CloudPassage Halo — 29 April 2013 Release
New Features and Fixes
The 29 April 2013 Release of CloudPassage® Halo® is a minor release that includes several new configuration rule checks for Linux platforms, a new set of customizable controls on users' login and password settings, and minor UI enhancements and functional improvements.
New Configuration Checks for Linux
This release introduces three new Linux configuration rule checks—one that examines a server's directories, and two that examine files within a user's home directory.
World-Writable Directories Have Sticky Bit Set
Verifies that the sticky bit is set on every world-writable directory on the server. The check passes if every world-writable directory has its sticky bit set, or if there are no world-writable directories at all.
When the sticky bit is set on a directory, a file in that directory can be renamed or deleted only by the file's owner, the directory's owner, or the superuser. Without it, any user who can write to the directory can remove or rename other users' files.
You can exclude from this check any directories whose sticky bit you want to ignore.
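As an added illustration (example code, not part of CloudPassage Halo or of these release notes), the following Python script performs the same audit locally: it walks a directory tree, reports every world-writable directory whose sticky bit is clear, and honours an exclusion list. The function names, the exclude parameter and the throwaway sample tree are this example's own assumptions.

```python
"""Local audit: world-writable directories that lack the sticky bit.

Added example (not CloudPassage Halo code). Function names, the ``exclude``
parameter and the sample tree built by ``build_demo_tree`` are this example's
own assumptions.
"""
import os
import shutil
import stat
import tempfile


def directory_needs_sticky_bit(mode):
    """True when a directory mode is world-writable but the sticky bit is clear."""
    return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)


def sticky_bit_violations(root, exclude=()):
    """Walk ``root`` and return the sorted paths of directories that fail the check.

    ``exclude`` lists directories to ignore, mirroring the check's exclusion
    list. os.walk does not follow symbolic links, so each real directory is
    examined once, under its own path.
    """
    excluded = {os.path.abspath(p) for p in exclude}
    violations = []
    for dirpath, _, _ in os.walk(root):
        if os.path.abspath(dirpath) in excluded:
            continue
        try:
            mode = os.stat(dirpath).st_mode
        except OSError:
            continue  # vanished or unreadable: skip it rather than abort the scan
        if directory_needs_sticky_bit(mode):
            violations.append(dirpath)
    return sorted(violations)


def check_passes(root, exclude=()):
    """The check passes when no violating directory exists, which includes the
    case of there being no world-writable directories at all."""
    return not sticky_bit_violations(root, exclude)


def build_demo_tree():
    """Build a throwaway, constructed directory tree covering each case.

    Every directory is chmod'ed explicitly so the result does not depend on
    the caller's umask.
    """
    root = tempfile.mkdtemp(prefix="sticky-demo-")
    cases = {
        "tmp": 0o1777,        # world-writable with sticky bit: compliant
        "scratch": 0o777,     # world-writable, no sticky bit: violation
        "home": 0o755,        # not world-writable: not in scope
        "home/alice": 0o755,  # not world-writable: not in scope
        "ignored": 0o777,     # would be a violation, but excluded in demo()
    }
    for rel, mode in cases.items():
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)
    return root


def demo():
    """Run the audit over the constructed tree and return the violating
    paths relative to the tree root."""
    root = build_demo_tree()
    try:
        bad = sticky_bit_violations(root, exclude=[os.path.join(root, "ignored")])
        return [os.path.relpath(p, root) for p in bad]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("violations in demo tree:", demo())  # ['scratch']
```

Run against a real host with sticky_bit_violations("/"), passing the same directories you would exclude in the Halo rule; the mkdtemp root itself is created mode 0700, so it never appears in the results.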
Home Directory Files Have No Unsafe PATH Statements
To help deter spoofing attacks (for example, a malicious executable planted in a writable directory under the name of a common command), verifies that the specified startup scripts in the home directory of the specified user (or users) contain only safe PATH statements. A PATH statement is unsafe if it places the current directory on the search path: as an explicit . element, as an empty field (::), or as a leading or trailing colon, which the shell also treats as an empty field.
Home Directory Files Have No Invalid umask Commands
Verifies that the specified startup scripts in the home directory of the specified user (or users) contain only appropriate umask commands. In general, a low umask value is less safe, because it masks off fewer permission bits and so causes newly created files to be overly permissive: umask 000 leaves new files world-writable, whereas 022 clears the group- and world-write bits.
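The following Python script is an added example (not CloudPassage Halo code) that applies both of the home-directory checks above to the text of a startup script: it flags PATH assignments that put the current directory on the search path and umask commands that leave files group- or world-writable. The regular expressions, the default minimum umask of 022, the list of script names and the sample .bashrc are this example's own assumptions, and the shell parsing is deliberately simple (one statement per line, comments stripped at the first '#').

```python
"""Check a user's shell startup scripts for unsafe PATH statements and
permissive umask commands.

Added example (not CloudPassage Halo code). The regexes, the default
``minimum_umask`` threshold, the script names and the sample .bashrc are this
example's own assumptions; shell parsing is deliberately simplistic.
"""
import os
import re

PATH_RE = re.compile(r"^\s*(?:export\s+)?PATH=(.*)$")
UMASK_RE = re.compile(r"^\s*umask\s+([0-7]{1,4})\s*(?:#.*)?$")


def unsafe_path_elements(value):
    """Return the PATH elements that resolve to the current directory.

    Splitting on ':' turns a leading colon, a trailing colon or '::' into an
    empty string, so both '.' and '' are flagged.
    """
    value = value.split("#", 1)[0].strip().strip("\"'")
    return [element for element in value.split(":") if element in ("", ".")]


def audit_startup_script(text, minimum_umask=0o022):
    """Return (line_no, kind, line) findings for one script's text.

    ``minimum_umask`` is the set of bits every umask must clear; the default
    022 forbids group- and world-writable files (027 and 077 are stricter and
    also pass).
    """
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        path_match = PATH_RE.match(line)
        if path_match:
            if unsafe_path_elements(path_match.group(1)):
                findings.append((number, "unsafe_path", stripped))
            continue
        umask_match = UMASK_RE.match(line)
        if umask_match:
            value = int(umask_match.group(1), 8)
            # Parenthesised: '!=' binds tighter than '&' in Python.
            if (value & minimum_umask) != minimum_umask:
                findings.append((number, "weak_umask", stripped))
    return findings


def audit_home(home, scripts=(".profile", ".bash_profile", ".bashrc")):
    """Audit the usual Bourne-family startup scripts in one home directory;
    absent files are skipped."""
    results = {}
    for name in scripts:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as handle:
                results[name] = audit_startup_script(handle.read())
    return results


# Constructed sample startup script (not taken from any real system).
SAMPLE_BASHRC = """\
# sample ~/.bashrc for this example
export PATH=$HOME/bin:/usr/local/bin:$PATH
PATH=.:$PATH      # current directory searched first: unsafe
PATH="$PATH:"     # trailing empty field also means '.': unsafe
umask 022
umask 002         # leaves new files group-writable: weak
"""

if __name__ == "__main__":
    for number, kind, line in audit_startup_script(SAMPLE_BASHRC):
        print(f"line {number}: {kind}: {line}")
```

Only the last umask in a script takes effect at login, but the checker reports every weak one, since a later statement can be removed without anyone noticing the earlier one; csh-family scripts set path with a different syntax and are not handled here.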
Login and Password Settings
This release continues the implementation of enhanced authentication and login requirements for Halo users, begun with the 13 March 2013 Halo release.
Site administrator can restrict IP addresses for Portal access
For added security, Halo Site Administrators can specify that their Halo users are permitted to log into the Halo Portal (or request a password reset) only from identified IP addresses.
If you are a site administrator, you can enter or edit the list of acceptable addresses in the Halo Portal, at Site Administration > Advanced Settings > Halo Portal Authorized Addresses.
Enter a comma-separated list of IP addresses or CIDR blocks.
Note: The list of authorized addresses must always include (or encompass) the address from which the Site Administrator is accessing the Portal in order to create or edit the list.
To remove all address restrictions for logging into the Portal, delete all addresses from the field and click Save.
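As an added example (not CloudPassage Halo code; the Portal's own parsing is not published), the following Python snippet parses a comma-separated list of addresses and CIDR blocks in the form the field above accepts, tests whether a given client address is allowed, and applies the note's caveat by refusing a list that does not cover the administrator's own address. Function names and the sample addresses (documentation ranges) are this example's own.

```python
"""Validate an authorized-address list and guard against self-lockout.

Added example (not CloudPassage Halo code). Function names and sample
addresses are this example's own assumptions.
"""
import ipaddress


def parse_authorized_addresses(field):
    """Parse a comma-separated list of IP addresses and CIDR blocks.

    Bare addresses become /32 (or /128) networks; an empty field yields [],
    meaning no restriction. A malformed entry raises ValueError.
    """
    networks = []
    for entry in field.split(","):
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_authorized(addr, networks):
    """True when ``addr`` falls inside any listed network, or the list is empty.

    Membership tests across IP versions are simply False, so a v4 client is
    not matched by a v6 block.
    """
    ip = ipaddress.ip_address(addr)
    return not networks or any(ip in net for net in networks)


def would_lock_out(field, admin_addr):
    """True when saving ``field`` would exclude the administrator's own
    address, the situation the release note warns about."""
    return not is_authorized(admin_addr, parse_authorized_addresses(field))


if __name__ == "__main__":
    # Constructed sample list using documentation ranges only.
    field = "203.0.113.0/24, 198.51.100.4"
    networks = parse_authorized_addresses(field)
    for candidate in ("203.0.113.7", "198.51.100.4", "198.51.100.5"):
        print(candidate, "allowed" if is_authorized(candidate, networks) else "denied")
    print("saving from 192.0.2.1 would lock out:", would_lock_out(field, "192.0.2.1"))
```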
Customizable account lockout controls
To guard against password-guessing attacks, Halo Site Administrators can specify the number of consecutive times that their Halo users can attempt (and fail) to log into the Portal before they are locked out for a period of time. The length of that lockout period is also controlled by the Site Administrator.
If you are a site administrator, you can make or change those settings in the Halo Portal, at Site Administration > Advanced Settings > Login Controls.
- For Failed Login Limit, enter a number of times from 1 to 25. (Default = 10.)
- For Lockout duration, enter a number of minutes from 5 to 1440. (Default = 60.)
For a locked-out user to log in again, the user can either complete a password reset (from the Halo Portal login page) or wait until the lockout period ends.
Password expiration and re-use settings are customizable
To minimize the potential for damage from stolen, intercepted, or copied passwords, Halo Site Administrators can specify how often their Halo users must change their passwords. Also, to prevent users from recycling the same passwords frequently, Site Administrators can prevent re-use of the same password for a specified amount of time.
If you are a site administrator, you can make or change those settings in the Halo Portal, at Site Administration > Advanced Settings > Password Expiration.
- For Expire passwords after, enter a number of days from 1 to 365.
- For Prevent password reuse for, enter a number of days from 1 to 999.
These two settings are independent. You can choose to activate neither, or just one, or both.
Note: A user with an expired password can log into the Halo Portal, but cannot perform any other task before obtaining a new password.
New Halo Daemon Release for Linux
This release marks the availability of Halo Daemon 2.7.9 for Linux. This version of the Daemon supports the new configuration rule check World-Writable Directories Have Sticky Bit Set, and it also allows file integrity monitoring to report changes to sticky-bit state as file integrity events. If you are using configuration security monitoring or file integrity monitoring on Linux and wish to monitor your directories' sticky bit, you must install the new Daemon.
Note: Sticky-bit detection for file integrity monitoring can cause false positives if any of the scanned servers is not running Daemon 2.7.9, or if new baselines have not been taken. Be sure to re-baseline your file integrity policies after upgrading.
The version number of the latest Halo Daemon for Windows remains at 2.7.8.
Corrected Windows Configuration Check
The configuration rule check Windows Local Security Policy Setting, part of the Late March 2013 release of CloudPassage Halo, has been corrected in this release to properly support the greater-than (>) and less-than (<) operators.