3.5.0 Release notes - 10 August 2018
This section shows the most relevant improvements and fixes in version 3.5.0. More details about these changes are provided in each component changelog.
Wazuh core
A new integration with osquery is shown, this will provide new scheduled results for the manager:
The osquery daemon will be launched in background.
Filter events by osquery by adding a new option in
<location>
rules.Enrich osquery configuration with pack files aggregation and agent labels.
Support folders in shared configuration.
Parallelized remoted daemon:
Up to 16 parallel threads to decrypt messages from agents.
Frequency of agent keys reloading limited.
Message input buffer in Analysisd to prevent control messages starvation in Remoted.
Vulnerability Detector has been enhanced, adding support for other operating systems and improving the configuration of OVAL updates.
Added
feed
tag for updating each operating system OVAL, allowing to set a different configuration for each of them.Packages already scanned won't be checked unless no Syscollector scans are detected in a period longer than 24 hours.
Added arch check for Red Hat's OVAL.
Force the vulnerability detection in unsupported OS with the
<allow>
attribute.
Fixed alerts format in Vulnerability Detector. When showing Vulnerability Detector alerts from a Red Hat agent, an RHSA patch was shown instead of a CVE. This patch consists in various CVEs compressed. The RHSA patches are unpackaged and alerts manifest that the system is vulnerable to each of the CVEs contained in that RHSA.
Added new support for AES encryption for manager and agent.
Enhanced active response process. Added a new feature which allows the user to customize the parameters sent to the agent's active response script.
Added synchronization for remoted counters (rids), being reloaded if the inode of the file has changed.
Windows deletes pending active-responses when an output signal is received.
Rootcheck searchs for 32-bit and 64-bit keys. As Windows agent only runs in 32-bit mode, by default Rootcheck was searching only for 32-bit keys.
Get Linux packages, DEB and RPM, for Syscollector.
Added a new module for downloading shared files for agent groups dynamically.
Get running processes, opened ports, network interfaces, Linux (DEB/RPM) and Windows inventories natively for Syscollector.
Added field to the hardware inventory about the RAM usage, without using
wmic
.Storage of multiple addresses/netmasks/broadcasts per interface in the DB.
CentOS 5 compatibility to run the network scan.
Wazuh API
Added information about the user who made the request in the API logs.
New option for downloading the wpk using HTTP in
agent_upgrade
.Rotation of log files at midnight.
Added new API requests for syscollector.
Ignore uppercase and lowercase sorting an array.
Wazuh ruleset
Added rules for the new osquery integration.
Improved CIS-CAT rules.
Ignoring syscollector events rule added.
Wazuh app for Kibana
As part of the Elastic Stack v6.3.x compatibility process, now we have support for Kuery as query language for the app search bars.
Added new tab on Configuration to show the current Wazuh app configuration file values.
Added new tab on Configuration to show the latest Wazuh app logs.
Added XML/JSON viewer to Management → Configuration.
Improved reports, now with a better design and document structure.
Human-readability improvements for visualizations, tables and CSV files.
Now it’s possible to remove all the API entries from Settings.
More design improvements for the Welcome tab on some app sections.
More bug fixes, code refactoring and performance improvements.
In addition to this, the documentation now has a dedicated section for the Wazuh app, where you can learn more about its capabilities, how to configure it and install the X-Pack Security plugin.