1 OSSEC changelog (3.3.0) <scott@atomicorp.com>
6 Scott R. Shinn (http://www.atomicorp.com)
8 Contributors on this release
10 almirb (Almir Bolduan)
11 aquerubin (Antonio Querubin)
12 atomicturtle (Scott R. Shinn)
13 Bob-Andrews (Bob Andrews)
23 OSSECCON 2019, from the whole team here at OSSEC it was really fantastic meeting everyone at the show, and we look forward to seeing you all again at OSSECCON 2020!
24 PCRE2, Jubois made a major update to the IDS foundation in OSSEC 3.3.0 with PCRE2 (https://www.pcre.org/current/doc/html/pcre2.html) library. This is an extremely powerful update to the overall pattern analysis functionaility in OSSEC. In order to build this with the native distribution pcre2 packages (pcre2-devel, etc), you will need to use: export PCRE2_SYSTEM=yes. This adds several new xml tags:
25 - pcre2 (to replace regex)
40 Dynamic Decoders, discussed in the "Beyond Security" talk at OSSECCON 2019, this allows for user-defined keys in decoders. These are exposed in JSON output for inclusion with other data analytics tools. This adds a new internal option: analysisd.decoder_order_size to define the maximum number keys allowed in a single decoder.
45 (jubois) - PCRE2 regular expression support - PR#1652
46 (atomicturtle) - ossec-analysisd, Dynamic decoder support. Original: Vikman Fdez-Castro - PR#1678
47 (ddpbsd) - ossec-execd, Switch "white lists" to "allow lists" - PR#1687 - NARRATE HERE
50 (Bob-Andrews) - rootcheck, update for NullSessionShares - PR#1669
51 (Bob-Andrews) - topleveldomainrules.xml, Shady TLD web traffic detection - PR#1671
52 (Bob-Andrews) - last_rootlogin_rules.xml, Sensitive login detection - PR#1671
53 (Bob-Andrews) - unbound_rules.xml, added rule for maybe critical TLD request - PR#1672
54 (Bob-Andrews) - rootcheck, Deleted repeating rules - PR#1674
55 (ddpbsd) - Update info links in Windows rules - PR#1675
56 (aquerubin) - Added decoder for pam_succeed_if - PR#1684
60 (MangyCoyote) - ossec-analysisd, support Syslog ISO timestamp events with optional fraction of second - PR#1664
61 (ddpbsd) - Fix compilation with PCRE2_SYSTEM=yes - PR#1666
62 (aquerubin) - ossec-batch-manager.pl, update regexp for ipv6 addresses - PR#1667
63 (mephesto1337) - Fix part of issue#1663, compiling with PCRE2_SYSTEM=yes - PR#1677
64 (ddpbsd) - active-response, Fix for issue#1647, log disable-account.sh to the correct location - PR#1683
65 (aquerubin) - Copy resolv.conf on build event - PR#1685
66 (almirb) - active-response, Corrected the way active-response logs are generated on windows - PR#1689
67 (atomicturtle) - ossec-execd, Expose filename variable in AR add/delete events - PR#1695
72 OSSEC changelog (3.2.0) <scott@atomicorp.com>
78 Scott R. Shinn (Atomicorp, Inc.)
80 Contributors on this release
94 The great JSON-in-ing has begun! New features in this release focus on extending JSON output support to control commands like agent_control, syscheck_control, and rootcheck_control. Additional extensions add support for archives.log in native json format, and improving the alert.json output. This release also also brings some much needed enhancements to ossec-authd to streamline the agent registration experience (thanks nhatking16591!), Bob-Andrews continues on major auditing improvements plus support for Solaris 11.
96 We'd like to thank all the great contributors (named and anonymous!) who continue to improve ossec and support our community. We'd also like to welcome all our new contributors to OSSEC on this release. They have helped us on bug testing, documentation, new features, rules, compliance checks, code and more. There are no small contributions to a project like OSSEC, and we continue to thrive with your support. Special thanks to security researchers A.P. and S.S. for their audit of the ossec project, your work has greatly benefited the community.
