CloudPassage Halo — May 2013 Release
The May 2013 Release of CloudPassage® Halo® is a major release that adds new configuration policy rule checks to the beta release of Configuration Security Monitoring for Windows, implements a new version of the Halo Daemon, and includes several minor functional enhancements.
New Features in This Release
New Windows Configuration Security Monitoring Features
The configuration security monitoring feature of CloudPassage Halo became available to Windows Server users as a beta feature in the Late March 2013 release. This release adds powerful new rule checks for Windows. For a complete explanation of configuration security monitoring for both Windows and Linux, see Monitoring Server Configuration Security.
Service Started check
Verifies whether the specified Windows service or services are running (or not running) on a scanned Windows server.
For details on this check, see Rule Check: Service is Started (Windows).
Registry Key Value Setting check
Compares the actual value of a Windows registry key to its expected value.
For details on this check, see Rule Check: Registry Key Value Setting (Windows).
Local User Rights Assignment check
User Rights Assignment is part of the Local Security Policy on a Windows server. It specifies which users and groups are assigned to which security rights on the server. Over 40 different rights are defined.
This check verifies whether the supplied list of users and groups encompasses all who are assigned to the specified user right (policy). You can use this check to verify that only appropriate users and groups have a given right on the server.
For details on this check, see Rule Check: Local user Rights Assignment (Windows).
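As an illustration of what a Local User Rights Assignment check evaluates, the following Python script (an added example, not CloudPassage code) parses the [Privilege Rights] section of a security template in the format produced by "secedit /export /cfg <file>" and reports every principal that holds a given right but is not on the expected list. The template text and the domain SID S-1-5-21-1000-2000-3000-1105 are constructed for this example; S-1-5-32-544 (Administrators) and S-1-5-32-555 (Remote Desktop Users) are the standard well-known SIDs.

```python
"""Check Windows 'User Rights Assignment' entries against an allow-list.

Added example (not CloudPassage code). Reads the [Privilege Rights]
section of a secedit export and reports any principal that holds a right
but is not on the expected list. The template below is constructed.
"""
import configparser

# Constructed sample in secedit export format; SIDs carry a leading '*'.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1000-2000-3000-1105
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(template_text):
    """Return {right_name: set_of_SIDs} from the [Privilege Rights] section."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep right names such as SeDebugPrivilege case-sensitive
    parser.read_string(template_text)
    rights = {}
    for name, value in parser["Privilege Rights"].items():
        sids = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
        rights[name] = sids
    return rights


def check_user_right(rights, right_name, allowed_sids):
    """Return the SIDs holding `right_name` that are not in `allowed_sids`.

    An empty result means the rule passes: the supplied list encompasses
    everyone currently assigned. A right absent from the template is
    treated as assigned to nobody.
    """
    assigned = rights.get(right_name, set())
    return assigned - set(allowed_sids)


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_TEMPLATE)
    # Expect only Administrators and Remote Desktop Users to log on via RDP.
    extra = check_user_right(parsed, "SeRemoteInteractiveLogonRight",
                             ["S-1-5-32-544", "S-1-5-32-555"])
    print("unexpected SeRemoteInteractiveLogonRight holders:", sorted(extra))
```

Running the script against the sample reports the constructed domain account as an unexpected holder of the remote interactive logon right, while the SeDebugPrivilege check (Administrators only) passes with an empty result.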
Advanced Audit Policy Setting check
Verifies whether the selected advanced security audit policy setting has the specified value on a scanned Windows server. This one check allows you to verify the desired setting of any one of over 50 advanced audit policy settings.
The advanced security audit policy allows fine-grained control over what audit events should be logged. Audit events are stored as XML in a security log file and are viewable in the Windows Event Viewer.
Using this check in a configuration policy allows you to verify that a given event class (audit subcategory) is logged—or not logged—in the manner that you expect.
For details on this check, see Rule Check: Advanced Audit Policy Setting (Windows).
New Halo Daemon release for Windows
This release also marks the availability of version 2.8.2 of the Halo Daemon for Windows. If you are using configuration policies that include any of the following rule checks, you will need to upgrade to the new Daemon:
- Registry Key Value Setting (Windows)
- Advanced Audit Policy Setting (Windows)
- Service Started (Windows)
The latest version of the Halo Daemon for Linux remains at 2.7.9.
Improved re-baselining process
When a file integrity monitoring user re-baselines a server, the server selected by default in the dropdown list is now the server from which the current baseline was taken.
Features and Fixes in Previous Minor Releases
Since the last major release of CloudPassage Halo in early March 2013, CloudPassage has released two minor production updates. The following documents describe the new features and improvements included in each update.
- New Halo Features and Fixes - 29 April 2013
...includes several new configuration rule checks for Linux platforms, a new set of customizable controls on users' login and password settings, and minor UI enhancements and functional improvements.
- New Halo Features and Fixes - 8 April 2013
...includes the addition of nine new Linux rule checks to configuration security monitoring, plus minor functional improvements and user-interface enhancements.
The following are among the customer-reported issues that have been resolved for this release.
Improved handling of RDP sessions for GhostPorts users
As each GhostPorts user opens a session, the firewall on that user's server is rebuilt to accommodate the user. Previously, on Windows servers with large numbers of RDP sessions, rebuilding the firewall policy rule by rule took excessively long. Halo now adds rules in batches, which allows the policy to be rebuilt faster.
Improved baseline processing on Linux servers
On servers with a Debian-based Linux OS such as Ubuntu, scans of "/" (root) have sometimes failed because of the dynamic nature of the contents of the /proc directory. Halo has addressed this issue by verifying the existence of each file in /proc before creating its cryptographic signature.
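The following Python script (an added example, not Halo's implementation) shows the shape of a baseline scanner that survives entries disappearing mid-scan, which is what happens under /proc. Each entry is re-checked before hashing and the open itself is guarded, so a vanished or unreadable entry is recorded as skipped instead of aborting the whole scan. The directory tree it scans is constructed in a temporary directory.

```python
"""Build a file-integrity baseline that tolerates entries vanishing mid-scan.

Added example, not Halo's code. Directories such as /proc list entries
that may disappear between the directory listing and the moment the file
is opened; a naive scanner raises and aborts. Here the existence check
and a guarded open turn a vanished entry into a skipped one.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 hex digest of a regular file, or None if it is not (or no
    longer) a regular file that can be read."""
    if not os.path.isfile(path):  # existence/type check before signing
        return None
    digest = hashlib.sha256()
    try:
        # Still guarded: the entry can vanish between isfile() and open().
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    except OSError:  # FileNotFoundError, PermissionError, EIO on /proc ...
        return None
    return digest.hexdigest()


def build_baseline(root):
    """Walk `root`; return (signatures, skipped). `signatures` maps each
    readable regular file to its digest; `skipped` lists entries that
    vanished or could not be read."""
    signatures, skipped = {}, []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            sig = hash_file(path)
            if sig is None:
                skipped.append(path)
            else:
                signatures[path] = sig
    return signatures, skipped


def compare(baseline, current):
    """Return (added, removed, changed) sorted path lists between two scans."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Scan a constructed tree twice; returns relative (added, removed,
    changed) lists and the number of skipped entries in the second scan."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        write("a.txt", b"hello")
        write("b.txt", b"world")
        baseline, _ = build_baseline(root)
        write("a.txt", b"hello!")                # modified content
        os.remove(os.path.join(root, "b.txt"))   # vanished, like a /proc entry
        write("c.txt", b"new")                   # new file
        current, skipped = build_baseline(root)
        rel = lambda paths: [os.path.relpath(p, root) for p in paths]
        added, removed, changed = compare(baseline, current)
        return rel(added), rel(removed), rel(changed), len(skipped)


if __name__ == "__main__":
    print(demo())
```

The demo reports c.txt as added, b.txt as removed and a.txt as changed; a path that no longer exists yields None from hash_file rather than an exception, which is the behaviour the /proc fix needs.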
Value type now included in Windows registry key signature
The data type of a Windows registry key's value is now included in the cryptographic signature of the key, so that file integrity monitoring can now detect changes to the data type.
Note: Because of this change, users of file integrity monitoring who upgrade to Daemon version 2.8.2 will need to regenerate baselines for all policies that target registry keys.
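To show why the data type belongs in the signature, the following Python script (an added example, not Halo's signature format) computes a per-value signature with and without the type bound in. The two cases it constructs, REG_SZ flipped to REG_EXPAND_SZ with the same string and REG_DWORD 1 flipped to the same four bytes as REG_BINARY, store identical raw data, so only the type-aware signature detects them. The key and value names are constructed; the type codes are the standard winreg constants.

```python
"""Registry value signatures with and without the value's data type.

Added example, not Halo's algorithm. Values are modelled as
(type, python_value) and encoded to the raw bytes the registry stores, so
a type change with identical data can be exercised offline.
"""
import hashlib
import struct

# Standard winreg type codes.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4


def encode_value(reg_type, value):
    """Encode a Python value into the raw bytes the registry would store."""
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return (value + "\0").encode("utf-16-le")   # NUL-terminated UTF-16LE
    if reg_type == REG_DWORD:
        return struct.pack("<I", value)             # little-endian 32-bit
    if reg_type == REG_BINARY:
        return bytes(value)
    raise ValueError("unsupported type code %r" % reg_type)


def value_signature(name, reg_type, data, include_type):
    """SHA-256 over name, (optionally) type, and length-prefixed data."""
    h = hashlib.sha256()
    h.update(name.encode("utf-16-le") + b"\0\0")
    if include_type:
        h.update(struct.pack("<I", reg_type))
    h.update(struct.pack("<I", len(data)))
    h.update(data)
    return h.hexdigest()


def key_signatures(values, include_type):
    """values: {name: (reg_type, python_value)} -> {name: signature}"""
    return {name: value_signature(name, t, encode_value(t, v), include_type)
            for name, (t, v) in values.items()}


def changed_values(baseline, current, include_type):
    """Names present in both snapshots whose signatures differ."""
    b = key_signatures(baseline, include_type)
    c = key_signatures(current, include_type)
    return sorted(n for n in b if n in c and b[n] != c[n])


# Constructed key contents: a baseline and a later snapshot in which only
# the data types changed while the stored bytes stayed identical.
BASELINE = {"Path": (REG_SZ, "%SystemRoot%\\tools"), "Flags": (REG_DWORD, 1)}
CURRENT = {"Path": (REG_EXPAND_SZ, "%SystemRoot%\\tools"),
           "Flags": (REG_BINARY, b"\x01\x00\x00\x00")}

if __name__ == "__main__":
    print("data-only signature sees:", changed_values(BASELINE, CURRENT, False))
    print("type-aware signature sees:", changed_values(BASELINE, CURRENT, True))
```

With the data-only signature neither change is reported; with the type bound in, both Flags and Path are reported. The REG_SZ to REG_EXPAND_SZ case matters in practice because the same string now has environment variables expanded when read.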
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- False-positive file integrity security events can occur in Linux systems in which the prelink utility regularly resolves links to dynamic libraries in executable files and stores the results in the executable files, thereby modifying them. This action can create differences between the servers of a scan group and the baseline (golden master) server, thereby causing the false positives.
Workarounds. Take either of the following steps:
- Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to
- Turn off pre-linking on all of your servers.
- On the Add File Integrity Exception dialog box, it is not possible to activate the Custom date-range field by clicking within it.
Workaround: To enter a custom date range, use the tab key to tab into the field.