Merge branch '4.5'

CHANGELOG.md

@@ -16,7 +16,7 @@ All notable changes to this project will be documented in this file.
 - Added a new wazuh-clusterd task for agent-groups info synchronization. ([#11753](https://github.com/wazuh/wazuh/pull/11753))
 - Added unit tests for functions in charge of getting ruleset sync status. ([#14950](https://github.com/wazuh/wazuh/pull/14950))
 - Added auto-vacuum mechanism in wazuh-db. ([#14950](https://github.com/wazuh/wazuh/pull/14950))
-- Delta events in Syscollector when data gets changed may now produce alerts. ([#10843](https://github.com/wazuh/wazuh/pull/10843)) 
+- Delta events in Syscollector when data gets changed may now produce alerts. ([#10843](https://github.com/wazuh/wazuh/pull/10843))
 
 #### Changed
 
@@ -36,13 +36,15 @@ All notable changes to this project will be documented in this file.
 - Added the update field in the CPE Helper for Vulnerability Detector. ([#13741](https://github.com/wazuh/wazuh/pull/13741))
 - Prevented agents with the same ID from connecting to the manager simultaneously. ([#11702](https://github.com/wazuh/wazuh/pull/11702))
 - wazuh-analysisd, wazuh-remoted and wazuh-db metrics have been extended. ([#13713](https://github.com/wazuh/wazuh/pull/13713))
-- Minimized and optimized wazuh-clusterd number of messages from workers to master related to agent-info and agent-groups tasks. ([#11753](https://github.com/wazuh/wazuh/pull/11753))
+- Minimized and optimized wazuh-clusterd number of messages from workers to master related to agent-info tasks. ([#11753](https://github.com/wazuh/wazuh/pull/11753))
 - Improved performance of the `agent_groups` CLI when listing agents belonging to a group. ([#14244](https://github.com/wazuh/wazuh/pull/14244)
 - Changed wazuh-clusterd binary behaviour to kill any existing cluster processes when executed. ([#14475](https://github.com/wazuh/wazuh/pull/14475))
 - Changed wazuh-clusterd tasks to wait asynchronously for responses coming from wazuh-db. ([#14791](https://github.com/wazuh/wazuh/pull/14843))
 - Use zlib for zip compression in cluster synchronization. ([#11190](https://github.com/wazuh/wazuh/pull/11190))
 - Added mechanism to dynamically adjust zip size limit in Integrity sync. ([#12241](https://github.com/wazuh/wazuh/pull/12241))
 - Deprecate status field in SCA. ([#15853](https://github.com/wazuh/wazuh/pull/15853))
+- Agent group guessing (based on configuration hash) now writes the new group directly on the master node. ([#16066](https://github.com/wazuh/wazuh/pull/16066))
+- Added delete on cascade of belongs table entries when a group is deleted. ([#16098](https://github.com/wazuh/wazuh/issues/16098))
 
 
 #### Fixed
@@ -70,6 +72,7 @@ All notable changes to this project will be documented in this file.
 - Fixed Virustotal integration to support non UTF-8 characters. ([#13531](https://github.com/wazuh/wazuh/pull/13531))
 - Fixed a bug masking as Timeout any error that might occur while waiting to receive files in the cluster. ([#14922](https://github.com/wazuh/wazuh/pull/14922))
 - Fixed a read buffer overflow in wazuh-authd when parsing requests. ([#15876](https://github.com/wazuh/wazuh/pull/15876))
+- Applied workaround for bpo-46309 used in cluster to wazuh-db communication.([#16012](https://github.com/wazuh/wazuh/pull/16012))
 
