CloudPassage Halo - July 2012
The 25 July 2012 release of CloudPassage® Halo® is a major release that includes general availability of support for firewalls, security events, and GhostPorts authentication on Windows Server platforms. Version support for Windows has also been expanded. In addition, this release introduces a new way for Rackspace customers to register for Halo. The release also includes several product improvements, user experience enhancements, and general bug fixes.
New Features in this Release
General availability of Windows Server support
With this release, Halo support for Windows servers becomes a generally available and fully supported feature. On their Windows servers, Halo users can create firewall policies and deploy fully functional server firewalls; they can create policies to detect and manage security events; and they can implement GhostPorts multi-factor authentication (available to NetSec subscribers).
Support for Windows Server 2008 R1 SP2
In this release Halo adds support for Windows Server 2008 R1 SP2, in both 32-bit and 64-bit implementations. Halo now fully supports both Release 1 and Release 2 of Windows Server 2008.
Support for server tags in Windows Daemon installer
The Windows version of the Halo Daemon installer has been enhanced to allow users to enter a server tag at installation time, in order to assign the server to a specific server group. (This convenience had been available when performing a script-based unattended installation, or through the Windows Service Manager after installation.)
For greater convenience, the wizard now includes a screen on which the administrator can enter a server tag.
New version of the Halo Daemon
With this release, a new version of the Halo Daemon for Windows has been released. The new version number is 2.5.3. For Linux, the latest version number remains unchanged at 2.4.2.
Halo subscriptions available through Rackspace marketplace
Rackspace customers can now sign up for CloudPassage Halo directly through the Rackspace Cloud Tools Marketplace. This offering gives Rackspace customers an integrated billing solution and single invoice for all applications purchased through the marketplace. Go to https://cloudtools.rackspace.com/home for details.
CloudPassage API now available with new Basic subscriptions
Newly registered Halo Basic subscribers can use the CloudPassage API to programmatically manipulate the Halo features that they have access to. For example, if you sign up for a Basic subscription you will now have access to the Users, Servers, Server Groups, Server Commands, and Firewall API endpoints. NetSec and Pro users continue to have API access to their features, as before.
The CloudPassage API Programmer Guide marks in detail which parts of the API are available with Professional subscriptions only, and which parts are available with either Professional or NetSec subscriptions. Unmarked methods and object fields are available to all users.
New Features in Previous Minor Releases
---------------- 2 July 2012 Release ----------------
The 2 July 2012 release of CloudPassage® Halo® included a number of feature enhancements and bug fixes.
Deactivating a user closes any open GhostPorts session the user may have
If a GhostPorts user is de-activated, or if the user's access to GhostPorts is removed, and if the user has a currently open GhostPorts session, Halo closes that session immediately.
All closures of GhostPorts sessions now recorded as security events
Whenever a GhostPorts session is closed, whether deliberately or through time-out, an event is recorded that includes the reason for the closure and the username of the affected user. These events are visible on the Security Events History page of the Portal.
List of users on Site Administration page now sortable
On the Users tab on the Site Administration page of the Halo Portal, the list of users is sortable by several columns, including user name, first name, last name, email, and status.
List of CVEs for a package is sorted and filtered for uniqueness
On the results page for a software vulnerability scan on a server, the list of common vulnerabilities and exposures (CVEs) is both sorted numerically and filtered to remove duplicates.
Corrected "pending" banner when re-installing a firewall
If a firewall is changed outside of Halo, a Reinstall firewall policy link appears on the Server Firewall Management page. If the user clicks that link, a blue banner with the message "Pending firewall change" is displayed. Previously, that banner message persisted even after the firewall was re-installed. A new message displays as soon as the install is complete, saying "This server has had the firewall policy installed and a monitoring check is pending."
Nonfunctional controls removed from configuration risks PDF reports
A user may generate a PDF version of a configuration risks report from the Server Configuration Details page in the Portal. The report had included links for enabling or disabling rules; however, the links did not function correctly and now have been removed.
Basic users see link to API docs
On the Support page in the Halo Portal, the link to the CloudPassage API documentation is now available to all users, including Halo Basic users.
Server group list in Firewall drop down now sorted alphabetically
On the Create and Edit Firewall pages in the Halo Portal, drop-down lists of server groups for the Source or Destination attributes of a rule are now correctly sorted alphabetically by group name.
Clarification of which actions can result in alerts
Text has been added to the Alert Profiles page in the Halo Portal, clarifying that alerts can be generated by the occurrence of special events, by failures of rule checks during configuration scans, and by target changes detected during file integrity scans.
---------------- 19 June 2012 Release ----------------
The 19 June 2012 release of CloudPassage® Halo® included modifications to its subscription plans, changes to the registration experience, additional firewall policy capabilities, and a number of bug fixes and feature enhancements.
Revamped Halo subscription plans
With this release, CloudPassage introduces significant improvements to its three subscription plans (Basic, NetSec, and Professional). These updates will help CloudPassage to better tailor our offerings to specific customers' needs:
- Basic: The Basic subscription level remains completely free of charge with no expiration. Meant for small businesses, a Basic subscription allows your organization to create and dynamically manage Windows and Linux server firewalls. You may protect up to 5 servers at this subscription level.
Basic subscribers also have use of the Halo Portal management console, access to the CloudPassage API, and the ability to create log entries and alerts triggered by security events.
- NetSec: The NetSec subscription level adds account management (server access scanning), GhostPorts multi-factor authentication, enhanced API access, longer data retention, professional-level technical support, and an unlimited number of protected servers.
- Professional: The Professional subscription level adds configuration security, software vulnerability monitoring, file integrity monitoring, full API access, and data retention of more types of data, as well as professional-level technical support, and an unlimited number of protected servers.
For more details on the features and pricing of these plans, go to www.cloudpassage.com/plans.
Cloning and deleting firewall policies
It is now possible to delete or clone a firewall policy. Those two actions have been added to the Actions drop-down list on the Firewall Policies page.
You may delete a firewall policy even if it is being used by a server group. In that case you are warned that the group will be left without a firewall policy, but you are not barred from deleting the policy. Also, each server in that group will retain its existing firewall until a new policy is assigned to the group or the server is moved to another group.
Disabling individual rule checks in a configuration policy
Previously, it was possible to disable individual rules of a configuration policy (on a server's configuration scan results page), but it was not possible to disable an individual check within a rule. With this release, you now can disable both individual checks and whole rules.
Email sent to GhostPorts user on change in authentication type
GhostPorts users whose authentication type has changed from YubiKey to SMS will now receive a notification email specific to the authentication change, rather than the standard invitation email sent to new GhostPorts users.
The following issues are among those resolved in this release.
- The date range filter on the Security Events History page is now functioning correctly.
- To support programmatic editing of Windows firewalls, separate Windows and Linux firewall IDs have been defined in the CloudPassage API.
- On the Site Administration page, sorting for the "GhostPorts" and "Portal Access" columns has been improved. Also, the "Last Login" column now correctly shows only successful logins.
- If you are a site administrator in Halo, you can now deactivate a user who is "pending"—that is, has been invited but has never logged in.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- In this release, file integrity monitoring scans cannot detect block/character devices or fifo files, and cannot detect changes to file permissions or file attributes of any files.
- False-positive file integrity security events can occur in Linux systems in which the prelink utility regularly resolves links to dynamic libraries in executable files and stores the results in the executable files, thereby modifying them. This action can create differences between the servers of a scan group and the baseline (golden master) server, thereby causing the false positives.
  Workarounds. Take either of the following steps:
  - Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to
  - Turn off pre-linking on all of your servers.
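To triage a file integrity event that may be one of the prelink false positives described above, the following added example (not CloudPassage code, and not how Halo scans) compares a baseline copy of a file with a target copy and reports whether they differ only by prelinking. It assumes GNU coreutils (sha1sum) and uses prelink's --verify and --sha options when prelink is installed; the function names are illustrative.

```shell
#!/bin/sh
# Added example: prelink-aware comparison of two copies of a file.

# is_elf FILE: true when FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# stable_sha1 FILE: SHA-1 of the original (un-prelinked) content when FILE is
# an ELF object that prelink can verify; otherwise the plain SHA-1 of FILE.
stable_sha1() {
    if is_elf "$1" && command -v prelink >/dev/null 2>&1; then
        # --verify reconstructs the file as it was before prelinking;
        # --sha prints the SHA-1 of that content instead of the content.
        # If prelink cannot verify the file, fall through to sha1sum.
        digest=$(prelink --verify --sha "$1" 2>/dev/null) && [ -n "$digest" ] && {
            printf '%s\n' "${digest%% *}"; return 0; }
    fi
    sha1sum "$1" | cut -d' ' -f1
}

# classify BASELINE_FILE TARGET_FILE prints one of:
#   same          raw digests match
#   prelink-only  raw digests differ, un-prelinked digests match
#   changed       content differs even after undoing prelink
classify() {
    raw_a=$(sha1sum "$1" | cut -d' ' -f1)
    raw_b=$(sha1sum "$2" | cut -d' ' -f1)
    if [ "$raw_a" = "$raw_b" ]; then echo same; return; fi
    if [ "$(stable_sha1 "$1")" = "$(stable_sha1 "$2")" ]; then
        echo prelink-only
    else
        echo changed
    fi
}
```

A result of "changed" means the difference is not explained by prelinking and should be investigated as a real modification.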