98 If you're interested in joining our team, or just interacting with us on slack email us at: invite@ossec.net
105 (atomicturtle) - add ossec-configure to contrib - PR#1559
106 (atomicturtle) - add <log_format>audit</log_format> for native audit.log support - PR#1589
107 (nhatking16591) - authd, Allow reuse ID and improve search algorithm finding available ID key. Fixes issue#1587, PR#1594
108 (ddpbsd) - syscheck, add <no_recurse> option to keep FIM from going down directories. Addresses Issue#1595 - PR#1597
109 (atomicturtle) - archives.json, JSON support for archives.log with <logall_json>yes</logall_json> - PR#1596, PR#1601, PR#1608
110 (atomicturtle) - agent_control, -j for JSON output - PR#1625
111 (atomicturtle) - syscheck/rootchec_control, add -j for JSON output - PR#1626
112 (atomicturtle) - manage_agents, add -j for JSON output, -a to add new agent, -a -n add new agent with declared name - PR#1627
113 (atomicturtle) - internal_options.conf, remoted.pass_empty_keyfile will toggle if remoted exits on an empty client.keys file - PR#1628
114 (atomicturtle) - manage_agents, add -d modifier to -a (add) to remove an agent pinned to an already declared IP - PR#1632
115 (atomicturtle) - manage_agents, add -F <sec> modifier to -a (add), this will delete an agent with the same IP if it has not been seen in -F <secs> - PR#1639
116 (atomicturtle) - manage_agents, add -m flag to show the max agent limit - PR#1650
120 (Bob-Andrews) - rootcheck, add Solaris11 CIS checks - PR#1557
121 (Bob-Andrews) - rootcheck, add password requirement checks - PR#1558, PR#1562
122 (Bob-Andrews) - Kasperskey Endpoint Security rules/decoders - PR#1573
123 (Bob-Andrews) - Cowrie / Dionaea Modern Honeypot Network rules/decoders - PR#1574
124 (Bob-Andrews) - Dionaea/Cowrie decoder, Changed IPv4 to IPv4/IPv6 - PR#1578
125 (Bob-Andrews) - Windows Powershell rules: ms_powershell_rules.xml, add powershell rules - PR#1579
126 (jubois) - proftpd decoder: decoder simplification - PR#1657
127 (ddpbsd) - nsd rules: nsd_rules.xml, detect zone transfer attempts - PR#1598
128 (Bob-Andrews) - Windows Powershell rules: ms_powershell_rules.xml, dangerous commands/background activity - PR#1646
132 (mig5) - firewall-drop.sh, modify to support non-bash environments - PR#1572
133 (mwmahlberg) - ossec-agent.conf, remove double hyphen in comment. Fixes issue#1582 - PR#1583
134 (ddpbsd) - ossec-maild, allow permission changes to make it into email alerts. Fixes issue#1571 - PR#1593
135 (ddpbsd) - installation, addresses issue#1570, allow installation as unpriv user - PR#1599
136 (atomicturtle) - JSON output, basic json functions for agent_control - PR#1600, PR#1602
137 (ddpbsd) - ossec-authd, use IPExist to check for duplicate IP addresses - PR#1603
138 (ddpbsd) - general, default to not setting the compiler optimization level - PR#1604
139 (ddpbsd) - general, default to showing verbose compiler output - PR#1605
140 (atomicturtle) - agent_control, JSON output prep work - PR#1606
141 (atomicturtle) - JSON output, adding functions for rootcheck compliance output in JSON - PR#1607
142 (atomicturtle) - JSON output, minor optimization - PR#1609
143 (atomicturtle) - agent_control, minor fixes for JSON output - PR#1610
144 (ddpbsd) - zlib, shifting dependencies to the system zlib - PR#1612
145 (ddpbsd) - LUA, disable lua by default, shifting dependencies to the system lua - PR#1613
146 (ddpbsd) - security review, coverity fixes - PR#1616
147 (atomicturtle) - JSON output, minor update for JSON log dirs/files - PR#1617
148 (atomicturtle) - JSON output, fix lf location array from unknown syslog - PR#1618
