Manager

Fixed

• Added support for multiple Certificate Authorities files in the indexer connector. (#24620)
• Removed hardcoded cipher text size from the RSA decryption method. (#24529)
• Avoid infinite loop while updating the vulnerability detector content. (#25094)
• Fixed repeated OS vulnerability reports. (#26223)
• Fixed inconsistencies between reported context and vulnerability data. (#25479)
• Fixed concurrency issues in LRU caches (#26073)
• Removed all CVEs related to a deleted agent from the indexer. (#26232)
• Prevented an infinite loop when indexing events in the Vulnerability Detector. (#26922)
• Fixed segmentation fault in DescriptionsHelper::vulnerabilityDescription. (#26842)
• Fixed vulnerability scanner re-scan triggers in cluster environment. (#24034)

Changed

• Added self-recovery mechanism for rocksDB databases. (#24333)
• Improve logging for indexer connector monitoring class. (#25189)
• Added generation of debug symbols. (#23760)
• Updated CURL version to 8.10.0. (#23266)

Agent

Fixed

• Fixed macOS agent upgrade timeout. (#25452)
• Fixed macOS agent startup error by properly redirecting cat command errors in wazuh-control. (#24531)
• Fixed inconsistent package inventory size information in Syscollector across operating systems (#24516)
• Fixed missing Python path locations for macOS in Data Provider. (#24125)
• Fixed permission error on Windows 11 agents after remote upgrade. (#25429)
• Fixed increase of the variable containing file size in FIM for Windows. (#24387)
• Fixed timeout issue when upgrading Windows agent via WPK. (#25699)
• Allowed unknown syslog identifiers in Logcollector's journald reader. (#26748)
• Prevented agent termination during package upgrades in containers by removing redundant kill commands. (#26828)
• Fixed handle leak in FIM's realtime mode on Windows. (#26861)
• Fixed errors on AIX 7.2 by adapting the blibpath variable. (#26900)
• Sanitized agent paths to prevent issues with parent folder references. (#26944)
• Fixed an issue in the DEB package that prevented the agent from restarting after an upgrade. (#26633)
• Improved file path handling in agent communications to avoid references to parent folders. (#26944)
• Set RPM package vendor to UNKNOWN_VALUE when the value is missing. (#27054)
• Updated Solaris package generation to use the correct wazuh-packages reference. (#27059)

Changed

• Added generation of debug symbols. (#23760)
• Changed how the AWS module handles non-existent regions. (#23998)
• Changed macOS packages building tool. (#2006)
• Enhance Wazuh macOS agent installation instructions (#7498)
• Enhance Windows agent signing procedure. (#2826)
• Enhance security by implementing a mechanism to prevent unauthorized uninstallation of Wazuh agent on Linux endpoints. (#23466)
• Enhance integration with Microsoft Intune MDM to pull audit logs for security alert generation. (#24498)
• Updated rootcheck old signatures. (#26137)

RESTful API

Added

• Created new endpoint for agent uninstall process. (#24621)

Other

Changed

• Updated the embedded Python version up to 3.10.15. (#25374)
• Upgraded certifi and removed unused packages. (#25324)
• Upgraded external cryptography library dependency version to 43.0.1. (#25893)
• Upgraded external starlette and uvicorn dependencies. (#26252)

Ruleset

Added

• Create SCA Policy for Windows Server 2012 (non R2). (#21794)

Changed

• Rework SCA Policy for Windows Server 2019. (#21434)
• Rework SCA Policy for Red Hat Enterprise Linux 9. (#24667)
• Rework SCA Policy for Microsoft Windows Server 2012 R2. (#24991)
• Rework SCA Policy for Ubuntu Linux 18.04 LTS. Fix incorrect checks in Ubuntu 22.04 LTS. (#24957)
• Rework SCA Policy for Amazon Linux 2 SCA. (#24969)
• Rework SCA for SUSE Linux Enterprise 15 SCA. (#24975)
• Rework SCA Policy for Apple macOS 13.0 Ventura. (#24992)
• Rework SCA Policy for Microsoft Windows 11 Enterprise. (#25710)

Fixed

• Fixed Logical errors in Windows Server 2022 SCA checks. (#22597)
• Fixed wrong regulatory compliance in several Windows rules. (#25224)
• Fixed incorrect checks in Ubuntu 22.04 LTS. (#24733)
• Removal of check with high CPU utilization in multiple SCA. (#25190)

