Release/v11.2.7 (#2040)

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

# Conflicts:
#	frontend/src/environments/environment.ts

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: Add new ControlConfig creation component for SQL‑based compliance evaluation

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: add compliance control and query configuration tables with related DTOs and mappers

* feat: enhance compliance control configuration with section mapping and DTO updates

* feat: Revert unnecessary changes

* feat: enhance compliance control configuration with section mapping and DTO updates

* feat: refactor compliance query form and related components for improved layout and usability

* feat: implement compliance orchestrator backend client and evaluation logic

* feat: implement compliance orchestrator backend client and evaluation logic

* feat: implement compliance orchestrator backend client and evaluation logic

* feat: provide endpoint for OpenSearch evaluations including latest evaluation calculation per control

* feat: implement compliance orchestrator backend client and evaluation logic

* feat: provide endpoint for OpenSearch evaluations including latest evaluation calculation per control

* feat: refactor compliance evaluation classes and update related mappings

* feat: implement compliance orchestrator backend client and evaluation logic

* feat: refactor compliance evaluation classes and update related mappings

* feat: implement timeline visualization for compliance evaluations with initial chart setup and styling

* feat: implement timeline visualization for compliance evaluations with initial chart setup and styling

* feat: implement timeline visualization for compliance evaluations

* feat: implement timeline visualization for compliance evaluations

* feat: implement timeline visualization for compliance evaluations

* feat: implement timeline visualization for compliance evaluations

* feat: implement timeline visualization for compliance evaluations

* feat: enrich compliance evaluation details with rule, rule value, and hits

* feat: enhance compliance control evaluation with pagination support

* feat: extend control evaluation status with additional states and refine evaluation logic

* feat: add evaluation rule and rule value to compliance evaluation DTO and service

* feat: include evaluation rule and rule value in query evaluation model and logic

* feat: enhance compliance control evaluation with search functionality

* feat: update application version file path for consistency

* fix: implement sorting logic for compliance evaluations

* feat(agent): add native auditd collector for Linux

- Implement native auditd collector using go-libaudit v2 with netlink multicast
- Add enterprise-ready auditd configuration (50-utmstack.rules)
- Respect existing customer audit rules (additive approach)
- Add cleanup on agent uninstall (removes UTMStack rules only)
- Support automatic auditd installation on Debian/Ubuntu/RHEL/Fedora
- Handle migration path for existing auditd installations
- Add distro detection for package manager selection
- Remove legacy beats/filebeat commented code

* feat(filters): add auditd support to linux filter v5.0.0

- Support native auditd collector JSON format (type: auditd)
- Map auditd fields to Standard Event Schema:
  - syscall/category -> action
  - result -> actionResult
  - exe/comm -> origin.process
  - proctitle -> origin.command
  - subj_user -> origin.user
  - cwd -> origin.path
  - exit -> statusCode (cast to int)
- Set default severity 'info' for auditd events
- Preserve numeric IDs in log.* for correlation rules
- Maintain backwards compatibility with journald format

* refactor(filters): remove deprecated system_linux_module.yml

* fix(filters): adjust auditd event severity handling in linux filter

* chore(agent): update version to 11.1.5

* changeset[backend](linux): update linux filter

* fix(agent): prevent auditd buffer overflow with backpressure mitigation

* fix(agent): reduce auditd log noise with threshold and execve filter

- Add 50 event threshold for EventsLost logging (ignore 1-2 event losses)
- Filter execve rules to real users only (auid>=1000, auid!=-1)
- Simplify EventsLost function

* fix(agent): filter false events lost from go-libaudit sequence rollover

* feat(agent): expand auditd rules with log tampering and identity files

* feat[backend](agent): added shell parameter to agent connection

* feat[frontend](agent-console): added shell switch for windows agents (powershell or cmd)

* fix[backend](elastic-service): added space verification before removing elastic-index

* fix[backend](index-removal): added index verification before removal

* fix[backend](index-removal): fixed index state field obtention

* fix[backend](index-removal): fixed compilation errors on index removal

* changeset[backend](o365_visualization): updated o365 file upload visualization

* changeset[backend](o365_visualization): updated o365 file sync downloaded visualization

* changeset[backend](o365_visualization): updated o365 visualizations

* update windows-events filter

* feat[backend](dependencies): updated apache-tika to avoid vulnerable version

* feat[backend](dependencies): updated flying-saucer-pdf dependency and removed unneeded itext dependency