149 (atomicturtle) - manage_agents, bugfix when generating keys from a file - PR#1619
150 (atomicturtle) - ossec-analysisd, increase default memory size from 1024 to 8192 (dcid) - PR#1620
151 (ddpbsd) - security review, coverity fixes - PR#1621
152 (atomicturtle) - JSON output, adding more groups, and clean up formatting - PR#1622
153 (ddpbsd) - security review, coverity fixes for PR#1624 - PR#1629
154 (ddpbsd) - manage_agents, add an error path for being unable to chmod authfile - PR#1629
155 (pillarsdotnet) - active-response, directory traversal fix - PR#1630
156 (ddpbsd) - ossec-control, remove author tag from output - PR#1633
157 (atomicturtle) - agent management cleanup, rootcheck/syscheck data is removed on a delete event - PR#1634
158 (ddpbsd) - json output, add prototype for function/ fixing compile warnings - PR#1636
159 (ddpbsd) - json output, cleanup for unused variables - PR#1637
160 (ddpbsd) - ossec-maild, remove legacy sms output type - PR#1638
161 (ddpbsd) - agent_control, usage output update - PR#1640
162 (jubois) - dotests.sh, Improved dotests.sh output - PR#1641
163 (jubois) - Correct tests in contrib/logtesting - PR#1645
164 (atomicturtle) - ossec-analysisd, fix for analysisd segfault in overwrite rule condition - PR#1649
165 (atomicturtle) - ossec-csyslogd, fix for size returned from a tcp syslog event - PR#1653
166 (jubois) - fix compilation warnings - PR#1654
167 (knqyf263) - ossec-maild, fix for email being sent infinitely - PR#1658
170 OSSEC changelog (3.1.0) <scott@atomicorp.com>
175 Scott R. Shinn (Atomicorp, Inc.)
180 Special thanks on this release go out to:
181 davestoddard for an amazingly well thought out, and well documented update to the networking code
182 Bob-Andrews for the largest update to the auditing system in the project history
183 phamvoung for resolving some very subtle bugs and high profile issues with the authd daemon
185 We'd also like to thank all the other fantastic contributors to the project, whom are referenced in parenthesis in the changelog. We cannot thank you enough!
191 (davestoddard) Modification to Correct IP Connectivity Issues on BSD Servers PR #1412
194 (Bob-Andrews) - linux_usbdetect_rules.xml, ms1016_usbdetect_rules.xml, ms_firewall_rules.xml
195 (Bob-Andrews) - Added ms_ipsec_rules PR #1549
196 (Bob-Andrews) - Rootchecks for Debian 7+8, cis_debianlinux7-8_L1_rcl.txt, cis_debianlinux7-8_L2_rcl.txt, cis_win10_enterprise_L1_rcl.txt, cis_win10_enterprise_L2_rcl.txt PR #1531
197 (Bob-Andrews) - acsc_office2016_rcl.txt, Added rootcheck PR #1510
198 (Bob-Andrews) - added cis_win2016_memberL1_rcl.txt, cis_win2016_memberL2_rcl.txt PR #1496
199 (Bob-Andrews) - cis_win2012r2_memberL1_rcl.txt, Added Check Description/Alert PR #1495
200 (ddpbsd) - additional sshd decoders PR #1480
201 (ddpbsd) - basic support for Dnsmasq PR #1461
204 (iasdeoupxe) - host-deny.sh: Move duplicate entry check into the add action PR #1554
205 (iasdeoupxe) - host-deny.sh: Use consistent indentation PR #1553
206 (iasdeoupxe) - host-deny.sh: Remove unnecessary echo for duplicated entry PR #1552
207 (Bob-Andrews) - Added new id ranges for linux usb detection rules, ms1016 usb detection rules and ms firewall rules from PR #1543
208 (Bob-Andrews) - Corrected IDs to a non user defined range PR #1547 (psad_rules.xml, sysmon_rules.xml, unbound_rules.xml)
209 (c0r3dump3d) - Correct and expand spanish translation PR #1541
210 (ddpbsd) - Adjust the tests for sysmon rules PR #1548
211 (MangyCoyote) - install.sh - case for s-nail patch can't be applied if `mail` is not installed PR #1539
212 (atomicturtle) - ossec-authd Fix for foreground flags PR #1538
