Release/v11.2.6 (#2025)

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

# Conflicts:
#	frontend/src/environments/environment.ts

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: enhance compliance control configuration with section mapping and DTO updates

* feat: Revert unnecessary changes

* feat: enhance compliance control configuration with section mapping and DTO updates

* feat: refactor compliance query form and related components for improved layout and usability

* feat: implement compliance orchestrator backend client and evaluation logic

* feat: implement compliance orchestrator backend client and evaluation logic

* feat: implement compliance orchestrator backend client and evaluation logic

* feat: provide endpoint for OpenSearch evaluations including latest evaluation calculation per control

* feat: implement compliance orchestrator backend client and evaluation logic

* feat: provide endpoint for OpenSearch evaluations including latest evaluation calculation per control

* feat: refactor compliance evaluation classes and update related mappings

* feat: implement compliance orchestrator backend client and evaluation logic

* feat: refactor compliance evaluation classes and update related mappings

* feat: implement timeline visualization for compliance evaluations with initial chart setup and styling

* feat: implement timeline visualization for compliance evaluations with initial chart setup and styling

* feat: implement timeline visualization for compliance evaluations

* feat: implement timeline visualization for compliance evaluations

* feat: implement timeline visualization for compliance evaluations

* feat: implement timeline visualization for compliance evaluations

* feat: implement timeline visualization for compliance evaluations

* feat: enrich compliance evaluation details with rule, rule value, and hits

* feat: enhance compliance control evaluation with pagination support

* feat: extend control evaluation status with additional states and refine evaluation logic

* feat: add evaluation rule and rule value to compliance evaluation DTO and service

* feat: include evaluation rule and rule value in query evaluation model and logic

* feat: enhance compliance control evaluation with search functionality

* feat: update application version file path for consistency

* fix: implement sorting logic for compliance evaluations

* feat(agent): add native auditd collector for Linux

- Implement native auditd collector using go-libaudit v2 with netlink multicast
- Add enterprise-ready auditd configuration (50-utmstack.rules)
- Respect existing customer audit rules (additive approach)
- Add cleanup on agent uninstall (removes UTMStack rules only)
- Support automatic auditd installation on Debian/Ubuntu/RHEL/Fedora
- Handle migration path for existing auditd installations
- Add distro detection for package manager selection
- Remove legacy beats/filebeat commented code

* feat(filters): add auditd support to linux filter v5.0.0

- Support native auditd collector JSON format (type: auditd)
- Map auditd fields to Standard Event Schema:
  - syscall/category -> action
  - result -> actionResult
  - exe/comm -> origin.process
  - proctitle -> origin.command
  - subj_user -> origin.user
  - cwd -> origin.path
  - exit -> statusCode (cast to int)
- Set default severity 'info' for auditd events
- Preserve numeric IDs in log.* for correlation rules
- Maintain backwards compatibility with journald format

* refactor(filters): remove deprecated system_linux_module.yml

* fix(filters): adjust auditd event severity handling in linux filter

* chore(agent): update version to 11.1.5

* changeset[backend](linux): update linux filter

* fix(agent): prevent auditd buffer overflow with backpressure mitigation

* fix(agent): reduce auditd log noise with threshold and execve filter

- Add 50 event threshold for EventsLost logging (ignore 1-2 event losses)
- Filter execve rules to real users only (auid>=1000, auid!=-1)
- Simplify EventsLost function

* fix(agent): filter false events lost from go-libaudit sequence rollover

* feat(agent): expand auditd rules with log tampering and identity files

* feat[backend](agent): added shell parameter to agent connection

* feat[frontend](agent-console): added shell switch for windows agents (powershell or cmd)

* fix[backend](elastic-service): added space verification before removing elastic-index

* fix[backend](index-removal): added index verification before removal

* fix[backend](index-removal): fixed index state field obtention

* fix[backend](index-removal): fixed compilation errors on index removal

* changeset[backend](o365_visualization): updated o365 file upload visualization

* changeset[backend](o365_visualization): updated o365 file sync downloaded visualization

* changeset[backend](o365_visualization): updated o365 visualizations

* update windows-events filter

* feat[backend](dependencies): updated apache-tika to avoid vulnerable version

* feat[backend](dependencies): updated flying-saucer-pdf dependency and removed unneeded itext dependency

* fix(installer): enhance post-installation error handling and Docker shutdown for security risks

