Merge pull request #6935 from wazuh/merge-4.7.2-into-4.7

Merge 4.7.2 into 4.7

CHANGELOG.md

@@ -1,6 +1,20 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## [v4.7.2]
+
+### Added
+
+- Added custom role creation steps to GCP credentials configuration section. ([#6837](https://github.com/wazuh/wazuh-documentation/pull/6837))
+- Added a subsection for alert visualization in AWS Security Lake. Added a note about time to display alerts. ([#6838](https://github.com/wazuh/wazuh-documentation/pull/6838))
+- Added ``urllib3==1.26.18`` dependency to Docker installation steps. ([#6824](https://github.com/wazuh/wazuh-documentation/pull/6824))
+
+### Changed
+
+- Added minimum configuration reading permissions to RBAC section use case. ([#6850](https://github.com/wazuh/wazuh-documentation/pull/6850))
+- Updated AWS profile configuration instructions. ([#6803](https://github.com/wazuh/wazuh-documentation/pull/6803))
+- Updated configuration step in Yara use case and Apache web server installation step in Malware detection PoC. ([#6894](https://github.com/wazuh/wazuh-documentation/pull/6894))
+
 ## [v4.7.1]
 
 ### Added

source/_static/js/redirects.js

@@ -69,6 +69,7 @@ newUrls['4.7'] = [
   '/getting-started/use-cases/posture-management.html',
   '/release-notes/release-4-7-0.html',
   '/release-notes/release-4-7-1.html',
+  '/release-notes/release-4-7-2.html',
   '/cloud-security/azure/posture-management.html',
   '/cloud-security/gcp/posture-management.html',
 ];

source/_variables/settings.py

@@ -21,7 +21,7 @@
 # The full version, including alpha/beta/rc tags
 # Important: use a valid branch (4.0) or, preferably, tag name (v4.0.0)
 
-release = '4.7.1'
-api_tag = 'v4.7.1'
+release = '4.7.2'
+api_tag = 'v4.7.2'
 
 apiURL = 'https://raw.githubusercontent.com/wazuh/wazuh/'+api_tag+'/api/api/spec/spec.yaml'

source/cloud-security/amazon/services/prerequisites/considerations.rst

@@ -74,12 +74,14 @@ Users can customize two retry configurations.
 
 -  ``max_attempts``: The maximum number of attempts including the initial call. This configuration can override the default value set by the retry mode.
 
-You can specify the retry configuration in the ``~/.aws/config`` `configuration file <https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#using-a-configuration-file>`__. The profile section must include the ``max_attempts``, ``retry_mode``, and ``region`` settings. It is important to use the same profile as the one you chose as your :ref:`authentication method <authentication_method>`. If the authentication method doesn't have a profile, then the ``[Default]`` profile must include the configurations. In case the system doesn't have this file, the `aws-s3` Wazuh module defines the following values by default:
+You can specify the retry configuration in the ``~/.aws/config`` `configuration file <https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#using-a-configuration-file>`__. The profile section must include the ``max_attempts``, ``retry_mode``, and ``region`` settings.
+
+It's important to match this profile section with the :ref:`authentication method profile <aws_profile>`. If the authentication method lacks a profile, then the ``[default]`` profile section must include the configurations. If the configuration file is missing, the `aws-s3` Wazuh module defines the following values by default:
 
 -  ``retry_mode=standard``
--  ``max_attempts=10``.
+-  ``max_attempts=10``
 
-The following example of a ``~/.aws/config`` file sets retry parameters for the *dev* profile:
+The following example of a ``~/.aws/config`` file sets the retry parameters for the *dev* profile:
 
 .. code-block:: ini
 
@@ -88,13 +90,16 @@ The following example of a ``~/.aws/config`` file sets retry parameters for the
    max_attempts=5
    retry_mode=standard
 
