Manager
Added
- Added new unit tests for cluster python module and increased coverage to 99%. (#9995)
- Added file size limitation on cluster integrity sync. (#11190)
- Added unittests for CLIs script files. (#13424)
- Added support for SUSE in Vulnerability Detector. (#9962)
- Added support for Ubuntu Jammy in Vulnerability Detector. (#13263)
- Added a software limit on the number of EPS (events per second) that a manager can process. (#13608)
- Added a new wazuh-clusterd task for agent-groups info synchronization. (#11753)
- Added unit tests for functions in charge of getting ruleset sync status. (#14950)
- Added auto-vacuum mechanism in wazuh-db. (#14950)
Changed
- wazuh-logtest now shows warnings about ruleset issues. (#10822)
- Modulesd memory is now managed by jemalloc, which helps reduce memory fragmentation. (#12206)
- The manager now refuses multiple connections from the same agent. (#11702)
- Updated the Vulnerability Detector configuration reporting to include MSU and skip JSON Red Hat feed. (#12117)
- Improved the shared configuration file handling performance. (#12352)
- The agent group data is now natively handled by Wazuh DB. (#11753)
- Improved security of cluster zip filename creation. (#10710)
- Refactored the core/common.py module. (#12390)
- Refactored the format_data_into_dictionary method of the WazuhDBQuerySyscheck class. (#12497)
- Limit the maximum zip size that can be created while synchronizing cluster Integrity. (#11124)
- Refactored the functions in charge of synchronizing files in the cluster. (#13065)
- Changed MD5 hash function to BLAKE2 for cluster file comparison. (#13079)
- Renamed wazuh-logtest and wazuh-clusterd scripts to follow the same scheme as the other scripts (spaces symbolized with _ instead of -). (#12926)
- The agent key polling module has been ported to wazuh-authd. (#10865)
- Added the update field in the CPE Helper for Vulnerability Detector. (#13741)
- Prevented agents with the same ID from connecting to the manager simultaneously. (#11702)
- wazuh-analysisd, wazuh-remoted and wazuh-db metrics have been extended. (#13713)
- Minimized and optimized wazuh-clusterd number of messages from workers to master related to agent-info and agent-groups tasks. (#11753)
- Improved performance of the agent_groups CLI when listing agents belonging to a group. (#14244)
- Changed wazuh-clusterd binary behaviour to kill any existing cluster processes when executed. (#14475)
- Changed wazuh-clusterd tasks to wait asynchronously for responses coming from wazuh-db. (#14791)
- Use zlib for zip compression in cluster synchronization. (#11190)
- Added mechanism to dynamically adjust zip size limit in Integrity sync. (#12241)
Fixed
- Fixed wazuh-dbd halt procedure. (#10873)
- Fixed compilation warnings in the manager. (#12098)
- Fixed a bug in the manager that did not send shared folders correctly to agents belonging to multiple groups. (#12516)
- Fixed the Active Response decoders to support back the top entries for source IP in reports. (#12834)
- Fixed the feed update interval option of Vulnerability Detector for the JSON Red Hat feed. (#13338)
- Fixed several code flaws in the python framework. (#12127)
- Fixed framework datetime transformations to UTC. (#10782)
- Fixed a cluster error when Master-Worker tasks were not properly stopped after an exception occurred in one or both parts. (#11866)
- Fixed cluster logger issue printing 'NoneType: None' in error logs. (#12831)
- Fixed unhandled cluster error when reading a malformed configuration. (#13419)
- Fixed framework unit test failures when they are run by the root user. (#13368)
- Fixed a memory leak in analysisd when parsing a disabled Active Response. (#13405)
- Fixed Syscollector delta message handling. (#13590)
- Prevented wazuh-db from deleting queue/diff when cleaning databases. (#13892)
- Fixed multiple data race conditions in Remoted reported by ThreadSanitizer. (#14981)
- Fixed aarch64 OS collection in Remoted to allow WPK upgrades. (#15151)
- Fixed a race condition in Remoted that was blocking agent connections. (#15165)
- Fixed Virustotal integration to support non-UTF-8 characters. (#13531)
- Fixed a bug masking as Timeout any error that might occur while waiting to receive files in the cluster. (#14922)
Removed
- Removed the unused internal option wazuh_db.sock_queue_size. (#12409)
- Removed all the unused exceptions from the exceptions.py file. (#10940)
- Removed unused execute method from core/utils.py. (#10740)
- Removed unused set_user_name function in framework. (#13119)
- Unused internal calls to wazuh-db have been deprecated. (#12370)
- Debian Stretch support in Vulnerability Detector has been deprecated. (#14542)
Agent
Added
- Added support of CPU frequency data provided by Syscollector on Raspberry Pi. (#11756)
- Added support for IPv6 address collection in the agent. (#11450)
- Added the process startup time data provided by Syscollector on macOS. (#11833)
- Added support of package retrieval in Syscollector for OpenSUSE Tumbleweed and Fedora 34. (#11571)
- Added the process startup time data provided by Syscollector on macOS. Thanks to @LubinLew. (#11640)