Manager

Fixed

• Added support for multiple Certificate Authorities files in the indexer connector. (#24620)
• Removed hardcoded cipher text size from the RSA decryption method. (#24529)
• Avoid infinite loop while updating the vulnerability detector content. (#25094)
• Fixed repeated OS vulnerability reports. (#26223)
• Fixed inconsistencies between reported context and vulnerability data. (#25479)
• Fixed concurrency issues in LRU caches (#26073)
• Removed all CVEs related to a deleted agent from the indexer. (#26232)
• Prevented an infinite loop when indexing events in the Vulnerability Detector. (#26922)
• Fixed segmentation fault in DescriptionsHelper::vulnerabilityDescription. (#26842)
• Fixed vulnerability scanner re-scan triggers in cluster environment. (#24034)

Changed

• Added self-recovery mechanism for rocksDB databases. (#24333)
• Improve logging for indexer connector monitoring class. (#25189)
• Added generation of debug symbols. (#23760)
• Updated CURL version to 8.10.0. (#23266)

Agent

Fixed

• Fixed macOS agent upgrade timeout. (#25452)
• Fixed macOS agent startup error by properly redirecting cat command errors in wazuh-control. (#24531)
• Fixed inconsistent package inventory size information in Syscollector across operating systems (#24516)
• Fixed missing Python path locations for macOS in Data Provider. (#24125)
• Fixed permission error on Windows 11 agents after remote upgrade. (#25429)
• Fixed increase of the variable containing file size in FIM for Windows. (#24387)
• Fixed timeout issue when upgrading Windows agent via WPK. (#25699)
• Allowed unknown syslog identifiers in Logcollector's journald reader. (#26748)
• Prevented agent termination during package upgrades in containers by removing redundant kill commands. (#26828)
• Fixed handle leak in FIM's realtime mode on Windows. (#26861)
• Fixed errors on AIX 7.2 by adapting the blibpath variable. (#26900)
• Sanitized agent paths to prevent issues with parent folder references. (#26944)
• Fixed an issue in the DEB package that prevented the agent from restarting after an upgrade. (#26633)

Changed

• Added generation of debug symbols. (#23760)
• Changed how the AWS module handles non-existent regions. (#23998)
• Changed macOS packages building tool. (#2006)
• Enhance Wazuh macOS agent installation instructions (#7498)
• Enhance Windows agent signing procedure. (#2826)
• Enhance security by implementing a mechanism to prevent unauthorized uninstallation of Wazuh agent on Linux endpoints. (#23466)
• Enhance integration with Microsoft Intune MDM to pull audit logs for security alert generation. (#24498)
• Updated rootcheck old signatures. (#26137)

RESTful API

Added

• Created new endpoint for agent uninstall process. (#24621)

Other

Changed

• Updated the embedded Python version up to 3.10.15. (#25374)
• Upgraded certifi and removed unused packages. (#25324)
• Upgraded external cryptography library dependency version to 43.0.1. (#25893)
• Upgraded external starlette and uvicorn dependencies. (#26252)

Ruleset

Added

• Create SCA Policy for Windows Server 2012 (non R2). (#21794)

Changed

• Rework SCA Policy for Windows Server 2019. (#21434)
• Rework SCA Policy for Red Hat Enterprise Linux 9. (#24667)
• Rework SCA Policy for Microsoft Windows Server 2012 R2. (#24991)
• Rework SCA Policy for Ubuntu Linux 18.04 LTS. Fix incorrect checks in Ubuntu 22.04 LTS. (#24957)
• Rework SCA Policy for Amazon Linux 2 SCA. (#24969)
• Rework SCA for SUSE Linux Enterprise 15 SCA. (#24975)
• Rework SCA Policy for Apple macOS 13.0 Ventura. (#24992)
• Rework SCA Policy for Microsoft Windows 11 Enterprise. (#25710)

Fixed

• Fixed Logical errors in Windows Server 2022 SCA checks. (#22597)
• Fixed wrong regulatory compliance in several Windows rules. (#25224)
• Fixed incorrect checks in Ubuntu 22.04 LTS. (#24733)
• Removal of check with high CPU utilization in multiple SCA. (#25190)