+.. note::
+   When using a profile different to ``default``, ensure the profile name includes the prefix word ``profile``.
+
 Additional configuration
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
 Wazuh supports additional configuration options found in the ``.aws/config file``. The supported keys are the primary keys stated in the `boto3 configuration <https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html>`_. Supported keys are:
 
-- region_name.
-- signature_version.
+- region_name
+- signature_version
 - s3
 - proxies
 - proxies_config
@@ -104,9 +109,12 @@ The following example of a ``~/.aws/config`` file sets the supported configurati
 
 .. code-block:: ini
 
-   [dev]
+   [profile dev]
    region = us-east-1
    output = json
+   max_attempts = 5
+   retry_mode = standard
+
    dev.s3.max_concurrent_requests = 10
    dev.s3.max_queue_size = 1000
    dev.s3.multipart_threshold = 64MB
@@ -124,13 +132,12 @@ The following example of a ``~/.aws/config`` file sets the supported configurati
    dev.proxy.client_cert = /path/to/client_cert.pem
    dev.proxy.use_forwarding_for_https = true
 
-   dev.signature_version = s3v4
-   max_attempts = 5
-   retry_mode = standard
+   signature_version = s3v4
 
 .. note::
-   To configure multiple profiles for the integration, declare each profile in the ``~/.aws/config`` file using the same pattern as before.
-   If no profile is declared in the module configuration, the *default* profile is used.
+   All ``s3`` and ``proxy`` configuration sections must start with ``[profile <PROFILE-NAME>]``.
+
+To configure multiple profiles for the integration, declare each profile section in ``~/.aws/config`` with ``[profile <PROFILE-NAME>]``. If you don't declare a profile section in this configuration file, Wazuh uses the ``default`` profile.
 
 Configuring multiple services
 -----------------------------

source/cloud-security/amazon/services/supported-services/security-lake.rst

@@ -185,8 +185,10 @@ Set the configuration inside the section ``<subscriber type="security_lake">``.
 After setting the required parameters, restart the Wazuh manager to apply the changes:
 
 .. include:: /_templates/common/restart_manager.rst
-Please note that the module's time of execution varies depending on the number of notifications present in the queue. If the ``<interval>`` value is less than the required time of execution, the :ref:`Interval overtaken<interval_overtaken_message>` message will be displayed in the ``ossec.log`` file.
 
+.. note::
+
+    The module execution time varies depending on the number of notifications in the queue. This affects the time to display alerts on the Wazuh dashboard. If the ``<interval>`` value is less than the execution time, the :ref:`Interval overtaken <interval_overtaken_message>` message appears in the ``ossec.log`` file.
 
 Parameters
 ^^^^^^^^^^
@@ -213,3 +215,12 @@ Authentication
 
 
 More information about the different authentication methods can be found in the :ref:`Configuring AWS credentials <amazon_credentials>` documentation.
+
+Visualizing alerts in Wazuh dashboard 
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Once you set the configuration and restart the manager, you can visualize the Amazon Security Lake alerts in the Wazuh dashboard. To do this, go to the **Security events** module. Apply the filter ``rule.groups: amazon_security_lake`` for an easier visualization.
+
+    .. thumbnail:: /images/aws/security-lake-1.png
+      :align: center
+      :width: 80%

source/cloud-security/gcp/prerequisites/considerations.rst

@@ -47,9 +47,9 @@ Find an example of running the module on a manager using the ``--reparse`` optio
 
 .. code-block:: console
 
-  # /var/ossec/wodles/gcloud/gcloud --integration_type access_logs -b 'wazuh-example-bucket' -c credentials.json --reparse --only_logs_after '2021-Jun-10' --debug 2
+  # /var/ossec/wodles/gcloud/gcloud --integration_type access_logs -b 'wazuh-example-bucket' -c credentials.json --reparse --only_logs_after '2021-Jun-10' -l 2
 
-The ``--debug 2`` parameter gets a verbose output. This is useful to show the script is working, specially when handling a large amount of data.
+The ``-l 2`` parameter gets a verbose output. This is useful to show the script is working, specially when handling a large amount of data.
 