* changeset[backend](windows_filter): updated windows filters

* changeset[backend](windows_rules): updated windows rules

* feat[frotend](dependencies): updated dependencies for security improves

* changeset[backend](windows_rules): updated windows rules data types

* fix(installer): security improvements and code cleanup

   Security fixes:
   - Use crypto/rand instead of math/rand for secret generation
   - SELinux set to permissive instead of disabled (RedHat)
   - PostgreSQL/OpenSearch ports never exposed (use docker exec)
   - Nginx uses ephemeral key instead of INTERNAL_KEY

   Code improvements:
   - Remove unused parameters (GetAdminEmail, ConfigureNginx)
   - Remove dead code (if true condition)
   - Fix typo "fisnished" -> "finished"
   - Simplify PostInstallation (no Docker restart needed)
   - Remove unused dependencies (lib/pq, grequests)

* feat(security): add OpenSearch SSL and authentication support

* feat[backend](updated filters and rules): added a initial process to update logtash filters an rules

* feat: add endpoint to retrieve latest evaluation by control ID

* feat: enhance compliance evaluation mappers to load full Standard object

* feat(soc-ai): add multi-provider LLM support and HTTP API for manual analysis
  - Add support for multiple LLM providers (OpenAI, Anthropic) with URL-based detection
  - Implement generic authentication via customHeaders configuration
  - Add HTTP API server on port 8090 for manual alert submission:
    - POST /api/v1/analyze - Submit alert for async LLM analysis
    - GET /api/v1/metrics - API request metrics
    - GET /health - Health check (unauthenticated)
  - Add X-Internal-Key authentication middleware for protected endpoints
  - Add AutoAnalyze config flag to enable/disable automatic processing
  - Add AnthropicRequest/Response schema types for Claude API format
  - Add ANTHROPIC_API_VERSION constant for required header
  - Clean up unused constants (GPT_API_ENDPOINT, AllowedGPTModels)
  - Fix silent JSON parsing errors with proper logging

* feat(backend): add filters and rules to backend docker image

* fix(backend): update OpenSearch connection to use HTTPS with authentication

* feat(panel): add manual alert analysis endpoint with SSL support

* fix(backend): use analyzeAlert method in UtmAlertServiceImpl

* feat[backend](updated filters and rules): added initial load service

* feat[backend](updated filters and rules): added initial load service

* feat[backend](updated filters and rules): forced systemOwnedMode on rules and filters insertion in initial update

* feat[backend](updated filters and rules): added removed rules and filters routines

* feat[backend](updated filters and rules): forced filters adn rules to follow id convention of system owned rules/filters

* feat[backend](updated filters and rules): set null to invalid module name rules

* changeset[backend](socai): updated socai integration guide configuration

* fix[frontend](integration-guide): fixed cisco asa and firepower commands

* fix[backend](cypherUtil): make key|iv derivation be local instead of static

* fix: correct query parameter for search

* fix: Corrected incorrect behavior in filtering

* fix: update sorting direction for compliance evaluations

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* fix[backend](healthcheck): removed springboot healthcheck to allow custom opensearch client to be used

* fix[backend](initial-setup): improved filter insertion on system load

* fix[backend](initial-setup): improved filter deletion on initial setup

* changeset[backend](data-types,modules): seeded data type - module relation

* fix[backend](initial-setup): improved error handling on failed to insert filter

* fix[backend](initial-setup): fixed filter index error

* fix[backend](initial-setup):added RuleYml to parse rules yml

* fix[backend](rules): fixed rules definitions

* feat[backend](log_events): added logs on every system admin operation

* fix[rules]: remove unused rules

* fix[baclend]: solve sintax problems in rules

* fix[backend]: solved problem with merge

* fix[backend](serialization): add @JsonIgnore to UtmModule lazy collections to prevent HttpMessageNotWritableException

* fix[agent-manager](security): prevent SQL injection in filters, add constant-time
  key comparison, fix cache race condition, and add command timeout

* feat[backend,frontend](incident-response): add shell selection for Windows agents, fix flow agent loading, enforce alert name in triggers, and rename default to dedicated agent

* fix[frontend](soar): remove legacy automation route and update audit link to use flow editor

* refactor(plugins): replace config polling with channel-based configuration updates across cloud integration plugins (AWS, Azure, GCP, O365, Sophos)

* feat[soc-ai]: improve soc-ai integration

* fix[backend,frontend,plugins](integrations): mask sensitive config values, improve validation error messages per provider, and prevent double-encryption

