Merge pull request #6909 from wazuh/merge-4.7.2-into-4.8.0

Merge 4.7.2 into 4.8.0

CHANGELOG.md

@@ -31,11 +31,15 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
-- Support for Wazuh 4.7.2.
+- Added custom role creation steps to GCP credentials configuration section. ([#6837](https://github.com/wazuh/wazuh-documentation/pull/6837))
+- Added a subsection for alert visualization in AWS Security Lake. Added a note about time to display alerts. ([#6838](https://github.com/wazuh/wazuh-documentation/pull/6838))
+- Added ``urllib3==1.26.18`` dependency to Docker installation steps. ([#6824](https://github.com/wazuh/wazuh-documentation/pull/6824))
 
 ### Changed
 
-- Updated the use case: Give a user permissions to read and manage a group of agents with minimum configuration reading permissions. ([#6850](https://github.com/wazuh/wazuh-documentation/pull/6850))
+- Added minimum configuration reading permissions to RBAC section use case. ([#6850](https://github.com/wazuh/wazuh-documentation/pull/6850))
+- Updated AWS profile configuration instructions. ([#6803](https://github.com/wazuh/wazuh-documentation/pull/6803))
+- Updated configuration step in Yara use case and Apache web server installation step in Malware detection PoC. ([#6894](https://github.com/wazuh/wazuh-documentation/pull/6894))
 
 ## [v4.7.1]
 

source/getting-started/use-cases/index.rst

@@ -18,8 +18,8 @@ Below you can find examples of some of the most common use cases of the Wazuh pl
 Endpoint security                  Threat intelligence               Security operations             Cloud security
 =================================  ================================  ==============================  ==================================
 :doc:`configuration-assessment`    :doc:`threat-hunting`             :doc:`incident-response`        :doc:`container-security`
-:doc:`malware-detection`           :doc:`log-analysis`               :doc:`regulatory-compliance`    :doc:`Workload protection <cloud-workload-protection>`
-:doc:`file-integrity`              :doc:`vulnerability-detection`    :doc:`it-hygiene`               :doc:`posture-management`
+:doc:`malware-detection`           :doc:`log-analysis`               :doc:`regulatory-compliance`    :doc:`posture-management`
+:doc:`file-integrity`              :doc:`vulnerability-detection`    :doc:`it-hygiene`               :doc:`Workload protection <cloud-workload-protection>`
 =================================  ================================  ==============================  ==================================
 
 .. toctree::
@@ -35,5 +35,5 @@ Endpoint security                  Threat intelligence               Security op
    regulatory-compliance
    it-hygiene
    container-security
-   cloud-workload-protection
    posture-management
+   cloud-workload-protection

source/proof-of-concept-guide/block-malicious-actor-ip-reputation.rst

@@ -85,7 +85,7 @@ Perform the following steps to install and configure an Apache web server.
 
 #. Install the latest `Visual C++ Redistributable package <https://aka.ms/vs/17/release/vc_redist.x64.exe>`__.
 
-#. Download the Apache web server `ZIP installation file <https://www.apachelounge.com/download/VS16/binaries/httpd-2.4.54-win64-VS16.zip>`__. This is an already compiled binary for Windows operating systems.
+#. Download the Apache web server `ZIP installation file <https://www.apachelounge.com/download/VS17/binaries/httpd-2.4.58-win64-VS17.zip>`__. This is an already compiled binary for Windows operating systems.
 
 #. Unzip the contents of the Apache web server zip file and copy the extracted ``Apache24`` folder to the ``C:`` directory.
 

source/release-notes/release-4-7-2.rst

@@ -13,17 +13,70 @@ What's new
 
 This release includes new features or enhancements as the following:
 
+Wazuh agent
+^^^^^^^^^^^
+
+- `#20638 <https://github.com/wazuh/wazuh/pull/20638>`__ Added request timeouts for the external and cloud integrations. This prevents indefinite waiting for a response.
+
+Ruleset
+^^^^^^^
+
+- `#17565 <https://github.com/wazuh/wazuh/pull/17565>`__ Added new SCA policy for Debian 12 systems.
+
+Other
+^^^^^
+
+- `#20798 <https://github.com/wazuh/wazuh/pull/20798>`__ Upgraded external ``aiohttp`` library dependency to version ``3.9.1`` to address a security vulnerability.
+
 Wazuh dashboard
 ^^^^^^^^^^^^^^^
 