- Added support for package data provided by Syscollector on Solaris. (#11796)
- Added support for delta events in Syscollector when data gets changed. (#10843)
- Added support for pre-installed Windows packages in Syscollector. (#12035)
- Added support for IPv6 on agent-manager connection and enrollment. (#11268)
- Added support for CIS-CAT Pro v3 and v4 to the CIS-CAT integration module. Thanks to @hustliyilin. (#12582)
- Added support for the use of the Azure integration module in Linux agents. (#10870)
- Added new error messages when using invalid credentials with the Azure integration. (#11852)
- Added reparse option to CloudWatchLogs and Google Cloud Storage integrations. (#12515)
- Wazuh Agent can now be built and run on Alpine Linux. (#14726)
- Added native Shuffle integration. (#15054)
Changed
- Improved the free RAM data provided by Syscollector. (#11587)
- The Windows installer (MSI) now provides signed DLL files. (#12752)
- Changed the group ownership of the Modulesd process to root. (#12748)
- Some parts of Agentd and Execd have been refactored. (#12750)
- Handled new exception in the external integration modules. (#10478)
- Optimized the number of calls to DB maintenance tasks performed by the AWS integration. (#11828)
- Improved the reparse performance by removing unnecessary queries from external integrations. (#12404)
- Updated and expanded Azure module logging functionality to use the ossec.log file. (#12478)
- Improved the error management of the Google Cloud integration. (#12647)
- Deprecated the logging tag in the GCloud integration. It now uses the wazuh_modules debug value to set the verbosity level. (#12769)
- The last_dates.json file of the Azure module has been deprecated in favour of a new ORM and database. (#12849)
- Improved the error handling in the AWS integration's decompress_file method. (#12929)
- Use zlib for zip compression in cluster synchronization. (#11190)
- The exception handling on Wazuh Agent for Windows has been changed to DWARF2. (#11354)
- The root CA certificate for WPK upgrade has been updated. (#14696)
- Agents on macOS now report the OS name as "macOS" instead of "Mac OS X". (#14822)
- The Systemd service stopping policy has been updated. (#14816)
- Changed how the AWS module handles ThrottlingException, adding default values for connection retries in case no config file is set. (#14793)
Fixed
- Fixed collection of maximum user data length. Thanks to @LubinLew. (#7687)
- Fixed missing fields in Syscollector on Windows 10. (#10772)
- Fixed the process startup time data provided by Syscollector on Linux. Thanks to @LubinLew. (#11227)
- Fixed network data reporting by Syscollector related to tunnel or VPN interfaces. (#11837)
- Skipped V9FS file system at Rootcheck to prevent false positives on WSL. (#12066)
- Fixed double file handle closing in Logcollector on Windows. (#9067)
- Fixed a bug in Syscollector that may prevent the agent from stopping when the manager connection is lost. (#11949)
- Fixed internal exception handling issues on Solaris 10. (#12148)
- Fixed duplicate error message IDs in the log. (#12300)
- Fixed compilation warnings in the agent. (#12691)
- Fixed the skip_on_error parameter of the AWS integration module, which was set to True by default. (#1247)
- Fixed AWS DB maintenance with Load Balancer Buckets. (#12381)
- Fixed the AWS integration's test_config_format_created_date unit test. (#12650)
- Fixed the created_date field for LB and Umbrella integrations. (#12630)
- Fixed AWS integration database maintenance error management. (#13185)
- The default delay at GitHub integration has been increased to 30 seconds. (#13674)
- Logcollector has been fixed to allow locations containing colons (:). (#14706)
- Fixed system architecture reporting in Logcollector on Apple Silicon devices. (#13835)
- The C++ standard library and the GCC runtime library are now included with Wazuh. (#14190)
- Fixed missing inventory cleaning message in Syscollector. (#13877)
- Fixed WPK upgrade issue on Windows agents due to process locking. (#15322)
- Fixed a FIM injection vulnerability when using the prefilter_cmd option. (#13044)
- Fixed the parsing of ALB logs, splitting client_port, target_port and target_port_list into separate ip and port values for each key. (#14525)
- Fixed a bug that prevented processing Macie logs with problematic ipGeolocation values. (#15335)
- Fixed GCP integration module error messages. (#15584)
Removed
- Deprecated Azure and AWS credentials in the configuration authentication option. (#14543)
RESTful API
Added
- Added new API integration tests for a Wazuh environment without a cluster configuration. (#10620)
- Added wazuh-modulesd tags to the GET /manager/logs and GET /cluster/{node_id}/logs endpoints. (#11731)
- Added a Python decorator to soft-deprecate API endpoints by adding deprecation headers to their responses. (#12438)
- Added new exception to inform that /proc directory is not found or permissions to see its status are not granted. (#12486)