* fix(installer): enhance post-installation error handling and Docker shutdown for security risks

* changeset[backend](windows_filter): updated windows filters

* changeset[backend](windows_rules): updated windows rules

* feat[frotend](dependencies): updated dependencies for security improves

* changeset[backend](windows_rules): updated windows rules data types

* fix(installer): security improvements and code cleanup

   Security fixes:
   - Use crypto/rand instead of math/rand for secret generation
   - SELinux set to permissive instead of disabled (RedHat)
   - PostgreSQL/OpenSearch ports never exposed (use docker exec)
   - Nginx uses ephemeral key instead of INTERNAL_KEY

   Code improvements:
   - Remove unused parameters (GetAdminEmail, ConfigureNginx)
   - Remove dead code (if true condition)
   - Fix typo "fisnished" -> "finished"
   - Simplify PostInstallation (no Docker restart needed)
   - Remove unused dependencies (lib/pq, grequests)

* feat(security): add OpenSearch SSL and authentication support

* feat[backend](updated filters and rules): added a initial process to update logtash filters an rules

* feat: add endpoint to retrieve latest evaluation by control ID

* feat: enhance compliance evaluation mappers to load full Standard object

* feat(soc-ai): add multi-provider LLM support and HTTP API for manual analysis
  - Add support for multiple LLM providers (OpenAI, Anthropic) with URL-based detection
  - Implement generic authentication via customHeaders configuration
  - Add HTTP API server on port 8090 for manual alert submission:
    - POST /api/v1/analyze - Submit alert for async LLM analysis
    - GET /api/v1/metrics - API request metrics
    - GET /health - Health check (unauthenticated)
  - Add X-Internal-Key authentication middleware for protected endpoints
  - Add AutoAnalyze config flag to enable/disable automatic processing
  - Add AnthropicRequest/Response schema types for Claude API format
  - Add ANTHROPIC_API_VERSION constant for required header
  - Clean up unused constants (GPT_API_ENDPOINT, AllowedGPTModels)
  - Fix silent JSON parsing errors with proper logging

* feat(backend): add filters and rules to backend docker image

* fix(backend): update OpenSearch connection to use HTTPS with authentication

* feat(panel): add manual alert analysis endpoint with SSL support

* fix(backend): use analyzeAlert method in UtmAlertServiceImpl

* feat[backend](updated filters and rules): added initial load service

* feat[backend](updated filters and rules): added initial load service

* feat[backend](updated filters and rules): forced systemOwnedMode on rules and filters insertion in initial update

* feat[backend](updated filters and rules): added removed rules and filters routines

* feat[backend](updated filters and rules): forced filters adn rules to follow id convention of system owned rules/filters

* feat[backend](updated filters and rules): set null to invalid module name rules

* changeset[backend](socai): updated socai integration guide configuration

* fix[frontend](integration-guide): fixed cisco asa and firepower commands

* fix[backend](cypherUtil): make key|iv derivation be local instead of static

* fix: correct query parameter for search

* fix: Corrected incorrect behavior in filtering

* fix: update sorting direction for compliance evaluations

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* feat: add print view for compliance evaluations with detailed report

* fix[backend](healthcheck): removed springboot healthcheck to allow custom opensearch client to be used

* fix[backend](initial-setup): improved filter insertion on system load

* fix[backend](initial-setup): improved filter deletion on initial setup

* changeset[backend](data-types,modules): seeded data type - module relation

* fix[backend](initial-setup): improved error handling on failed to insert filter

* fix[backend](initial-setup): fixed filter index error

* fix[backend](initial-setup):added RuleYml to parse rules yml

* fix[backend](rules): fixed rules definitions

* feat[backend](log_events): added logs on every system admin operation

* fix[rules]: remove unused rules

* fix[baclend]: solve sintax problems in rules

* fix[backend]: solved problem with merge

* fix[backend](serialization): add @JsonIgnore to UtmModule lazy collections to prevent HttpMessageNotWritableException

* fix[agent-manager](security): prevent SQL injection in filters, add constant-time
  key comparison, fix cache race condition, and add command timeout

* feat[backend,frontend](incident-response): add shell selection for Windows agents, fix flow agent loading, enforce alert name in triggers, and rename default to dedicated agent

* fix[frontend](soar): remove legacy automation route and update audit link to use flow editor

