CloudPassage Halo — April 24, 2017
The April 24, 2017 release of CloudPassage® Halo® includes the availability of new Linux and Windows agents, automated issue resolution, SAM scans for Windows, multiple enhancements to the Accounts view and SAM scan findings views, significant updates to the Halo REST API, and much more.
New Features and Improvements
Miscellaneous Halo Portal Enhancements
New Halo UI login page is now the default
When a Halo user who wishes to use the new Halo UI logs directly into the Halo portal, the URL for that access has until recently been
HTTPS://portal.cloudpassage.com/login?halo2=1. Now, however, the new UI is the only available user interface, so the URL extension is no longer necessary. The new URL is simply
Note: The old URL and SSO integrations using that URL will continue to work.
Added special character now allowable in Halo password
The character "$" is now accepted as valid in a Halo password.
New context menus available
This release implements a context menu in the group tree, as well as the following views: Issues, Servers, Alerts, Policies, and Policy Templates. The context menu is a shortcut to the most common actions associated with the item you clicked.
To open the context menu, Ctrl+click (Mac) or right-click (Windows) a listed item in these views; for example, right-click a particular server in the Servers view or a group in the group tree. The following example illustrates the context menu in the group tree:
Updates to email notifications and portal banners
As of this release, several standard email messages from CloudPassage to Halo customers have been updated to use the new Halo logo and to improve the wording of the message.
Ability to set world time zones in My Account
This release enables users to select any world time zone in the My Account screen. To do so, open My Account from the main menu. Click the Time Zone drop-down menu, select the time zone that you want to apply to your account, and then click Save. Once the time zone is set, the timestamps in Halo will reflect the user's local time.
Display number of days remaining in an evaluation period
For those customers who are using Halo on a trial basis, a notification now appears to indicate the number of days remaining in the evaluation period.
Task indicator for long-running tasks
A task indicator has been implemented for long-running tasks, such as exports.
While the task is running, a square indicator appears at the top of the portal. You can hover over it to view what task is running and its progress.
Automated Issue Resolution
Resolve issues automatically
The logic that defines when an issue automatically resolves has been improved to ensure that no orphaned issues remain once the problem has been remediated and the server has been rescanned. When an issue is resolved automatically, the reason is recorded and an event is generated for audit purposes (see "New 'issue resolved' event" below).
Note: Automatic issue resolution does not remediate the underlying security problem that created the issue. It simply marks the issue as "resolved" in Halo.
For detailed information about what issues are resolved and exceptions, see Resolving Issues in the Halo Operations Guide.
Resolve issues manually
The dialog that appears when a user manually resolves an issue has been updated to explain issue resolution more clearly and to enable the user to add a comment. When an issue is resolved manually, the user and reason are recorded and an event is generated for auditing purposes.
New 'issue resolved' event
A new "Issue resolved" event (API name = issue_resolved) was created to support the improvements made to issue resolution. This event is generated in two ways: (1) when a user manually resolves the issue, and (2) when the system automatically resolves the issue when its server is retired.
Option to retire servers added in the delete servers dialog
Since deleting servers removes a server—along with all of its data—from the Halo portal and prevents the agent from reconnecting, we recommend that users retire servers so that data can be retained. To support this recommendation, the Delete Servers dialog has been improved to clarify the difference between deleting and retiring servers, as well as to add an option to retire servers instead.
For more information about retiring and deleting servers, see Managing Servers in the Halo Operations Guide.
Retire server dialog updated
The dialog box that appears when a server is retired has been updated to include more information about what happens when a server is retired.
OS column in Servers view updated
Previously, there was not a text heading in the OS column in the Servers view. In this release, a heading has been added.
Visual enhancements to the server profile
Several enhancements were made to the server profile to enhance clarity and remove duplication; for example, the Firewall status duplication was removed and clicking the header text of each section expands and collapses that section.
Server Account Management (SAM)
With this release, you can now view Windows accounts and Windows SAM scans in the new Halo interface. In addition, several enhancements were made to the Accounts view and SAM scans to enable users to:
- Obtain local user account and group inventory.
- Identify accounts that are members of the administrator group.
- View historical SAM scans for both Linux and Windows servers.
- Search across workloads for accounts that match certain criteria, such as administrative access, last log in date, and accounts that are "locked" for reasons such as password failure.
The remainder of this section details the release items that support these enhancements.
Note: The new Windows SAM features require the latest Windows agent. See the Halo Agent section in these release notes.
View SAM scan results in the new Halo interface
This release implements the ability to view scan results in the new Halo interface. To do so, click the Scans view button, then click a SAM scan by clicking its link.
Note: Clicking the server name opens the server-level Scans view. Click elsewhere in the row to go directly to the scan results.
The SAM scan opens and displays a scan profile on the left and information about Local User Accounts and Local User Groups on the right, separated into two subtabs. To view more detail about any of these accounts or groups, click it to open a sidebar.
For more information about SAM scans and server accounts, see the Server Account Management module guide.
Export historical scans to PDF
This release enables users to export an historical SAM scan to PDF. To do so, open a SAM scan and click Export.
A PDF of the Server Account Management report opens. This report provides the following information:
- A summary page with information about accounts, such as how many have root permissions, the number of accounts that have logged in, the number of accounts that are disabled, and more.
- Detailed pages about the local user accounts.
- Detailed pages about the local user groups.
SAM scan settings for Windows
User-account-related Site Administration settings (such as SAM scan frequency) now apply to Windows servers as well as to Linux servers.
Updates to the Accounts view
This release implements several changes to both the server and group-level Accounts views. The following list explains just a few of these changes; the remainder of the changes are explained in the subsections that follow.