 
 Configuring multiple Google Cloud Storage bucket

source/cloud-security/gcp/prerequisites/credentials.rst

@@ -13,14 +13,37 @@ In order to make the Wazuh GCP module pull log data from Google Pub/Sub or Googl
 
 To do this, it is recommended to create a service account with the Pub/Sub or Storage permissions and then create a key. It is important to save this key as a JSON file as it will be used as the authentication method for the GCP module.
 
+Creating a custom role
+----------------------
+
+The ``gcp-bucket`` module requires permissions to access storage buckets and objects. To create a role with the required permissions, follow these steps:
+
+#. Go to the **Roles** section and click on **Create Role**.
+#. Establish a **Title** and click on **Add Permissions**.
+#. On the search bar, filter available permissions by typing **Storage Legacy Bucket Writer**. Select the following ones:
+
+   - ``storage.bucket.get``
+   - ``storage.objects.create``
+   - ``storage.objects.delete``
+   - ``storage.objects.list``
+
+#. Click on **Create**.
+
+.. thumbnail:: /images/cloud-security/gcp/gcp-bucket-role.png
+    :align: center
+    :width: 100%
+
 Creating a service account
 --------------------------
 
 Within the **Service Accounts** section, create a new service account and add the following roles depending on which module to use: ``gcp-pubsub``, ``gcp-bucket``, or both.
 
 - For ``gcp-pubsub``, add two roles with *Pub/Sub* permissions: **Pub/Sub Publisher** and **Pub/Sub Subscriber**.
-- For ``gcp-bucket``, add the following role with *Google Cloud Storage bucket* permissions: **Storage Legacy Bucket Writer**.
+- For ``gcp-bucket``, add the following role with *Google Cloud Storage bucket* permissions: **Storage Bucket Writer**.
 
+.. thumbnail:: /images/cloud-security/gcp/gcp-service-account.png
+    :align: center
+    :width: 100%
 
 Creating a private key
 ----------------------

source/proof-of-concept-guide/block-malicious-actor-ip-reputation.rst

@@ -85,7 +85,7 @@ Perform the following steps to install and configure an Apache web server.
 
 #. Install the latest `Visual C++ Redistributable package <https://aka.ms/vs/17/release/vc_redist.x64.exe>`__.
 
-#. Download the Apache web server `ZIP installation file <https://www.apachelounge.com/download/VS16/binaries/httpd-2.4.54-win64-VS16.zip>`__. This is an already compiled binary for Windows operating systems.
+#. Download the Apache web server `ZIP installation file <https://www.apachelounge.com/download/VS17/binaries/httpd-2.4.58-win64-VS17.zip>`__. This is an already compiled binary for Windows operating systems.
 
 #. Unzip the contents of the Apache web server zip file and copy the extracted ``Apache24`` folder to the ``C:`` directory.
 

source/proof-of-concept-guide/monitoring-docker.rst

@@ -41,7 +41,7 @@ Perform the following steps to install Docker on the Ubuntu endpoint and configu
    .. code-block:: console
 
       $ curl -sSL https://get.docker.com/ | sh
-      $ sudo pip3 install docker==4.2.0
+      $ sudo pip3 install docker==4.2.0 urllib3==1.26.18
 
 #. Edit the Wazuh agent configuration file ``/var/ossec/etc/ossec.conf`` and add this block to enable the ``docker-listener`` module:
 

source/release-notes/index-4x.rst

@@ -11,6 +11,7 @@ This section summarizes the most important features of each Wazuh 4.x release.
 =============================================  ====================
 Wazuh version                                  Release date
 =============================================  ====================
+:doc:`4.7.2 </release-notes/release-4-7-2>`    10 January 2024
 :doc:`4.7.1 </release-notes/release-4-7-1>`    20 December 2023
 :doc:`4.7.0 </release-notes/release-4-7-0>`    27 November 2023
 :doc:`4.6.0 </release-notes/release-4-6-0>`    31 October 2023
@@ -62,6 +63,7 @@ Wazuh version                                  Release date
 
