CloudPassage Halo — Late March 2013 Release
The Late March 2013 Release of CloudPassage® Halo® is a major release that brings configuration security monitoring to Windows servers, adds new auditing events, updates the MS SQL firewall service, and includes minor updates to the CloudPassage API.
New Features in This Release
Windows Configuration Security Monitoring (Beta Release)
With this release, the configuration security monitoring feature of CloudPassage Halo becomes available to Windows Server users as a beta feature. For a complete explanation of the feature for both Windows and Linux, see Monitoring Server Configuration Security.
Windows configuration security features
The beta release of Windows configuration security monitoring offers significant capabilities and conveniences, including:
- Creating and editing Windows configuration policies and assigning them to server groups
- Import and export of configuration policies
- Automatic scanning enabled by default
- Programmatic access to configuration security monitoring capabilities through the CloudPassage API
This initial beta release also includes the two important configuration rule checks described next. Many additional checks are currently under development or in planning, and are expected to be made available over the coming months.
Windows Local Security Policy Setting check
The Local Security Policy Setting check for Windows verifies whether a specified local security policy setting has a given value on a scanned Windows server. This one check allows you to verify the desired value for any one of over 20 local security policy settings.
Using this check in a configuration policy allows you to enforce Windows Server security controls that are traditionally set by Group Policy for an Active Directory domain. Since cloud-based Windows servers often run without a domain controller, you can use this check to ensure that all of your Windows servers maintain the same security posture. For details, see Rule Check: Local Security Policy Setting (Windows).
Local security policy is a Windows-specific feature; there is no exact equivalent to this check available for Linux servers.
Windows File Presence check
The File Presence check for Windows verifies the presence (or absence) of one or more files on a scanned Windows server.
This check functions similarly to the existing File Presence check for Linux, except that wildcards are not supported in file paths. For details, see Rule Check: File Presence (Windows).
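The two checks above, as an added example that is not CloudPassage's own code: a small Python evaluator that applies Halo-style rules to the INF written by `secedit /export /cfg <file>` on a Windows server (the `[System Access]` section holds the local security policy settings; `[Registry Values]` entries are stored as `<REG type>,<data>`), plus a File Presence check that accepts exact paths only, as the Windows check does. The rule schema (name, type, section, setting, op, expected, path, present) and the INF excerpt are constructed for this example.

```python
"""Evaluate Halo-style Windows configuration rules against a secedit export.

Added example, not CloudPassage code. Rule schema and INF text are
constructed; on a real server run `secedit /export /cfg secpol.inf`
and read the file with encoding="utf-16" (secedit writes UTF-16LE).
"""
import os

# Constructed excerpt of a secedit export from a standalone Windows server.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
EnableGuestAccount = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""
UAC_KEY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"


def parse_secedit(text):
    """Parse secedit INF text into {section: {setting: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def check_local_security_policy(rule, policy):
    """Local Security Policy Setting check: one setting, one expected value."""
    actual = policy.get(rule["section"], {}).get(rule["setting"])
    if actual is None:
        return False, "setting not present in export"
    if rule["section"] == "Registry Values":
        actual = actual.split(",", 1)[1]  # stored as <REG type>,<data>
    op, expected = rule.get("op", "eq"), rule["expected"]
    if op == "eq":
        ok = actual == str(expected)
    elif op == "ge":
        ok = int(actual) >= int(expected)
    elif op == "le":
        ok = int(actual) <= int(expected)
    else:
        raise ValueError("unknown op %r" % op)
    return ok, "actual=%s, want %s %s" % (actual, op, expected)


def check_file_presence(rule):
    """File Presence check (Windows flavour): exact paths only, no wildcards."""
    path = rule["path"]
    if any(c in path for c in "*?"):
        raise ValueError("wildcards are not supported in Windows paths: %r" % path)
    exists = os.path.exists(path)
    return exists == rule["present"], "exists=%s" % exists


def evaluate(rules, policy):
    """Return (rule name, passed, detail) for every rule in the policy."""
    results = []
    for rule in rules:
        if rule["type"] == "local_security_policy":
            ok, detail = check_local_security_policy(rule, policy)
        elif rule["type"] == "file_presence":
            ok, detail = check_file_presence(rule)
        else:
            raise ValueError("unknown rule type %r" % rule["type"])
        results.append((rule["name"], ok, detail))
    return results


# Constructed policy for a standalone (non-domain) web server.
SAMPLE_RULES = [
    {"name": "min password length >= 14", "type": "local_security_policy",
     "section": "System Access", "setting": "MinimumPasswordLength",
     "op": "ge", "expected": 14},
    {"name": "password complexity on", "type": "local_security_policy",
     "section": "System Access", "setting": "PasswordComplexity", "expected": 1},
    {"name": "guest account disabled", "type": "local_security_policy",
     "section": "System Access", "setting": "EnableGuestAccount", "expected": 0},
    {"name": "UAC enabled", "type": "local_security_policy",
     "section": "Registry Values", "setting": UAC_KEY, "expected": 1},
    {"name": "no leftover installer log", "type": "file_presence",
     "path": r"C:\Windows\Temp\setup.log", "present": False},
]

if __name__ == "__main__":
    for name, ok, detail in evaluate(SAMPLE_RULES, parse_secedit(SAMPLE_INF)):
        print("%-28s %s  (%s)" % (name, "PASS" if ok else "FAIL", detail))
```

Against the sample export only the password-length rule fails (the server still has the default of 0). The same rule list applied to every server's export is the point of the check: without a domain controller, nothing else keeps standalone servers' local security policy consistent.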
Corrected MS SQL firewall service available
An existing Halo firewall service (named "ms sql (tcp/1443)" in the Service dropdown list on the Create/Edit Firewall page) uses TCP port 1443, which is not the port MS SQL Server listens on (its default is TCP 1433). That service has been renamed to "TCP-1443 (1443)" to reflect what it actually allows, and a new firewall service ("ms sql (tcp/1433)") has been added to correctly support MS SQL communications. Any firewall policy that already references the old service still opens port 1443 only; edit those policies to use the new "ms sql (tcp/1433)" service, and drop the 1443 rule unless something on that server really listens there.
New auditing event for configuration security monitoring
The event "Configuration policy deleted" is generated whenever a Halo user deletes a configuration policy through the Portal UI. This new event augments the existing configuration security monitoring events "Configuration policy modified" and "Configuration rule matched" that you can view and search for on the Security Events History page and export through the Events API.
New auditing events for Halo firewall automation
The auditing events "Halo firewall policy assigned" and "Halo firewall policy unassigned" have been added to the set of logged firewall events that you can view and search for on the Security Events History page, and export through the Events API.
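The auditing events described above are more useful when the Events API export is triaged rather than just searched. The following is an added example, not CloudPassage code: it takes an export (constructed here; the event names are the ones listed in these notes, while the record fields name, created_at, actor_username, group_name, policy_name, server_hostname and rule_name are assumptions about the export layout) and raises a firewall-policy unassignment that is not followed by a reassignment, lists configuration policy deletions and modifications by untrusted actors, and separates operator actions from "Configuration rule matched" scan findings.

```python
"""Triage Halo audit events from an Events API export.

Added example, not CloudPassage code. The export is constructed; event
names match the release notes, field names are assumed.
"""
from collections import Counter
from datetime import datetime, timedelta

FW_ASSIGNED = "Halo firewall policy assigned"
FW_UNASSIGNED = "Halo firewall policy unassigned"
CFG_DELETED = "Configuration policy deleted"
CFG_MODIFIED = "Configuration policy modified"
CFG_RULE_MATCHED = "Configuration rule matched"

SAMPLE_EXPORT = {"count": 6, "events": [
    {"id": "e1", "name": FW_UNASSIGNED, "created_at": "2013-03-26T09:00:05Z",
     "actor_username": "ops-alice", "group_name": "web-tier", "policy_name": "web-fw"},
    {"id": "e2", "name": FW_ASSIGNED, "created_at": "2013-03-26T09:00:40Z",
     "actor_username": "ops-alice", "group_name": "web-tier", "policy_name": "web-fw-v2"},
    {"id": "e3", "name": FW_UNASSIGNED, "created_at": "2013-03-26T11:15:00Z",
     "actor_username": "contractor-bob", "group_name": "db-tier", "policy_name": "db-fw"},
    {"id": "e4", "name": CFG_DELETED, "created_at": "2013-03-26T11:16:30Z",
     "actor_username": "contractor-bob", "policy_name": "windows-baseline"},
    {"id": "e5", "name": CFG_MODIFIED, "created_at": "2013-03-26T12:00:00Z",
     "actor_username": "ops-alice", "policy_name": "linux-baseline"},
    {"id": "e6", "name": CFG_RULE_MATCHED, "created_at": "2013-03-26T12:05:00Z",
     "server_hostname": "web-01", "policy_name": "linux-baseline",
     "rule_name": "sshd PermitRootLogin"},
]}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def sorted_events(export):
    return sorted(export["events"], key=lambda e: parse_time(e["created_at"]))


def unprotected_groups(export, grace=timedelta(minutes=5)):
    """Groups whose firewall policy was unassigned and not reassigned within grace.

    A group with no Halo firewall policy has no Halo-managed firewall at all,
    so an unassign not promptly followed by an assign deserves an alert, not
    just an audit line. Only the exported window is visible: a reassignment
    after the export's last event still shows up here.
    """
    events = sorted_events(export)
    gaps = []
    for i, ev in enumerate(events):
        if ev["name"] != FW_UNASSIGNED:
            continue
        t0 = parse_time(ev["created_at"])
        reassigned = any(
            later["name"] == FW_ASSIGNED
            and later.get("group_name") == ev["group_name"]
            and parse_time(later["created_at"]) - t0 <= grace
            for later in events[i + 1:])
        if not reassigned:
            gaps.append((ev["group_name"], ev["actor_username"], ev["created_at"]))
    return gaps


def untrusted_policy_changes(export, trusted_actors):
    """Policy deletions and modifications by anyone outside trusted_actors."""
    return [(e["actor_username"], e["name"], e["policy_name"])
            for e in sorted_events(export)
            if e["name"] in (CFG_DELETED, CFG_MODIFIED)
            and e["actor_username"] not in trusted_actors]


def audit_counts(export):
    """Separate operator actions (audit events) from scan findings (rule matches)."""
    audit, findings = Counter(), Counter()
    for e in export["events"]:
        if e["name"] == CFG_RULE_MATCHED:
            findings[e["rule_name"]] += 1
        else:
            audit[e["name"]] += 1
    return audit, findings


if __name__ == "__main__":
    for group, actor, when in unprotected_groups(SAMPLE_EXPORT):
        print("ALERT %s: firewall policy unassigned by %s at %s and not reassigned"
              % (group, actor, when))
    for actor, what, policy in untrusted_policy_changes(SAMPLE_EXPORT, {"ops-alice"}):
        print("REVIEW %s: %s (%s)" % (actor, what, policy))
    audit, findings = audit_counts(SAMPLE_EXPORT)
    print("audit:", dict(audit), "findings:", dict(findings))
```

In the sample, web-tier is reassigned a policy 35 seconds after the unassign and is not reported; db-tier is unassigned by a contractor and never reassigned, and the same actor deletes a configuration policy a minute later, which is the sequence worth an alert. The grace window exists because a policy swap in the Portal is recorded as an unassign followed by an assign.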
Updates to the CloudPassage API
Halo configuration policy objects in the API now include a platform field to distinguish Linux from Windows policies. Also, the server group object now has an added windows_policy_ids field, to support assigning Windows configuration policies to a server group.
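A client-side check for the two new fields, as an added example that is not CloudPassage code: before updating a server group through the API, confirm that every policy id in windows_policy_ids refers to a policy whose platform is "windows" and every Linux policy id refers to a "linux" one, and build the update body for adding a policy to the field that matches its platform. It assumes the platform field holds the strings "linux" and "windows", that a group's Linux configuration policies are listed in a policy_ids field (that field name is an assumption), and that the update body wraps the changed fields in a "group" object (also an assumption); the policy and group objects are constructed.

```python
"""Validate configuration-policy assignments against the platform field.

Added example, not CloudPassage code. Field names policy_ids and the
{"group": {...}} body shape are assumptions; sample objects are constructed.
"""

SAMPLE_POLICIES = [
    {"id": "pol-lnx-base", "name": "linux-baseline", "platform": "linux"},
    {"id": "pol-lnx-web", "name": "linux-web", "platform": "linux"},
    {"id": "pol-win-base", "name": "windows-baseline", "platform": "windows"},
]

# A group that was updated by hand: a Linux policy landed in the Windows list.
SAMPLE_GROUP = {"id": "grp-web", "name": "web-tier",
                "policy_ids": ["pol-lnx-base"],
                "windows_policy_ids": ["pol-win-base", "pol-lnx-web"]}

# Which group field may hold policies of which platform.
FIELD_PLATFORM = {"policy_ids": "linux", "windows_policy_ids": "windows"}


def index_policies(policies):
    return {p["id"]: p for p in policies}


def assignment_errors(group, policies):
    """One message per policy id that is unknown or listed under the wrong platform."""
    catalog = index_policies(policies)
    errors = []
    for field, platform in FIELD_PLATFORM.items():
        for pid in group.get(field, []):
            pol = catalog.get(pid)
            if pol is None:
                errors.append("%s: %s refers to unknown policy %s"
                              % (group["name"], field, pid))
            elif pol["platform"] != platform:
                errors.append("%s: %s policy %s (%s) is listed in %s"
                              % (group["name"], pol["platform"], pol["name"], pid, field))
    return errors


def assign_policy(group, policy):
    """Build the group update body that adds `policy` to the field for its platform.

    Refuses platforms outside FIELD_PLATFORM rather than guessing a field, and
    leaves the list unchanged when the policy is already assigned.
    """
    fields = [f for f, plat in FIELD_PLATFORM.items() if plat == policy["platform"]]
    if not fields:
        raise ValueError("unsupported platform %r" % policy["platform"])
    field = fields[0]
    ids = list(group.get(field, []))
    if policy["id"] not in ids:
        ids.append(policy["id"])
    return {"group": {field: ids}}


if __name__ == "__main__":
    for err in assignment_errors(SAMPLE_GROUP, SAMPLE_POLICIES):
        print("ERROR", err)
    print(assign_policy(SAMPLE_GROUP, index_policies(SAMPLE_POLICIES)["pol-lnx-web"]))
```

Run the error check over every group returned by the API after the release, since a Linux policy id copied into windows_policy_ids will not be applied to Windows servers yet looks assigned in a listing.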
Features and Fixes in Previous Minor Releases
Since the last major release of CloudPassage Halo in early March 2013, CloudPassage has released one minor production update. The following document describes the new features and improvements included in that update.
- New Halo Features and Fixes - 13 March 2013: includes changes and consolidations in the Halo Portal user interface, customizable password requirements, logging of additional auditing events, improvements to configuration security monitoring, and enhancements to the CloudPassage API.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- False-positive file integrity security events can occur on Linux systems in which the prelink utility regularly resolves links to dynamic libraries in executable files and stores the results in the executable files, thereby modifying them. This can create differences between the servers of a scan group and the baseline (golden master) server, which produces the false positives.
Workarounds. Take either of the following steps:
- Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to
- Turn off pre-linking on all of your servers.