- The view is now separated into two subtabs, which enable users to view by Local User Accounts or Local User Groups.
- Each row that appears in the view can be clicked to view more details in a sidebar:
  - The data provided at the group level displays summarized account information for the selected group.
  - The data provided at the server level displays account information from the server's latest SAM scan.
Filter the Accounts view
This release enables users to filter both the group and server-level Accounts view. For information about filtering or for a complete list of the attributes you can use to filter accounts, see Filtering Views in the Halo Operations Guide.
Selecting columns in the Accounts view
You can now select the columns that you want to see in the Accounts view. To select the columns, click the icon on the right side of the view and select the columns you want to see from the list.
Note: Any columns you select will persist until you select different columns.
Launch new scan from the Scans view
Users can now launch a new SAM scan from within the Scans view. To do so, open a scan in the Scans view. In the profile area, click Launch New Scan.
Manually launch a SAM scan for a Windows server
This release implements the ability to manually launch a SAM scan for a Windows server. For information about how to manually launch a scan, see Manually Launching Scans in the Halo Operations Guide.
New SAM events
- "Server Account Scan Requested" (API name = server_account_scan_requested). Generated when a Halo user requests a manual server account scan.
- Existing audit events have been extended to support alerting on new or deleted Windows user accounts. The events "Server account created" and "Server account deleted" have been changed to "Local account created" (API name = local_account_created) and "Local account deleted" (API name =
Configuration Security Monitoring (CSM)
Rule description included in Issue Details sidebar
You can now view the CSM rule description, if one exists, when researching CSM scan details or issue details.
Additional fields in CSM Check Details sidebar
Several improvements were made to the CSM Check Details sidebar to provide users with more information when researching a CSM check. Improvements include visual adjustments to make the content clearer, several new attributes, and the ability to view the files that pertain to file-related CSM checks (example below).
Rule validation now prevents generation of false issues
Previously, the presence of certain misplaced characters in configuration policy rule names could cause the generation of invalid issues that could not be deleted. Halo now validates all rule names as they are saved, preventing the issue from recurring.
New Linux and Windows agents available
Version numbers are 4.0.0 for Linux and 4.0.0 for Windows. See the Halo Agent Release Notes for details.
Important: Halo agents with version numbers less than 3.4.3 are no longer supported and will no longer be able to register with Halo as new agents. Existing agents older than 3.4.3 will continue to connect, but should be upgraded as soon as possible.
View agent logs for a server within Halo
This release enables users to view the transaction log between the agent and the portal. You can do so using a new server-level Details view.
To view agent logs:
- Open the server-level view of the server on which the agent is installed.
- Click the Details view button. The Agent Logs view opens.
Halo REST API
Obtain server's agent log
Functionality has been added to the Servers API endpoint to support retrieval of a server's transaction log between the agent and the portal.
New API endpoints for local user accounts and local user groups
- Two new Server Account Management-related endpoints have been added to the Halo API—Local User Accounts and Local User Groups. Local User Accounts lists all Linux and Windows local accounts defined on all servers in all server groups in a Halo customer account. Local User Groups lists all Linux and Windows user-groups defined on all servers in all server groups of a customer account.
The Local User Accounts endpoint works in conjunction with the existing Server Accounts endpoint to provide account functionality such as retrieval of group-level or server-level user accounts, as well as account creation and management.
- Both the Local User Accounts and Local User Groups endpoints support filtered searches.
- Server account scans now return local user group information as well as user account information. (There are no separate user group scans.)
New API endpoint for Halo issues
An API endpoint is now available for Halo customers to use to manipulate Halo issues (as seen on the Issues view of the Halo portal Environment screen). Issues are essentially persistent and cross-server security events that you can see in the portal and retrieve through the API for further analysis or for archiving. The new API endpoint lets you perform filtered searches for various kinds of issues, and it supports programmatic resolution of active issues.
New functionality added to Server Accounts endpoint
- The "last login" information displayed for a user account now includes a timestamp that provides the exact date and time.
- The necessary API changes have been made to support PDF export of both Windows and Linux historical server account scans.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- Editing file integrity baseline expiration. If you want to change the expiration value when editing or re-baselining an existing baseline, the new expiration date is now calculated from the current date, rather than from the original baseline-creation date. However, if you keep the same setting (number of days) for the expiration value, the re-calculation does not occur and the expiration date remains based on the original creation date.
Workaround: Select a different expiration value and save the baseline. Then re-edit the baseline and specify your desired expiration value.
- Assigned GhostPorts users may be invisible to a firewall policy's owner. When a user at a non-root level creates a firewall policy, an administrator at a higher level can add a GhostPorts user (also at a higher level) as a source or destination in a firewall rule of that policy. The policy's owner, however, cannot see the assigned user when viewing the rule in the portal—because the user is at a higher level than the owner.
Workaround: Do not add a GhostPorts user to a descendant group's firewall policy rules if that user is out of the descendant group's scope.
- Cannot modify settings of a group that has out-of-scope policies. An administrator at a non-root level of the group tree cannot modify the settings of any accessible group with an assigned policy (or alert profile) that has become out of scope. This situation can arise if:
  - A policy owned by a higher-level group is first shared and assigned to a descendant group, and then unshared by the higher-level group's site administrator. The policy remains assigned to the descendant group, but that group's site administrator cannot make any modification to the group settings.
  - A higher-level group's site administrator transfers the ownership of a descendant group's policy to a group that is out of scope of the descendant group. The policy remains assigned to the descendant group, but that group's site administrator cannot make any modification to the group settings.
Workarounds: Do not transfer the ownership of a policy from one descendant group to another that is out of the first descendant's scope. Do not unshare a policy if it is assigned to any of your descendant groups.