4.8.0 Release notes - 12 June 2024

This section lists the changes in version 4.8.0. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.

Highlights

This release introduces a major refactor of the Vulnerability Detector module that increases coverage and improves reliability by using a centralized feed of curated vulnerabilities maintained by Wazuh. It introduces global queries for vulnerability detection information, allowing users to search through vulnerability detection data across all endpoints.

The Wazuh dashboard notifies users whenever there's a newer Wazuh version available and offers a revamped UX navigation experience by completely overhauling the menu layout.

To support the centralized vulnerability feed and update check services, Wazuh has developed a new platform aimed at integrating and distributing Cyber Threat Intelligence (CTI) data.

Package inventory can now collect information from expanded sources, including the Snap package manager.

The release also addresses hundreds of bugs of varying impacts, further stabilizing the platform and improving the overall user experience.

  • Vulnerability Detector refactor: Vulnerability detection uses a centralized feed maintained by Wazuh and introduces global queries, significantly improving vulnerability detection capabilities and performance.

  • Update check service UI: Users can now be notified whenever there's a new Wazuh version available.

  • Wazuh dashboard UX redesign: A significant overhaul aimed at enhancing the user interface and experience, making navigation and operation more intuitive.

  • Snap, PyPI and Node packages support: Wazuh now includes support for inventorying packages installed through the Snap package manager, improving visibility into installed software.

Breaking changes

Manager

  • The Vulnerability Detection module no longer downloads external vulnerability feeds indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). Instead, the vulnerability detection capability now uses the new Wazuh CTI platform. wazuh #14153

  • The Vulnerability Detection module requires setting up communication with the Wazuh indexer. wazuh #14153

  • The Vulnerability Detector module has been renamed to Vulnerability Detection. The vulnerability-detector configuration option has been renamed to vulnerability-detection. wazuh #19781

Dashboard plugin

  • The Wazuh dashboard disabled_roles setting has been removed. Now, the Wazuh dashboard is visible to every Wazuh indexer role. wazuh-dashboard-plugins #5841

  • The Wazuh dashboard customization.logo.sidebar setting has been removed, and the sidebar logo is no longer customizable. wazuh-dashboard-plugins #5841

  • The extensions.* settings have been removed. Now, all Wazuh modules are visible in the main menu. wazuh-dashboard-plugins #5841

  • The default Wazuh dashboard home URL has changed from https://<WAZUH_DASHBOARD_URL>/app/wazuh to https://<WAZUH_DASHBOARD_URL>/app/wz-home. You can check the /etc/wazuh-dashboard/opensearch_dashboard.yml configuration file and replace the uiSettings.overrides.defaultRoute: /app/wazuh setting with uiSettings.overrides.defaultRoute: /app/wz-home if needed. An app not found error will appear if this value is incorrect. wazuh-packages #2497
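As an added example that is not part of these release notes or of the Wazuh project, the following POSIX shell script classifies the defaultRoute value in opensearch_dashboard.yml and migrates the pre-4.8.0 value to /app/wz-home while keeping a backup. It assumes the dotted key form shown above, one key per line, and GNU sed for in-place editing; the file path is the one named in the breaking change.

```shell
#!/bin/sh
# Added example, not from the Wazuh project: check the home route configured in
# the Wazuh dashboard and migrate the pre-4.8.0 default to the 4.8.0 one.
# Assumptions: the dotted key form shown in the release notes, one key per line,
# and GNU sed (for -i); the file path in the usage line comes from the release notes.

KEY="uiSettings.overrides.defaultRoute"
OLD_ROUTE="/app/wazuh"     # home URL path before 4.8.0
NEW_ROUTE="/app/wz-home"   # home URL path from 4.8.0 on

# Print the configured route with surrounding quotes stripped, or nothing when
# the key is absent (the dashboard then falls back to its built-in default).
current_default_route() {
    sed -n "s|^[[:space:]]*${KEY}:[[:space:]]*[\"']\{0,1\}\([^\"'[:space:]]*\)[\"']\{0,1\}[[:space:]]*$|\1|p" "$1" | head -n 1
}

# Classify the file: ok (new route), legacy (old route), unset (key absent) or
# unknown (any other value, which produces "app not found" after the upgrade).
check_default_route() {
    case "$(current_default_route "$1")" in
        "")           echo unset ;;
        "$NEW_ROUTE") echo ok ;;
        "$OLD_ROUTE") echo legacy ;;
        *)            echo unknown ;;
    esac
}

# Rewrite a legacy route in place, keeping a .bak copy of the original.
# Exit status 0 when the file was already fine or has been fixed, 1 when the
# value is unknown and needs a human decision rather than a blind rewrite.
migrate_default_route() {
    case "$(check_default_route "$1")" in
        legacy)
            cp -p "$1" "$1.bak" &&
            sed -i "s|^\([[:space:]]*${KEY}:[[:space:]]*\)[\"']\{0,1\}${OLD_ROUTE}[\"']\{0,1\}[[:space:]]*$|\1${NEW_ROUTE}|" "$1"
            ;;
        unknown)
            return 1
            ;;
    esac
}

# Usage: sh check_default_route.sh /etc/wazuh-dashboard/opensearch_dashboard.yml
if [ "$#" -gt 0 ]; then
    if migrate_default_route "$1"; then
        echo "$1: defaultRoute is $(check_default_route "$1")"
    else
        echo "$1: unexpected defaultRoute '$(current_default_route "$1")', edit it by hand" >&2
        exit 1
    fi
fi
```

Run it against a copy of the file first; a legacy value is rewritten and the original is left beside it as a .bak file.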

What's new

This release includes the following new features and enhancements:

Manager

  • #21201 Refactored vulnerability detection capability.

  • #18476 Improved wazuh-db detection of deleted database files.

  • #16893 Added timeout and retry parameters to the VirusTotal integration.

  • #18988 Extended wazuh-analysisd EPS metrics with events dropped by overload and remaining credits in the previous cycle.

  • #19819 Replaced Filebeat date index name processor to ensure the indices are identifiable by the index alias for auto-rollover.

  • #18466 Updated API and framework packages installation commands to use pip instead of direct invocation of setuptools.

  • #17015 Refactored how cluster status dates are treated in the cluster.

  • #21602 The log message about file rotation and signature from wazuh-monitord has been updated.

  • #21670 Implemented a dedicated keystore for indexer configuration to improve management of sensitive information.

  • #22774 Improved Wazuh-DB performance by adjusting SQLite synchronization policy.

  • #17750 Upgraded docker-compose V1 to V2 in API Integration test scripts.

Agent

  • #15740 Added snap package manager support to Syscollector.

  • #18574 Disabled host's IP query by Logcollector when ip_update_interval=0.

  • #17932 Added event size validation for the external integrations.

  • #17623 Refactored and modularized the AWS integration code.

  • #17623 Added new unit tests for the AWS integration.

  • #19064 Added multiple tenants support to the MS Graph integration module.

  • #16200 FIM now buffers the Linux audit events for who-data to prevent side effects in other components.

  • #19720 The sub-process execution implementation has been improved.

  • #20649 Added geolocation mapping for the AWS WAF events.

  • #21530 Added a validation to reject unsupported regions when using the inspector service.

  • #21561 Added additional information on some AWS integration errors.

  • #21791 Replaced the usage of fopen with wfopen to avoid processing invalid characters on Windows.

  • #21637 Fixed the installation script to prevent the macOS agent from starting automatically after installation.

RESTful API

  • #19952 Added new GET /manager/version/check API endpoint to obtain information about new releases of Wazuh.

  • #20119 Removed PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints as they were deprecated in version 4.7.0. Use the Wazuh indexer REST API instead.

  • #20420 Added the auto option to the ssl_protocol setting in the API configuration. This option enables automatic negotiation of the TLS certificate.

  • #21572 Removed the compilation_date field from GET /cluster/{node_id}/info and GET /manager/info endpoints.

  • #22387 Deprecated the cache configuration option.

  • #17048 Removed the custom parameter from the PUT /active-response endpoint.

  • #22727 Added API configuration option to protect the Wazuh indexer configuration from updates.

Ruleset

  • #19528 Added rules to detect IcedID attacks.

  • #17780 Added new SCA policy for Amazon Linux 2023.

  • #17784 Added new SCA policy for Rocky Linux 8.

  • #18721 Revised SCA policy for Ubuntu Linux 18.04.

  • #17515 Revised SCA policy for Ubuntu Linux 22.04.

  • #18440 Revised SCA policy for Red Hat Enterprise Linux 7.

  • #17770 Revised SCA policy for Red Hat Enterprise Linux 8.

  • #17412 Revised SCA policy for Red Hat Enterprise Linux 9.

  • #17624 Revised SCA policy for CentOS 7.

  • #18439 Revised SCA policy for CentOS 8.

  • #18010 Revised SCA policy for Debian 8.

  • #17922 Revised SCA policy for Debian 10.

  • #18695 Revised SCA policy for Amazon Linux 2.

  • #18985 Revised SCA policy for SUSE Linux Enterprise 15.

  • #19037 Revised SCA policy for macOS 13.0 Ventura.

  • #19515 Revised SCA policy for Microsoft Windows 10 Enterprise.

  • #20044 Revised SCA policy for Microsoft Windows 11 Enterprise.

  • #17518 Updated MITRE DB to v13.1.

Other

  • #20003 Upgraded embedded Python version to 3.10.13.

  • #23112 Upgraded external aiohttp library dependency version to 3.9.5.

  • #22221 Upgraded external cryptography library dependency version to 42.0.4.

  • #21710 Upgraded external curl library dependency version to 8.5.0.

  • #20003 Upgraded external grpcio library dependency version to 1.58.0.

  • #23112 Upgraded external idna library dependency version to 3.7.

  • #21684 Upgraded external Jinja2 library dependency version to 3.1.3.

  • #21710 Upgraded external libarchive library dependency version to 3.7.2.

  • #20003 Upgraded external numpy library dependency version to 1.26.0.

  • #21710 Upgraded external pcre2 library dependency version to 10.42.

  • #20493 Upgraded external pyarrow library dependency version to 14.0.1.

  • #21710 Upgraded external rpm library dependency version to 4.18.2.

  • #20741 Upgraded external SQLAlchemy library dependency version to 2.0.23.

  • #21710 Upgraded external sqlite library dependency version to 3.45.0.

  • #20630 Upgraded external urllib3 library dependency version to 1.26.18.

  • #21710 Upgraded external zlib library dependency version to 1.3.1.

  • #21710 Added external lua library dependency version 5.3.6.

  • #21749 Added external PyJWT library dependency version 2.8.0.

  • #21749 Removed external python-jose and ecdsa library dependencies.

Dashboard plugin

  • #5791 Added remember server address check.

  • #6093 Added a notification about new Wazuh updates and a button to check their availability. #6256 #6328

  • #6083 Added the ssl_agent_ca configuration to the SSL Settings form.

  • #5896 Added global vulnerabilities dashboards.

  • #5840 Added an agent selector to the agent view.

  • #5840 Moved the Wazuh menu into the side menu. #6226 #6423 #6510 #6591

  • #5840 Removed the disabled_roles and customization.logo.sidebar settings.

  • #5840 Removed module visibility configuration and removed the extensions.* settings.

  • #6035 Updated all dashboard visualization definitions. #6632 #6690

  • #6067 Reorganized tabs order in all modules.

  • #6174 Removed the implicit filter of WQL language of the search bar UI.

  • #6373 Changed the API configuration title to API Connections.

  • #6366 Removed Compilation date field from the Status view.

  • #6361 Removed WAZUH_REGISTRATION_SERVER variable from Windows agent deployment command.

  • #6354 Added a dash character and a tooltip element to Run as in the API configuration table to indicate it's been disabled.

  • #6364 Added tooltip element to Most active agent in Details in the Endpoint summary view and renamed a label element. #6421

  • #6379 Changed overview home top KPIs. #6408 #6569

  • #6341 Removed notice of old Discover deprecation.

  • #6492 Updated the PDF report year number to 2024.

  • #6702 Adjusted font style of Endpoints summary KPIs, Index pattern, and API selectors, as well as adjusted the Dev Tools column widths.

Packages

  • #2332 Added check into the installation assistant to prevent the use of public IP addresses.

  • #2365 Removed the postProvision.sh script. It's no longer used in OVA generation.

  • #2364 Added curl error messages in downloads.

  • #2469 Improved debug output in the installation assistant.

  • #2300 Added SCA policy for Rocky Linux 8 in SPECS.

  • #2557 Added SCA policy for Amazon Linux 2023 in SPECS.

  • #2558 The Wazuh password tool now recognizes UI-created users.

  • #2562 Bumped Wazuh indexer to OpenSearch 2.10.0.

  • #2563 Bumped Wazuh dashboard to OpenSearch Dashboards 2.10.0.

  • #2577 Added APT and YUM lock logic to the Wazuh installation assistant.

  • #2164 Deprecated CentOS 6 and Debian 7 for the Wazuh manager compilation, while still supporting them in the Wazuh agent compilation.

  • #2588 Added logic to the installation assistant to check for clean Wazuh central components removal.

  • #2615 Added branding images to the header of Wazuh dashboard.

  • #2696 Updated Filebeat module version to 0.4 in Wazuh installation assistant.

  • #2695 Added content database in RPM and DEB packages.

  • #2669 Upgraded botocore dependency in WPK package Docker containers.

  • #2738 Added xz utils as requirement.

  • #2777 Added support for refactored vulnerability detector in the installation assistant.

  • #2797 The Wazuh installation assistant now uses 127.0.0.1 instead of localhost in the Wazuh dashboard configuration. #2808

  • #2801 Added check into the installation assistant to ensure sudo package is installed.

  • #2802 Added the Wazuh keystore functionality to the passwords tool.

  • #2809 Upgraded scripts to support building Wazuh with OpenSSL 3.0.

  • #2784 Added rollback and exit in case the Wazuh indexer security admin fails.

  • #2804 Added the keystore tool for both RPM and DEB manager packages creation. #2802

  • #2798 Added compression for the Wazuh manager due to the inclusion of Vulnerability Detection databases.

  • #2796 Simplified the Wazuh dashboard help menu entries.

  • #2792 Improved certificates generation output when using the Wazuh Installation Assistant and the Wazuh Certs Tool.

  • #2891 Skipped certificate validation for CentOS 5 package generation.

  • #2890 Updated the file permissions of vulnerability detection-related directories.

  • #2966 Added Ubuntu 24 support to the Wazuh installation assistant.

  • #2422 Added the possibility of registering the localhost domain in the installation assistant and in the cert-tool.

  • #2408 Added new AWS files to Solaris SPECS.

  • #2553 Added new role to grant ISM API permissions.

  • #2578 Changed the order of the Explore category and the Indexer/dashboard management title on the dashboard.

  • #2582 Added the ISM init script to the Wazuh indexer package.

  • #2584 Added ISM script in installation assistant.

  • #2586 Moved ISM scripts from package to base.

  • #2590 Extended indexer-init.sh to accept arguments.

  • #2592 Updated the initialize cluster script in the offline installation workflow.

  • #2598 Updated min_doc_count value.

  • #2606 Improved ISM init script.

  • #2609 Adapted wazuhapp and Wazuh dashboard to install the Wazuh CheckUpdates and Core plugins.

  • #2639 Changed the yum lock check function.

  • #2653 Initially collapsed the application categories in the side menu of the Wazuh dashboard.

  • #2687 Added common_checkAptLock function.

  • #2700 Updated indexer-ism-init.sh.

  • #2711 Ensured config is present in ossec.conf after upgrade via rpm.

  • #2712 Added wazuh-filebeat template to Wazuh indexer.

  • #2713 Removed wazuh-template json.

  • #2726 Updated indexer-ism-init.sh.

  • #2733 Updated indexer-ism-init.sh.

  • #2742 Vulnerability detection refactor.

  • #2748 Removed flag --download-content.

  • #2782 Split CentOS and RHEL check.

  • #2789 Updated Wazuh favicon for Safari.

  • #2795 Replaced category management description.

  • #2807 Silenced sudo package check.

  • #2821 Removed debug variable in Admin certificate generation.

  • #2822 Stopped decompressing the .tar.xz file and removed the xz dependency.

  • #2827 Added a step to restore the ossec.conf file in the backup/restore scripts.

  • #2838 Removed download-content.sh and download.rules files.

Resolved issues

This release resolves the following known issues:

Manager

  • #17886 Updated cluster connection cleanup to remove temporary files when the connection between a worker and a master is broken.

  • #23371 Added a mechanism to prevent cluster errors from an expected wazuh-db exception.

  • #23216 Fixed a race condition when creating agent database files from a template.

Agent

  • #16839 Fixed process path retrieval in Syscollector on Windows XP.

  • #16056 Fixed the OS version detection on Alpine Linux.

  • #18642 Fixed Solaris 10 name not showing in the dashboard.

  • #21932 Fixed an error in macOS Ventura compilation from sources.

  • #23532 Fixed PyPI package gathering on macOS Sonoma.

RESTful API

  • #20527 Fixed a warning from SQLAlchemy involving detached Roles instances in RBAC.

  • #23120 Fixed an issue in GET /manager/configuration where only the last of multiple <ignore> items in the configuration file was displayed.

Dashboard plugin

  • #5840 Fixed a problem with the agent menu header when the side menu is docked.

  • #6102 Fixed how the query filters apply on the Security Alerts table.

  • #6177 Fixed exception in agent view when an agent doesn't have policies.

  • #6177 Fixed exception in Inventory when agents don't have operating system information.

  • #6177 Fixed pinned agent state in URL.

  • #6234 Fixed invalid date format in About and Agents views.

  • #6305 Fixed issue with script to install agents on macOS if using the registration password deployment variable.

  • #6327 Fixed an issue preventing the use of a hostname as the Server address in Deploy New Agent.

  • #6342 Fixed wrong Queue Usage values in Server management > Statistics.

  • #6352 Fixed Statistics view errors when cluster mode is disabled.

  • #6374 Fixed the help menu, to be consistent and avoid duplication.

  • #6378 Fixed the axis label visual bug from dashboards.

  • #6431 Fixed the error displayed when clicking Refresh in MITRE ATT&CK if the Wazuh indexer service is down.

  • #6484 Fixed minor style issues. #6489 #6587

  • #6617 Fixed error when clicking Log collection in Configuration of a disconnected agent.

  • #6333 Fixed a typo in an abbreviation for Fully Qualified Domain Name.

  • #6553 Fixed "View alerts of this Rule" link.

Packages

  • #2381 Fixed DNS validation in the installation assistant.

  • #2401 Fixed debug redirection in the installation assistant.

  • #2850 Fixed certificates generation output for certificates not created.

  • #2906 Moved up the hardware check of the installation assistant. Now dependencies don't get installed if it fails.

  • #2380 Fixed source_branch variable in master branch.

  • #2535 Fixed mkdir wazuh-install-files error.

  • #2560 Fixed internalusers-backup directory owner and permissions.

  • #2585 Fixed bug with -i option.

  • #2646 Fixed wazuh-indexer.spec duplicated information.

  • #2723 Fixed Filebeat template URL in Wazuh indexer.

  • #2796 Fixed duplicated help menu.

Changelogs

The repository changelogs provide more details about the changes.