213 (atomicturtle) - ossec-authd Add -f foreground flag support PR #1537
214 (featzor) - psad signature match level 6 PR #1517
215 (Bob-Andrews) - Corrected rootcheck CIS tests for cis_win2012r2_domainL2_rcl.txt, is_win2012r2_memberL2_rcl.txt, cis_win2016_domainL2_rcl.txt PR #1521
216 (franciosi) - Updated README.md, correts small typos PR #1519
217 (ddpbsd) - Fix the subject handling. Issue submitted by Michael Starks #1370 PR #1377
218 (foygl) - ossec-slack.sh, Fix and clean up output for Slack integration PR #1508
219 (ddpbsd) - From issue #1514, a duplicate `_gsid1 == 0` -> `_gsid0 == 0` PR #1515
220 (Bob-Andrews) - cis_win2016_domainL1_rcl.txt, Corrected Check - Registry Hive PR #1511
221 (ashley-dunn) - Fix "bellow" typos in ossec-[client|local|server].sh files PR #1512
222 (ddpbsd) - Fix the log location in the ossec-slack AR script. PR #1422
223 (phamvuong) - BUGFIX: remove default value for authpass PR #1464
224 (calve) - Bump version definition in defs.h PR #1504
225 (ddpbsd) - More coverity fixes PR #1497
226 (ddpbsd) - Modify status() to not return 1 when maild is not running PR #1501
227 (ddpbsd) - Coverity fixes PR #1490
228 (Bob-Andrews) - Moved file to ossec-hids/ src/rootcheck/db/ PR #1493
229 (ddpbsd) - Make sure there's room for the full alert id in json alerts PR #1487
230 (ddpbsd) - Fix an issue in the nodiff option which could ignore files it isn't supposed to PR #1486
231 (ddpbsd) - Hard coded user/group changed to appropriate variables PR #1484
232 (ddpbsd) - Add FreeBSD's php.ini location to rootcheck db PR #1483
233 (ddpbsd) - Replace hard coded directories with the appropriate variables PR #1482
234 (ddpbsd) - When trying to bind to a local address, present the error on failure. PR #1457
235 (ddpbsd) - version_bump.sh Quick script to make version bumping easier PR #1532
236 (phamvuong) - Call select() before checking active socket PR #1529
237 (stephengroat) - use nicer looking travis build badge PR #1460
238 (stevhsu) - Correct lua version variable PR #1459
243 OSSEC changelog (3.0.0) <scott@atomicorp.com>
248 Scott R. Shinn (Atomicorp, Inc.)
251 SQLite support for syscheck
252 PR #1091 - whitelist for files in sqlite DB
253 PR #1364 - add some ifdefs for the md5 whitelist database (USE_SQLITE)
258 Add Pagerduty Active response
263 PR #890 / #873 - Dichotomic search to add agents with authd
264 PR #1154 / #1210 - password support
265 PR #1161 - avoid IP duplication, time limit agent deletion with duplicate IP, and option for re-using an agent ID
266 PR #1190 - Exit handler for authd to delete PID file
267 PR #1208 - add cipher configuration support
269 zlib update to 1.2.11
272 ossec-agent selinux module
276 PR #1170 - add agent-auth.exe support
278 add tcp support for agent communications
281 GeoIP support in rules and events
282 PR #840 - Support in alerts
283 PR #927 - add geoip support to JSON output analysisd.geoip_jsonout=0
284 PR #929 - Modify rule token different_geoip rule to different_srcgeoip
285 PR #984 - fix some geoIP bugs
286 PR #1108 - decoder fixes
289 Bugfix #947 - Escape the '.' in the grep for '.ALERTLAST' #947
290 Bugfix #959 - silent curl in ossec-slack
292 Decoders filename attribute
293 PR #915 - A few fixes, but most importantly the ability to set the filename attribute from a decoder. This will help create automated pipelines for FIM Verification. I currently need to compare FIM events against 1) Puppet, 2) GIT, and 3) RPM. This patch allows FIM events to be intercepted by my custom FIM Verification script, which generates logging events which OSSEC can read and turn back into an event with the filename attribute set.