Manager

Fixed

• Added support for multiple Certificate Authorities files in the indexer connector. (#24620)
• Removed hardcoded cipher text size from the RSA decryption method. (#24529)
• Avoid infinite loop while updating the vulnerability detector content. (#25094)
• Fixed repeated OS vulnerability reports. (#26223)
• Fixed inconsistencies between reported context and vulnerability data. (#25479)
• Fixed concurrency issues in LRU caches (#26073)
• Removed all CVEs related to a deleted agent from the indexer. (#26232)

Changed

• Added self-recovery mechanism for rocksDB databases. (#24333)
• Improve logging for indexer connector monitoring class. (#25189)
• Added generation of debug symbols. (#23760)

Agent

Fixed

• Fixed macOS agent upgrade timeout. (#25452)
• Fixed macOS agent startup error by properly redirecting cat command errors in wazuh-control. (#24531)
• Fixed inconsistent package inventory size information in Syscollector across operating systems (#24516)
• Fixed missing Python path locations for macOS in Data Provider. (#24125)
• Fixed permission error on Windows 11 agents after remote upgrade. (#25429)
• Fixed increase of the variable containing file size in FIM for Windows. (#24387)
• Fixed timeout issue when upgrading Windows agent via WPK. (#25699)
• Allowed unknown syslog identifiers in Logcollector's journald reader. (#26748)

Changed

• Added generation of debug symbols. (#23760)
• Changed how the AWS module handles non-existent regions. (#23998)
• Changed macOS packages building tool. (#2006)
• Enhance Wazuh macOS agent installation instructions (#7498)
• Enhance Windows agent signing procedure. (#2826)
• Enhance security by implementing a mechanism to prevent unauthorized uninstallation of Wazuh agent on Linux endpoints. (#23466)
• Enhance integration with Microsoft Intune MDM to pull audit logs for security alert generation. (#24498)
• Updated rootcheck old signatures. (#26137)

RESTful API

Added

• Created new endpoint for agent uninstall process. (#24621)

Other

Changed

• Updated the embedded Python version up to 3.10.15. (#25374)
• Upgraded certifi and removed unused packages. (#25324)
• Upgraded external cryptography library dependency version to 43.0.1. (#25893)
• Upgraded external starlette and uvicorn dependencies. (#26252)

Manager

Fixed

• Fixed an unhandled exception during IPC event parsing. (#26453)

Manager

Fixed

• Fixed vulnerability detector issue where RPM upgrade wouldn't download new content. (#24909)
• Fixed uncaught exception at Keystore test tool. (#25667)
• Replaced eval calls with ast.literal_eval. (#25705)
• Fixed the cluster being disabled by default when loading configurations. (#26277)
• Added support ARM packages for wazuh-manager. (#25945)

Changed

• Improved provisioning method for wazuh-keystore to enhance security. (#24110)

Agent

Added

• Added support for macOS 15 "Sequoia" in Wazuh Agent. (#25652)

Fixed

• Fixed agent crash on Windows version 4.8.0. (#24910)
• Fixed data race conditions at FIM's run_check. (#25209)
• Fixed Windows agent crashes related to syscollector.dll. (#24376)
• Fixed errors related to 'libatomic.a' library on AIX 7.X. (#25445)
• Fixed errors in Windows Agent: EvtFormatMessage returned errors 15027 and 15033. (#24932)
• Fixed FIM issue where it couldn't fetch group entries longer than 1024 bytes. (#25459)
• Fixed Wazuh Agent crash at syscollector. (#25469)
• Fixed a bug in the processed dates in the AWS module related to the AWS Config type. (#23528)
• Fixed an error in Custom Logs Buckets when parsing a CSV file that exceeds a certain size. (#24694)
• Fixed macOS syslog and ULS not configured out-of-the-box. (#26108)

RESTful API

Fixed

• Fixed requests logging to obtain the hash_auth_context from JWT tokens. (#25764)
• Enabled API to listen IPV4 and IPV6 stacks. (#25216)

Changed

• Changed the error status code thrown when basic services are down to 500. (#26103)

Manager

Fixed

• Added support for multiple Certificate Authorities files in the indexer connector. (#24620)
• Removed hardcoded cipher text size from the RSA decryption method. (#24529)
• Avoid infinite loop while updating the vulnerability detector content. #25094

