Wazuh v3.6.0 released: Host and endpoint security

Wazuh

Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the following capabilities:

  • Log management and analysis: Wazuh agents read operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage.
  • File integrity monitoring: Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on.
  • Intrusion and anomaly detection: Agents scan the system looking for malware, rootkits or suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.
  • Policy and compliance monitoring: Wazuh monitors configuration files to ensure they are compliant with your security policies, standards or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.

This diverse set of capabilities is provided by integrating OSSEC, OpenSCAP and Elastic Stack, making them work together as a unified solution, and simplifying their configuration and management.

It provides an updated log analysis ruleset and a RESTful API that allows you to monitor the status and configuration of all Wazuh agents.

It also includes a rich web application (fully integrated as a Kibana app), for mining log analysis alerts and for monitoring and managing your Wazuh infrastructure.

Changelog v3.6.0

Added

  • Add rescanning of expanded files with wildcards in logcollector (#332)
  • Parallelization of logcollector (#627)
    • Now the input of logcollector is multithreaded, reading logs in parallel.
    • A thread is created for each type of output socket.
    • Periodic rescan for new files.
    • New options have been added to internal_options.conf file.
  • Added statistical functions to remoted. (#682)
  • Rootcheck and Syscheck (FIM) will run independently. (#991)
  • Add hash validation for binaries executed by the wodle command. (#1027)
  • Added a recursion level option to Syscheck to set the directory scanning depth. (#1081)
  • Added inactive agent filtering option to the agent_control, syscheck_control and rootcheck_control tools. (#1088)
  • Added custom tags to FIM directories and registries. (#1096)
  • Improved AWS CloudTrail wodle by @UranusBytes (#913 & #1105).
  • Added support to process logs from more AWS services: GuardDuty, IAM, Inspector, Macie and VPC. (#1131)
  • Create script for blocking IPs using netsh advfirewall. (#1172)
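As an added illustration of the netsh advfirewall active-response item above (this is not the script shipped with Wazuh), a PowerShell block script that validates the address it receives before handing it to netsh. The argument order `<add|delete> <user> <srcip>` follows the classic OSSEC active-response convention and is an assumption here.

```powershell
# Added example, not Wazuh's own script. Assumes the classic active-response
# argument order: <add|delete> <user> <srcip> (any further arguments are ignored).
param(
    [Parameter(Mandatory = $true)][string]$Action,
    [string]$User,
    [string]$SrcIp
)

# The address comes from parsed log data, so never pass it to netsh
# unvalidated: accept only what the .NET parser recognises as an IP address.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($SrcIp, [ref]$parsed)) {
    Write-Error "Refusing to act on malformed address '$SrcIp'"
    exit 1
}
$ip = $parsed.IPAddressToString          # canonical form, e.g. 192.0.2.10
$ruleName = "WAZUH_AR_BLOCK_$ip"          # one firewall rule per blocked address

switch ($Action) {
    'add' {
        # netsh exits non-zero when no rule matches, so this keeps the action idempotent.
        netsh advfirewall firewall show rule name="$ruleName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            netsh advfirewall firewall add rule name="$ruleName" dir=in action=block remoteip="$ip"
        }
    }
    'delete' {
        netsh advfirewall firewall delete rule name="$ruleName"
    }
    default {
        Write-Error "Unknown action '$Action' (expected add or delete)"
        exit 1
    }
}
exit $LASTEXITCODE
```

The rule name embeds the canonicalised address, so a later `delete` for the same source removes exactly the rule that `add` created.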

Changed

  • The maximum log length has been extended up to 64 KiB. (#411)
  • Changed logcollector analysis message order. (#675)
  • Let hostname field be the name of the agent, without the location part. (#1080)
  • The internal option syscheck.max_depth has been renamed to syscheck.default_max_depth. (#1081)
  • Show warning message when configuring vulnerability-detector for an agent. (#1130)
  • Increase the minimum waiting time from 0 to 1 second in Vulnerability-Detector. (#1132)
  • Prevent Windows agent from not loading the configuration if an AWS module block is found. (#1143)
  • Set the timeout to consider an agent disconnected to 1800 seconds in the framework. (#1155)

Fixed

  • Fix agent ID zero-padding in alerts coming from Vulnerability Detector. (#1083)
  • Fix multiple warnings when agent is offline. (#1086)
  • Fixed minor issues in the Makefile and the sources installer on HP-UX, Solaris on SPARC and AIX systems. (#1089)
  • Fixed SHA256 changes messages in alerts when it is disabled. (#1100)
  • Fixed empty configuration blocks for Wazuh modules. (#1101)
  • Fix broken pipe error in Wazuh DB by Vulnerability Detector. (#1111)
  • Restored firewall-drop AR script for Linux. (#1114)
  • Fix unknown severity in Red Hat systems. (#1118)
  • Added a building flag to compile the SQLite library externally for the API. (#1119)
  • Fixed variables length when storing RAM information by Syscollector. (#1124)
  • Fix Red Hat vulnerability database update. (#1127)
  • Fix allowing more than one wodle command. (#1128)
  • Fixed after_regex offset for the decoding algorithm. (#1129)
  • Prevent some vulnerabilities from being skipped on Debian systems. (#1166)
  • Fixed legacy configuration for vulnerability-detector. (#1174)
  • Fix active-response scripts installation for Windows. (#1182)

Removed

  • The ‘T’ multiplier has been removed from option max_output_size. (#1089)

Download && Use

Portions Copyright (C) 2017 Wazuh, Inc.
Based on work Copyright (C) 2003 – 2013 Trend Micro, Inc.