 #### Removed
 
@@ -141,14 +144,17 @@ All notable changes to this project will be documented in this file.
 - Fixed AWS integration database maintenance error managament. ([#13185](https://github.com/wazuh/wazuh/pull/13185))
 - The default delay at GitHub integration has been increased to 30 seconds. ([#13674](https://github.com/wazuh/wazuh/pull/13674))
 - Logcollector has been fixed to allow locations containing colons (:). ([#14706](https://github.com/wazuh/wazuh/pull/14706))
-- Fixed system architecture reporting in Logcollector on Apple Silicon devices. ([#13835](https://github.com/wazuh/wazuh/pull/13835))
+- Fixed system architecture reporting in Syscollector on Apple Silicon devices. ([#13835](https://github.com/wazuh/wazuh/pull/13835))
 - The C++ standard library and the GCC runtime library is included with Wazuh. ([#14190](https://github.com/wazuh/wazuh/pull/14190))
 - Fixed missing inventory cleaning message in Syscollector. ([#13877](https://github.com/wazuh/wazuh/pull/13877))
 - Fixed WPK upgrade issue on Windows agents due to process locking. ([#15322](https://github.com/wazuh/wazuh/pull/15322))
 - Fixed FIM injection vulnerabilty when using `prefilter_cmd` option. ([#13044](https://github.com/wazuh/wazuh/pull/13044))
 - Fixed the parse of ALB logs splitting `client_port`, `target_port` and `target_port_list` in separated `ip` and `port` for each key. ([14525](https://github.com/wazuh/wazuh/pull/14525))
 - Fixed a bug that prevent processing Macie logs with problematic ipGeolocation values. ([15335](https://github.com/wazuh/wazuh/pull/15335))
 - Fixed GCP integration module error messages. ([#15584](https://github.com/wazuh/wazuh/pull/15584))
+- Fixed an error that prevented the agent on Windows from stopping correctly. ([#15575](https://github.com/wazuh/wazuh/pull/15575))
+- Fixed Azure integration credentials link. ([#16140](https://github.com/wazuh/wazuh/pull/16140))
+
 
 #### Removed
 
@@ -219,7 +225,7 @@ All notable changes to this project will be documented in this file.
 - Deprecated `GET /agents/{agent_id}/group/is_sync` endpoint. ([#12365](https://github.com/wazuh/wazuh/issues/12365))
 - Deprecated `GET /manager/stats/analysisd`, `GET /manager/stats/remoted`, `GET /cluster/{node_id}stats/analysisd`, and `GET /cluster/{node_id}stats/remoted` API endpoints. ([#14230](https://github.com/wazuh/wazuh/pull/14230))
 
-### Ruleset 
+### Ruleset
 
 #### Added
 
@@ -241,13 +247,13 @@ All notable changes to this project will be documented in this file.
 - Updated 0580-win-security_rules.xml rules. ([#13579](https://github.com/wazuh/wazuh/pull/13579))
 - Updated Wazuh MITRE ATT&CK database to version 11.3. ([#13622](https://github.com/wazuh/wazuh/pull/13622))
 - Updated detection rules in 0840-win_event_channel.xml. ([#13633](https://github.com/wazuh/wazuh/pull/13633))
-- SCA policy for Ubuntu Linux 20.04 rework. ([#15070](https://github.com/wazuh/wazuh/pull/15070)) 
+- SCA policy for Ubuntu Linux 20.04 rework. ([#15070](https://github.com/wazuh/wazuh/pull/15070))
 - Updated Ubuntu Linux 22.04 SCA Policy with CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0. ([#15051](https://github.com/wazuh/wazuh/pull/15051))
 
 #### Fixed
 
 - Fixed OpenWRT decoder fixed to parse UFW logs. ([#11613](https://github.com/wazuh/wazuh/pull/11613))
-- Bug fix in wazuh-api-fields decoder. ([#14807](https://github.com/wazuh/wazuh/pull/14807)) 
+- Bug fix in wazuh-api-fields decoder. ([#14807](https://github.com/wazuh/wazuh/pull/14807))
 - Fixed deprecated MITRE tags in rules. ([#13567](https://github.com/wazuh/wazuh/pull/13567))
 - SCA checks IDs are not unique. ([#15241](https://github.com/wazuh/wazuh/pull/15241))
 - Fixed regex in check 5.1.1 of Ubuntu 20.04 SCA. ([#14513](https://github.com/wazuh/wazuh/pull/14513))

api/api/spec/spec.yaml

@@ -45,7 +45,7 @@ info:
   title: 'Wazuh API REST'
   license:
     name: 'GPL 2.0'
-    url: 'https://github.com/wazuh/wazuh/blob/4.4/LICENSE'
+    url: 'https://github.com/wazuh/wazuh/blob/v4.4.1/LICENSE'
 
 servers:
   - url: '{protocol}://{host}:{port}'
@@ -2020,16 +2020,6 @@ components:
                     n_synced_chunks:
                       type: integer
                       format: int32
-                last_sync_agentgroups:
-                  type: object
-                  properties:
-                    date_start_master:
-                      type: string
-                    date_end_master:
-                      type: string
-                    n_synced_chunks:
-                      type: integer
-                      format: int32
                 last_sync_integrity:
                   type: object
                   properties:
@@ -2054,8 +2044,6 @@ components:
                           format: int32
                 sync_agent_info_free:
                   type: boolean
-                sync_agent_groups_free:
-                  type: boolean
                 sync_integrity_free:
                   type: boolean
 
