Wazuh 4.0 released

We are glad to announce that Wazuh 4.0.0 is released. Discover the new additions and improvements here! Wazuh is now better than ever.

New features and changes in Wazuh 4.0

The Wazuh API is now a part of the Wazuh manager package. Its performance has been improved, it incorporates role-based access control (RBAC) capabilities and it is easier to use and deploy.

The manager and agent’s default communication protocol is now TCP. This change guarantees a reliable delivery of the data collected by the agents, the pushing of centralized configuration settings in real-time and faster execution of active responses.

This version includes a new feature for agent auto-enrollment. Now agents automatically request a registration key when needed, preventing them from losing their connection with the Wazuh manager when keys are lost or corrupted.

API RBAC (Role-Based Access Control)

The Wazuh API now includes role-based access control. This feature manages the access to API endpoints, using policies and user roles. It also allows role and policy assignments to users that will fulfill different functions in the environment.

You can access the RBAC configuration menu on the Wazuh WUI on Wazuh > Security

animated GIF of how to access the RBAC configuration menu on the Wazuh 4.0 WUI

This capability will, for example, allow the access restriction of a user to the FIM monitored files of a group of agents. You can read here more about how to add roles to users.

Agents auto-enrollment

There is no need to request a key using an external CLI because the agents can now request the key autonomously. When an agent has a manager IP defined on its ossec.conf it will automatically request the key to the manager if does not have a valid key at startup.

The auto-enrollment functionality also allows the agent to request a new key in case of losing the connection with the manager. If this happens, the agent will check if the manager is defined on theossec.conf and if it is, it will request a new key by default every 10 seconds up to 5 consecutive times. Both the number of request attempts and the frequency these keys are requested can be customized on the ossec.conf.

The agent enrollment can still be done using the agent-auth, but with the auto-enrollment, there is no need to request the key. It is worth mentioning that all the agents from previous versions are still 100 % compatible with the 4.x version.

FIM: Disk quota limitations

FIM implements a group of settings to control the module temporal files disk usage. This means that we can now choose the amount of disk space used by the report change utility. The diff option reports changes in the monitored files by creating a compressed copy of the file and checking if it changes. This method may use a lot of disk space depending on the number of files monitored, so this new setting will help prevent this situation by allowing the user to set limits. Wazuh 4.0 introduces new capabilities to limit the space used:

  • disk_quota: This field specifies the total amount of space the diff utility can use. By default, this value is set to 1GB.
  • file_size: This option limits the file size which will report diff information. Files bigger than this limit will not report diff information. By default, this limit is set to 50MB.

Here is an example of how to use disk_quota and file_size:

    <diff>
        <disk_quota>
          <enabled>yes</enabled>
          <limit>1GB</limit>
        </disk_quota>
        <file_size>
          <enabled>yes</enabled>
          <limit>50MB</limit>
        </file_size>
      
        <nodiff>/etc/ssl/private.key</nodiff>
      </diff>  

In addition, you can now monitor directories using environment variables. More information about how to set a list of directories to be monitored.

Wazuh Kibana plugin

The Wazuh Kibana plugin adds support for Open Distro for Elasticsearch v1.10.1 and Elastic Stack v7.9.1 and v7.9.2.

Apart from the RBAC support, this upgrade brings new configuration view settings for GCP integration and has expanded the supported deployment variables.

The Wazuh Kibana plugin also adds statistics for the listener engine:

Listener engine of Wazuh 4.0 app screenshot

And the analysis engine:

Analysis engine

To learn more about all the new features and changes in the Wazuh Kibana plugin, visit its repository.

More information and links about Wazuh 4.0

This release includes a lot more features, you can find more information in the following links:

If you have any questions about Wazuh 4.0, don’t hesitate to check out our documentation to learn more about Wazuh. You can also join our Slack and our mailing list where our team and other users will help you.

The post Wazuh 4.0 released appeared first on Wazuh.