    .. toctree::
 
+      4.7.2 Release notes <release-4-7-2>
       4.7.1 Release notes <release-4-7-1>
       4.7.0 Release notes <release-4-7-0>
       4.6.0 Release notes <release-4-6-0>

source/release-notes/index.rst

@@ -11,6 +11,7 @@ This section summarizes the most important features of each Wazuh release.
 ==============================================   ====================
 Wazuh version                                    Release date
 ==============================================   ====================
+:doc:`4.7.2 </release-notes/release-4-7-2>`      10 January 2024
 :doc:`4.7.1 </release-notes/release-4-7-1>`      20 December 2023
 :doc:`4.7.0 </release-notes/release-4-7-0>`      27 November 2023
 :doc:`4.6.0 </release-notes/release-4-6-0>`      31 October 2023

source/release-notes/release-4-7-2.rst

@@ -0,0 +1,113 @@
+.. Copyright (C) 2015, Wazuh, Inc.
+
+.. meta::
+  :description: Wazuh 4.7.2 has been released. Check out our release notes to discover the changes and additions of this release.
+
+4.7.2 Release notes - 10 January 2024
+=====================================
+
+This section lists the changes in version 4.7.2. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases.
+
+What's new
+----------
+
+This release includes new features or enhancements as the following:
+
+Wazuh manager
+^^^^^^^^^^^^^
+
+- `#21142 <https://github.com/wazuh/wazuh/pull/21142>`__ Added minimum time constraint of 1 hour for downloading the Vulnerability Detector feed.
+
+Wazuh agent
+^^^^^^^^^^^
+
+- `#20638 <https://github.com/wazuh/wazuh/pull/20638>`__ Added request timeouts for the external and cloud integrations. This prevents indefinite waiting for a response.
+
+Ruleset
+^^^^^^^
+
+- `#17565 <https://github.com/wazuh/wazuh/pull/17565>`__ Added new SCA policy for Debian 12 systems.
+
+Other
+^^^^^
+
+- `#20798 <https://github.com/wazuh/wazuh/pull/20798>`__ Upgraded external ``aiohttp`` library dependency to version ``3.9.1`` to address a security vulnerability.
+
+Wazuh dashboard
+^^^^^^^^^^^^^^^
+
+- `#6191 <https://github.com/wazuh/wazuh-dashboard-plugins/pull/6191>`__ Added **Hostname** and **Board Serial** information to **Agents** > **Inventory data**.
+- `#6208 <https://github.com/wazuh/wazuh-dashboard-plugins/pull/6208>`__ Added contextual information to the deploy agent steps.
+
+Packages 
+^^^^^^^^
+
+- `#2670 <https://github.com/wazuh/wazuh-packages/pull/2670>`__ Removed installed dependencies that were part of the Wazuh installation assistant. This ensures a clean post-installation state.
+- `#2677 <https://github.com/wazuh/wazuh-packages/pull/2677>`__ Removed ``gnupg`` package as RPM dependency in the Wazuh installation assistant.
+- `#2693 <https://github.com/wazuh/wazuh-packages/pull/2693>`__ Added Debian12 SCA files.
+
+Resolved issues
+---------------
+
+This release resolves known issues as the following: 
+
+Wazuh manager
+^^^^^^^^^^^^^
+
+===========================================================  =============
+ Reference                                                   Description
+===========================================================  =============
+`#21011 <https://github.com/wazuh/wazuh/pull/21011>`__       ``wazuh-remoted`` now logs the warning regarding invalid message size from agents in hex format.
+`#20658 <https://github.com/wazuh/wazuh/pull/20658>`__       Fixed a bug within the Windows Eventchannel decoder to ensure proper handling of Unicode characters.
+`#20735 <https://github.com/wazuh/wazuh/pull/20735>`__       Fixed data validation for decoding Windows Eventchannel XML input strings.
+===========================================================  =============
+
+Wazuh agent
+^^^^^^^^^^^
+
+===========================================================  =============
+ Reference                                                   Description
+===========================================================  =============
+`#20656 <https://github.com/wazuh/wazuh/pull/20656>`__       Implemented validation for the format of the IP address parameter in the ``host_deny`` active response.