@@ -7076,7 +7064,7 @@ paths:
                 api_version: "v4.3.0"
                 revision: '40100'
                 license_name: "GPL 2.0"
-                license_url: "https://github.com/wazuh/wazuh/blob/4.4/LICENSE"
+                license_url: "https://github.com/wazuh/wazuh/blob/v4.4.1/LICENSE"
                 hostname: "wazuh"
                 timestamp: "2019-04-02T08:08:11Z"
 
@@ -9231,8 +9219,8 @@ paths:
                           code: 1707
                           message: "Cannot send request, agent is not active"
                           remediation: "Please, check non-active agents connection and try again.
-                           Visit https://documentation.wazuh.com/current/user-manual/registering/index.html
-                           and https://documentation.wazuh.com/current/user-manual/agents/agent-connection.html
+                           Visit https://documentation.wazuh.com/4.4/user-manual/registering/index.html
+                           and https://documentation.wazuh.com/4.4/user-manual/agents/agent-connection.html
                            to obtain more information on registering and connecting agents"
                         id:
                           - '009'
@@ -9641,15 +9629,10 @@ paths:
                             extra_valid: 0
                             shared: 0
                         sync_agent_info_free: true
-                        sync_agent_groups_free: true
                         last_sync_agentinfo:
                           date_start_master: 2021-05-27T10:50:49.174463Z
                           date_end_master: 2021-05-27T10:50:49.175921Z
                           n_synced_chunks: 1
-                        last_sync_agentgroups:
-                          date_start_master: 2021-05-27T10:50:49.174463Z
-                          date_end_master: 2021-05-27T10:50:49.175921Z
-                          n_synced_chunks: 1
                         last_keep_alive: 2021-05-27T10:50:08.985208Z
                     - info:
                         name: worker2
@@ -9673,15 +9656,10 @@ paths:
                             extra_valid: 0
                             shared: 0
                         sync_agent_info_free: true
-                        sync_agent_groups_free: true
                         last_sync_agentinfo:
                           date_start_master: 2021-05-27T10:50:48.832800Z
                           date_end_master: 2021-05-27T10:50:48.833854Z
                           n_synced_chunks: 1
-                        last_sync_agentgroups:
-                          date_start_master: 2021-05-27T10:50:48.832800Z
-                          date_end_master: 2021-05-27T10:50:48.833854Z
-                          n_synced_chunks: 1
                         last_keep_alive: 2021-05-27T10:50:18.650204Z
                   total_affected_items: 3
                   total_failed_items: 0
@@ -10310,7 +10288,6 @@ paths:
                         synchronization:
                           enabled: yes
                           interval: "5m"
-                          max_interval: "1h"
                           max_eps: 10
                       command:
                         - name: disable-account

architecture/FIM/db/001-class-testtool.puml

@@ -0,0 +1,61 @@
+' Copyright (C) 2015, Wazuh Inc.
+' Created by Wazuh, Inc. <[email protected]>.
+' This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+@startuml class-testtool
+title FIMDB - Test tool
+package "testtool" <<folder>> #DDDDDD {
+    package "action" <<Folder>> {
+        abstract IAction {
+            + void execute()
+            + void ~IAction()
+        }
+        class "RemoveFileAction" {
+            +void execute()
+        }
+        class "GetFileAction" {
+            +void execute()
+        }
+        class "CountEntriesAction" {
+            +void execute()
+        }
+        class "UpdateFileAction" {
+            +void execute()
+        }
+        class "SearchFileAction" {
+            +void execute()
+        }
+        class "RunIntegrityAction" {
+            +void execute()
+        }
+        class "PushMessageAction" {
+            +void execute()
+        }
+        class "StartTransactionAction" {
+            +void execute()
+        }
+        class "SyncTxnRowsAction" {
+            +void execute()
+        }
+        class "GetDeletedRowsAction" {
+            +void execute()
+        }
+    }
+    interface "Main" <<(F,#FF7700)>> {
+        +void main()
+    }
+}
+
+IAction <|-- RemoveFileAction
+IAction <|-- GetFileAction
+IAction <|-- CountEntriesAction
+IAction <|-- UpdateFileAction
+IAction <|-- SearchFileAction
+IAction <|-- RunIntegrityAction
+IAction <|-- PushMessageAction
+IAction <|-- StartTransactionAction
+IAction <|-- SyncTxnRowsAction
+IAction <|-- GetDeletedRowsAction
+Main -- IAction
+@enduml
+