Changed

• Added self-recovery mechanism for rocksDB databases. (#24333)
• Improve logging for indexer connector monitoring class. (#25189)
• Added generation of debug symbols. (#23760)

Agent

Changed

• Added generation of debug symbols. (#23760)
• Changed how the AWS module handles non-existent regions. (#23998)

RESTful API

Added

• Created new endpoint for agent uninstall process. (#24621)

Other

Changed

• Updated the embedded Python version up to 3.10.15. (#25374)
• Upgraded certifi and removed unused packages. (#25324)

Manager

Added

• The manager now supports alert forwarding to Fluentd. (#17306)
• Added missing functionality for vulnerability scanner translations. (#23518)
• Improved performance for vulnerability scanner translations. (#23722)
• Enhanced vulnerability scanner logging to be more expressive. (#24536)
• Added the HAProxy helper to manage load balancer configuration and automatically balance agents. (#23513)
• Added a validation to avoid killing processes from external services. (#23222)
• Enabled ceritificates validation in the requests to the HAProxy helper using the default CA bundle. (#23996)

Fixed

• Fixed compilation issue for local installation. (#20505)
• Fixed malformed JSON error in wazuh-analysisd. (#16666)
• Fixed a warning when uninstalling the Wazuh manager if the VD feed is missing. (#24375)
• Ensured vulnerability detection scanner log messages end with a period. (#24393)

Changed

• Changed error messages about recv() messages from wazuh-db to debug logs. (#20285)
• Sanitized the integrations directory code. (#21195)

Agent

Added

• Added debug logging in FIM to detect invalid report change registry values. Thanks to Zafer Balkan (@zbalkan). (#21690)
• Added Amazon Linux 1 and 2023 support for the installation script. (#21287)
• Added Journald support in Logcollector. (#23137)
• Added support for Amazon Security Hub via AWS SQS. (#23203)

Fixed

• Fixed loading of whodata through timeouts and retries. (#21455)
• Avoided backup failures during WPK update by adding dependency checking for the tar package. (#21729)
• Fixed a crash in the agent due to a library incompatibility. (#22210)
• Fixed an error in the osquery integration on Windows that avoided loading osquery.conf. (#21728)
• Fixed a crash in the agent's Rootcheck component when using <ignore>. (#22588)
• Fixed command wodle to support UTF-8 characters on windows agent. (#19146)
• Fixed Windows agent to delete wazuh-agent.state file when stopped. (#20425)
• Fixed Windows Agent 4.8.0 permission errors on Windows 11 after upgrade. (#20727)
• Fixed alerts are created when syscheck diff DB is full. (#16487)
• Fixed Wazuh deb uninstallation to remove non-config files. (#2195)
• Fixed improper Windows agent ACL on non-default installation directory. (#23273)
• Fixed socket configuration of an agent is displayed. (#17664)
• Fixed wazuh-modulesd printing child process not found error. (#18494)
• Fixed issue with an agent starting automatically without reason. (#23848)
• Fixed GET /syscheck to properly report size for files larger than 2GB. (#17415)
• Fixed error in packages generation centos 7. (#24412)
• Fixed Wazuh deb uninstallation to remove non-config files from the installation directory. (#2195)
• Fixed Azure auditLogs/signIns status parsing (thanks to @jmnis for the contribution). (#22392)
• Fixed how the S3 object keys with special characters are handled in the Custom Logs Buckets integration. (#22621)

Changed

• The directory /boot has been removed from the default FIM settings for AIX. (#19753)
• Refactored and modularized the Azure integration code. (#20624)
• Improved logging of errors in Azure and AWS modules. (#16314)

Removed

• Dropped support for Python 3.7 in cloud integrations. (#22583)

RESTful API

Added

• Added support in the Wazuh API to parse journald configurations from the ossec.conf file. (#23094)
• Added user-agent to the CTI service request. (#24360)