+`#20594 <https://github.com/wazuh/wazuh/pull/20594>`__       Fixed a bug in the Windows agent that might lead it to crash when gathering forwarded Windows events.
+`#20447 <https://github.com/wazuh/wazuh/pull/20447>`__       Fixed issue with the ``profile`` prefix in parsing AWS configuration profiles.
+`#20660 <https://github.com/wazuh/wazuh/pull/20660>`__       Fixed parsing and validation for the AWS regions argument, expanding the AWS regions list accordingly.
+===========================================================  =============
+
+Ruleset
+^^^^^^^
+
+===========================================================  =============
+ Reference                                                   Description
+===========================================================  =============
+`#20663 <https://github.com/wazuh/wazuh/pull/20663>`__       Updated AWS Macie rules to show relevant fields in alert details.
+===========================================================  =============
+
+Wazuh dashboard
+^^^^^^^^^^^^^^^
+
+=================================================================================================================================================    =============
+ Reference                                                                                                                                           Description
+=================================================================================================================================================    =============
+`#6185 <https://github.com/wazuh/wazuh-dashboard-plugins/pull/6185>`__                                                                               Fixed Agents preview page load when there are no registered agents.
+`#6206 <https://github.com/wazuh/wazuh-dashboard-plugins/pull/6206>`__, `#6213 <https://github.com/wazuh/wazuh-dashboard-plugins/pull/6213>`__       Changed the endpoint to get Wazuh server auth configuration to ``manager/configuration/auth/auth``.
+`#6224 <https://github.com/wazuh/wazuh-dashboard-plugins/pull/6224>`__                                                                               Fixed error navigating back to agent in some scenarios.
+=================================================================================================================================================    =============
+
+Packages
+^^^^^^^^
+
+=====================================================================     =============
+Reference                                                                 Description
+=====================================================================     =============
+`#2667 <https://github.com/wazuh/wazuh-packages/pull/2667>`_              Fixed warning message when generating certificates.
+=====================================================================     =============
+
+Changelogs
+----------
+
+More details about these changes are provided in the changelog of each component:
+
+- `wazuh/wazuh <https://github.com/wazuh/wazuh/blob/v4.7.2/CHANGELOG.md>`__
+- `wazuh/wazuh-dashboard <https://github.com/wazuh/wazuh-dashboard-plugins/blob/v4.7.2-2.8.0/CHANGELOG.md>`__
+- `wazuh/wazuh-packages <https://github.com/wazuh/wazuh-packages/releases/tag/v4.7.2>`__

source/user-manual/capabilities/container-security/monitoring-docker.rst

@@ -53,7 +53,7 @@ Install dependencies on the Docker server
 
    .. code-block:: console
 
-      # pip3 install docker==4.2.0
+      # pip3 install docker==4.2.0 urllib3==1.26.18
 
 Configure the Wazuh agent
 ^^^^^^^^^^^^^^^^^^^^^^^^^

source/user-manual/capabilities/malware-detection/fim-yara.rst

@@ -72,7 +72,7 @@ Perform the following steps to configure YARA and the FIM module on the monitore
       -H 'Referer: https://valhalla.nextron-systems.com/' \
       -H 'Content-Type: application/x-www-form-urlencoded' \
       -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' \
-      --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111 111111111111111111&format=text' \
+      --data 'demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text' \
       -o /tmp/yara/rules/yara_rules.yar
 
 #. Create a ``/var/ossec/active-response/bin/yara.sh`` file and add the content below: