Added
- Added enrollment capability. Agents are now able to request a key from the manager if current key is missing or wrong. (#5609)
- Migrated the agent-info data to Wazuh DB. (#5541)
- Wazuh API:
  - Embedded Wazuh API with Wazuh Manager; there is no need to install Wazuh API separately. (9860823)
  - Migrated Wazuh API server from nodejs to python. (#2640)
  - Added asynchronous aiohttp server for the Wazuh API. (#4474)
  - New Wazuh API is approximately 5 times faster on average. (#5834)
  - Added OpenAPI based Wazuh API specification. (#2413)
  - Improved Wazuh API reference documentation based on OpenAPI spec using redoc. (#4967)
  - Added new yaml Wazuh API configuration file. (#2570)
  - Added new endpoints to manage API configuration and deprecated configure_api.sh. (#2570)
  - Added RBAC support to Wazuh API. (#3287)
  - Added new endpoints for Wazuh API security management. (#3410)
  - Added SQLAlchemy ORM based database for RBAC. (#3375)
  - Added new JWT authentication method. (7080ac3)
  - Wazuh API up and running by default in all nodes for a clustered environment.
  - Added new and improved error handling. (#2843) (#5345)
  - Added tavern and docker based Wazuh API integration tests. (#3612)
  - Added new and unified Wazuh API responses structure. (3421015)
  - Added new endpoints for Wazuh API users management. (#3280)
  - Added new endpoint to restart agents which belong to a node. (#5381)
  - Added and improved q filter in several endpoints. (#5431)
  - Tested and improved Wazuh API security. (#5318)
- Vulnerability Detector:
  - Redhat vulnerabilities are now fetched from OVAL benchmarks. (#5352)
  - Debian vulnerable packages are now fetched from the Security Tracker. (#5304)
  - The Debian Security Tracker feed can be loaded from a custom location. (#5449)
  - The package vendor is used to discard vulnerabilities. (#5330)
  - Allow compressed feeds for offline updates. (#5745)
  - The manager now updates the MSU feed automatically. (#5678)
  - CVEs with no affected version defined in all the feeds are now reported. (#5284)
  - CVEs vulnerable for the vendor and missing in the NVD are now reported. (#5305)
- File Integrity Monitoring:
  - Added options to limit disk usage using the report changes option in the FIM module. (#5157)
  - Added and updated framework unit tests to increase coverage. (#3287)
  - Added improved support for monitoring paths from environment variables. (#4961)
- Added `base64_log` format to the log builder for Logcollector. (#5273)
Changed
- Changed the default manager-agent connection protocol to TCP. (#5696)
- Disable perpetual connection attempts to modules. (#5622)
- Unified the behaviour of Wazuh daemons when reconnecting with unix sockets. (#4510)
- Changed multiple Wazuh API endpoints. (#2640) (#2413)
- Refactored framework module in SDK and core. (#5263)
- Refactored FIM Windows events handling. (#5144)
- Changed framework to access global.db using wazuh-db. (#6095)
- Changed agent-info synchronization task in Wazuh cluster. (#5585)
- Use the proper algorithm name for SHA-256 inside Prelude output. Thanks to François Poirotte (@fpoirotte). (#5004)
- Elastic Stack configuration files have been adapted to Wazuh v4.x. (#5796)
- Explicitly use Bash for the Pagerduty integration. Thanks to Chris Kruger (@montdidier). (#4641)
Fixed
- Vulnerability Detector:
  - Vulnerabilities of Windows Server 2019 which do not affect Windows 10 were not being reported. (#5524)
  - Vulnerabilities patched by a Microsoft update with no supersedence were not being reported. (#5524)
  - Vulnerabilities patched by more than one Microsoft update were not being evaluated against all the patches. (#5717)
  - Fixed duplicated alerts in Windows 10. (#5600)
  - Syscollector now discards hotfixes that are not fully installed. (#5792)
  - Syscollector now collects hotfixes that were not being parsed. (#5792)
  - Update Windows databases when `run_on_start` is disabled. (#5335)
  - Fixed the NVD version comparator to remove undesired suffixes. (#5362)
  - Fixed an unescaped single quote in a Vulnerability Detector SQL query. (#5570)
  - Unified alerts title. (#5826)
  - Fixed a potential error in the GZlib when uncompressing NVD feeds. (#5989)
- File Integrity Monitoring:
  - Fixed an error with last scan time in Syscheck API endpoints. (a9acd3a)
  - Fixed support for monitoring directories which contain commas. (#4961)
  - Fixed a bug where configuring a directory to be monitored as real-time and whodata resulted in real-time prevailing. (#4961)
  - Fixed using an incorrect mutex while deleting inotify watches. (#5126)
  - Fixed a bug which could cause multiple FIM threads to request the same temporary file. (#5213)
  - Fixed a bug where deleting a file permanently in Windows would not trigger an alert. (#5144)
  - Fixed a typo in the file monitoring options log entry. (#5591)
  - Fixed an error where monitoring a drive in Windows under scheduled or real-time mode would generate alerts from the recycle bin. (#4771)
  - When monitoring a drive in Windows in the format `U:`, it will monitor `U:\` instead of the agent's working directory. (#5259)
  - Fixed a bug where monitoring a drive in Windows with `recursion_level` set to 0 would trigger alerts from files inside its subdirectories. (#5235)
- Fixed an Azure wodle dependency error. The package azure-storage-blob>12.0.0 does not include a component that was used. (#6109)
- Fixed bugs reported by GCC 10.1.0. (#5119)
- Fixed compilation errors with `USE_PRELUDE` enabled. Thanks to François Poirotte (@fpoirotte). (#5003)
- Fixed default gateway data gathering in Syscollector on Linux 2.6. (#5548)
- Fixed the Eventchannel collector to keep working when the Eventlog service is restarted. (#5496)
- Fixed the OpenSCAP script to work over Python 3. (#5317)
- Fixed the launcher.sh generation in macOS source installation. (#5922)
Removed
- Removed Wazuh API cache endpoints. (#3042)
- Removed Wazuh API rootcheck endpoints. (#5246)
- Deprecated Debian Jessie and Wheezy for Vulnerability Detector (EOL). (#5660)
- Removed references to `manage_agents` in the installation process. (#5840)
- Removed compatibility with deprecated configuration at Vulnerability Detector. (#5879)