Changed

• Merged group files endpoints into one (GET /groups/{group_id}/files/{filename}) that uses the raw parameter to receive plain text data. (#21653)
• Removed the hardcoded fields returned by the GET /agents/outdated endpoint and added the select parameter to the specification. (#22388)
• Updated the regex used to validate CDB lists. (#22423)
• Changed the default value for empty fields in the GET /agents/stats/distinct endpoint response. (#22413)
• Changed the Wazuh API endpoint responses when receiving the Expect header. (#22380)
• Enhanced Authorization header values decoding errors to avoid showing the stack trace and fail gracefully. (#22745)
• Updated the format of the fields that can be N/A in the API specification. (#22908)
• Updated the WAZUH API specification to conform with the current endpoint requests and responses. (#22954)
• Replaced the used aiohttp server with uvicorn. (#23199)
  • Changed the PUT /groups/{group_id}/configuration endpoint response error code when uploading an empty file.
  • Changed the GET, PUT and DELETE /lists/files/{filename} endpoints response status code when an invalid file is used.
  • Changed the PUT /manager/configuration endpoint response status code when uploading a file with invalid content-type.

Fixed

• Improved XML validation to match the Wazuh internal XML validator. (#20507)
• Fixed bug in GET /groups. (#22428)
• Fixed the GET /agents/outdated endpoint query. (#24946)

Removed

• Removed the cache configuration option from the Wazuh API. (#22416)

Ruleset

Changed

• The solved vulnerability rule has been clarified. (#19754)

Fixed

• Fixed audit decoders to parse the new heading field "node=". (#22178)

Other

Changed

• Upgraded external OpenSSL library dependency version to 3.0. (#20778)
• Migrated QA framework. (#17427)
• Improved WPKs. (#21152)
• Migrated and adapted Wazuh subsystem repositories as part of Wazuh packages redesign. (#23508)
• Upgraded external connexion library dependency version to 3.0.5 and its related interdependencies. (#22680)

Fixed

• Fixed a buffer overflow hazard in HMAC internal library. (#19794)

Manager

Fixed

• Fixed memory management in wazuh-remoted that might cause data corruption in incoming messages. (#25225)

Manager

Fixed

• Fixed bug in upgrade_agent CLI where it would sometimes raise an unhandled exception. (#24341)
• Changed keystore cipher algorithm to remove reuse of sslmanager.cert and sslmanager.key. (#24509)

Agent

Fixed

• Fixed incorrect macOS agent name retrieval. (#23989)

RESTful API

Changed

• Changed GET /manager/version/check endpoint response to always show the uuid field. (#24173)

Other

Changed

• Upgraded external Jinja2 library dependency version to 3.1.4. (#24108)
• Upgraded external requests library dependency version to 2.32.2. (#23925)

Manager

Added

• Transition to Wazuh Keystore for Indexer Configuration. (#21670)

Changed

• Vulnerability Detection refactor. (#21201)
• Improved wazuh-db detection of deleted database files. (#18476)
• Added timeout and retry parameters to the VirusTotal integration. (#16893)
• Extended wazuh-analysisd EPS metrics with events dropped by overload and remaining credits in the previous cycle. (#18988)
• Updated API and framework packages installation commands to use pip instead of direct invocation of setuptools. (#18466)
• Upgraded docker-compose V1 to V2 in API Integration test scripts. (#17750)
• Refactored how cluster status dates are treated in the cluster. (#17015)
• The log message about file rotation and signature from wazuh-monitord has been updated. (#21602)
• Improved Wazuh-DB performance by adjusting SQLite synchronization policy. (#22774)

Fixed

• Updated cluster connection cleanup to remove temporary files when the connection between a worker and a master is broken. (#17886)
• Added a mechanism to avoid cluster errors to raise from expected wazuh-db exceptions. (#23371)
• Fixed race condition when creating agent database files from a template. (#23216)

Agent

Added

• Added snap package manager support to Syscollector. (#15740)
• Added event size validation for the external integrations. (#17932)
• Added new unit tests for the AWS integration. (#17623)
• Added mapping geolocation for AWS WAF integration. (#20649)
• Added a validation to reject unsupported regions when using the inspector service. (#21530)
• Added additional information on some AWS integration errors. (#21561)

Changed

• Disabled host's IP query by Logcollector when ip_update_interval=0. (#18574)
• The MS Graph integration module now supports multiple tenants. (#19064)
• FIM now buffers the Linux audit events for who-data to prevent side effects in other components. (#16200)
• The sub-process execution implementation has been improved. (#19720)
• Refactored and modularized the AWS integration code. (#17623)
• Replace the usage of fopen with wfopen to avoid processing invalid characters on Windows. (#21791)
• Prevent macOS agent to start automatically after installation. (#21637)