* fix[frontend](integrations): only clear saved tenant changes instead of all pending changes

* fix(modules-config): prevent single plugin failure from blocking all sync

* fix[backend,frontend]: add missing Constants import and remove duplicate variable declaration

* feat: refactor OpenSearch integration with new connection model

* feat: rename compliance configuration changelogs

* fix: correct standardId binding in compliance control create component

* fix[frontend](alert-selection): improved selection/remove alert condition on table

* fix[modules-config](socai): fixed providers configuration

* fix[frontend](socai_module_config): fixed saving state handling

* feat[modules-config](socai): generalized socai connection check and validations

* feat: trigger initial scheduler dispatch when backend configs are present

* fix[frontend](alert-selection): improved selection/remove alert condition on table

* fix[modules-config](socai): fixed providers configuration

* fix[frontend](socai_module_config): fixed saving state handling

* feat[modules-config](socai): generalized socai connection check and validations

* fix[frontend](socai_alert_analyze): updated loading status inmediately after request is maded

* refactor(modules-config): improve resilience and code organization

Add resilient module synchronization:
  - Implement periodic retry mechanism (5-minute interval)
  - Add StartPeriodicRetry for automatic recovery

* feat: rename compliance configuration changelogs

* fix[modules-config](socai): trimmend config values to avoid false positive on config verification

* fix[modules-config](socai): send model on test request to avoid wrong model false positive

* fix[modules-config](socai): add little message on model test to manage wrong models and wronk api keys on the request

* fix[modules-config](socai): manage gemini test response correctly

* fix[frontend](tooltips): moved tooltip position to body so they can be showed above any other copmonent

* fix[frontend](alert-popup): fixed alert popup position

* fix[backend](socai_model): removed model invalidation on custom provider

* fix[frontend](socai-analysis): fixed wait status on socai alert analysis

---------

Co-authored-by: Elena Lopez Milan <elopez@utmstack.com>
Co-authored-by: Yadian Llada Lopez <yadian.llada@gmail.com>
Co-authored-by: AlexSanchez-bit <sanchez.saez.alex01@gmail.com>
Co-authored-by: JocLRojas <joc.l.rojas02@gmail.com>
Co-authored-by: Osmany Montero <osmontero@icloud.com>
Co-authored-by: Alex Sánchez <alex.sanchez@utmstack.com>

Author: 6 people

.github/workflows/reusable-java.yml

@@ -36,6 +36,11 @@ on:
         type: string
         default: "clean install"
         description: "Maven goals to execute"
+      copy_filters_and_rules:
+        required: false
+        type: boolean
+        default: false
+        description: "Copy filters and rules folders to build context"
 
 jobs:
   build:
@@ -99,6 +104,13 @@ jobs:
           username: utmstack
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Copy filters and rules to build context
+        if: ${{ inputs.copy_filters_and_rules }}
+        run: |
+          cp -r filters ./${{ inputs.image_name }}/
+          cp -r rules ./${{ inputs.image_name }}/
+          echo "✅ Copied filters and rules to ./${{ inputs.image_name }}/"
+
       - name: Build and Push the Image
         uses: docker/build-push-action@v6
         with:

.github/workflows/v11-deployment-pipeline.yml

@@ -493,6 +493,7 @@ jobs:
       use_tag_as_version: true
       maven_profile: 'prod'
       maven_goals: 'clean package'
+      copy_filters_and_rules: true
 
   build_frontend:
     name: Build Frontend Microservice

agent-manager/agent/agent_imp.go

@@ -29,13 +29,20 @@ type AgentService struct {
 	AgentStreamMap        map[uint]AgentService_AgentStreamServer
 	AgentStreamMutex      sync.Mutex
 	CacheAgentKey         map[uint]string
-	CacheAgentKeyMutex    sync.Mutex
+	CacheAgentKeyMutex    sync.RWMutex
 	CommandResultChannel  map[string]chan *CommandResult
 	CommandResultChannelM sync.Mutex
 
 	DBConnection *database.DB
 }
 
+func (s *AgentService) ValidateAgentKey(key string, id uint) bool {
+	s.CacheAgentKeyMutex.RLock()
+	defer s.CacheAgentKeyMutex.RUnlock()
+	_, valid := utils.IsKeyPairValid(key, id, s.CacheAgentKey)
+	return valid
+}
+
 func InitAgentService() error {
 	var err error
 	agentServOnce.Do(func() {
@@ -338,20 +345,35 @@ func (s *AgentService) ProcessCommand(stream PanelService_ProcessCommandServer)
 			return status.Errorf(codes.Internal, "failed to send command to agent: %v", err)
 		}
 
