Player\Playback\Prevent Codec Download Impact: The Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. cis.result: fail
Several bugs have been fixed in the cluster. Also, its general performance has been improved.
The cluster is now able to synchronize decoders, rules and CDB lists. It also makes use of
ossec-logtest tool to test that new rules, decoders or CDB lists are correctly formatted, before sending those to the rest of the cluster nodes.
The full list of files synchronized across cluster nodes is:
(*) Nodes are restarted when these files are updated.