From c6500a773b07dc40e37cbb06823f0fc03954d92e Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Thu, 31 Aug 2023 20:00:23 -0300 Subject: [PATCH 01/17] Expand on the element --- .../ruleset/ruleset-xml-syntax/rules.rst | 78 +++++++++++-------- 1 file changed, 47 insertions(+), 31 deletions(-) diff --git a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst index 6e37097f70..c78c0c77c0 100644 --- a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst +++ b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst 
@@ -183,6 +183,52 @@ The **xml labels** used to configure ``rules`` are listed here. | `var`_ | Name for the variable. Most used: `BAD_WORDS`_ | Defines a variable that can be used anywhere inside the same file. | +-------------------------+---------------------------------------------------------------+------------------------------------------------------------------------------------------------------+ +.. _rules_group: + +group +^^^^^ + +Groups are tags to categorize alerts. Groups provide the following benefits. + +- A search criteria to filter related alerts. +- A matching condition for rules that use `if_group`_ and `if_matched_group`_. + +The ```` element is a root element in the rule file. All rules must have at least one group and must be enclosed by this element as shown in the following example. + + .. code-block:: xml + + + + + 400 + INFO + Wazuh API: Informative event. + + + + +There's an additional ```` element to set groups within a rule definition as follows. + +.. code-block:: xml + + + 400 + WARNING + Wazuh API: Warning event. + gpg13_4.12 + + +These two ```` elements provide the following benefits: + +- Allow assigning one or more groups to the alerts. +- Keep the rules definitions organized. + ++--------------------+------------+ +| **Default Value** | n/a | ++--------------------+------------+ +| **Allowed values** | Any String | ++--------------------+------------+ + .. _rules_rule: rule 
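Review bot: the two `.. code-block:: xml` directives added in this hunk are indented differently. The first one is indented one level (it renders as a block quote containing the code) while the second sits flush left; use the flush-left form for both so they render the same way. Two smaller points in the same hunk: "A search criteria to filter related alerts" should read "A search criterion", and the inner group value `gpg13_4.12` lacks the trailing comma that this file uses everywhere else (`spam,` in the section being replaced, `ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,` in the var example), so the new example would teach a different convention than the rest of the ruleset.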
@@ -2070,36 +2116,6 @@ Example: List of logged in users. It will not be alerted by default. -.. _rules_group: - -group -^^^^^ - -Add additional groups to the alert. Groups are optional tags added to alerts. - -They can be used by other rules by using if_group or if_matched_group, or by alert parsing tools to categorize alerts. - -Groups are variables that define behavior. When an alert includes that group label, this behavior will occur. - -Example: - - .. code-block:: xml - - - Group for rules related with spam. - spam, - - -Now, every rule with the line ``spam,`` will be included in that group. - -It's a very useful label to keep the rules ordered. - -+--------------------+------------+ -| **Default Value** | n/a | -+--------------------+------------+ -| **Allowed values** | Any String | -+--------------------+------------+ - .. _rules_mitre: mitre @@ -2154,7 +2170,7 @@ Example: BAD_WORDS -^^^^^^^^^ +~~~~~~~~~ error|warning|failure From 1737cbf9df1fcb09f85d7967f6ecf29fe34e4b0d Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Fri, 1 Sep 2023 17:06:37 -0300 Subject: [PATCH 02/17] Change rule examples and improve texts --- .../ruleset/ruleset-xml-syntax/rules.rst | 46 +++++++++++-------- 1 file changed, 26 insertions(+), 20 deletions(-) diff --git a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst index c78c0c77c0..e98c155e89 100644 --- a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst +++ b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst 
@@ -193,35 +193,39 @@ Groups are tags to categorize alerts. Groups provide the following benefits. - A search criteria to filter related alerts. - A matching condition for rules that use `if_group`_ and `if_matched_group`_. -The ```` element is a root element in the rule file. All rules must have at least one group and must be enclosed by this element as shown in the following example. +All rules must have at least one group. - .. code-block:: xml +The ```` element is a root element in the rule file. All rule definitions must be enclosed by the ```` ```` pair as shown in the following example. + +.. code-block:: xml + :emphasize-lines: 1,7 - - - - 400 - INFO - Wazuh API: Informative event. - - - + + + ossec + syscollector + Syscollector event. + + -There's an additional ```` element to set groups within a rule definition as follows. +There's an additional ```` element within a rule definition to set groups as follows. .. code-block:: xml + :emphasize-lines: 6 - - 400 - WARNING - Wazuh API: Warning event. - gpg13_4.12 - + + + 230 + normal + The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored. + syscheck,fim_db_state, + + These two ```` elements provide the following benefits: -- Allow assigning one or more groups to the alerts. -- Keep the rules definitions organized. +- Enable the assignment of one or more groups to the alerts. +- Keep the rule definitions organized. +--------------------+------------+ | **Default Value** | n/a | @@ -229,6 +233,8 @@ These two ```` elements provide the following benefits: | **Allowed values** | Any String | +--------------------+------------+ +To set more than one group within a ```` element, you need to use the separator character ``,``. + .. _rules_rule: rule From f18631fe29e72d2465ea816d4b3cf206a4873c2e Mon Sep 17 00:00:00 2001 
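Review bot: the sentence added at the end of this hunk, "To set more than one group within a `<group>` element, you need to use the separator character `,`", lands after the Default/Allowed values table, away from the example it explains. Move it directly under the second code block where `syscheck,fim_db_state,` appears, and say there that the value is a comma-separated list terminated by a comma, because that is what the example shows and what readers will copy. Also, "A search criteria" from the previous commit is still in the context lines of this hunk and still needs to be "A search criterion".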
From: Jorge Marino Date: Fri, 10 Nov 2023 23:09:07 -0300 Subject: [PATCH 03/17] Adding difference of usage for element as enclosing or inner element in Rules definition --- .../ruleset/ruleset-xml-syntax/rules.rst | 54 ++++++++++--------- 1 file changed, 29 insertions(+), 25 deletions(-) diff --git a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst index e98c155e89..ac8295bf73 100644 --- a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst +++ b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst 
@@ -188,27 +188,32 @@ The **xml labels** used to configure ``rules`` are listed here. group ^^^^^ -Groups are tags to categorize alerts. Groups provide the following benefits. +Groups are used to categorize alerts in the Dashboard in the first place. +It is mandatory for a rule to belong to one group at least. +This way we can have sets of related rules in the same group, for example 'syscheck', 'attack', or 'syslog'. -- A search criteria to filter related alerts. -- A matching condition for rules that use `if_group`_ and `if_matched_group`_. +We can specify the group of a rule using the element, enclosing the whole rule's definition. -All rules must have at least one group. - -The ```` element is a root element in the rule file. All rule definitions must be enclosed by the ```` ```` pair as shown in the following example. +Example: .. code-block:: xml - :emphasize-lines: 1,7 + :emphasize-lines: 6 - - ossec - syscollector - Syscollector event. + + 230 + normal + The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored. -There's an additional ```` element within a rule definition to set groups as follows. + +In this example, the rule "234" belongs to the group "wazuh". Whenever we filter rules in the dashboard with group:wazuh, this rule will be in the results. + + +On the other hand, the element can be used inside the rule's definition instead of enclosing it.. + +Example: .. code-block:: xml :emphasize-lines: 6 
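Review bot: the explanatory sentence "In this example, the rule "234" belongs to the group "wazuh"" names identifiers that do not appear in the example it follows, where the only visible id is `230`; make the prose and the block agree before this merges. In the same hunk, "enclosing it.." has a doubled period, "in the Dashboard in the first place" and "belong to one group at least" read awkwardly (suggest "Groups primarily categorize alerts in the Wazuh dashboard" and "belong to at least one group"), and `:emphasize-lines: 6` replaces the previous `1,7`, which highlighted the opening and closing `<group>` tags; since the paragraph is about the enclosing element, re-count so the highlighted lines are the enclosing tags rather than a single line inside the rule.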
@@ -218,24 +223,23 @@ There's an additional ```` element within a rule definition to set groups 230 normal The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored. - syscheck,fim_db_state, + group_example, -These two ```` elements provide the following benefits: +Using inside the rule's definition have effects only during the Matching Algorithm. +We can define another rule to match if the indicated group has matched before using _ and _. -- Enable the assignment of one or more groups to the alerts. -- Keep the rule definitions organized. - -+--------------------+------------+ -| **Default Value** | n/a | -+--------------------+------------+ -| **Allowed values** | Any String | -+--------------------+------------+ +.. code-block:: xml + :emphasize-lines: 6 -To set more than one group within a ```` element, you need to use the separator character ``,``. + + + group_example, + + -.. _rules_rule: +We can think of as a way to categorize rules to be matched from other rules instead of using ids, adding a semantic meaning to our rules. rule ^^^^ @@ -780,7 +784,7 @@ If ``user`` label is declared multiple times within the rule, the following rule .. _rules_sys_name: system_name -^^^^^^^^^^^^ +^^^^^^^^^^^ Used as a requisite to trigger the rule. It will check the system name (decoded as ``system_name``). From 97ecb14fbef52d24ae384aa5c3af2fbe6138e143 Mon Sep 17 00:00:00 2001 From: Norberto Vicchi Date: Tue, 19 Dec 2023 19:41:37 -0300 Subject: [PATCH 04/17] Added alpine linux procedure as well as audit 3.1.1 and higher versions note --- .../file-integrity/advanced-settings.rst | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/source/user-manual/capabilities/file-integrity/advanced-settings.rst b/source/user-manual/capabilities/file-integrity/advanced-settings.rst index fd6fb26107..fc5eb5bc00 100644 --- a/source/user-manual/capabilities/file-integrity/advanced-settings.rst 
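Review bot: this hunk deletes the `.. _rules_rule:` label (the `-.. _rules_rule:` line) together with the Default/Allowed values table; any `:ref:` to `rules_rule` elsewhere in the documentation will break, so keep the label in front of the `rule` heading. Also, "Using `<group>` inside the rule's definition have effects only during the Matching Algorithm" should be "has an effect", and the claim itself is not right: groups set inside a rule are also carried in the alert's `rule.groups` field, which is exactly what the replaced value `syscheck,fim_db_state,` contributes to alerts of that rule, so they are not limited to `if_group` and `if_matched_group` matching. Swapping that real value for `group_example,` also makes the example less useful than the ruleset-derived one it replaces.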
+++ b/source/user-manual/capabilities/file-integrity/advanced-settings.rst @@ -42,6 +42,37 @@ For Debian based systems, use the following command: # apt-get install auditd +For Alpine Linux systems: + + .. code-block:: console + + # apk add audit=3.1.1-r0 + # rc-update add auditd default + # cp /usr/sbin/audisp-af_unix /sbin/audisp-af_unix + + +.. note:: + + `Audit 3.1.1 changelog `_. indicates that the audispd af_unix plugin was moved to a standalone program. For whodata to successfully connect to the Audit daemon, it is necessary to install this plugin. + + In Red Hat based systems, use the following command to install the audspd af_unix plugin: + + .. code-block:: console + + # yum install audispd-plugins + + For Debian based systems, use the following command to install the audspd af_unix plugin: + + .. code-block:: console + + # apt-get install audispd-plugins + + In any case, you should restart the Auditd daemon. + + .. code-block:: console + + # service auditd restart + Perform the following steps to enable who-data monitoring. In this example, you configure who-data monitoring for ``/etc`` directory. #. Edit the Wazuh agent ``/var/ossec/etc/ossec.conf`` configuration file and add the configuration below: From cf02e88cb55226b64d8b8299dda1d3a595cfcb8f Mon Sep 17 00:00:00 2001 From: Norberto Vicchi <69121070+ncvicchi@users.noreply.github.com> Date: Wed, 20 Dec 2023 10:22:01 -0300 Subject: [PATCH 05/17] Update source/user-manual/capabilities/file-integrity/advanced-settings.rst Co-authored-by: Manuel Cano <119335479+mjcr99@users.noreply.github.com> --- .../capabilities/file-integrity/advanced-settings.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/user-manual/capabilities/file-integrity/advanced-settings.rst b/source/user-manual/capabilities/file-integrity/advanced-settings.rst index fc5eb5bc00..7c100aba95 100644 --- a/source/user-manual/capabilities/file-integrity/advanced-settings.rst 
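Review bot: `apk add audit=3.1.1-r0` pins an exact package revision; as soon as the Alpine repository ships a newer build of audit this command fails with a version conflict instead of installing, so state the minimum version (3.1.1) in prose and pin less tightly. In the same hunk, `cp /usr/sbin/audisp-af_unix /sbin/audisp-af_unix` leaves a copy that will not follow package upgrades (a symlink would), the Alpine block never restarts auditd after copying the plugin although the note below says to "in any case" (and `service auditd restart` in that note is not the OpenRC command Alpine uses), "audspd" is misspelled twice (audispd), and the changelog link is followed by a stray period ("`_."). The note's justification, that the af_unix plugin became a standalone program in Audit 3.1.1 and whodata needs it to connect to the daemon, is the most useful sentence here; keep it next to the commands.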
+++ b/source/user-manual/capabilities/file-integrity/advanced-settings.rst @@ -55,7 +55,7 @@ For Alpine Linux systems: `Audit 3.1.1 changelog `_. indicates that the audispd af_unix plugin was moved to a standalone program. For whodata to successfully connect to the Audit daemon, it is necessary to install this plugin. - In Red Hat based systems, use the following command to install the audspd af_unix plugin: + In Red Hat based systems, use the following command to install the audispd af_unix plugin: .. code-block:: console From 52d853c1f7a1942e79bb80ae89ad96af43abdf39 Mon Sep 17 00:00:00 2001 From: Norberto Vicchi <69121070+ncvicchi@users.noreply.github.com> Date: Wed, 20 Dec 2023 10:22:06 -0300 Subject: [PATCH 06/17] Update source/user-manual/capabilities/file-integrity/advanced-settings.rst Co-authored-by: Manuel Cano <119335479+mjcr99@users.noreply.github.com> --- .../capabilities/file-integrity/advanced-settings.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/user-manual/capabilities/file-integrity/advanced-settings.rst b/source/user-manual/capabilities/file-integrity/advanced-settings.rst index 7c100aba95..d51c71ea8e 100644 --- a/source/user-manual/capabilities/file-integrity/advanced-settings.rst +++ b/source/user-manual/capabilities/file-integrity/advanced-settings.rst @@ -61,7 +61,7 @@ For Alpine Linux systems: # yum install audispd-plugins - For Debian based systems, use the following command to install the audspd af_unix plugin: + For Debian based systems, use the following command to install the audispd af_unix plugin: .. code-block:: console From c6c5187c7b7685ad35058422ec355280480f418b Mon Sep 17 00:00:00 2001 From: Norberto Vicchi Date: Wed, 20 Dec 2023 14:33:11 -0300 Subject: [PATCH 07/17] Added a missing command to restart audit after copying plugin --- .../capabilities/file-integrity/advanced-settings.rst | 1 + 1 file changed, 1 insertion(+) 
diff --git a/source/user-manual/capabilities/file-integrity/advanced-settings.rst b/source/user-manual/capabilities/file-integrity/advanced-settings.rst index d51c71ea8e..6aef363b20 100644 --- a/source/user-manual/capabilities/file-integrity/advanced-settings.rst +++ b/source/user-manual/capabilities/file-integrity/advanced-settings.rst @@ -49,6 +49,7 @@ For Alpine Linux systems: # apk add audit=3.1.1-r0 # rc-update add auditd default # cp /usr/sbin/audisp-af_unix /sbin/audisp-af_unix + # rc-service auditd restart .. note:: From 371fac3a633a6fecf7a6dad6b2a89be528c17044 Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Thu, 21 Dec 2023 11:12:57 -0300 Subject: [PATCH 08/17] Add changes from review --- .../file-integrity/advanced-settings.rst | 51 ++++++++----------- 1 file changed, 22 insertions(+), 29 deletions(-) diff --git a/source/user-manual/capabilities/file-integrity/advanced-settings.rst b/source/user-manual/capabilities/file-integrity/advanced-settings.rst index 6aef363b20..98fc383522 100644 --- a/source/user-manual/capabilities/file-integrity/advanced-settings.rst +++ b/source/user-manual/capabilities/file-integrity/advanced-settings.rst 
@@ -30,49 +30,42 @@ Configuration You need to install the audit daemon if you don’t have it already installed on your endpoint. -In Red Hat based systems, auditd is usually installed by default. If not, install it using the following command: +.. tabs:: - .. code-block:: console - - # yum install audit - -For Debian based systems, use the following command: - - .. code-block:: console + .. group-tab:: Red Hat-based - # apt-get install auditd - -For Alpine Linux systems: - - .. code-block:: console - - # apk add audit=3.1.1-r0 - # rc-update add auditd default - # cp /usr/sbin/audisp-af_unix /sbin/audisp-af_unix - # rc-service auditd restart + .. code-block:: console + # yum install audit + + For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service. -.. note:: + .. code-block:: console - `Audit 3.1.1 changelog `_. indicates that the audispd af_unix plugin was moved to a standalone program. For whodata to successfully connect to the Audit daemon, it is necessary to install this plugin. + # yum install audispd-plugins + # systemctl restart auditd - In Red Hat based systems, use the following command to install the audispd af_unix plugin: + .. group-tab:: Debian-based - .. code-block:: console + .. code-block:: console - # yum install audispd-plugins + # apt-get install auditd - For Debian based systems, use the following command to install the audispd af_unix plugin: + For Audit 3.1.1 and later, install the audispd af_unix plugin and restart the Audit service. - .. code-block:: console + .. code-block:: console - # apt-get install audispd-plugins + # apt-get install audispd-plugins + # systemctl restart auditd - In any case, you should restart the Auditd daemon. + .. group-tab:: Alpine Linux - .. code-block:: console + .. 
code-block:: console - # service auditd restart + # apk add audit=3.1.1-r0 + # rc-update add auditd default + # cp /usr/sbin/audisp-af_unix /sbin/audisp-af_unix + # rc-service auditd restart Perform the following steps to enable who-data monitoring. In this example, you configure who-data monitoring for ``/etc`` directory. From cb3220f60cb8ae4a7aa796133893d2c7c8642ee1 Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Fri, 22 Dec 2023 09:17:08 -0300 Subject: [PATCH 09/17] Update 4.7.2 docs changelog --- CHANGELOG.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ea5366156..8b7da3d660 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,11 +5,14 @@ All notable changes to this project will be documented in this file. ### Added -- Support for Wazuh 4.7.2. +- Added custom role creation steps to GCP credentials configuration section. ([#6837](https://github.com/wazuh/wazuh-documentation/pull/6837)) +- Added a subsection for alert visualization in AWS Security Lake. Added a note about time to display alerts. ([#6838](https://github.com/wazuh/wazuh-documentation/pull/6838)) +- Added ``urllib3==1.26.18`` dependency to Docker installation steps. ([#6824](https://github.com/wazuh/wazuh-documentation/pull/6824)) ### Changed -- Updated the use case: Give a user permissions to read and manage a group of agents with minimum configuration reading permissions. ([#6850](https://github.com/wazuh/wazuh-documentation/pull/6850)) +- Added minimum configuration reading permissions to RBAC section use case. ([#6850](https://github.com/wazuh/wazuh-documentation/pull/6850)) +- Updated AWS profile configuration instructions. ([#6803](https://github.com/wazuh/wazuh-documentation/pull/6803)) ## [v4.7.1] From 2ed9c87eadb5df961dfa9ac450c51dbc5aef2669 Mon Sep 17 00:00:00 2001 
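Review bot: in the PATCH 08/17 tabs hunk, the Red Hat-based tab uses `systemctl restart auditd`; on Red Hat-based systems the auditd unit ships with `RefuseManualStop=yes`, so systemctl refuses to stop or restart it and the documented way is `service auditd restart`, which the removed note used. In the same tab, the `.. code-block:: console` directive appears to be followed directly by `# yum install audit` with no blank line, unlike the Debian-based and Alpine tabs; docutils needs that blank line or the command is parsed as part of the directive. Finally, the hunk drops the only explanation of why the plugin is needed (the Audit 3.1.1 changelog note: the af_unix plugin became a standalone program and whodata needs it to connect to auditd); a one-line reason above the tabs would help readers who later hit the connection failure.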
From: Javier Medeot Date: Fri, 22 Dec 2023 11:41:22 -0300 Subject: [PATCH 10/17] Update 4.7.2 release notes --- source/release-notes/release-4-7-2.rst | 62 ++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/source/release-notes/release-4-7-2.rst b/source/release-notes/release-4-7-2.rst index 61b8559902..76f15254e8 100644 --- a/source/release-notes/release-4-7-2.rst +++ b/source/release-notes/release-4-7-2.rst 
@@ -13,17 +13,70 @@ What's new This release includes new features or enhancements as the following: +Wazuh agent +^^^^^^^^^^^ + +- `#20638 `__ Added request timeouts for the external and cloud integrations. This prevents indefinite waiting for a response. + +Ruleset +^^^^^^^ + +- `#17565 `__ Added new SCA policy for Debian 12 systems. + +Other +^^^^^ + +- `#20798 `__ Upgraded external ``aiohttp`` library dependency to version ``3.9.1`` to address a security vulnerability. + Wazuh dashboard ^^^^^^^^^^^^^^^ - `#6191 `__ Added **Hostname** and **Board Serial** information to **Agents** > **Inventory data**. - `#6208 `__ Added contextual information to the deploy agent steps. +Packages +^^^^^^^^ + +- `#2670 `__ Removed installed dependencies that were part of the Wazuh installation assistant. This ensures a clean post-installation state. +- `#2677 `__ Removed ``gnupg`` package as RPM dependency in the Wazuh installation assistant. + Resolved issues --------------- This release resolves known issues as the following: +Wazuh manager +^^^^^^^^^^^^^ + +=========================================================== ============= + Reference Description +=========================================================== ============= +`#21011 `__ ``wazuh-remoted`` now logs the warning regarding invalid message size from agents in hex format. +`#20658 `__ Fixed a bug within the Windows Eventchannel decoder to ensure proper handling of Unicode characters. +`#20735 `__ Fixed data validation for decoding Windows Eventchannel XML input strings. +=========================================================== ============= + +Wazuh agent +^^^^^^^^^^^ + +=========================================================== ============= + Reference Description +=========================================================== ============= +`#20656 `__ Implemented validation for the format of the IP address parameter in the ``host_deny`` active response. 
+`#20594 `__ Fixed a bug in the Windows agent that might lead it to crash when gathering forwarded Windows events. +`#20447 `__ Fixed issue with the ``profile`` prefix in parsing AWS configuration profiles. +`#20660 `__ Fixed parsing and validation for the AWS regions argument, expanding the AWS regions list accordingly. +=========================================================== ============= + +Ruleset +^^^^^^^ + +=========================================================== ============= + Reference Description +=========================================================== ============= +`#20663 `__ Updated AWS Macie rules to show relevant fields in alert details. +=========================================================== ============= + Wazuh dashboard ^^^^^^^^^^^^^^^ @@ -35,6 +88,15 @@ Wazuh dashboard `#6224 `__ Fixed error navigating back to agent in some scenarios. ================================================================================================================================================= ============= +Packages +^^^^^^^^ + +===================================================================== ============= +Reference Description +===================================================================== ============= +`#2667 `_ Fixed warning message when generating certificates. +===================================================================== ============= + Changelogs ---------- From 1d7958833760258a61c9fc7016f9c76f0b494a74 Mon Sep 17 00:00:00 2001 From: Mateo Cervilla Date: Wed, 27 Dec 2023 09:38:53 -0300 Subject: [PATCH 11/17] Add MacOS 14 SCA Policies --- .../sec-config-assessment/available-sca-policies.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/user-manual/capabilities/sec-config-assessment/available-sca-policies.rst b/source/user-manual/capabilities/sec-config-assessment/available-sca-policies.rst index 493e66cb65..eb90c0823b 100644 
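Review bot: in the PATCH 10/17 Packages table under "Resolved issues", `#2667 ... `_` uses a single underscore while every other reference in these tables uses the anonymous `__` form; the single underscore creates a named target, so a second `#2667` link anywhere in the document would produce a duplicate target warning. Use `__` here for consistency. In the first hunk of the same patch, the "Other" entry says `aiohttp` was upgraded to `3.9.1` "to address a security vulnerability" without linking the advisory; a link to the fix or advisory would let readers judge whether their deployment was exposed.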
--- a/source/user-manual/capabilities/sec-config-assessment/available-sca-policies.rst +++ b/source/user-manual/capabilities/sec-config-assessment/available-sca-policies.rst @@ -103,6 +103,8 @@ The table below shows SCA policies pre-installed in Wazuh out-of-the-box. The Wa +-----------------------------+------------------------------------------------------------+-------------------------------+ | cis_apple_macOS_13.x | CIS Checks for macOS 13.x | macOS 13.x (Ventura) | +-----------------------------+------------------------------------------------------------+-------------------------------+ + | cis_apple_macOS_14.0 | CIS Checks for macOS 14.0 | macOS 14.0 (Sonoma) | + +-----------------------------+------------------------------------------------------------+-------------------------------+ | web_vulnerabilities | System audit for web-related vulnerabilities | N/A | +-----------------------------+------------------------------------------------------------+-------------------------------+ | cis_apache_24 | CIS Apache HTTP Server 2.4 Benchmark | Apache configuration files | From 8c44a9eb266bcf256d41d99e0522d70a506a46f7 Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Wed, 27 Dec 2023 13:16:25 -0300 Subject: [PATCH 12/17] Add changes from review --- .../ruleset/ruleset-xml-syntax/rules.rst | 82 ++++++++----------- 1 file changed, 33 insertions(+), 49 deletions(-) diff --git a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst index ac8295bf73..25704e6f31 100644 --- a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst +++ b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst @@ -3,8 +3,6 @@ .. meta:: :description: The Wazuh Ruleset is used to analyze incoming events and generate alerts when appropriate. Learn more about Rules syntax in this section. -.. _rules_syntax: - Rules Syntax ============ 
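Review bot: in the first hunk of PATCH 12/17, removing the `.. _rules_syntax:` label breaks every `:ref:` to `rules_syntax` elsewhere in the documentation unless those references are updated in the same change, and the diffstat shows only rules.rst touched; keep the label, or grep the tree for the reference name before dropping it.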
@@ -188,58 +186,40 @@ The **xml labels** used to configure ``rules`` are listed here. group ^^^^^ -Groups are used to categorize alerts in the Dashboard in the first place. -It is mandatory for a rule to belong to one group at least. -This way we can have sets of related rules in the same group, for example 'syscheck', 'attack', or 'syslog'. +Groups categorize alerts. They allow filtering related alerts in the Wazuh dashboard. -We can specify the group of a rule using the element, enclosing the whole rule's definition. +The default Wazuh ruleset already includes rules that use groups like ``syscheck,``, ``attack,``, and ``syslog,``. As an example, you can filter alerts for these categories by querying ``rule.groups: attack`` or ``rule.groups: (syscheck OR syslog)`` in the Wazuh dashboard. -Example: +Every rule must belong to at least one group. To specify one or more groups for a rule, enclose the rule definition with the ```` element. For example: .. code-block:: xml - :emphasize-lines: 6 + :emphasize-lines: 1,7 - + 230 normal The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored. - -In this example, the rule "234" belongs to the group "wazuh". Whenever we filter rules in the dashboard with group:wazuh, this rule will be in the results. - - -On the other hand, the element can be used inside the rule's definition instead of enclosing it.. - -Example: +You can also specify additional groups by including the ```` element within the rule definition. For example: .. code-block:: xml :emphasize-lines: 6 - + 230 normal The file limit set for this agent is $(file_limit). Now, $(file_count) files are being monitored. - group_example, + syscheck,fim_db_state, -Using inside the rule's definition have effects only during the Matching Algorithm. -We can define another rule to match if the indicated group has matched before using _ and _. - -.. 
code-block:: xml - :emphasize-lines: 6 +To define rules that trigger only if another rule in a specific group has triggered, check the `if_group`_ and `if_matched_group`_ options. These options use the groups defined in the ```` element inside the rule definition. - - - group_example, - - - -We can think of as a way to categorize rules to be matched from other rules instead of using ids, adding a semantic meaning to our rules. +.. _rules_rule: rule ^^^^ @@ -2164,25 +2144,28 @@ Defines a variable that may be used in any place of the same file. Example: - .. code-block:: xml +.. code-block:: xml + :emphasize-lines: 1,7 - /home/joe/ + /home/joe/ - + - - 550 - ^$joe_folder - A Joe's file was modified. - ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d, - + + 550 + ^$joe_folder + A Joe's file was modified. + ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d, + - + BAD_WORDS ~~~~~~~~~ -error|warning|failure +.. code-block:: xml + + error|warning|failure ``BAD_WORDS`` is a very used use case of the ```` option. @@ -2190,13 +2173,14 @@ It is used to include many words in the same variable. Later, this variable can Example: - .. code-block:: xml +.. code-block:: xml + :emphasize-lines: 1,5 - error|warning|failure + error|warning|failure - - - $BAD_WORDS - Error found. - - + + + $BAD_WORDS + Error found. + + From 81e9fe457372585aeef0c81c9e8df9b769801abd Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Thu, 28 Dec 2023 09:35:03 -0300 Subject: [PATCH 13/17] Update source/user-manual/ruleset/ruleset-xml-syntax/rules.rst --- source/user-manual/ruleset/ruleset-xml-syntax/rules.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst index 25704e6f31..efd1ff751f 100644 --- a/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst +++ b/source/user-manual/ruleset/ruleset-xml-syntax/rules.rst 
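Review bot: the closing sentence of the rewritten group section in PATCH 12/17, "These options use the groups defined in the `<group>` element inside the rule definition", contradicts the earlier paragraph in the same hunk, which presents the enclosing `<group name="...">` element as the way a rule gets its groups and filters on `rule.groups: syscheck` for rules whose enclosing group is `syscheck,`. `if_group` and `if_matched_group` match against a rule's full group list, enclosing and inner, so either drop the qualifier or state that both count. The `rule.groups: attack` and `rule.groups: (syscheck OR syslog)` query examples are a good addition; restoring the `.. _rules_rule:` label and the real `syscheck,fim_db_state,` value fixes the two regressions from PATCH 03/17.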
@@ -217,7 +217,7 @@ You can also specify additional groups by including the ```` element with -To define rules that trigger only if another rule in a specific group has triggered, check the `if_group`_ and `if_matched_group`_ options. These options use the groups defined in the ```` element inside the rule definition. +To define rules that trigger only if another rule in a specific group has triggered, check the `if_group`_ and `if_matched_group`_ options. .. _rules_rule: From 0f9560529b44c0b931cd1a2cac129dbbea9fdef7 Mon Sep 17 00:00:00 2001 From: Tomas Turina Date: Thu, 28 Dec 2023 13:34:28 +0000 Subject: [PATCH 14/17] Fix YARA outdated link and typo --- .../block-malicious-actor-ip-reputation.rst | 2 +- source/user-manual/capabilities/malware-detection/fim-yara.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/source/proof-of-concept-guide/block-malicious-actor-ip-reputation.rst b/source/proof-of-concept-guide/block-malicious-actor-ip-reputation.rst index b29215acfa..f72a950290 100644 --- a/source/proof-of-concept-guide/block-malicious-actor-ip-reputation.rst +++ b/source/proof-of-concept-guide/block-malicious-actor-ip-reputation.rst @@ -85,7 +85,7 @@ Perform the following steps to install and configure an Apache web server. #. Install the latest `Visual C++ Redistributable package `__. -#. Download the Apache web server `ZIP installation file `__. This is an already compiled binary for Windows operating systems. +#. Download the Apache web server `ZIP installation file `__. This is an already compiled binary for Windows operating systems. #. Unzip the contents of the Apache web server zip file and copy the extracted ``Apache24`` folder to the ``C:`` directory. diff --git a/source/user-manual/capabilities/malware-detection/fim-yara.rst b/source/user-manual/capabilities/malware-detection/fim-yara.rst index a0ef7cf65d..f98b104d52 100644 --- a/source/user-manual/capabilities/malware-detection/fim-yara.rst 
+++ b/source/user-manual/capabilities/malware-detection/fim-yara.rst @@ -72,7 +72,7 @@ Perform the following steps to configure YARA and the FIM module on the monitore -H 'Referer: https://valhalla.nextron-systems.com/' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' \ - --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111 111111111111111111&format=text' \ + --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text' \ -o /tmp/yara/rules/yara_rules.yar #. Create a ``/var/ossec/active-response/bin/yara.sh`` file and add the content below: From cb0fac93ca37053baeaa60b902004dd5f4e35384 Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Thu, 28 Dec 2023 11:03:50 -0300 Subject: [PATCH 15/17] Switch use case positions --- source/getting-started/use-cases/index.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source/getting-started/use-cases/index.rst b/source/getting-started/use-cases/index.rst index c36de33195..b0bc907b0f 100644 --- a/source/getting-started/use-cases/index.rst +++ b/source/getting-started/use-cases/index.rst 
@@ -18,8 +18,8 @@ Below you can find examples of some of the most common use cases of the Wazuh pl Endpoint security Threat intelligence Security operations Cloud security ================================= ================================ ============================== ================================== :doc:`configuration-assessment` :doc:`threat-hunting` :doc:`incident-response` :doc:`container-security` -:doc:`malware-detection` :doc:`log-analysis` :doc:`regulatory-compliance` :doc:`Workload protection ` -:doc:`file-integrity` :doc:`vulnerability-detection` :doc:`it-hygiene` :doc:`posture-management` +:doc:`malware-detection` :doc:`log-analysis` :doc:`regulatory-compliance` :doc:`posture-management` +:doc:`file-integrity` :doc:`vulnerability-detection` :doc:`it-hygiene` :doc:`Workload protection ` ================================= ================================ ============================== ================================== .. toctree:: @@ -35,5 +35,5 @@ Endpoint security Threat intelligence Security op regulatory-compliance it-hygiene container-security - cloud-workload-protection posture-management + cloud-workload-protection From 4fd65dfef4792a79093483059f8153fd9a3b2d74 Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Fri, 29 Dec 2023 16:36:32 -0300 Subject: [PATCH 16/17] Remove WPK unavailable notice --- source/user-manual/agents/remote-upgrading/index.rst | 6 ------ 1 file changed, 6 deletions(-) diff --git a/source/user-manual/agents/remote-upgrading/index.rst b/source/user-manual/agents/remote-upgrading/index.rst index b69abac197..fd94ea917d 100644 --- a/source/user-manual/agents/remote-upgrading/index.rst +++ b/source/user-manual/agents/remote-upgrading/index.rst 
@@ -3,15 +3,9 @@ .. meta:: :description: From Wazuh 3.0.0 version onwards, agents can be upgraded remotely. Learn more about it in this section of the Wazuh documentation. -.. _remote-upgrading: - Remote upgrading ================== -.. warning:: - - Remote upgrade is temporarily unavailable in |WAZUH_CURRENT_MINOR|. - .. topic:: Contents .. toctree:: From c2db49242acef776cb9a95cfa6f87708b22542fc Mon Sep 17 00:00:00 2001 From: Javier Medeot Date: Thu, 4 Jan 2024 15:31:54 -0300 Subject: [PATCH 17/17] Update 4.7.2 docs changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b7da3d660..f371065aaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file. - Added minimum configuration reading permissions to RBAC section use case. ([#6850](https://github.com/wazuh/wazuh-documentation/pull/6850)) - Updated AWS profile configuration instructions. ([#6803](https://github.com/wazuh/wazuh-documentation/pull/6803)) +- Updated configuration step in Yara use case and Apache web server installation step in Malware detection PoC. ([#6894](https://github.com/wazuh/wazuh-documentation/pull/6894)) ## [v4.7.1]
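Review bot: in PATCH 16/17, besides the warning the hunk also deletes the `.. _remote-upgrading:` label, which the commit subject ("Remove WPK unavailable notice") does not mention; any `:ref:` to `remote-upgrading` breaks, and the diffstat shows only this file changed, so keep the label or update the references in the same change.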