4.8.0 Release notes - 12 June 2024
This section lists the changes in version 4.8.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.
Highlights
This release introduces a major refactor of the Vulnerability Detector module that increases coverage and improves reliability by using a centralized feed of curated vulnerabilities maintained by Wazuh. It introduces global queries for vulnerability detection information, allowing users to search through vulnerability detection data across all endpoints.
The Wazuh dashboard notifies users whenever there's a newer Wazuh version available and offers a revamped UX navigation experience by completely overhauling the menu layout.
To support the centralized vulnerability feed and update check services, Wazuh has developed a new platform aimed at integrating and distributing Cyber Threat Intelligence (CTI) data.
Package inventory can now collect information from expanded sources, including the Snap package manager.
The release also addresses hundreds of bugs of varying impacts, further stabilizing the platform and improving the overall user experience.
Vulnerability Detector refactor: Vulnerability detection uses a centralized feed maintained by Wazuh and introduces global queries, significantly improving vulnerability detection capabilities and performance.
Update check service UI: Users can now be notified whenever there's a new Wazuh version available.
Wazuh dashboard UX redesign: A significant overhaul aimed at enhancing the user interface and experience, making navigation and operation more intuitive.
Snap packages support & PYPI and Node packages support: Wazuh now includes support for inventorying packages installed through the Snap package manager, improving visibility into software management.
Breaking changes
Manager
The Vulnerability Detection module no longer downloads external vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). Instead, the vulnerability detection capability now uses the new Wazuh CTI platform. wazuh #14153
The Vulnerability Detection module requires setting up communication with the Wazuh indexer. wazuh #14153
The Vulnerability Detector module has been renamed to Vulnerability Detection. The vulnerability-detector configuration option has been renamed to vulnerability-detection. wazuh #19781
Dashboard plugin
The Wazuh dashboard disabled_roles setting has been removed. Now, the Wazuh dashboard is visible to every Wazuh indexer role. wazuh-dashboard-plugins #5841
The Wazuh dashboard customization.logo.sidebar setting has been removed, and the sidebar logo is no longer customizable. wazuh-dashboard-plugins #5841
The extensions.* settings have been removed. Now, all Wazuh modules are visible in the main menu. wazuh-dashboard-plugins #5841
The default Wazuh dashboard home URL has changed from https://<WAZUH_DASHBOARD_URL>/app/wazuh to https://<WAZUH_DASHBOARD_URL>/app/wz-home. You can check the /etc/wazuh-dashboard/opensearch_dashboard.yml configuration file and replace the uiSettings.overrides.defaultRoute: /app/wazuh setting with uiSettings.overrides.defaultRoute: /app/wz-home if needed. An app not found error will appear if this value is incorrect. wazuh-packages #2497
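A pre-upgrade check for the breaking changes listed above, as an added example that is not part of the Wazuh release notes or tooling. The function name check_480_breaking is hypothetical, the files to scan are passed by the operator, and the matching assumes the settings appear as YAML keys at the start of a line and the module as a <vulnerability-detector> XML tag.

```shell
#!/bin/sh
# Added example: flag settings that 4.8.0 removed or renamed.
# check_480_breaking is a hypothetical helper, not a Wazuh tool.
# Usage: check_480_breaking FILE...   (the caller supplies the file paths)
# Prints one "file:line: message" finding per hit; returns 1 if any were found.
check_480_breaking() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "$f: not readable, skipped" >&2; continue; }
        out=$(awk -v file="$f" '
            function hit(msg) { printf "%s:%d: %s\n", file, NR, msg }
            /^[ \t]*#/ { next }   # skip YAML comment lines
            /<\/?vulnerability-detector[ >]/ {
                hit("vulnerability-detector is renamed to vulnerability-detection") }
            /^[ \t]*disabled_roles[ \t]*:/ {
                hit("disabled_roles has been removed") }
            /^[ \t]*customization\.logo\.sidebar[ \t]*:/ {
                hit("customization.logo.sidebar has been removed") }
            /^[ \t]*extensions\.[^ \t:]+[ \t]*:/ {
                hit("extensions.* settings have been removed") }
            /^[ \t]*uiSettings\.overrides\.defaultRoute[ \t]*:[ \t]*"?\/app\/wazuh"?[ \t]*$/ {
                hit("defaultRoute should be /app/wz-home") }
        ' "$f")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            found=1
        fi
    done
    return "$found"
}

# Run directly when file paths are given on the command line.
if [ "$#" -gt 0 ]; then check_480_breaking "$@"; fi
```

Run it against copies of the dashboard and manager configuration files before upgrading; a non-zero exit status means at least one file still carries a removed or renamed setting.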
What's new
This release includes the following new features and enhancements:
Manager
#21201 Refactored vulnerability detection capability.
#18476 Improved wazuh-db detection of deleted database files.
#16893 Added timeout and retry parameters to the VirusTotal integration.
#18988 Extended wazuh-analysisd EPS metrics with events dropped by overload and remaining credits in the previous cycle.
#19819 Replaced Filebeat date index name processor to ensure the indices are identifiable by the index alias for auto-rollover.
#18466 Updated API and framework packages installation commands to use pip instead of direct invocation of setuptools.
#17015 Refactored how cluster status dates are treated in the cluster.
#21602 The log message about file rotation and signature from wazuh-monitord has been updated.
#21670 Implemented a dedicated keystore for indexer configuration to improve management of sensitive information.
#22774 Improved Wazuh-DB performance by adjusting SQLite synchronization policy.
#17750 Upgraded docker-compose V1 to V2 in API Integration test scripts.
Agent
#15740 Added snap package manager support to Syscollector.
#18574 Disabled host's IP query by Logcollector when ip_update_interval=0.
#17932 Added event size validation for the external integrations.
#17623 Refactored and modularized the AWS integration code.
#17623 Added new unit tests for the AWS integration.
#19064 Added multiple tenants support to the MS Graph integration module.
#16200 FIM now buffers the Linux audit events for who-data to prevent side effects in other components.
#19720 The sub-process execution implementation has been improved.
#20649 Added geolocation mapping for the AWS WAF events.
#21530 Added a validation to reject unsupported regions when using the inspector service.
#21561 Added additional information on some AWS integration errors.
#21791 Replaced the usage of fopen with wfopen to avoid processing invalid characters on Windows.
#21637 Fixed installation script to prevent the macOS agent from starting automatically after installation.
RESTful API
#19952 Added new GET /manager/version/check API endpoint to obtain information about new releases of Wazuh.
#20119 Removed PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints as they were deprecated in version 4.7.0. Use the Wazuh indexer REST API instead.
#20420 Added the auto option to the ssl_protocol setting in the API configuration. This option enables automatic negotiation of the TLS certificate.
#21572 Removed the compilation_date field from GET /cluster/{node_id}/info and GET /manager/info endpoints.
#22387 Deprecated the cache configuration option.
#17048 Removed the custom parameter from the PUT /active-response endpoint.
#22727 Added API configuration option to protect the Wazuh indexer configuration from updates.
Ruleset
#19528 Added rules to detect IcedID attacks.
#17780 Added new SCA policy for Amazon Linux 2023.
#18721 Revised SCA policy for Ubuntu Linux 18.04.
#17515 Revised SCA policy for Ubuntu Linux 22.04.
#18440 Revised SCA policy for Red Hat Enterprise Linux 7.
#17770 Revised SCA policy for Red Hat Enterprise Linux 8.
#17412 Revised SCA policy for Red Hat Enterprise Linux 9.
#17624 Revised SCA policy for CentOS 7.
#18439 Revised SCA policy for CentOS 8.
#18010 Revised SCA policy for Debian 8.
#17922 Revised SCA policy for Debian 10.
#18695 Revised SCA policy for Amazon Linux 2.
#18985 Revised SCA policy for SUSE Linux Enterprise 15.
#19037 Revised SCA policy for macOS 13.0 Ventura.
#19515 Revised SCA policy for Microsoft Windows 10 Enterprise.
#20044 Revised SCA policy for Microsoft Windows 11 Enterprise.
#17518 Updated MITRE DB to v13.1.
Other
#20003 Upgraded embedded Python version to 3.10.13.
#23112 Upgraded external aiohttp library dependency version to 3.9.5.
#22221 Upgraded external cryptography library dependency version to 42.0.4.
#21710 Upgraded external curl library dependency version to 8.5.0.
#20003 Upgraded external grpcio library dependency version to 1.58.0.
#23112 Upgraded external idna library dependency version to 3.7.
#21684 Upgraded external Jinja2 library dependency version to 3.1.3.
#21710 Upgraded external libarchive library dependency version to 3.7.2.
#20003 Upgraded external numpy library dependency version to 1.26.0.
#21710 Upgraded external pcre2 library dependency version to 10.42.
#20493 Upgraded external pyarrow library dependency version to 14.0.1.
#21710 Upgraded external rpm library dependency version to 4.18.2.
#20741 Upgraded external SQLAlchemy library dependency version to 2.0.23.
#21710 Upgraded external sqlite library dependency version to 3.45.0.
#20630 Upgraded external urllib3 library dependency version to 1.26.18.
#21710 Upgraded external zlib library dependency version to 1.3.1.
#21710 Added external lua library dependency version 5.3.6.
#21749 Added external PyJWT library dependency version 2.8.0.
#21749 Removed external python-jose and ecdsa library dependencies.
Dashboard plugin
#5791 Added remember server address check.
#6093 Added a notification about new Wazuh updates and a button to check their availability. #6256 #6328
#6083 Added the ssl_agent_ca configuration to the SSL Settings form.
#5896 Added global vulnerabilities dashboards.
#5840 Added an agent selector to the agent view.
#5840 Moved the Wazuh menu into the side menu. #6226 #6423 #6510 #6591
#5840 Removed the disabled_roles and customization.logo.sidebar settings.
#5840 Removed module visibility configuration and removed the extensions.* settings.
#6035 Updated all dashboard visualization definitions. #6632 #6690
#6067 Reorganized tabs order in all modules.
#6174 Removed the implicit filter of WQL language of the search bar UI.
#6373 Changed the API configuration title to API Connections.
#6366 Removed Compilation date field from the Status view.
#6361 Removed WAZUH_REGISTRATION_SERVER variable from Windows agent deployment command.
#6354 Added a dash character and a tooltip element to Run as in the API configuration table to indicate it's been disabled.
#6364 Added tooltip element to Most active agent in Details in the Endpoint summary view and renamed a label element. #6421
#6341 Removed notice of old Discover deprecation.
#6492 Updated the PDF report year number to 2024.
#6702 Adjusted font style of Endpoints summary KPIs, Index pattern, and API selectors, as well as adjusted the Dev Tools column widths.
Packages
#2332 Added check into the installation assistant to prevent the use of public IP addresses.
#2365 Removed the postProvision.sh script. It's no longer used in OVA generation.
#2364 Added curl error messages in downloads.
#2469 Improved debug output in the installation assistant.
#2557 Added SCA policy for Amazon Linux 2023 in SPECS.
#2558 Wazuh password tool now recognizes UI created users.
#2562 Bumped Wazuh indexer to OpenSearch 2.10.0.
#2563 Bumped Wazuh dashboard to OpenSearch Dashboards 2.10.0.
#2577 Added APT and YUM lock logic to the Wazuh installation assistant.
#2164 Deprecated CentOS 6 and Debian 7 for the Wazuh manager compilation, while still supporting them in the Wazuh agent compilation.
#2588 Added logic to the installation assistant to check for clean Wazuh central components removal.
#2615 Added branding images to the header of Wazuh dashboard.
#2696 Updated Filebeat module version to 0.4 in Wazuh installation assistant.
#2695 Added content database in RPM and DEB packages.
#2669 Upgraded botocore dependency in WPK package Docker containers.
#2738 Added xz utils as requirement.
#2777 Added support for refactored vulnerability detector in the installation assistant.
#2797 The Wazuh installation assistant now uses 127.0.0.1 instead of localhost in the Wazuh dashboard configuration. #2808
#2801 Added check into the installation assistant to ensure sudo package is installed.
#2802 Added the Wazuh keystore functionality to the passwords tool.
#2809 Upgrade scripts to support building Wazuh with OpenSSL 3.0.
#2784 Added rollback and exit in case the Wazuh indexer security admin fails.
#2804 Added the keystore tool for both RPM and DEB manager packages creation. #2802
#2798 Add compression for the Wazuh manager due to inclusion of Vulnerability Detection databases.
#2796 Simplified the Wazuh dashboard help menu entries.
#2792 Improved certificates generation output when using the Wazuh Installation Assistant and the Wazuh Certs Tool.
#2891 Skipped certificate validation for CentOS 5 package generation.
#2890 Updated the file permissions of vulnerability detection-related directories.
#2966 Added Ubuntu 24 support to the Wazuh installation assistant.
#2422 Added the possibility of registering the localhost domain in the installation assistant and in the cert-tool.
#2408 Added new AWS files to Solaris SPECS.
#2553 Added new role to grant ISM API permissions.
#2578 Changed the order of Explore category and Indexer/dashboard management title on dashboard.
#2582 Added the ISM init script to the Wazuh indexer package.
#2584 Added ISM script in installation assistant.
#2586 Moved ISM scripts from package to base.
#2590 Extended indexer-init.sh to accept arguments.
#2592 Updated the initialize cluster script in the offline installation workflow.
#2598 Updated min_doc_count value.
#2606 Improved ISM init script.
#2609 Adapted wazuhapp and Wazuh dashboard to install the Wazuh CheckUpdates and Core plugins.
#2639 Changed check yum lock function.
#2653 Collapsed initially the application categories in the side menu of Wazuh dashboard.
#2687 Added common_checkAptLock function.
#2700 Updated indexer-ism-init.sh.
#2711 Ensured config is present in ossec.conf after upgrade via rpm.
#2712 Added wazuh-filebeat template to Wazuh indexer.
#2713 Removed wazuh-template json.
#2726 Updated indexer-ism-init.sh.
#2733 Updated indexer-ism-init.sh.
#2742 Vulnerability detection refactor.
#2748 Removed flag --download-content.
#2782 Split CentOS and RHEL check.
#2789 Updated Wazuh favicon for Safari.
#2795 Replaced category management description.
#2807 Silenced sudo package check.
#2821 Removed debug variable in Admin certificate generation.
#2822 Do not decompress .tar.xz file, remove xz dependency.
#2827 Added step for restore ossec.conf file in backup/restore scripts.
#2838 Removed download-content.sh and download.rules files.
Resolved issues
This release resolves the following known issues:
Manager
Agent
RESTful API
Dashboard plugin
#5840 Fixed a problem with the agent menu header when the side menu is docked.
#6102 Fixed how the query filters apply on the Security Alerts table.
#6177 Fixed exception in agent view when an agent doesn't have policies.
#6177 Fixed exception in Inventory when agents don't have operating system information.
#6177 Fixed pinned agent state in URL.
#6234 Fixed invalid date format in About and Agents views.
#6305 Fixed issue with script to install agents on macOS if using the registration password deployment variable.
#6327 Fixed an issue preventing the use of a hostname as the Server address in Deploy New Agent.
#6342 Fixed wrong Queue Usage values in Server management > Statistics.
#6352 Fixed Statistics view errors when cluster mode is disabled.
#6374 Fixed the help menu, to be consistent and avoid duplication.
#6378 Fixed the axis label visual bug from dashboards.
#6431 Fixed error displaying when clicking Refresh in MITRE ATT&CK if the Wazuh indexer service is down.
#6617 Fixed error when clicking Log collection in Configuration of a disconnected agent.
#6333 Fixed a typo in an abbreviation for Fully Qualified Domain Name.
#6553 Fixed "View alerts of this Rule" link.
Packages
#2381 Fixed DNS validation in the installation assistant.
#2401 Fixed debug redirection in the installation assistant.
#2850 Fixed certificates generation output for certificates not created.
#2906 Moved up the hardware check of the installation assistant. Now dependencies don't get installed if it fails.
#2380 Fixed source_branch variable in master branch.
#2535 Fixed mkdir wazuh-install-files error.
#2560 Fixed internalusers-backup directory owner and permissions.
#2585 Fixed bug with -i option.
#2646 Fixed wazuh-indexer.spec duplicated information.
#2723 Fixed Filebeat template URL in Wazuh indexer.
#2796 Fixed duplicated help menu.
Changelogs
The repository changelogs provide more details about the changes.