- Added a new field and filter to the GET /agents response to retrieve the agent groups configuration synchronization status. (#12362)
- Added the agent groups configuration synchronization status to the GET /agents/summary/status endpoint. (#12498)
- Added JSON log handling. (#11171)
- Added integration tests for IPv6 agent's registration. (#12029)
- Enabled ordering by agent count in /groups endpoints. (#12887)
- Added a hash to API logs to identify users logged in with authorization context. (#12092)
- Added a new limits section to the upload_wazuh_configuration section in the Wazuh API configuration. (#14119)
- Added logic to the API logger to renew its streams if needed on every request. (#14295)
- Added GET /manager/daemons/stats and GET /cluster/{node_id}/daemons/stats API endpoints. (#14401)
- Added GET /agents/{agent_id}/daemons/stats API endpoint. (#14464)
- Added the possibility to get the configuration of the wazuh-db component in active configuration endpoints. (#14471)
- Added distinct and select parameters to GET /sca/{agent_id} and GET /sca/{agent_id}/checks/{policy_id} endpoints. (#15084)
- Added a new endpoint to run Vulnerability Detector on-demand scans (PUT /vulnerability). (#15290)
Changed
- Improved the GET /cluster/healthcheck endpoint and the cluster_control -i more CLI call in loaded cluster environments. (#11341)
- Removed the never_connected agent status limitation when trying to assign agents to groups. (#12595)
- Changed API version and upgrade_version filters to work with different version formats. (#12551)
- Renamed the GET /agents/{agent_id}/group/is_sync endpoint to GET /agents/group/is_sync and added a new agents_list parameter. (#9413)
- Added the POST /security/user/authenticate endpoint and marked the GET /security/user/authenticate endpoint as deprecated. (#10397)
- Adapted framework code to agent-group changes to use the new wazuh-db commands. (#12526)
- Updated the default timeout for GET /mitre/software to avoid timing out in slow environments after the MITRE DB update to v11.2. (#13791)
- Changed API settings related to remote commands. The remote_commands section is now held within upload_wazuh_configuration. (#14119)
- Improved API unauthorized responses to be more accurate. (#14233)
- Updated framework functions that communicate with the request socket to use remote instead. (#14259)
- Improved parameter validation for API endpoints that require component and configuration parameters. (#14766)
- Improved GET /sca/{agent_id}/checks/{policy_id} API endpoint performance. (#15017)
- Improved exception handling when trying to connect to Wazuh sockets. (#15334)
- Modified _group_names and _group_names_or_all regexes to avoid invalid group names. (#15671)
Fixed
- Fixed copy functions used for the backup files and upload endpoints to prevent incorrect metadata. (#12302)
- Fixed a bug regarding ids not being sorted with cluster disabled in Active Response and Agent endpoints. (#11010)
- Fixed a bug where null values from wazuh-db were returned in API responses. (#10736)
- Connections through WazuhQueue will be closed gracefully in all situations. (#12063)
- Fixed exception handling when trying to get the active configuration of a valid but not configured component. (#12450)
- Fixed the api.yaml path suggested as remediation in exception.py. (#12700)
- Fixed /tmp access error in containers of API integration tests environment. (#12768)
- The API will return an exception when the user asks for agent inventory information and there is no database for it (never connected agents). (#13096)
- Improved the regex used for the q parameter on API requests with special characters and brackets. (#13171) (#13386)
- Removed board_serial from syscollector integration tests expected responses. (#12592)
- Removed cmd field from expected responses of syscollector integration tests. (#12557)
- Reduced maximum number of groups per agent to 128 and adjusted group name validation. (#12611)
- Reduced amount of memory required to read CDB lists using the API. (#14204)
- Fixed a bug where the cluster health check endpoint and CLI would add an extra active agent to the master node. (#14237)
- Fixed a bug that prevented updating the configuration when using multiple <ossec_conf> blocks from the API. (#15311)
- Fixed vulnerability API integration tests' healthcheck. (#15194)
Removed
- Removed null remediations from failed API responses. (#12053)
- Deprecated the GET /agents/{agent_id}/group/is_sync endpoint. (#12365)
- Deprecated the GET /manager/stats/analysisd, GET /manager/stats/remoted, GET /cluster/{node_id}/stats/analysisd, and GET /cluster/{node_id}/stats/remoted API endpoints. (#14230)
Ruleset
Fixed
- Fixed the OpenWRT decoder to parse UFW logs. (#11613)
Other
Added
- Added unit tests to the component in Analysisd that extracts the IP address from events. (#12733)
- Added the python-json-logger dependency. (#12518)
Changed
- Prevented the Ruleset test suite from restarting the manager. (#10773)
- The pthread rwlock has been replaced with a FIFO-queueing read-write lock. (#14839)
Fixed
- Fixed Makefile to detect CPU architecture on Gentoo Linux. (#14165)