diff --git a/CHANGELOG.md b/CHANGELOG.md index 0090d900f1..fe9b98498b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,11 +31,15 @@ All notable changes to this project will be documented in this file. ### Added -- Support for Wazuh 4.7.2. +- Added custom role creation steps to GCP credentials configuration section. ([#6837](https://github.com/wazuh/wazuh-documentation/pull/6837)) +- Added a subsection for alert visualization in AWS Security Lake. Added a note about time to display alerts. ([#6838](https://github.com/wazuh/wazuh-documentation/pull/6838)) +- Added ``urllib3==1.26.18`` dependency to Docker installation steps. ([#6824](https://github.com/wazuh/wazuh-documentation/pull/6824)) ### Changed -- Updated the use case: Give a user permissions to read and manage a group of agents with minimum configuration reading permissions. ([#6850](https://github.com/wazuh/wazuh-documentation/pull/6850)) +- Added minimum configuration reading permissions to RBAC section use case. ([#6850](https://github.com/wazuh/wazuh-documentation/pull/6850)) +- Updated AWS profile configuration instructions. ([#6803](https://github.com/wazuh/wazuh-documentation/pull/6803)) +- Updated configuration step in Yara use case and Apache web server installation step in Malware detection PoC. ([#6894](https://github.com/wazuh/wazuh-documentation/pull/6894)) ## [v4.7.1] diff --git a/source/getting-started/use-cases/index.rst b/source/getting-started/use-cases/index.rst index c36de33195..b0bc907b0f 100644 --- a/source/getting-started/use-cases/index.rst +++ b/source/getting-started/use-cases/index.rst 
@@ -18,8 +18,8 @@ Below you can find examples of some of the most common use cases of the Wazuh pl Endpoint security Threat intelligence Security operations Cloud security ================================= ================================ ============================== ================================== :doc:`configuration-assessment` :doc:`threat-hunting` :doc:`incident-response` :doc:`container-security` -:doc:`malware-detection` :doc:`log-analysis` :doc:`regulatory-compliance` :doc:`Workload protection ` -:doc:`file-integrity` :doc:`vulnerability-detection` :doc:`it-hygiene` :doc:`posture-management` +:doc:`malware-detection` :doc:`log-analysis` :doc:`regulatory-compliance` :doc:`posture-management` +:doc:`file-integrity` :doc:`vulnerability-detection` :doc:`it-hygiene` :doc:`Workload protection ` ================================= ================================ ============================== ================================== .. toctree:: @@ -35,5 +35,5 @@ Endpoint security Threat intelligence Security op regulatory-compliance it-hygiene container-security - cloud-workload-protection posture-management + cloud-workload-protection diff --git a/source/proof-of-concept-guide/block-malicious-actor-ip-reputation.rst b/source/proof-of-concept-guide/block-malicious-actor-ip-reputation.rst index 3ffe9f6424..5eb847a552 100644 --- a/source/proof-of-concept-guide/block-malicious-actor-ip-reputation.rst +++ b/source/proof-of-concept-guide/block-malicious-actor-ip-reputation.rst 
@@ -85,7 +85,7 @@ Perform the following steps to install and configure an Apache web server. #. Install the latest `Visual C++ Redistributable package `__. -#. Download the Apache web server `ZIP installation file `__. This is an already compiled binary for Windows operating systems. +#. Download the Apache web server `ZIP installation file `__. This is an already compiled binary for Windows operating systems. #. Unzip the contents of the Apache web server zip file and copy the extracted ``Apache24`` folder to the ``C:`` directory. diff --git a/source/release-notes/release-4-7-2.rst b/source/release-notes/release-4-7-2.rst index 61b8559902..76f15254e8 100644 --- a/source/release-notes/release-4-7-2.rst +++ b/source/release-notes/release-4-7-2.rst 
@@ -13,17 +13,70 @@ What's new This release includes new features or enhancements as the following: +Wazuh agent +^^^^^^^^^^^ + +- `#20638 `__ Added request timeouts for the external and cloud integrations. This prevents indefinite waiting for a response. + +Ruleset +^^^^^^^ + +- `#17565 `__ Added new SCA policy for Debian 12 systems. + +Other +^^^^^ + +- `#20798 `__ Upgraded external ``aiohttp`` library dependency to version ``3.9.1`` to address a security vulnerability. + Wazuh dashboard ^^^^^^^^^^^^^^^ - `#6191 `__ Added **Hostname** and **Board Serial** information to **Agents** > **Inventory data**. - `#6208 `__ Added contextual information to the deploy agent steps. +Packages +^^^^^^^^ + +- `#2670 `__ Removed installed dependencies that were part of the Wazuh installation assistant. This ensures a clean post-installation state. +- `#2677 `__ Removed ``gnupg`` package as RPM dependency in the Wazuh installation assistant. + Resolved issues --------------- This release resolves known issues as the following: +Wazuh manager +^^^^^^^^^^^^^ + +=========================================================== ============= + Reference Description +=========================================================== ============= +`#21011 `__ ``wazuh-remoted`` now logs the warning regarding invalid message size from agents in hex format. +`#20658 `__ Fixed a bug within the Windows Eventchannel decoder to ensure proper handling of Unicode characters. +`#20735 `__ Fixed data validation for decoding Windows Eventchannel XML input strings. +=========================================================== ============= + +Wazuh agent +^^^^^^^^^^^ + +=========================================================== ============= + Reference Description +=========================================================== ============= +`#20656 `__ Implemented validation for the format of the IP address parameter in the ``host_deny`` active response. 
+`#20594 `__ Fixed a bug in the Windows agent that might lead it to crash when gathering forwarded Windows events. +`#20447 `__ Fixed issue with the ``profile`` prefix in parsing AWS configuration profiles. +`#20660 `__ Fixed parsing and validation for the AWS regions argument, expanding the AWS regions list accordingly. +=========================================================== ============= + +Ruleset +^^^^^^^ + +=========================================================== ============= + Reference Description +=========================================================== ============= +`#20663 `__ Updated AWS Macie rules to show relevant fields in alert details. +=========================================================== ============= + Wazuh dashboard ^^^^^^^^^^^^^^^ @@ -35,6 +88,15 @@ Wazuh dashboard `#6224 `__ Fixed error navigating back to agent in some scenarios. ================================================================================================================================================= ============= +Packages +^^^^^^^^ + +===================================================================== ============= +Reference Description +===================================================================== ============= +`#2667 `_ Fixed warning message when generating certificates. +===================================================================== ============= + Changelogs ---------- diff --git a/source/user-manual/agents/remote-upgrading/index.rst b/source/user-manual/agents/remote-upgrading/index.rst index b69abac197..fd94ea917d 100644 --- a/source/user-manual/agents/remote-upgrading/index.rst +++ b/source/user-manual/agents/remote-upgrading/index.rst 
@@ -3,15 +3,9 @@ .. meta:: :description: From Wazuh 3.0.0 version onwards, agents can be upgraded remotely. Learn more about it in this section of the Wazuh documentation. -.. _remote-upgrading: - Remote upgrading ================== -.. warning:: - - Remote upgrade is temporarily unavailable in |WAZUH_CURRENT_MINOR|. - .. topic:: Contents .. toctree:: diff --git a/source/user-manual/capabilities/file-integrity/advanced-settings.rst b/source/user-manual/capabilities/file-integrity/advanced-settings.rst index ebd15436df..954e3ef140 100644 --- a/source/user-manual/capabilities/file-integrity/advanced-settings.rst +++ b/source/user-manual/capabilities/file-integrity/advanced-settings.rst @@ -30,17 +30,42 @@ Configuration You need to install the audit daemon if you don’t have it already installed on your endpoint. -In Red Hat based systems, auditd is usually installed by default. If not, install it using the following command: +.. tabs:: - .. code-block:: console + .. group-tab:: Red Hat-based - # yum install audit + .. code-block:: console -For Debian based systems, use the following command: + # yum install audit + + For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service. - .. code-block:: console + .. code-block:: console + + # yum install audispd-plugins + # systemctl restart auditd + + .. group-tab:: Debian-based + + .. code-block:: console + + # apt-get install auditd + + For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service. + + .. code-block:: console + + # apt-get install audispd-plugins + # systemctl restart auditd + + .. group-tab:: Alpine Linux + + .. code-block:: console - # apt-get install auditd + # apk add audit=3.1.1-r0 + # rc-update add auditd default + # cp /usr/sbin/audisp-af_unix /sbin/audisp-af_unix + # rc-service auditd restart Perform the following steps to enable who-data monitoring. In this example, you configure who-data monitoring for ``/etc`` directory. 
diff --git a/source/user-manual/capabilities/malware-detection/fim-yara.rst b/source/user-manual/capabilities/malware-detection/fim-yara.rst index 8df34618f4..11e5aab613 100644 --- a/source/user-manual/capabilities/malware-detection/fim-yara.rst +++ b/source/user-manual/capabilities/malware-detection/fim-yara.rst @@ -72,7 +72,7 @@ Perform the following steps to configure YARA and the FIM module on the monitore -H 'Referer: https://valhalla.nextron-systems.com/' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' \ - --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111 111111111111111111&format=text' \ + --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text' \ -o /tmp/yara/rules/yara_rules.yar #. Create a ``/var/ossec/active-response/bin/yara.sh`` file and add the content below: diff --git a/source/user-manual/capabilities/sec-config-assessment/available-sca-policies.rst b/source/user-manual/capabilities/sec-config-assessment/available-sca-policies.rst index 493e66cb65..eb90c0823b 100644 --- a/source/user-manual/capabilities/sec-config-assessment/available-sca-policies.rst +++ b/source/user-manual/capabilities/sec-config-assessment/available-sca-policies.rst 
@@ -103,6 +103,8 @@ The table below shows SCA policies pre-installed in Wazuh out-of-the-box. The Wa +-----------------------------+------------------------------------------------------------+-------------------------------+ | cis_apple_macOS_13.x | CIS Checks for macOS 13.x | macOS 13.x (Ventura) | +-----------------------------+------------------------------------------------------------+-------------------------------+ + | cis_apple_macOS_14.0 | CIS Checks for macOS 14.0 | macOS 14.0 (Sonoma) | + +-----------------------------+------------------------------------------------------------+-------------------------------+ | web_vulnerabilities | System audit for web-related vulnerabilities | N/A | +-----------------------------+------------------------------------------------------------+-------------------------------+ | cis_apache_24 | CIS Apache HTTP Server 2.4 Benchmark | Apache configuration files | diff --git a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst index 14e3576680..20c500bde7 100644 --- a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst +++ b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst @@ -3,8 +3,6 @@ .. meta:: :description: The Wazuh Ruleset is used to analyze incoming events and generate alerts when appropriate. Learn more about Rules syntax in this section. -.. _rules_syntax: - Rules Syntax ============ 
@@ -183,6 +181,44 @@ The **xml labels** used to configure ``rules`` are listed here. | `var`_ | Name for the variable. Most used: `BAD_WORDS`_ | Defines a variable that can be used anywhere inside the same file. | +-------------------------+---------------------------------------------------------------+------------------------------------------------------------------------------------------------------+ +.. _rules_group: + +group +^^^^^ + +Groups categorize alerts. They allow filtering related alerts in the Wazuh dashboard. + +The default Wazuh ruleset already includes rules that use groups like ``syscheck,``, ``attack,``, and ``syslog,``. As an example, you can filter alerts for these categories by querying ``rule.groups: attack`` or ``rule.groups: (syscheck OR syslog)`` in the Wazuh dashboard. + +Every rule must belong to at least one group. To specify one or more groups for a rule, enclose the rule definition with the ```` element. For example: + +.. code-block:: xml + :emphasize-lines: 1,7 + + + + 230 + normal + The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored. + + + +You can also specify additional groups by including the ```` element within the rule definition. For example: + +.. code-block:: xml + :emphasize-lines: 6 + + + + 230 + normal + The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored. + syscheck,fim_db_state, + + + +To define rules that trigger only if another rule in a specific group has triggered, check the `if_group`_ and `if_matched_group`_ options. + .. _rules_rule: rule @@ -728,7 +764,7 @@ If ``user`` label is declared multiple times within the rule, the following rule .. _rules_sys_name: system_name -^^^^^^^^^^^^ +^^^^^^^^^^^ Used as a requisite to trigger the rule. It will check the system name (decoded as ``system_name``). 
@@ -2070,36 +2106,6 @@ Example: List of logged in users. It will not be alerted by default. -.. _rules_group: - -group -^^^^^ - -Add additional groups to the alert. Groups are optional tags added to alerts. - -They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts. - -Groups are variables that define behavior. When an alert includes that group label, this behavior will occur. - -Example: - - .. code-block:: xml - - - Group for rules related with spam. - spam, - - -Now, every rule with the line ``spam,`` will be included in that group. - -It's a very useful label to keep the rules ordered. - -+--------------------+------------+ -| **Default Value** | n/a | -+--------------------+------------+ -| **Allowed values** | Any String | -+--------------------+------------+ - .. _rules_mitre: mitre @@ -2138,11 +2144,12 @@ Defines a variable that can be used in any place within the same file. It must b Example: - .. code-block:: xml +.. code-block:: xml + :emphasize-lines: 1,7 - /home/joe/ + /home/joe/ - + 550 @@ -2151,12 +2158,14 @@ Example: ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d, - + BAD_WORDS -^^^^^^^^^ +~~~~~~~~~ + +.. code-block:: xml -error|warning|failure + error|warning|failure ``BAD_WORDS`` is a very used use case of the ```` option. @@ -2164,13 +2173,14 @@ It is used to include many words in the same variable. Later, this variable can Example: - .. code-block:: xml +.. code-block:: xml + :emphasize-lines: 1,5 - error|warning|failure + error|warning|failure - - - $BAD_WORDS - Error found. - - + + + $BAD_WORDS + Error found. + +
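Review bot: in the `CHANGELOG.md` hunk, the line `- Support for Wazuh 4.7.2.` is dropped from the `### Added` list of what appears to be the v4.7.2 section (the hunk sits directly above `## [v4.7.1]`) with no replacement, so confirm the removal is intentional. Two entries also sit under a heading that does not match their wording: `- Added minimum configuration reading permissions to RBAC section use case.` is filed under `### Changed`, and the same PR (#6850) is already described by the `Updated the use case: ...` line being removed, so keep one wording and place it under the heading it belongs to. For `Added urllib3==1.26.18 dependency to Docker installation steps.`, a short reason for the exact pin (a compatibility problem or a fixed issue) would tell readers when it is safe to lift it.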
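Review bot: the `use-cases/index.rst` hunks reorder the table and the toctree consistently (`posture-management` now precedes `cloud-workload-protection` in both), which is the thing to verify in a change like this. One style point: the workload cell is written as `:doc:`Workload protection `` with an explicit link title while every other cell uses the bare document name; either give it the bare name or use explicit titles throughout so the table renders uniformly.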
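Review bot: the removed and added lines in `block-malicious-actor-ip-reputation.rst` are identical in their visible text (`Download the Apache web server ZIP installation file ... This is an already compiled binary for Windows operating systems.`), so the change can only be in the link target. The PR description should say what the new target is, and a reviewer should confirm it points at the vendor's official download page, because the step tells readers to run a precompiled binary taken from that link.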
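Review bot: in the new `Packages` table under `Resolved issues` in `release-4-7-2.rst`, the `#2667` entry uses a single-underscore reference (`#2667 `_`) while every other reference in the file uses the anonymous `__` form; a named target that is reused with the same text elsewhere produces a duplicate-target warning in Sphinx, so switch it to `__`. The `Other` entry `Upgraded external aiohttp library dependency to version 3.9.1 to address a security vulnerability` names neither the advisory nor the affected versions; linking the advisory would let operators judge their exposure instead of taking the sentence on trust.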
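Review bot: removing the `.. _remote-upgrading:` label in `remote-upgrading/index.rst` will break any `:ref:` that points at it elsewhere in the documentation; search the source tree for it before merging, or keep the label. Dropping the `Remote upgrade is temporarily unavailable in |WAZUH_CURRENT_MINOR|` warning is only right if the feature is back in this release, and the `release-4-7-2.rst` hunk in this same patch says nothing about it, so either add a release-note entry or reference the fix in the PR.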
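Review bot: in the `advanced-settings.rst` hunk, the Alpine tab pins `apk add audit=3.1.1-r0`; an exact package build stops resolving once the repository moves on, so either drop the pin (`apk add audit`) or state in the text why that build specifically is required. The `cp /usr/sbin/audisp-af_unix /sbin/audisp-af_unix` step copies a plugin binary by hand with no explanation; one sentence saying which path auditd expects on Alpine would help, and since the binary then exists in two places, readers should know which copy they must refresh after a package upgrade. Finally, the Red Hat and Debian tabs say `For Audit 3.1.1 and later, install the audispd af_unix plugin` but give no way to find the installed version; `auditctl -v` prints it and would make the condition checkable.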
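Review bot: the `fim-yara.rst` change correctly removes the stray space that split the `apikey=` value in the demo curl request; with the space present the form body was broken and the download would have failed. Since the value is a fixed placeholder of repeated `1`s, consider saying in the text above the command that this is the public demo key, so readers know it is not something to substitute their own credentials into blindly.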
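Review bot: the new row `cis_apple_macOS_14.0 | CIS Checks for macOS 14.0 | macOS 14.0 (Sonoma)` in `available-sca-policies.rst` breaks the naming pattern of the row above it (`cis_apple_macOS_13.x` ... `macOS 13.x (Ventura)`). If the policy file really is named `cis_apple_macOS_14.0` and is scoped to 14.0 only, keep it; otherwise use `14.x` so the table stays predictable for readers scanning for their platform.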
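Review bot: the `.. _rules_syntax:` label is removed above `Rules Syntax` in `rules.rst`; as with the `remote-upgrading` label in this same patch, any `:ref:` to it elsewhere will fail the build, so search for it first or keep the label.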
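Review bot: the new `group` subsection in `rules.rst` states `Every rule must belong to at least one group`, whereas the section it replaces (removed further down in this patch) described groups as `optional tags added to alerts`; these contradict, so confirm which is true for the current rule engine and make sure the `group` row in the labels table and the `rule` section agree with it. The filtering examples (`rule.groups: attack`, `rule.groups: (syscheck OR syslog)`) and the `:emphasize-lines:` highlighting are a clear improvement.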
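Review bot: the removed `group` section in `rules.rst` carried a `Default Value | n/a` / `Allowed values | Any String` table like the other label sections; the new subsection that replaces it drops that table, so consider keeping it for consistency with the rest of the page. Also, the removed text mentioned that groups are consumed by alert parsing tools to categorize alerts, and the new text covers only the Wazuh dashboard; restore that sentence if the behaviour still holds.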
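Review bot: in the `var` / `BAD_WORDS` hunks of `rules.rst`, the `BAD_WORDS` underline changes from `^` to `~`, demoting it from a sibling of `var` to a child; that matches the sentence `BAD_WORDS is a very used use case of the ... option`, but the labels table near the top of the page links to `BAD_WORDS`_ directly, so check the rendered anchor still resolves. The code blocks are de-indented out of the `Example:` paragraph and gain `:emphasize-lines: 1,7` and `1,5`; re-check those numbers against the final block contents, since the re-indent changed which line is first. While touching the context line, `a very used use case` would read better as `a common use`.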