* refactor(plugins): replace config polling with channel-based configuration updates across cloud integration plugins (AWS, Azure, GCP, O365, Sophos)

* feat[soc-ai]: improve soc-ai integration

* fix[backend,frontend,plugins](integrations): mask sensitive config values, improve validation error messages per provider, and prevent double-encryption

* fix[frontend](integrations): only clear saved tenant changes instead of all pending changes

* fix(modules-config): prevent single plugin failure from blocking all sync

* fix[backend,frontend]: add missing Constants import and remove duplicate variable declaration

* feat: refactor OpenSearch integration with new connection model

* feat: rename compliance configuration changelogs

* fix: correct standardId binding in compliance control create component

* fix[frontend](alert-selection): improved selection/remove alert condition on table

* fix[modules-config](socai): fixed providers configuration

* fix[frontend](socai_module_config): fixed saving state handling

* feat[modules-config](socai): generalized socai connection check and validations

* feat: trigger initial scheduler dispatch when backend configs are present

* fix[frontend](alert-selection): improved selection/remove alert condition on table

* fix[modules-config](socai): fixed providers configuration

* fix[frontend](socai_module_config): fixed saving state handling

* feat[modules-config](socai): generalized socai connection check and validations

* fix[frontend](socai_alert_analyze): updated loading status inmediately after request is maded

* refactor(modules-config): improve resilience and code organization

Add resilient module synchronization:
  - Implement periodic retry mechanism (5-minute interval)
  - Add StartPeriodicRetry for automatic recovery

* feat: rename compliance configuration changelogs

* fix[modules-config](socai): trimmend config values to avoid false positive on config verification

* fix[modules-config](socai): send model on test request to avoid wrong model false positive

* fix[modules-config](socai): add little message on model test to manage wrong models and wronk api keys on the request

* fix[modules-config](socai): manage gemini test response correctly

* fix[frontend](tooltips): moved tooltip position to body so they can be showed above any other copmonent

* fix[frontend](alert-popup): fixed alert popup position

* fix[backend](socai_model): removed model invalidation on custom provider

* fix[frontend](socai-analysis): fixed wait status on socai alert analysis

* fix[frontend](linux): fixed linux agent name on integration guides

* fix[frontend](socai): selected currently configured provider once its setted up

* fix[backend](modules_config): removed json ignore and desencryption on event manager communication

* fix[backend](modules_config): removed decryption on config validation

* chore[](v11-pipeline): temporary remove v11 windows agent singing from actions

* ci: unify agent signing into reusable workflow (Windows KMS + macOS)

* fix(ci): remove invalid --version check on jsign download

* fix(ci): drop osslsigncode verify step from Windows signing

* feat[backend](modules-config): removed decryption type in all comunications with modules config service

* fix[backend](modules_config): setted get operations as readonly transactions

* feat(modules-config): add logging and decryption support

* chore(modules-config): improve error context in decryption failures

* fix[modules-config](socai): make model verification on openai come on the asbtract base validator

* fix[frontend](alerts): added a sockai error on alert analization

* fix[backend](modules_config): remove socai.model filtration on modules config sent

* fix[backend](modules_config): remove socai from non removable config modules list

* deleted: removed rootkit_files_detection rule from linux

* deleted: removed suspicious_managedcode_host_process rule from windows

* deleted: the suspect_managedcode_host_process and rootkit_files_detection rules were removed from windows and linux respectively

---------

Co-authored-by: Elena Lopez Milan <elopez@utmstack.com>
Co-authored-by: Yadian Llada Lopez <yadian.llada@gmail.com>
Co-authored-by: AlexSanchez-bit <sanchez.saez.alex01@gmail.com>
Co-authored-by: JocLRojas <joc.l.rojas02@gmail.com>
Co-authored-by: Osmany Montero <osmontero@icloud.com>
Co-authored-by: Alex Sánchez <alex.sanchez@utmstack.com>