-		result := <-s.CommandResultChannel[cmdID]
-		err = s.DBConnection.Upsert(
-			&models.AgentCommand{},
-			"agent_id = ? AND cmd_id = ?",
-			map[string]interface{}{"command_status": models.Executed, "result": result.Result},
-			cmd.AgentId, cmdID,
-		)
-		if err != nil {
-			catcher.Error("failed to update command status", err, map[string]any{"process": "agent-manager"})
-		}
+		select {
+		case result := <-s.CommandResultChannel[cmdID]:
+			err = s.DBConnection.Upsert(
+				&models.AgentCommand{},
+				"agent_id = ? AND cmd_id = ?",
+				map[string]interface{}{"command_status": models.Executed, "result": result.Result},
+				cmd.AgentId, cmdID,
+			)
+			if err != nil {
+				catcher.Error("failed to update command status", err, map[string]any{"process": "agent-manager"})
+			}
 
-		err = stream.Send(result)
-		if err != nil {
-			return err
+			err = stream.Send(result)
+			if err != nil {
+				return err
+			}
+		case <-time.After(5 * time.Minute):
+			s.CommandResultChannelM.Lock()
+			delete(s.CommandResultChannel, cmdID)
+			s.CommandResultChannelM.Unlock()
+
+			_ = s.DBConnection.Upsert(
+				&models.AgentCommand{},
+				"agent_id = ? AND cmd_id = ?",
+				map[string]interface{}{"command_status": models.Error, "result": "command timed out after 5 minutes"},
+				cmd.AgentId, cmdID,
+			)
+
+			return status.Errorf(codes.DeadlineExceeded, "agent did not respond within 5 minutes")
 		}
 
 		s.CommandResultChannelM.Lock()

agent-manager/agent/collector_imp.go

@@ -43,13 +43,20 @@ type CollectorService struct {
 	CollectorConfigsCache     map[uint][]*CollectorConfigGroup
 	CollectorConfigsCacheM    sync.Mutex
 	CacheCollectorKey         map[uint]string
-	CacheCollectorKeyMutex    sync.Mutex
+	CacheCollectorKeyMutex    sync.RWMutex
 	CollectorPendigConfigChan chan *CollectorConfig
 	CollectorTypes            []enum.UTMModule
 
 	DBConnection *database.DB
 }
 
+func (s *CollectorService) ValidateCollectorKey(key string, id uint) bool {
+	s.CacheCollectorKeyMutex.RLock()
+	defer s.CacheCollectorKeyMutex.RUnlock()
+	_, valid := utils.IsKeyPairValid(key, id, s.CacheCollectorKey)
+	return valid
+}
+
 func InitCollectorService() {
 	collectorServOnce.Do(func() {
 		CollectorServ = &CollectorService{

agent-manager/agent/interceptor.go

@@ -2,7 +2,7 @@ package agent
 
 import (
 	"context"
-	_ "errors"
+	"crypto/subtle"
 	"fmt"
 	"strconv"
 	"strings"
@@ -79,11 +79,11 @@ func authHeaders(md metadata.MD, fullMethod string) error {
 		typ := strings.ToLower(connectorType[0])
 		switch typ {
 		case "agent":
-			if _, isValid := utils.IsKeyPairValid(key, uint(id), AgentServ.CacheAgentKey); !isValid {
+			if !AgentServ.ValidateAgentKey(key, uint(id)) {
 				return status.Error(codes.PermissionDenied, "invalid key")
 			}
 		case "collector":
-			if _, isValid := utils.IsKeyPairValid(key, uint(id), CollectorServ.CacheCollectorKey); !isValid {
+			if !CollectorServ.ValidateCollectorKey(key, uint(id)) {
 				return status.Error(codes.PermissionDenied, "invalid key")
 			}
 		default:
@@ -102,7 +102,7 @@ func authHeaders(md metadata.MD, fullMethod string) error {
 }
 
 func isInternalKeyValid(token string) bool {
-	return token == config.InternalKey
+	return subtle.ConstantTimeCompare([]byte(token), []byte(config.InternalKey)) == 1
 }
 