299 PR #1297 / #1335 - update named rules
300 PR #1324 - Bitcoin wallet scans to suspicious URLs
301 PR #1356 - Openbsd DHCP rules
306 Bugfix #42 - Add option to use unaltered hashes with Windows syscheck
307 Bugfix #210 - Time option in rules is rejecting valid syntax.
308 Bugfix #425 - manage_agents unable to access /dev/random due to chroot
309 Bugfix #454 - Prevent manage_agents from chrooting in bulk mode
310 Bugfix #780 - Compile warning (and potential segfault) after merge from calve/do_not_show_diff
311 Bugfix #829 - Segmentation fault at logcollector
312 Bugfix #888 - Pull Request #840 reverts some ipv6 support
313 Bugfix #869 - ossec-agentd is unable to unmerge files
314 Bugfix #892 - Contrib tools need to be updated for IPv6.
315 Bugfix #911 - "any" is broken after change to sacmp for ipv4 networks #911
316 Bugfix #913 - logcollector goes into loop when a NULL is in the log
317 Bugfix #960 - do not attempt to start ossec-maild when it is enabled
318 Bugfix #961 - fix for open file handle when rotating alerts.json
319 Bugfix #976 - win32: 2 values in internal_options.conf ignored
320 Bugfix #994 - rootcheck, fix for false positive trojaned /bin/grep
321 Bugfix #998 - IPv6 triggers Rule 1002
322 Bugfix #1065 - fix for negating IP/CIDR rules
323 Bugfix #1084 - fix a double free
324 Bugfix #1106 - ossec-remoted, Fix for clang checks, and a potential DOS caused by a warning
325 Bugfix #1142 - CEF field uniqueness fix
326 Bugfix #1145 - if getaddrinfo fails with WAI_FAMILY try ipv4
327 Bugfix #1165 - rpm spec files generate ossec user and group in user space
328 Bugfix #1180 - Add last events (previous output) to JSON output
329 Bugfix #1205 - Avoid EOL conversion of received files in the windows receiver
330 Bugfix #1227 - Fix for daily reports not being sent
331 Bugfix #1237 - Custom CFLAGS/CXXFLAGS/LDFLAGS support
332 Bugfix #1274 - ossec-authd, ipv6 returns an invalid key
333 Bugfix #1278 - Use getent to check for users/group
334 Bugfix #1366 - Update to rule ID map
335 Bugfix #1370 - Bugfix for full subject handling
339 PR #770 - ossec-dbd, postgresql fixes on the user colume, schema, and not null conditions
340 PR #778 - syscheck, Selective opening mode to extract file hash #778
341 PR #792 - Check for a null from malloc
342 PR #802 - ossec-dbd, allow for longer entries in the system.information column
343 PR #804 - ossec-dbd, allow for mysql/postgres format changing based on MYSQLDB/POSTGDB
344 PR #806 - ossec-reportd, report fixes on IP and user fields
345 PR #808 - Igngore openBSD's random seed
346 PR #824 - ossec-dbd, fix for mysql/postgres insert condition
347 PR #839 - JSON output, Add group field to json output
348 PR #843 - Add support for CZMQ v3
349 PR #848 - Fixed bug at logcollector that inhibited alerts about file reduction
350 PR #849 - ossec-maild, Format string security fix
351 PR #855 - Fixed memory error on CDB lists management
352 PR #859 - added utils to rename an agent or change its IP address (rename_agent.sh, renumber_agent.sh)
353 PR #862 - ossec-analysisd, fixed memory leaks
354 PR #864 - There is an error when running ossec-logtest to test rules with check_diff, since it doesn't change root directory and tries to create a directory at/queue/diff`.
355 PR #866 - JSON output, Add timestamp for events
356 PR #881 - Add debugging output to active repsonse xml config read
357 PR #883 - Bugfix for agents failing to bind to a specific local IP address and the server is specified by hostname.
358 PR #887 - agent status needs to be verified before using agt->lip
359 PR #893 - Prelude IDS support, Do not use absolute indexes in prelude fields
360 PR #899 - manage_agents, OSSEC agent IDs can only be numbers but they are treated as strings. Because of this, it's possible to add the agent "00" and "000", or "1" and "00001" at the same time, and they can be confused on extracting keys or on deleting agents.
