3.2.0 Release Notes

This section shows the most relevant new features of Wazuh v3.2.0. You will find more detailed information in our changelog file.

New features:

Vulnerability detection

A native vulnerability detector has been implemented, making use of agents new feature to report inventory data (e.g. applications installed, network configuration, hardware information). The manager is now capable of building a vulnerability database, making use of public OVAL repositories (published and maintained by different vendors). This database is used to do correlation with agents reported applications inventory data, identifying packages with a CVE.

In version 3.1.0, detecting vulnerabilities was already possible using Wazuh agents integration with Vuls (a third party open source project), but this integration required the installation of additional software on the monitored hosts (adding extra complexity, and making it difficult to manage in a centralized way). Now, in this version, Vuls is not required anymore as this capability is now natively supported using the new agent and manager features.

The new architecture design keeps agents footprint small, not impacting monitored hosts performance or consuming unnecessary resources. Agents just read and report applications installed (RPM, Deb or MSI packages), while the manager is the one that uses the vulnerability database to identify CVEs.

See below an example of results when an application vulnerability is identified:

** Alert 1518102634.685428: - vulnerability-detector,
2018 Feb 08 16:10:34 (PC) ->vulnerability-detector
Rule: 23504 (level 7) -> 'CVE-2017-7226 on Ubuntu 16.04 LTS (xenial) - medium.'
vulnerability.cve: CVE-2017-7226
vulnerability.title: CVE-2017-7226 on Ubuntu 16.04 LTS (xenial) - medium.
vulnerability.severity: Medium
vulnerability.published: 2017-03-22
vulnerability.updated: 2017-03-22
vulnerability.reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7226
vulnerability.rationale: The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.
vulnerability.state: Unfixed
vulnerability.affected_package: binutils
vulnerability.version: 2.26.1-1ubuntu1~16.04.6

You can read more about this new module in the Vulnerability detection section.

Module for AWS Cloudtrail integration

This module provides the ability to read your AWS CloudTrail logs directly from an AWS S3 bucket. Amazon CloudTrail support is now a built-in Wazuh capability, giving you the ability to search, analyze, and alert on AWS CloudTrail events.

Below is an example of the JSON alert generated by this module:

** Alert 1518488581.32874246: - amazon,authentication_success,pci_dss_10.2.5,
2018 Feb 13 02:23:01 manager->Wazuh-AWS
Rule: 80253 (level 3) -> 'Amazon: signin.amazonaws.com - ConsoleLogin - User Login Success.'
aws.eventVersion: 1.05
aws.eventID: 2fb29f0f-4d7f-4384-8170-xxxx
aws.eventTime: 2018-02-13T02:12:26Z
aws.log_file: 1661xxx_CloudTrail_us-east-1_20180xxx_S4Wouyxxx.json.gz
aws.additionalEventData.MFAUsed: No
aws.additionalEventData.LoginTo: https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true
aws.additionalEventData.MobileVersion: No
aws.eventType: AwsConsoleSignIn
aws.responseElements.ConsoleLogin: Success
aws.awsRegion: us-east-1
aws.eventName: ConsoleLogin
aws.userIdentity.userName: wazuh
aws.userIdentity.type: IAMUser
aws.userIdentity.arn: arn:aws:iam::166157441623:user/wazuh
aws.userIdentity.principalId: AIDAJxxx
aws.userIdentity.accountId: 1661xx4xxx
aws.eventSource: signin.amazonaws.com
aws.userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
aws.sourceIPAddress: 67.161.xx.xx
aws.recipientAccountId: 166157441623
integration: aws

You can read more about this new module in the AWS CloudTrail section.

CIS-CAT integration now supports Windows OS

In our previous release, the module for integration with CIS-CAT scanner only supported Linux systems. Now, it also supports Windows systems.

CIS-CAT alerts have been also enriched and reports are parsed natively now, improving its efficiency considerably. See below an example of an alert:

** Alert 1518508994.718592: - ciscat,
2018 Feb 13 00:03:14 (Windows7) 192.168.1.201->wodle_cis-cat
Rule: 87409 (level 7) -> ’CIS-CAT: (L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’ (failed)'
type: scan_result
scan_id: 589117374
cis.rule_id: 19.7.43.2.1
cis.rule_title: (L2) Ensure ‘Prevent Codec Download’ is set to ‘Enabled’
cis.group: Administrative Templates (User)
cis.description: This setting controls whether Windows Media Player is allowed to download additional codecs for decoding media files it does not already understand. The recommended state for this setting is: Enabled.
cis.rationale: This has some potential for risk if a malicious data file is opened in Media Player that requires an additional codec to be installed. If a special codec is required for a necessary job function, then that codec should be tested and supplied by the IT department in the organization.
cis.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: User Configuration\Policies\Administrative Templates\Windows Components\Windows Media Player\Playback\Prevent Codec Download  Impact: The Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available.
cis.result: fail

Cluster: Ruleset synchronization and performance improvements

Several bugs have been fixed in the cluster. Also, its general performance has been improved.

The cluster is now able to synchronize decoders, rules and CDB lists. It also makes use of ossec-logtest tool to test that new rules, decoders or CDB lists are correctly formatted, before sending those to the rest of the cluster nodes.

The full list of files synchronized across cluster nodes is:

  • /etc/client.keys
  • /etc/shared
  • /etc/decoders*
  • /etc/rules*
  • /etc/lists*
  • /queue/agent-groups
  • /queue/agent-info

(*) Nodes are restarted when these files are updated.