Author: 6 people

.github/workflows/reusable-sign-agent.yml

@@ -0,0 +1,289 @@
+name: "Reusable: Sign Agent Binaries"
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        required: true
+        type: string
+        description: "Target OS to sign for: 'windows' or 'macos'"
+      artifact_name:
+        required: true
+        type: string
+        description: "Name of the artifact (uploaded by a previous job) that contains the unsigned binaries"
+      binaries:
+        required: true
+        type: string
+        description: |
+          Newline-separated list of binary paths to sign, relative to the root of the downloaded artifact.
+          Example:
+            agent/utmstack_agent_service_windows_amd64.exe
+            agent/updater/utmstack_updater_service_windows_amd64.exe
+      signed_artifact_name:
+        required: false
+        type: string
+        default: ""
+        description: "Name for the output artifact (defaults to <artifact_name>-signed)"
+      retention_days:
+        required: false
+        type: number
+        default: 1
+
+      # ---- Windows / GCP KMS (used only when os=windows) ----
+      gcp_project_id:
+        required: false
+        type: string
+        default: ""
+      kms_location:
+        required: false
+        type: string
+        default: "global"
+      kms_keyring:
+        required: false
+        type: string
+        default: ""
+      kms_key:
+        required: false
+        type: string
+        default: ""
+      cert_chain_path:
+        required: false
+        type: string
+        default: ".github/certs/codesign-chain.pem"
+        description: "Path (in the repo) to the PEM cert chain used by jsign"
+      jsign_version:
+        required: false
+        type: string
+        default: "7.0"
+      sign_name:
+        required: false
+        type: string
+        default: "UTMStack Agent"
+      sign_url:
+        required: false
+        type: string
+        default: "https://utmstack.com"
+      tsa_url:
+        required: false
+        type: string
+        default: "http://timestamp.sectigo.com"
+
+    secrets:
+      # Windows
+      GCP_WINDOWS_SIGNER_SA_KEY:
+        required: false
+      WINDOWS_SIGNER_CERT_CHAIN_PEM:
+        required: false
+        description: "Full PEM cert chain content. When set, overrides cert_chain_path."
+      # macOS
+      APPLE_CERTIFICATE_BASE64:
+        required: false
+      APPLE_CERTIFICATE_PASSWORD:
+        required: false
+      APPLE_SIGNING_IDENTITY:
+        required: false
+      APPLE_ID:
+        required: false
+      APPLE_APP_PASSWORD:
+        required: false
+      APPLE_TEAM_ID:
+        required: false
+
+jobs:
+  sign:
+    name: Sign ${{ inputs.os }} binaries
+    runs-on: ${{ inputs.os == 'windows' && 'ubuntu-latest' || 'macos-latest' }}
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout (for cert chain)
+        if: inputs.os == 'windows'
+        uses: actions/checkout@v4
+
+      - name: Download unsigned binaries
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.artifact_name }}
+          path: ./unsigned
+
+      # =========================================================
+      # Windows path: jsign + GCP KMS
+      # =========================================================
+      - name: Authenticate to Google Cloud
+        if: inputs.os == 'windows'
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_WINDOWS_SIGNER_SA_KEY }}
+
+      - name: Set up gcloud
+        if: inputs.os == 'windows'
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Set up Java (for jsign)
+        if: inputs.os == 'windows'
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: '17'
+
+      - name: Download jsign
+        if: inputs.os == 'windows'
+        env:
+          JSIGN_VERSION: ${{ inputs.jsign_version }}
+        run: |
+          curl -fsSL -o jsign.jar \
+            "https://github.com/ebourg/jsign/releases/download/${JSIGN_VERSION}/jsign-${JSIGN_VERSION}.jar"
+
+      - name: Prepare cert chain
+        if: inputs.os == 'windows'
+        env:
+          CHAIN_SECRET: ${{ secrets.WINDOWS_SIGNER_CERT_CHAIN_PEM }}
+          CHAIN_REPO_PATH: ${{ inputs.cert_chain_path }}
+        run: |
+          set -euo pipefail
+          OUT="${RUNNER_TEMP}/codesign-chain.pem"
+          if [ -n "$CHAIN_SECRET" ]; then
+            echo "→ Using cert chain from secret"
+            printf '%s\n' "$CHAIN_SECRET" > "$OUT"
+          elif [ -f "$CHAIN_REPO_PATH" ]; then
+            echo "→ Using cert chain from repo: $CHAIN_REPO_PATH"
+            cp "$CHAIN_REPO_PATH" "$OUT"
+          else
+            echo "::error::No cert chain available. Set WINDOWS_SIGNER_CERT_CHAIN_PEM secret or commit a chain at ${CHAIN_REPO_PATH}"
