==OSSEC v1.6 CHANGELOG (Sep 02, 2008)==

We are pleased to announce the general availability of OSSEC version 1.6. As always, this version comes with lots of bug fixes and new features.

Changelog:

-Added support for Microsoft Vista/Server 2008.
-Added ossec-csyslogd, a client syslog tool to forward OSSEC alerts to remote syslog servers (including SIM/SEMs and log management systems).
-Performance improvements on the Windows event log reader, caching some of the libraries and information.
-Added decoder for OSSEC alerts coming from other OSSEC servers or local instances. It allows a hierarchy of multiple servers forwarding to one central "master".
-Added scan_on_start option to syscheck, to enable or disable the scans that are performed during the agent startup (only works when scan_time or scan_day are set).
-Added syscheck_control script to manage the integrity checking database.
-Added rootcheck_control script to manage the policy/auditing database.
-Added support for McAfee VirusScan Enterprise (thanks to Michael Starks).
-Added support for VMware ESX logs.
-Added the VMware Security hardening guideline to the policy auditing. http://www.ossec.net/wiki/index.php/SecurityHardening_VMwareESX
-Added the CIS benchmark tests for Linux in the policy auditing module.
-Added active response for Windows.
-Fixed init scripts for Suse (by Dennis Golden).
-Fixed bug on rootcheck that was leaving defunct processes on FreeBSD 7 (reported by Chris Buechler).
-Fixed timeout issue on Windows 2003.
-Fixed null route active response script that was not working properly on FreeBSD (reported by Andrew Storms).
-Fixed PF active response (reported by Chris from Bittraffic.com).
-Fixed issue with the host-deny active response script, which was changing the SELinux context of the hosts.deny file (reported by Doug Floer).
-Fixed check for duplicate directories on syscheck (reported by Matthias Schmidt).
-Fixed bug on the syslog pre-decoder when dealing with Aruba logs (thanks to Brett Simpson for the information).
-Added support for modified versions of the proftpd and vsftpd log formats.
-Added keyword "any" to be used on manage_agents when an agent can come from any IP address. It works the same as 0.0.0.0/0, which was not working on previous versions either.
-Fixed bug on the sendmail filter rules that were not parsing all the formats properly (thanks to Joachim Vorrath).
-Added decoders and rules for vm-pop3d (thanks to Chris for the help).
-Added support for Wu-FTPD and Mac OS FTP server logs (thanks to kef_list at ibacom.es for the samples).
-Fixed issue with Linux/s390x that was not working properly with the agent/server communication (thanks to mgoldsberry at gmail.com for the debugging help).
-Added local_decoder.xml and local_internal_options.conf files for local modifications.
-Added support for reading the logs from a pipe (created by syslog-ng and others) (thanks to alex.pease at gmail.com for the patch).
-Fixed bug where the suid, sgid and sticky bits were not being properly shown in the integrity checking reports (thanks to joshua.edmonds at gmail.com for the report).
-Added option to disable firewall logging (analysisd.log_fw on the internal_options.conf file).
-Fixed compilation warnings on Solaris.
-Added init scripts for Solaris and AIX (thanks to Chris Cuevas for the contribution).

Additional fixes reported on our bugzilla:
http://www.ossec.net/bugs/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&long_desc_type=substring&long_desc=fv16&bug_file_loc_type=allwordssubstr&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED

To download the new version:
http://www.ossec.net/main/downloads

We want to thank everyone who sent comments, suggestions or just some nice words to us! We really appreciate the feedback!

Daniel B. Cid (on behalf of the OSSEC team).
http://www.ossec.net/main/about
http://www.ossec.net/announcements/v1.6-2008-09-02.txt
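The following ossec.conf fragment is an added illustration and is not part of the announcement or of the OSSEC distribution. It puts two of the 1.6 additions above side by side: the syscheck scan_on_start option (which only takes effect together with scan_time or scan_day) and a syslog_output block that has ossec-csyslogd forward alerts to a central "master", whose new decoder understands alerts coming from another OSSEC server. The addresses 192.0.2.10 and 192.0.2.20, the port, the alert level, the scan time and the monitored directories are assumed values, and the master-side remote block is an assumed configuration rather than something the announcement describes.

```xml
<!-- Added example configuration; addresses, port, level, time and paths are assumed. -->
<ossec_config>
  <!-- Forwarding server: skip the integrity-check scan at agent startup
       and run a scheduled scan instead. scan_on_start has no effect
       unless scan_time or scan_day is also set. -->
  <syscheck>
    <scan_on_start>no</scan_on_start>
    <scan_time>2am</scan_time>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>

  <!-- Forwarding server: ossec-csyslogd sends alerts of this level and
       above, as syslog messages, to the master at 192.0.2.10 (assumed). -->
  <syslog_output>
    <server>192.0.2.10</server>
    <port>514</port>
    <level>7</level>
  </syslog_output>

  <!-- Master (assumed configuration): accept syslog only from the
       forwarding server at 192.0.2.20 so its alerts reach the
       OSSEC-alert decoder introduced in 1.6. -->
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.20</allowed-ips>
  </remote>
</ossec_config>
```

ossec-csyslogd speaks plain syslog, so the forwarded alerts cross the network unauthenticated and in clear text; keep the master's allowed-ips list tight and run the link over a trusted network or a tunnel, otherwise anyone who can reach the master's syslog port can inject fabricated alerts into the hierarchy.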