 - `#6191 <https://github.com/wazuh/wazuh-dashboard-plugins/pull/6191>`__ Added **Hostname** and **Board Serial** information to **Agents** > **Inventory data**.
 - `#6208 <https://github.com/wazuh/wazuh-dashboard-plugins/pull/6208>`__ Added contextual information to the deploy agent steps.
 
+Packages 
+^^^^^^^^
+
+- `#2670 <https://github.com/wazuh/wazuh-packages/pull/2670>`__ Removed installed dependencies that were part of the Wazuh installation assistant. This ensures a clean post-installation state.
+- `#2677 <https://github.com/wazuh/wazuh-packages/pull/2677>`__ Removed ``gnupg`` package as RPM dependency in the Wazuh installation assistant.
+
 Resolved issues
 ---------------
 
 This release resolves known issues as the following: 
 
+Wazuh manager
+^^^^^^^^^^^^^
+
+===========================================================  =============
+ Reference                                                   Description
+===========================================================  =============
+`#21011 <https://github.com/wazuh/wazuh/pull/21011>`__       ``wazuh-remoted`` now logs the warning regarding invalid message size from agents in hex format.
+`#20658 <https://github.com/wazuh/wazuh/pull/20658>`__       Fixed a bug within the Windows Eventchannel decoder to ensure proper handling of Unicode characters.
+`#20735 <https://github.com/wazuh/wazuh/pull/20735>`__       Fixed data validation for decoding Windows Eventchannel XML input strings.
+===========================================================  =============
+
+Wazuh agent
+^^^^^^^^^^^
+
+===========================================================  =============
+ Reference                                                   Description
+===========================================================  =============
+`#20656 <https://github.com/wazuh/wazuh/pull/20656>`__       Implemented validation for the format of the IP address parameter in the ``host_deny`` active response.
+`#20594 <https://github.com/wazuh/wazuh/pull/20594>`__       Fixed a bug in the Windows agent that might lead it to crash when gathering forwarded Windows events.
+`#20447 <https://github.com/wazuh/wazuh/pull/20447>`__       Fixed issue with the ``profile`` prefix in parsing AWS configuration profiles.
+`#20660 <https://github.com/wazuh/wazuh/pull/20660>`__       Fixed parsing and validation for the AWS regions argument, expanding the AWS regions list accordingly.
+===========================================================  =============
+
+Ruleset
+^^^^^^^
+
+===========================================================  =============
+ Reference                                                   Description
+===========================================================  =============
+`#20663 <https://github.com/wazuh/wazuh/pull/20663>`__       Updated AWS Macie rules to show relevant fields in alert details.
+===========================================================  =============
+
 Wazuh dashboard
 ^^^^^^^^^^^^^^^
 
@@ -35,6 +88,15 @@ Wazuh dashboard
 `#6224 <https://github.com/wazuh/wazuh-dashboard-plugins/pull/6224>`__                                                                               Fixed error navigating back to agent in some scenarios.
 =================================================================================================================================================    =============
 
+Packages
+^^^^^^^^
+
+=====================================================================     =============
+Reference                                                                 Description
+=====================================================================     =============
+`#2667 <https://github.com/wazuh/wazuh-packages/pull/2667>`_              Fixed warning message when generating certificates.
+=====================================================================     =============
+
 Changelogs
 ----------
 

source/user-manual/agents/remote-upgrading/index.rst

@@ -3,15 +3,9 @@
 .. meta::
     :description: From Wazuh 3.0.0 version onwards, agents can be upgraded remotely. Learn more about it in this section of the Wazuh documentation. 
 
-.. _remote-upgrading:
-
 Remote upgrading
 ==================
 
-.. warning::
-
-   Remote upgrade is temporarily unavailable in |WAZUH_CURRENT_MINOR|.
-
 .. topic:: Contents
 
     .. toctree::

source/user-manual/capabilities/file-integrity/advanced-settings.rst

@@ -30,17 +30,42 @@ Configuration
 
 You need to install the audit daemon if you don’t have it already installed on your endpoint.
 
-In Red Hat based systems, auditd is usually installed by default. If not, install it using the following command:
+.. tabs::
 
-   .. code-block:: console
+   .. group-tab:: Red Hat-based
 
-      # yum install audit
+      .. code-block:: console
 
-For Debian based systems, use the following command:
+         # yum install audit
+      
+      For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service.
 
-   .. code-block:: console
+      .. code-block:: console
+
+         # yum install audispd-plugins
+         # systemctl restart auditd
+
+   .. group-tab:: Debian-based
+
+      .. code-block:: console
+
+         # apt-get install auditd
+
+      For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service.
+
+      .. code-block:: console
+
+         # apt-get install audispd-plugins
+         # systemctl restart auditd
+
+   .. group-tab:: Alpine Linux
+
+      .. code-block:: console
 
-      # apt-get install auditd
+         # apk add audit=3.1.1-r0
+         # rc-update add auditd default
+         # cp /usr/sbin/audisp-af_unix /sbin/audisp-af_unix
+         # rc-service auditd restart
 
 Perform the following steps to enable who-data monitoring. In this example, you configure who-data monitoring for ``/etc`` directory.
 

source/user-manual/capabilities/malware-detection/fim-yara.rst

@@ -72,7 +72,7 @@ Perform the following steps to configure YARA and the FIM module on the monitore
       -H 'Referer: https://valhalla.nextron-systems.com/' \
       -H 'Content-Type: application/x-www-form-urlencoded' \
       -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' \
-      --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111 111111111111111111&format=text' \
+      --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text' \
       -o /tmp/yara/rules/yara_rules.yar
 
 #. Create a ``/var/ossec/active-response/bin/yara.sh`` file and add the content below:

source/user-manual/capabilities/sec-config-assessment/available-sca-policies.rst

@@ -103,6 +103,8 @@ The table below shows SCA policies pre-installed in Wazuh out-of-the-box. The Wa
     +-----------------------------+------------------------------------------------------------+-------------------------------+
     | cis_apple_macOS_13.x        |  CIS Checks for macOS 13.x                                 | macOS 13.x (Ventura)          |
     +-----------------------------+------------------------------------------------------------+-------------------------------+
+    | cis_apple_macOS_14.0        |  CIS Checks for macOS 14.0                                 | macOS 14.0 (Sonoma)           |
+    +-----------------------------+------------------------------------------------------------+-------------------------------+
     | web_vulnerabilities         |  System audit for web-related vulnerabilities              | N/A                           |
     +-----------------------------+------------------------------------------------------------+-------------------------------+
     | cis_apache_24               |  CIS Apache HTTP Server 2.4 Benchmark                      | Apache configuration files    |

source/user-manual/ruleset/ruleset-xml-syntax/rules.rst

@@ -3,8 +3,6 @@
 .. meta::
   :description: The Wazuh Ruleset is used to analyze incoming events and generate alerts when appropriate. Learn more about Rules syntax in this section.
 
-.. _rules_syntax:
-
 Rules Syntax
 ============
 
@@ -183,6 +181,44 @@ The **xml labels** used to configure ``rules`` are listed here.
 | `var`_                  | Name for the variable. Most used: `BAD_WORDS`_                | Defines a variable that can be used anywhere inside the same file.                                   |
 +-------------------------+---------------------------------------------------------------+------------------------------------------------------------------------------------------------------+
 