Fixed

• Fixed process path retrieval in Syscollector on Windows XP. (#16839)
• Fixed detection of the OS version on Alpine Linux. (#16056)
• Fixed Solaris 10 name not showing in the Dashboard. (#18642)
• Fixed macOS Ventura compilation from sources. (#21932)
• Fixed PyPI package gathering on macOS Sonoma. (#23532)

RESTful API

Added

• Added new GET /manager/version/check endpoint to obtain information about new releases of Wazuh. (#19952)
• Introduced an auto option for the ssl_protocol setting in the API configuration. This enables automatic negotiation of the TLS certificate to be used. (#20420)
• Added API indexer protection to allow uploading new configuration files if the <indexer> section is not modified. (#22727)

Fixed

• Fixed a warning from SQLAlchemy involving detached Roles instances in RBAC. (#20527)
• Fixed an issue where only the last <ignore> item was displayed in GET /manager/configuration. (#23095)

Removed

• Removed PUT /vulnerability, GET /vulnerability/{agent_id}, GET /vulnerability/{agent_id}/last_scan and GET /vulnerability/{agent_id}/summary/{field} API endpoints as they were deprecated in version 4.7.0. Use the Wazuh indexer REST API instead. (#20119)
• Removed the compilation_date field from GET /cluster/{node_id}/info and GET /manager/info endpoints. (#21572)
• Deprecated the cache configuration option. (#22387)
• Removed custom parameter from PUT /active-response endpoint. (#17048)

Ruleset

Added

• Added new SCA policy for Amazon Linux 2023. (#17780)
• Added new SCA policy for Rocky Linux 8. (#17784)
• Added rules to detect IcedID attacks. (#19528)

Changed

• SCA policy for Ubuntu Linux 18.04 rework. (#18721)
• SCA policy for Ubuntu Linux 22.04 rework. (#17515)
• SCA policy for Red Hat Enterprise Linux 7 rework. (#18440)
• SCA policy for Red Hat Enterprise Linux 8 rework. (#17770)
• SCA policy for Red Hat Enterprise Linux 9 rework. (#17412)
• SCA policy for CentOS 7 rework. (#17624)
• SCA policy for CentOS 8 rework. (#18439)
• SCA policy for Debian 8 rework. (#18010)
• SCA policy for Debian 10 rework. (#17922)
• SCA policy for Amazon Linux 2 rework. (#18695)
• SCA policy for SUSE Linux Enterprise 15 rework. (#18985)
• SCA policy for macOS 13.0 Ventura rework. (#19037)
• SCA policy for Microsoft Windows 10 Enterprise rework. (#19515)
• SCA policy for Microsoft Windows 11 Enterprise rework. (#20044)
• Update MITRE DB to v13.1. (#17518)

Other

Added

• Added external lua library dependency version 5.3.6. (#21710)
• Added external PyJWT library dependency version 2.8.0. (#21749)

Changed

• Upgraded external aiohttp library dependency version to 3.9.5. (#23112)
• Upgraded external idna library dependency version to 3.7. (#23112)
• Upgraded external cryptography library dependency version to 42.0.4. (#22221)
• Upgraded external numpy library dependency version to 1.26.0. (#20003)
• Upgraded external grpcio library dependency version to 1.58.0. (#20003)
• Upgraded external pyarrow library dependency version to 14.0.1. (#20493)
• Upgraded external urllib3 library dependency version to 1.26.18. (#20630)
• Upgraded external SQLAlchemy library dependency version to 2.0.23. (#20741)
• Upgraded external Jinja2 library dependency version to 3.1.3. (#21684)
• Upgraded embedded Python version to 3.10.13. (#20003)
• Upgraded external curl library dependency version to 8.5.0. (#21710)
• Upgraded external pcre2 library dependency version to 10.42. (#21710)
• Upgraded external libarchive library dependency version to 3.7.2. (#21710)
• Upgraded external rpm library dependency version to 4.18.2. (#21710)
• Upgraded external sqlite library dependency version to 3.45.0. (#21710)
• Upgraded external zlib library dependency version to 1.3.1. (#21710)

Deleted

• Removed external python-jose and ecdsa library dependencies. (#21749)