+            exit 1
+          fi
+          echo "CERT_CHAIN_FILE=${OUT}" >> "$GITHUB_ENV"
+
+      - name: Sign Windows binaries
+        if: inputs.os == 'windows'
+        env:
+          PROJECT_ID: ${{ inputs.gcp_project_id }}
+          KEYRING_LOCATION: ${{ inputs.kms_location }}
+          KEYRING_NAME: ${{ inputs.kms_keyring }}
+          KEY_NAME: ${{ inputs.kms_key }}
+          SIGN_NAME: ${{ inputs.sign_name }}
+          SIGN_URL: ${{ inputs.sign_url }}
+          TSA_URL: ${{ inputs.tsa_url }}
+          BINARIES: ${{ inputs.binaries }}
+        run: |
+          set -euo pipefail
+
+          TOKEN=$(gcloud auth print-access-token)
+          KEYSTORE="projects/${PROJECT_ID}/locations/${KEYRING_LOCATION}/keyRings/${KEYRING_NAME}"
+
+          while IFS= read -r raw; do
+            bin=$(echo "$raw" | xargs)
+            [ -z "$bin" ] && continue
+            target="./unsigned/${bin}"
+            echo "→ Signing ${target}"
+            ls -la "$target"
+
+            java -jar jsign.jar \
+              --storetype GOOGLECLOUD \
+              --storepass "$TOKEN" \
+              --keystore "$KEYSTORE" \
+              --alias "$KEY_NAME" \
+              --certfile "$CERT_CHAIN_FILE" \
+              --tsaurl "$TSA_URL" \
+              --tsmode RFC3161 \
+              --name "$SIGN_NAME" \
+              --url "$SIGN_URL" \
+              "$target"
+
+            echo "✓ Signed ${target}"
+          done <<< "$BINARIES"
+
+      # =========================================================
+      # macOS path: codesign + notarytool
+      # =========================================================
+      - name: Install Apple certificate
+        if: inputs.os == 'macos'
+        env:
+          CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
+          CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        run: |
+          set -euo pipefail
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          echo "$CERTIFICATE_BASE64" | base64 --decode > "$RUNNER_TEMP/certificate.p12"
+          security import "$RUNNER_TEMP/certificate.p12" -P "$CERTIFICATE_PASSWORD" \
+            -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          security list-keychain -d user -s "$KEYCHAIN_PATH"
+
+          security set-key-partition-list -S apple-tool:,apple:,codesign: \
+            -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+      - name: Sign macOS binaries
+        if: inputs.os == 'macos'
+        env:
+          SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          BINARIES: ${{ inputs.binaries }}
+        run: |
+          set -euo pipefail
+          while IFS= read -r raw; do
+            bin=$(echo "$raw" | xargs)
+            [ -z "$bin" ] && continue
+            target="./unsigned/${bin}"
+            echo "→ Signing ${target}"
+            codesign --force --options runtime \
+              --sign "$SIGNING_IDENTITY" \
+              --timestamp \
+              "$target"
+          done <<< "$BINARIES"
+
+      - name: Notarize macOS binaries
+        if: inputs.os == 'macos'
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          BINARIES: ${{ inputs.binaries }}
+        run: |
+          set -euo pipefail
+          while IFS= read -r raw; do
+            bin=$(echo "$raw" | xargs)
+            [ -z "$bin" ] && continue
+            target="./unsigned/${bin}"
+            zip_path="${target}.notarize.zip"
+            echo "→ Notarizing ${target}"
+            ( cd "$(dirname "$target")" && zip "$(basename "$target").notarize.zip" "$(basename "$target")" )
+
+            xcrun notarytool submit "$zip_path" \
+              --apple-id "$APPLE_ID" \
+              --password "$APPLE_APP_PASSWORD" \
+              --team-id "$APPLE_TEAM_ID" \
+              --wait
+
+            rm -f "$zip_path"
+            echo "✓ Notarized ${target}"
+          done <<< "$BINARIES"
+
+      # =========================================================
+      # Upload signed binaries
+      # =========================================================
+      - name: Compute signed artifact name
+        id: artifact
+        env:
+          OVERRIDE: ${{ inputs.signed_artifact_name }}
+          DEFAULT: ${{ inputs.artifact_name }}-signed
+        run: |
+          if [ -n "$OVERRIDE" ]; then
+            echo "name=$OVERRIDE" >> "$GITHUB_OUTPUT"
+          else
+            echo "name=$DEFAULT" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload signed binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.artifact.outputs.name }}
+          path: ./unsigned/
+          retention-days: ${{ inputs.retention_days }}
+          if-no-files-found: error