3.13.0 Release notes - 22 June 2020
This section lists the changes in version 3.13.0. More details about these changes are provided in each component changelog:
Wazuh core
Added
Included the NVD as a feed for Linux agents in vulnerability detector.
Improved the vulnerability detector engine to correlate alerts between different feeds.
Added vulnerability detector module unit testing for Unix source code.
Added a timeout to the updates of the vulnerability detector's feeds to prevent hangings.
Added option for the JSON decoder to choose the treatment of array structures.
Added
mode
value (real-time, Who-data, or scheduled) as a dynamic field in FIM alerts.Added a field to configure the maximum files to be monitored by the FIM module.
New module to pull and process logs from Google Cloud Pub/Sub service.
Added support for mapping rules with MITRE ATT&CK framework.
Added as a dependency Microsoft's Software Update Catalog used by vulnerability detector.
Added support for
aarch64
andarmhf
architectures.
Changed
Decreased event fetching delay from 10 miliseconds to 5 miliseconds in FIM modes real-time and whodata (
rt_delay
).Who-data includes new fields: process CWD, parent process id, and CWD of parent process.
FIM now allows to rename/delete files while calculating their hash.
Extended the statics fields comparison in the ruleset options.
The state field has been removed from vulnerability alerts.
The NVD is now the primary feed for the vulnerability detector in Linux.
Removed OpenSCAP policies installation and configuration block.
Changed
same/different_systemname
forsame/different_system_name
in Analysisd static filters.Updated the internal Python interpreter from v3.7.2 to v3.8.2.
Other fixes and improvements
Fixed a bug that occasionally, kept the memory reserved when deleting monitored directories in FIM.
Fixed and issue regarding inotify watchers allocation when modifying directories in FIM real-time.
Fixed an error that caused the alerts deletion with a wrong path in Who-data mode.
Fixed an issue that did not generate alerts in Who-data mode when a subdirectory was added to the monitored directory in Windows.
Avoided the truncation of the full log field of the alert when the path is too long.
When there is a failure setting policies in Windows, FIM will automatically change from Who-data to real-time mode.
Fixed an error that prevented from restarting Windows agents from the manager.
Fixed an error that did not allow the usage of the tag
URL
by configuring the NVD in a vulnerability detector module.Fixed TOCTOU condition in Clusterd when merging agent-info files.
Fixed race condition in Analysisd when handling accumulated events.
Avoided to count links when generating alerts for ignored directories in Rootcheck.
Fixed typo in the path used for logging when disabling an account.
Fixed an error when receiving different Syslog events in the same TCP packet.
Fixed a bug in vulnerability detector on Modulesd when comparing Windows software versions.
Fixed a bug that caused an agent's disconnection time not to be displayed correctly.
Optimized the function to obtain the default gateway.
Fixed host verification when signing a certificate for the manager.
Fixed possible duplicated ID on
client.keys
adding new agent through the API with a specific ID.Avoid duplicate descriptors using wildcards in
localfile
configuration.Guaranteed that all processes are killed when service stops.
Fixed mismatch in integration scripts when the debug flag is set to active.
Wazuh Kibana App
Added
Support for Wazuh v3.13.0.
Support for Kibana v7.7.1
Support for Open Distro 1.8
Added new navigation experience with a global menu.
Added a breadcrumb in Kibana top nav.
Added a new Agents Summary Screen.
Added a new feature to add sample data to dashboards.
Added MITRE integration.
Added Google Cloud Platform integration.
Added TSC integration.
Added a new integrity monitoring state view for agent.
Added a new integrity monitoring files detail view.
Added a new component to explore compliance requirements.
Changed
Code migration to React.js.
Global review of styles.
Unified Overview and Agent dashboards into new Modules.
Changed vulnerabilities' dashboard visualizations.
Fixed
Fixed Open Distro tenants to be functional.
Improved navigation performance.
Avoid creating the
wazuh-monitoring
index pattern if it is disabled.SCA checks without compliance field could not be expanded.
Wazuh API
Added
- Added new API requests:
GET/mitre
GET/rules/mitre
GET/rules/tsc
- Added new filters in request
GET/rules
: mitre
: Filters the rules by mitre requirement.tsc
: Filters the rules by tsc requirement.
- Added new filters in request
Changed
Increased the maximum allowed size of the files to be uploaded from 1MB to 10MB. This change applies to:
POST /manager/files
POST /cluster/:node_id/files
POST /agents/groups/:group_id/configuration
POST /agents/groups/:group_id/files/:file_name
Wazuh ruleset
Added
Added rules and decoders for macOS sshd logs.
Added TSC/SOC compliance mapping.
Added rules and decoders for PaloAlto logs.
Added rules and decoder to monitor the FIM database status.
Added rules for WAF.
Changed
Changed description of vulnerability detector rules.
Changed squid decoders.
Fixed
Fixed the provider name so that Windows Eventlog's logs match with the Wazuh rules.
Fixed static filters related to the
system_name
field.Removed trailing whitespaces in the group name section of the ruleset.
Removed invalid zeroes from rules id.
Wazuh Splunk
Support for Wazuh v3.13.0