+.. _rules_group:
+
+group
+^^^^^
+
+Groups categorize alerts. They allow filtering related alerts in the Wazuh dashboard.
+
+The default Wazuh ruleset already includes rules that use groups like ``syscheck,``, ``attack,``, and ``syslog,``. As an example, you can filter alerts for these categories by querying ``rule.groups: attack`` or ``rule.groups: (syscheck OR syslog)`` in the Wazuh dashboard.
+
+Every rule must belong to at least one group. To specify one or more groups for a rule, enclose the rule definition with the ``<group name="GROUP1_NAME,GROUP2_NAME,">`` element. For example:
+
+.. code-block:: xml
+   :emphasize-lines: 1,7
+
+   <group name="wazuh,">
+     <rule id="100234" level="3">
+       <if_sid>230</if_sid>
+       <field name="alert_type">normal</field>
+       <description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
+     </rule>
+   </group>
+
+You can also specify additional groups by including the ``<group>`` element within the rule definition. For example:
+
+.. code-block:: xml
+   :emphasize-lines: 6
+
+   <group name="wazuh,">
+     <rule id="100234" level="3">
+       <if_sid>230</if_sid>
+       <field name="alert_type">normal</field>
+       <description>The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored.</description>
+       <group>syscheck,fim_db_state,</group>
+     </rule>
+   </group>
+
+To define rules that trigger only if another rule in a specific group has triggered, check the `if_group`_ and `if_matched_group`_ options.
+
 .. _rules_rule:
 
 rule
@@ -728,7 +764,7 @@ If ``user`` label is declared multiple times within the rule, the following rule
 .. _rules_sys_name:
 
 system_name
-^^^^^^^^^^^^
+^^^^^^^^^^^
 
 Used as a requisite to trigger the rule. It will check the system name (decoded as ``system_name``).
 
@@ -2070,36 +2106,6 @@ Example:
         <description>List of logged in users. It will not be alerted by default.</description>
       </rule>
 
-.. _rules_group:
-
-group
-^^^^^
-
-Add additional groups to the alert. Groups are optional tags added to alerts.
-
-They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts.
-
-Groups are variables that define behavior. When an alert includes that group label, this behavior will occur.
-
-Example:
-
-  .. code-block:: xml
-
-    <rule id="3801" level="4">
-      <description>Group for rules related with spam.</description>
-      <group>spam,</group>
-    </rule>
-
-Now, every rule with the line ``<group>spam,</group>`` will be included in that group.
-
-It's a very useful label to keep the rules ordered.
-
-+--------------------+------------+
-| **Default Value**  | n/a        |
-+--------------------+------------+
-| **Allowed values** | Any String |
-+--------------------+------------+
-
 .. _rules_mitre:
 
 mitre
@@ -2138,11 +2144,12 @@ Defines a variable that can be used in any place within the same file. It must b
 
 Example:
 
-  .. code-block:: xml
+.. code-block:: xml
+   :emphasize-lines: 1,7
 
-    <var name="joe_folder">/home/joe/</var>
+   <var name="joe_folder">/home/joe/</var>
 
-    <group name="local,">
+   <group name="local,">
 
       <rule id="100001" level="5">
         <if_sid>550</if_sid>
@@ -2151,26 +2158,29 @@ Example:
         <group>ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group>
       </rule>
 
-    </group>
+   </group>
 
 BAD_WORDS
-^^^^^^^^^
+~~~~~~~~~
+
+.. code-block:: xml
 
-<var name="BAD_WORDS">error|warning|failure</var>
+   <var name="BAD_WORDS">error|warning|failure</var>
 
 ``BAD_WORDS`` is a very used use case of the ``<var>`` option.
 
 It is used to include many words in the same variable. Later, this variable can be matched into the decoders to check if any of those words are in a caught event.
 
 Example:
 
-  .. code-block:: xml
+.. code-block:: xml
+   :emphasize-lines: 1,5
 
-    <var name="BAD_WORDS">error|warning|failure</var>
+   <var name="BAD_WORDS">error|warning|failure</var>
 
-    <group name="syslog,errors,">
-      <rule id="XXXX" level="2">
-        <match>$BAD_WORDS</match>
-        <description>Error found.</description>
-      </rule>
-    </group>
+   <group name="syslog,errors,">
+     <rule id="XXXX" level="2">
+       <match>$BAD_WORDS</match>
+       <description>Error found.</description>
+     </rule>
+   </group>