architecture/FIM/db/002-sequence-testtool.puml

@@ -0,0 +1,21 @@
+' Copyright (C) 2015, Wazuh Inc.
+' Created by Wazuh, Inc. <[email protected]>.
+' This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+@startuml Test tool - Sequence Diagram
+title FIMDB - Test tool
+
+actor FIMDBTestTool as tool
+participant Configuration as config
+participant IAction as action
+database Output as output
+
+tool -> config : Get Configuration
+config --> tool
+tool -> tool : Initialize
+loop n-actions
+tool -> action : Execute action
+action -> output : Write action output
+action --> tool
+end
+@enduml

architecture/FIM/db/ER-diagram.puml

@@ -0,0 +1,63 @@
+@startuml ER FIM DB
+
+entity "file_entry" {
+  path : text **<<PK>>**
+  --
+  mode : integer
+  last_event : integer
+  scanned : integer
+  options : integer
+  checksum : text
+  dev : integer
+  inode : integer
+  size : integer
+  perm : text
+  attributes : text
+  uid : integer
+  gid : integer
+  user_name : text
+  group_name : text
+  hash_md5 : text
+  hash_sha1 : text
+  hash_sha256 : text
+  mtime : integer
+}
+
+entity "registry_key" {
+  path : text **<<PK>>**
+  arch : text **<<PK>>**
+  --
+  perm : text 
+  uid : integer
+  gid : integer
+  user_name : text
+  group_name : text
+  mtime : integer
+  scanned : integer
+  last_event : integer
+  checksum : text
+  hash_full_path : text
+}
+
+entity "registry_data" {
+  path : text **<<PK>>**
+  arch : text **<<PK>>**
+  name : text **<<PK>>**
+  --
+  registry_key_path **<<FK>>**
+  registry_key_arch **<<FK>>**
+  type : integer
+  size : integer
+  hash_md5 : text
+  hash_sha1 : text
+  hash_sha256 : text
+  scanned : integer
+  last_event : integer
+  checksum : text
+  hash_full_path : text
+}
+registry_data }o--|| registry_key
+
+
+@enduml
+

architecture/FIM/db/FIM_sync_algorithm.puml

@@ -0,0 +1,43 @@
+' Copyright (C) 2015, Wazuh Inc.
+' Created by Wazuh, Inc. <[email protected]>.
+' This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+@startuml sequence_diagram_fim_synchronization
+actor "wazuh-agent" as agent
+participant FIM_sync_thread
+participant RSync_thread
+actor "wazuh-manager" as manager
+
+skinparam SequenceGroupBodyBackgroundColor #FFFFFF90
+
+agent -> FIM_sync_thread : FIM sync thread started
+FIM_sync_thread -> RSync_thread : Execute sync
+
+loop #LightSkyBlue Each current interval seconds
+    alt If at least "response timeout"\n seconds since last sync message
+        alt If last sync was successful
+            FIM_sync_thread -> FIM_sync_thread: Reset current interval
+        end
+        FIM_sync_thread -> RSync_thread : Execute sync
+    else
+        FIM_sync_thread -> FIM_sync_thread: Duplicate current interval
+        alt If max interval reached
+            FIM_sync_thread -> FIM_sync_thread: Limit interval to maximum configured
+        end
+    end
+end loop
+
+group #LightSkyBlue sync function
+    RSync_thread -> manager : First sync msg\n("integrity_check_global"\nor "integrity_clear")
+    alt
+        manager -> RSync_thread : Manager response msg
+        RSync_thread -> manager : Agent "state" msg
+        note over RSync_thread, manager
+        Synchronization is considered successful
+        when these messages are not exchanged
+        between manager and agent
+        end note
+    end
+end
+
+@enduml