 func isInRoute(route string, list []string) bool {

agent-manager/agent/parser.go

@@ -100,7 +100,11 @@ func replaceSecretValues(input string) string {
 			return match
 		}
 		encryptedValue := matches[2]
-		decryptedValue, _ := utils.DecryptValue(config.EncryptionKey, encryptedValue)
+		decryptedValue, err := utils.DecryptValue(config.EncryptionKey, encryptedValue)
+		if err != nil {
+			catcher.Error("failed to decrypt secret value in command", err, map[string]any{"process": "agent-manager"})
+			return match
+		}
 		return decryptedValue
 	})
 }

agent-manager/utils/auth.go

@@ -1,6 +1,7 @@
 package utils
 
 import (
+	"crypto/subtle"
 	"crypto/tls"
 	"net/http"
 	"strings"
@@ -19,10 +20,12 @@ func IsConnectionKeyValid(panelUrl string, token string) bool {
 }
 
 func IsKeyPairValid(key string, id uint, cache map[uint]string) (string, bool) {
-	for agentId, agentKey := range cache {
-		if key == agentKey && id == agentId {
-			return agentKey, true
-		}
+	agentKey, ok := cache[id]
+	if !ok {
+		return "", false
+	}
+	if subtle.ConstantTimeCompare([]byte(key), []byte(agentKey)) == 1 {
+		return agentKey, true
 	}
 	return "", false
 }

agent-manager/utils/filter.go

@@ -2,6 +2,7 @@ package utils
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 
 	"gorm.io/gorm"
@@ -24,14 +25,14 @@ type Filter struct {
 	Value interface{}
 }
 
-func NewFilter(searchQuery string) []Filter {
-	defer func() {
-		if r := recover(); r != nil {
-			// Handle the panic here
-			fmt.Println("Panic occurred:", r)
-		}
-	}()
+// validFieldName ensures the field name only contains safe characters (letters, digits, underscores)
+var validFieldName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)
 
+func IsValidFieldName(field string) bool {
+	return validFieldName.MatchString(field)
+}
+
+func NewFilter(searchQuery string) []Filter {
 	filters := make([]Filter, 0)
 	if searchQuery == "" {
 		return filters
@@ -42,11 +43,27 @@ func NewFilter(searchQuery string) []Filter {
 	}
 	for _, v := range query {
 		filter := strings.Split(v, "=")
+		if len(filter) != 2 {
+			continue
+		}
 		filerQuery := strings.Split(filter[0], ".")
+		if len(filerQuery) != 2 {
+			continue
+		}
+		field := filerQuery[0]
+		if !IsValidFieldName(field) {
+			fmt.Printf("Rejected invalid filter field: %s\n", field)
+			continue
+		}
+		op := resolveOperator(filerQuery[1])
+		if op == "" {
+			continue
+		}
 		filters = append(filters, Filter{
-			Field: filerQuery[0],
-			Op:    resolveOperator(filerQuery[1]),
-			Value: filter[1]})
+			Field: field,
+			Op:    op,
+			Value: filter[1],
+		})
 	}
 	return filters
 }

agent-manager/utils/paginator.go

@@ -28,7 +28,19 @@ func NewPaginator(limit int, page int, sort string) Pagination {
 	if len(sort) > 0 {
 		srt := make([]string, 0)
 		for _, s := range strings.Split(sort, "&") {
-			srt = append(srt, strings.Replace(s, ",", " ", 1))
+			parts := strings.SplitN(s, ",", 2)
+			field := parts[0]
+			if !IsValidFieldName(field) {
+				continue
+			}
+			direction := "asc"
+			if len(parts) == 2 {
+				d := strings.ToLower(strings.TrimSpace(parts[1]))
+				if d == "desc" {
+					direction = "desc"
+				}
+			}
+			srt = append(srt, field+" "+direction)
 		}
 		p.Sort = strings.Join(srt, ",")
 	}

agent/cmd/uninstall.go

@@ -47,6 +47,15 @@ var uninstallCmd = &cobra.Command{
 		if err = pb.DeleteAgent(cnf); err != nil {
 			utils.Logger.ErrorF("error deleting agent: %v", err)
 		}
+
+		// Uninstall dependencies (cleanup auditd rules, etc.)
+		fmt.Print("Cleaning up dependencies... ")
+		if err = dependency.UninstallAll(); err != nil {
+			fmt.Printf("Warning: %v\n", err)
+		} else {
+			fmt.Println("[OK]")
+		}
+
 		if err = collector.UninstallAll(); err != nil {
 			fmt.Printf("error uninstalling collectors: %v\n", err)
 			os.Exit(1)