361 PR #909 - ossec-logtest, Bugfix for decoders.d/rules.d segfault
362 PR #910 - Update intcheck_op.c
363 PR #912 - update validate_op.c
364 PR #918 - ossec-logtest, add -q "quiet" flag support
365 PR #920 - Bugfixes for OS_IPFound, OS_IPFoundList, OS_IsValidIP. #920
366 PR #921 - JSON output, This removes the double addition of the 'action' field and adds a few other interesting fields that I need for my analysis in ELK. Most notably, the rule.group is now passed out via the zmq output.
367 PR #923 - ossec-dbd, fix SQLi in al_data->location
368 PR #928 - ossec-logtest, add geoip to logtest output
369 PR #930 - fix memory leak in decode-xml.c
370 PR #931 - Custom output, fix common realloc mistake in custom_output_search_replace.
371 PR #934 - Create OSSEC users and group as system members
372 PR #944 - Don't pass null variables to snprintf.
373 PR #950 - Exclude btrfs-Filesystem from searching for hidden files inside directorie
374 PR #953 - Prevent manage_agents from doing invalid actions on interactive mode
375 PR #964 - Csyslogd patch for sending additional FIM event information
376 PR #991 - set default AR level to 7
377 PR #1003 - JSON output, bugfix for duplicated group field
378 PR #1004 - memory fixes in XML decoding, no-terminated strings, and searchAndReplace()
379 PR #1016 - bugfix that prevents ossec-control from starting ossec-maild on server
380 PR #1017 - ossec-remoted, fix for openbsd canary violation
381 PR #1020 - Allow notify_timeout to be configured server-side. #1020
382 PR #1021 - Windows Agent, fix for build related issues
383 PR #1027 -Fx for the "USER_AGENT_CONFIG_PROFILE" preloaded-vars.conf file usage. This fixes that and adds a profile config line if the variable is defined. Very useful for unattended installs or binary installs.
384 PR #1089 - Retire picviz support
385 PR #1090 - JSON output, add "id" to the json log
386 PR #1093 - pf.sh, update support FreeBSD, OpenBSD, and Darwein
387 PR #1097 - ossec-batch-manager.pl, support "any" IP address
388 PR #1099 - AR, prevent duplication in hosts.deny
389 PR #1100 - Windows agent, Open received files in binary mode cause of cr/lf and let hashes match.
390 PR #1102 - JSON output, Fix timestamp
391 PR #1116 - ossec-remoted, systemd support
392 PR #1135 - ossec-dbd, UMYSQL_DATABASE_ENABLED does not exist in the tree except this one place.
393 PR #1137 - Windows agent, administrators group might not be present on non-english installs
394 PR #1148 - Update for gmake to compile on Solaris 11.2
395 PR #1149 - Update adduser.sh for Solaris 11.2
396 PR #1158 - Update shell on ossec-hids-solaris.init Solaris 11.2
397 PR #1159 - Update Makefile for Solaris
398 PR #1179 - ossec-dbd, fix readme display IP as string
399 PR #1235 - spelling fixes
400 PR #1238 - fix for edead oop in hash_op.c
401 PR #1255 - syscheck, update windows syscheck directories
402 PR #1256 - ossec-dbd, use port for postgresql connections
403 PR #1257 - rootcheck, make sleep interval configurable (rootcheck.sleep)
404 PR #1258 - adduser.sh, fix the useradd and groupadd script for openbsd
405 PR #1262 - agentless ssh.exp, remove the P's entirely to support upper and lower case
406 PR #1304 - syscheck, Don't display the errno, show the error message
407 PR #1307 - Allow alerts.log to be turned off (DOUBLE CHECK, THIS WAS REVERTED)
408 PR #1322 - rootcheck, mysql/mariadb auditing checks
409 PR #1336 - Disable warning on OS_PassEmptyKeyfile
410 PR #1342 - remove execute flag on rules and config files
411 PR #1343 - Makefile fix ar warning
412 PR #1344 - add option to exclude lua and use system zlib
413 PR #1345 - gitignore, Ignore zlib paths
414 PR #1347 - Fix compiler warnings: Wall, Wextra
415 PR #1374 - Bugfix for AIX building
416 PR #1382 - added rootcheck file for apache 2.2/2.4