CloudPassage Halo — March 2013 Release
The March 2013 Release of CloudPassage® Halo® is a major release that brings file integrity monitoring to Windows servers, adds new file integrity monitoring capabilities for both Windows and Linux users, introduces a new 64-bit Daemon version with proxy support, and includes minor user experience enhancements and functional improvements.
New Features in This Release
Windows File Integrity Monitoring (Beta Release)
With this release, the file-integrity scanning feature of CloudPassage Halo becomes available to Windows Server users as a beta feature. For a complete explanation of the feature for both Windows and Linux, see Monitoring Server File Integrity.
Windows Equivalents to Linux File Integrity Features
Windows file integrity monitoring, although in beta, is just as full-featured as its Linux counterpart. It offers all the same capabilities as previous Linux releases, including:
- Creating and assigning Windows file integrity policies to server groups
- Scanning of text files, binary files, symbolic links, and devices
- Scanning of directories, including recursive scanning
- Creating exclusions with wildcards (now part of Pattern-Based Inclusions and Exclusions)
- Use of single or multiple baselines, availability of baseline reports
- Ability to create exceptions to suppress events for specific violations
- Convenient import and export of file integrity policies
- Automatic scanning enabled by default
- Programmatic access to file integrity monitoring capabilities through the CloudPassage API
In addition, file integrity monitoring includes the Windows specific features described next, plus features that are new to both Windows and Linux, as described below in Pattern-Based Inclusions and Exclusions and Additional File Integrity Enhancements and Fixes.
Scanning for Changes to Windows-Specific Metadata
As on Linux servers, Windows file integrity monitoring lets you scan for changes to a file or directory's metadata, such as owner, permissions, or date-time, and the Halo Portal displays the changes to those details. Some details are different for Windows, however; for example, a Windows file's permissions are displayed in an access control list, and the date-times displayed are creation date and modification date, instead of the Linux ctime and mtime.
Also displayed under More Details are the scan date and server name, plus—under ADS—the signatures of any alternate data streams files (see next).
Detecting Changes to Alternate Data Streams Files
For historical reasons, the Windows file system (NTFS) supports storage of data in a second container within a file, separate from the usual data that appears in Windows Explorer and in system windows. This little-used capability is called alternate data streams (ADS), and was originally developed for compatibility with the resource-fork and data-fork design of the Macintosh Hierarchical File System (HFS).
Because data stored in a file's alternate data stream is not visible without special Windows tools, malicious data could easily be stored there and normally escape detection. If the ADS data includes executable code, it has the same execution permissions as the parent file. For that reason, Halo file integrity monitoring automatically scans every target file for alternate data streams files, and reports any additions, deletions, or changes that it detects, based on the baseline's alternate data streams content.
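The detection idea described above, as an added example that is not CloudPassage code: inventory the alternate data streams under a directory with PowerShell, save that inventory as a baseline, and later report any stream that was added, removed or changed in size (the function names and the paths in the usage comments are assumptions).

```powershell
# Added example (not CloudPassage code). Inventory the alternate data streams under a
# directory so that a saved inventory can serve as a baseline for later comparison.
function Get-AlternateDataStreamInventory {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every NTFS stream of the file. ':$DATA' is the ordinary file
            # content visible in Explorer; every other stream is an alternate data stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Length = [long]$_.Length }
                }
        }
}

# Compare a current inventory with a saved baseline and report streams that were added,
# removed, or whose size changed (a size change is the simplest sign of modified content).
function Compare-AlternateDataStreamInventory {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Baseline,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Current
    )
    # Normalise Length to a number: a baseline loaded from CSV carries it as a string.
    $norm = { $_ | Select-Object File, Stream, @{ n = 'Length'; e = { [long]$_.Length } } }
    $ref = @($Baseline | ForEach-Object $norm)
    $dif = @($Current  | ForEach-Object $norm)
    Compare-Object -ReferenceObject $ref -DifferenceObject $dif -Property File, Stream, Length |
        ForEach-Object {
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'Present now, not in baseline' } else { 'In baseline, not present now' }
                File   = $_.File
                Stream = $_.Stream
                Length = $_.Length
            }
        }
}

# Usage (paths are placeholders): take the baseline once, then compare against it later.
# Get-AlternateDataStreamInventory -Path 'C:\inetpub\wwwroot' -Recurse |
#     Export-Csv ads-baseline.csv -NoTypeInformation
# $baseline = @(Import-Csv ads-baseline.csv)
# $current  = @(Get-AlternateDataStreamInventory -Path 'C:\inetpub\wwwroot' -Recurse)
# Compare-AlternateDataStreamInventory -Baseline $baseline -Current $current
```

A stream that is both removed and re-added with a different size appears as two rows, one per side of the comparison.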
Scanning of Windows Registry Keys
The Windows registry is an essential component of every Windows system, containing location and configuration information for essentially all installed system-level and application-level components. Unexpected changes to certain registry keys can be indicators of malicious activity on the system.
Halo file integrity scanning can examine registry keys and alert you to changes that you feel could be security issues. Registry keys follow a hierarchical organization much like a file system, and you can use recursion, exclusions, inclusions, and exceptions to narrow down your registry targets, just as you can with file-system targets.
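As an added example of the registry scanning approach just described (not CloudPassage code): snapshot every value under a registry key, recursing into subkeys and skipping subkeys that match wildcard exclusion patterns, then compare two snapshots to list added, deleted and modified values. The function names and the key path in the usage comment are assumptions.

```powershell
# Added example (not CloudPassage code). Snapshot all values under a key, recursively,
# honouring wildcard exclusions for subkeys, in the spirit of the recursion and
# exclusions the page describes for registry targets.
function Get-RegistrySnapshot {
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # e.g. 'HKLM:\SYSTEM\CurrentControlSet\Services'
        [string[]]$Exclude = @()                  # wildcard patterns matched against full key names
    )
    $snapshot = @{}
    $keys = @(Get-Item -LiteralPath $KeyPath -ErrorAction Stop) +
            @(Get-ChildItem -LiteralPath $KeyPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $name = $key.Name                          # e.g. HKEY_LOCAL_MACHINE\SYSTEM\...
        if ($Exclude | Where-Object { $name -like $_ }) { continue }
        foreach ($valueName in $key.GetValueNames()) {
            # Keep REG_EXPAND_SZ data unexpanded so the snapshot records what is stored, not
            # what the current environment expands it to.
            $data = $key.GetValue($valueName, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $snapshot["$name\$valueName"] = ($data -join ',')   # flatten REG_MULTI_SZ / binary
        }
    }
    return $snapshot
}

# Report the differences between a baseline snapshot and a current one.
function Compare-RegistrySnapshot {
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][hashtable]$Current
    )
    foreach ($k in (@($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique)) {
        if (-not $Current.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Deleted';  Value = $k; Before = $Baseline[$k]; After = $null }
        } elseif (-not $Baseline.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';    Value = $k; Before = $null;         After = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            [pscustomobject]@{ Change = 'Modified'; Value = $k; Before = $Baseline[$k]; After = $Current[$k] }
        }
    }
}

# Usage (key path and exclusion are placeholders):
# $base = Get-RegistrySnapshot -KeyPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -Exclude '*\Enum'
# ...later...
# $now  = Get-RegistrySnapshot -KeyPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -Exclude '*\Enum'
# Compare-RegistrySnapshot -Baseline $base -Current $now | Format-Table -AutoSize
```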
Windows File Integrity Policy Templates
Halo provides default policy templates for Windows file integrity scanning. Currently available templates include the following:
- Core System Files (Windows 2008) v1 BETA. Detects changes in Windows Server 2008 system files, including installers, system settings, core applications, diagnostic files, boot files, and others.
- Core System Files (Windows 2012) v1 BETA. Detects changes in Windows Server 2012 system files, including installers, system settings, core applications, diagnostic files, boot files, and others.
- Core Registry Keys (Windows 2008) v1 BETA. Detects changes in Windows Server 2008 registry keys related to security settings, including network, user behavior, administration, audit, and others.
- Core Registry Keys (Windows 2012) v1 BETA. Detects changes in Windows Server 2012 registry keys related to security settings, including network, user behavior, administration, audit, and others.
You can use these templates as they are to begin protecting your servers. You can also customize them to better fit your individual situation, or you can create specialized file integrity policies from scratch.
Windows Support in File Integrity API
If you are using the CloudPassage API to duplicate Halo Portal capabilities with your own tools, you can programmatically apply the following file-integrity policy-manipulation capabilities to both Windows and Linux servers:
- List a single file integrity policy or all policies
- Create, update, or delete a file integrity policy
- List a single file integrity baseline or all baselines
- Create, update (re-baseline), or delete a file integrity baseline
New File Integrity Monitoring Features
File integrity monitoring for both Windows and Linux includes the following new features.
Pattern-Based Inclusions and Exclusions
Targets in a file integrity policy can now have inclusions (patterns specifying files or directories to include in a scan) as well as exclusions (patterns specifying files or directories to exclude from a scan).
You define both inclusions and exclusions the same way, by creating a search pattern with or without wildcards, and then specifying whether it should be an inclusion or exclusion.
You can define multiple inclusions or exclusions for a target, and you can even apply both inclusions and exclusions to the same target.
Additional File Integrity Enhancements and Fixes
- Each file integrity policy's operating-system type (Windows or Linux) is displayed graphically on the File Integrity Policies page and the File Integrity Exceptions page.
- Each baseline report (accessed through Details in the Action dropdown menu) now displays the total number of objects included in a given baseline scan.
Note: Inconsistent scan results may occur if the baseline report displays a total of more than 10,000 scanned objects for a baseline scan.
New Halo Daemon Features
Significant advances in Halo Daemon capability are introduced with this release.
64-bit Daemon for Windows
The latest release of the Windows Halo Daemon (version 2.7.8) runs in 64-bit mode, and is supported on the 64-bit versions of Windows Server 2008 and 2012. The 64-bit Daemon allows access to 64-bit Registry keys on these Windows versions.
The 32-bit Windows Halo Daemons (versions 2.5.6 and earlier) continue to be supported by Halo, running in 32-bit mode on Windows 2008 and 2012. However, file integrity monitoring is not supported on those systems.
Daemon Proxy Support for Both Linux and Windows
On both Windows and Linux platforms, the 2.7.8 version of the Halo Daemon can now run on servers that are configured to use a proxy server. To take advantage of this feature, you provide the proxy information to Halo when installing the Daemon. The Halo Portal displays the proxy information in the More details section of the server's File Integrity Monitoring Scan Details page.
On a server that is configured to use a proxy, Halo automatically adds a hidden rule to the server's firewall to allow the Halo Daemon to connect to the Grid through the proxy.
Features and Fixes in Previous Minor Releases
Since the last major release of CloudPassage Halo in July 2012, CloudPassage has released two minor production updates. The following documents describe the new features and improvements added to each update.
- New Halo Features and Fixes - 29 January 2013: includes increased flexibility in constructing alert profiles, plus minor user experience enhancements and functional improvements.
- New Halo Features and Fixes - 14 January 2013: includes improved administrative capabilities for site administrators, clarified onscreen messaging for all users, enhanced logging capabilities, and other user experience enhancements and functional improvements. Also, support for the deprecated legacy API keys is removed as of this release.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- False-positive file integrity security events can occur on Linux systems in which the prelink utility regularly resolves links to dynamic libraries in executable files and stores the results in the executable files, thereby modifying them. This action can create differences between the servers of a scan group and the baseline (golden master) server, thereby causing the false positives.
Workarounds. Take either of the following steps:
- Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to prelink.
- Turn off pre-linking on all of your servers.