Security hardening release. The headline change: TLS certificate verification
is now ON by default for both the Wazuh manager and the Wazuh Indexer
connections. The previously published 1.0.0 shipped with verification off by
default; if you rely on a self-signed lab certificate, you must now opt out
explicitly with WAZUH_VERIFY_SSL=false and/or WAZUH_INDEXER_VERIFY_SSL=false
(the server prints a startup warning when you do).
Security
- Verify TLS certificates by default for the manager and indexer clients;
disabling verification is now an explicit opt-out that logs a startup
warning (
security: verify TLS by default). - Gate unredacted
get_manager_configoutput behind the server-sideWAZUH_ALLOW_SENSITIVE_CONFIGflag; a model-supplied tool argument can never enable it on its own. - Delimit attacker-influenced SIEM content returned to the model: alert
full_log, alertrule_description, raw eventdata, and manager log descriptions are wrapped in<untrusted_siem_data>markers with anoutput.untrusted_data_notewarning, and the affected tool descriptions flag the fields as data, never instructions. - Route all tool-level error returns through the
safe-errorsanitizer so errors that bypass the client wrappers (JSON parse errors with body snippets, URL errors) never reach the MCP client raw. - Fail fast at startup when
WAZUH_INDEXER_URLis set withoutWAZUH_INDEXER_PASSWORDinstead of silently sending an empty password. - Minimize sensitive tool output by default: agent IPs, alert full logs, raw event data, process command lines, file hashes, and manager log descriptions are hidden unless opted in per call.
- Validate all MCP tool inputs with strict schemas: bounded pagination, length-limited search text, per-tool sort enums, and allowlisted identifiers for agent, alert, group, and SCA policy IDs.
- Encode Wazuh API path segments to prevent path injection.
- General security hardening pass across clients and tools, including sanitized diagnostics output that redacts URLs and never returns credentials.
Added
- Indexer-backed vulnerability tools:
list_vulnerabilitiesandsearch_vulnerabilities. - Response size caps via
WAZUH_MCP_MAX_RESPONSE_BYTES(default 250000); oversized responses return a truncated JSON preview withoutput.response_truncatedmetadata instead of an error. paginationobject (total,limit,offset,has_more) on paginated tool responses, alongside the existing top-level fields.- Transient-error retries for manager
GETand indexer search requests on429,502,503,504, and common network reset or timeout errors. AGENTS.mdcontributor guide and ascripts/verifyentrypoint that runs test, typecheck, and build in order.
Changed
- The MCP server version reported in handshakes is now derived from
package.jsoninstead of a hardcoded constant. - Documentation and test fixtures use RFC 5737 documentation addresses
(
192.0.2.x) instead of RFC 1918 space. - Dependencies refreshed;
npm auditclean.
Fixed
- Strip the draft-07
$schemamarker the MCP SDK stamps on tool schemas, which some clients reject when listing the full tool set.
CI
- Publish with npm provenance (
npm publish --provenancewithid-token: write). - Skip npm publish when the version already exists on the registry, making tag builds idempotent.