CloudPassage Halo — 28 May 2014 Release
The 28 May 2014 Release of CloudPassage® Halo® includes an enhanced configuration rule check, an event-consolidation option and a new scan-results display for file integrity scans, a new custom label available for identifying servers, a new version of the Halo agent, minor updates to the Halo API, and other enhancements and fixes.
New Features and Improvements
Configuration Security Monitoring
Network Service Accessibility check supports port ranges (and more ports)
This check includes two functional upgrades:
- The maximum size of the list of ports has been increased to 2048 bytes.
- The port list can include ranges of port numbers. For example, a list entry of 16000:16999/TCP means that any port from 16000 to 16999 (inclusive) may be open for TCP connections.
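As an added illustration (not CloudPassage code, and not a description of how the Halo scanner is implemented), the following Python parses a port list written in the form shown above, enforces the 2048-byte limit, and reports observed listening ports that the list does not permit. The comma-separated entry syntax, the single-port form "22/TCP", the hypothetical helper names, and the constructed sample listener set are assumptions made for the example; Halo's own checker semantics beyond the range notation are not documented on this page.

```python
"""Parse a Halo-style Network Service Accessibility port list and report
listening ports that it does not allow.

Added example, not CloudPassage code. Assumed (not stated on the page):
entries are comma-separated, a single port is written "22/TCP", a range is
written "16000:16999/TCP", and protocol names are case-insensitive.
"""
import re

MAX_LIST_BYTES = 2048  # limit stated in the release notes

_ENTRY_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?/(TCP|UDP)$", re.IGNORECASE)


def parse_port_list(spec):
    """Return a list of (low, high, proto) tuples; raise ValueError on bad input."""
    if len(spec.encode("utf-8")) > MAX_LIST_BYTES:
        raise ValueError("port list exceeds %d bytes" % MAX_LIST_BYTES)
    entries = []
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        m = _ENTRY_RE.match(token)
        if not m:
            raise ValueError("malformed port entry: %r" % token)
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError("port out of range in %r" % token)
        if low > high:
            raise ValueError("range start exceeds end in %r" % token)
        entries.append((low, high, m.group(3).upper()))
    return entries


def is_valid_port_list(spec):
    """True if the list parses; lets a caller validate before saving a rule."""
    try:
        parse_port_list(spec)
        return True
    except ValueError:
        return False


def is_allowed(entries, port, proto):
    """True if some entry covers port/proto (ranges are inclusive)."""
    return any(lo <= port <= hi and p == proto.upper() for lo, hi, p in entries)


def unexpected_listeners(spec, observed):
    """observed: iterable of (port, proto). Return sorted (port, PROTO)
    pairs that the allowed list does not cover."""
    entries = parse_port_list(spec)
    return sorted((port, proto.upper()) for port, proto in observed
                  if not is_allowed(entries, port, proto))


# Constructed sample: an allowed list and a netstat-like set of listeners.
SAMPLE_SPEC = "22/TCP, 443/TCP, 16000:16999/TCP, 53/UDP"
SAMPLE_OBSERVED = [(22, "tcp"), (443, "tcp"), (16500, "tcp"), (17000, "tcp"),
                   (3306, "tcp"), (53, "udp"), (161, "udp")]

if __name__ == "__main__":
    for port, proto in unexpected_listeners(SAMPLE_SPEC, SAMPLE_OBSERVED):
        print("unexpected listener: %d/%s" % (port, proto))
```

Note that 16500/TCP is accepted because it falls inside the 16000:16999 range, while 17000/TCP, one past the inclusive upper bound, is reported.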
File Integrity Monitoring
(See also the Halo API changes, below)
File Integrity Monitoring now includes a scan results page
File Integrity Monitoring scan issues can now be viewed as scan results (analogous to configuration scan results). Previously, the File Integrity Monitoring Scan Results page displayed only file integrity events, identical to the display on the Security Events History page.
As in configuration scanning, the results are displayed like this:
- Issues are grouped by policy rule; all rules from all policies used in the scan are included.
- By default, critical issues appear first, then non-critical, then rule passes.
- Expand a rule to view a list of the individual issues (or scanned objects) within it.
- Within a rule, scanned objects are by default sorted in this order: added, modified, missing, OK.
- Expand an object to view how it compares to its baselines.
- The results are paginated.
Multiple changes detected in a given target are by default reported as one event
By default, all issues (object changes) for a single file integrity target are combined into a single event during a scan. A Halo site administrator can choose to instead consider each individual change within a target to be a separate event. Note that making a separate event for every change within a target can significantly increase the total number of events reported.
Under Scanner Settings > File Integrity Monitoring on the Site Administration page, select or clear the checkbox Generate a separate event for every change detected by a file integrity monitoring rule.
Improved baseline-matching logic
The logic for comparing a scanned target object against multiple baselines has been corrected. A target that does not contain a particular object now passes when it is compared to two baselines of which one includes the object and the other does not, because the target's state matches one of the baselines.
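The three items above (the grouped and ordered scan-results display, the one-event-per-target default with its per-change alternative, and the corrected multi-baseline comparison) can be shown together. The following Python is an added example, not CloudPassage code: it models objects as path-to-hash maps, classifies each object against every baseline of a rule, orders rules and objects as the scan-results page does, and builds either consolidated or separate events. How an object that matches no baseline is classified, the field names, the tie-break on rule name, and the sample rules and file hashes are assumptions made for the example.

```python
"""Compare a scanned file-integrity target against one or more baselines,
group the results by rule in the order the new scan-results page uses, and
build either one consolidated event per target (the default) or a separate
event per change.

Added example, not CloudPassage code. Objects are modelled as path -> content
hash; a baseline that lacks a path records it as absent. Assumed here, not
stated on the page: how an object matching no baseline is classified
("added" if no baseline has it, "modified" if some baseline has it with a
different hash, "missing" if every baseline has it and the target does not),
and the rule/target/critical field names of the sample rules.
"""

STATE_ORDER = {"added": 0, "modified": 1, "missing": 2, "OK": 3}
STATUS_ORDER = {"critical": 0, "non-critical": 1, "pass": 2}


def classify(path, target, baselines):
    """Corrected multi-baseline logic from this release: the target's state for
    a path passes if it equals ANY baseline's state, including the case where
    the target lacks the object and at least one baseline also lacks it."""
    t = target.get(path)
    if any(b.get(path) == t for b in baselines):
        return "OK"
    if t is None:
        return "missing"    # every baseline has it, the target does not
    if all(b.get(path) is None for b in baselines):
        return "added"      # no baseline knows this object
    return "modified"       # some baseline has it with a different hash


def compare_target(target, baselines):
    """Return {path: state} over every path seen in the target or a baseline."""
    paths = set(target)
    for b in baselines:
        paths.update(b)
    return {p: classify(p, target, baselines) for p in sorted(paths)}


def scan_results(rules, server_files):
    """rules: dicts with rule, target (path prefix), critical, baselines.
    Returns rules ordered critical -> non-critical -> pass; within each rule
    the objects are ordered added, modified, missing, OK."""
    rows = []
    for r in rules:
        target = {p: h for p, h in server_files.items() if p.startswith(r["target"])}
        states = compare_target(target, r["baselines"])
        objects = sorted(states.items(), key=lambda kv: (STATE_ORDER[kv[1]], kv[0]))
        failed = any(s != "OK" for s in states.values())
        status = "pass" if not failed else ("critical" if r["critical"] else "non-critical")
        rows.append({"rule": r["rule"], "target": r["target"], "status": status, "objects": objects})
    return sorted(rows, key=lambda row: (STATUS_ORDER[row["status"]], row["rule"]))


def build_events(results, separate_events=False):
    """separate_events mirrors the site setting 'Generate a separate event for
    every change detected by a file integrity monitoring rule'; the default
    combines all changes within one target into a single event."""
    events = []
    for r in results:
        changes = [(p, s) for p, s in r["objects"] if s != "OK"]
        if not changes:
            continue
        if separate_events:
            events.extend({"rule": r["rule"], "target": r["target"], "changes": [c]} for c in changes)
        else:
            events.append({"rule": r["rule"], "target": r["target"], "changes": changes})
    return events


# Constructed sample data: three rules and one scanned server.
SAMPLE_RULES = [
    {"rule": "web content", "target": "/var/www/", "critical": False,
     "baselines": [{"/var/www/index.html": "h5"}]},
    {"rule": "sshd config", "target": "/etc/ssh/", "critical": True,
     "baselines": [{"/etc/ssh/sshd_config": "h1", "/etc/ssh/banner": "hb"},
                   {"/etc/ssh/sshd_config": "h1"}]},   # banner only in one baseline
    {"rule": "system binaries", "target": "/usr/bin/", "critical": True,
     "baselines": [{"/usr/bin/sudo": "h2", "/usr/bin/passwd": "h3", "/usr/bin/su": "h4"}]},
]
SERVER_FILES = {
    "/etc/ssh/sshd_config": "h1",   # no banner: passes against the second baseline
    "/usr/bin/sudo": "h2",
    "/usr/bin/passwd": "h3x",       # modified
    "/usr/bin/nc": "h7",            # added
    "/var/www/index.html": "h5",
    "/var/www/shell.php": "h6",     # added, under a non-critical rule
}                                   # /usr/bin/su is missing

if __name__ == "__main__":
    results = scan_results(SAMPLE_RULES, SERVER_FILES)
    for row in results:
        print(row["status"], row["rule"], [s for _, s in row["objects"]])
    print(len(build_events(results)), "consolidated events;",
          len(build_events(results, separate_events=True)), "separate events")
```

With the sample data, the "sshd config" rule passes only because of the corrected logic: the server has no /etc/ssh/banner, and one of the two baselines lacks it too. Switching the per-change option turns the two consolidated events into four.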
Halo Agent (Daemon) and Servers
New versions of the Halo agent
As of this release, new versions of the Halo agent are available: v. 3.1.8 on Linux platforms, and v. 3.1.9 on Windows platforms.
Agent restarts automatically after upgrade
When you upgrade the Halo agent on a server, the upgraded agent automatically starts at the end of the upgrade process, if the older agent was running when the upgrade started. There is no need to manually start the new agent.
If you are upgrading and do not want the new agent to start, just stop the older agent before starting the upgrade.
Package managers can accept both HTTP and HTTPS
Installing and upgrading Halo Daemons can now occur over either HTTPS or HTTP connections. The installation scripts in the Halo Portal specify HTTPS by default. Plain HTTP gives no transport-level integrity or authenticity for the downloaded package, so keep the HTTPS default unless you verify the package by some other means.
Custom label attribute available for servers
An optional label attribute has been added to Halo servers. The attribute is called label in the Halo portal and server_label in the Halo API. It is an alternative to the existing hostname and FQDN attributes assigned to each server. If a non-null value exists for a server's label attribute, the label is displayed everywhere in the portal UI in place of the hostname or FQDN.
The label attribute has been implemented to allow you to use Halo to assign more user-friendly or explanatory names to your servers.
You cannot set a server label from within the Halo portal or through the Halo API; instead, you pass it as a parameter on the Halo agent's startup command, as follows:
- (Linux) Modify the agent startup script to add the --server-label option to the start command line, as in
  sudo /etc/init.d/cphalod start --daemon-key=yourDaemonKey --server-label=yourServerLabel
- (Windows) Execute an unattended installation with the /server-label yourServerLabel option on the command line.
- (Windows) Use the Windows Service Manager after installation:
  - Open the Services control panel. For example, from the Start menu, select Administrative Tools and then Services.
  - Right-click the line for the CloudPassage Halo Daemon service, then select Properties from the drop-down menu.
  - In the Properties dialog, enter the label assignment in the Start parameters field, using this format:
  - Now start the service by clicking Start.
  Important: Do not click OK without first clicking Start. Start parameters entered in this dialog are passed only to the start you trigger from it and are not saved with the service, so if you click OK first, the label will not be assigned to the agent.
For complete instructions on installing and uninstalling Halo agents on your server hosts, see Install Daemons in the Halo Operations Guide.
Logging and Alerting
New audit event defined
Halo generates the "Halo API authentication success" audit event each time an API key is used to obtain an access token from the Halo API authorization server. This is a separate event from "Halo login success", which is generated each time a Halo user logs into the Halo portal.
In the Halo API, the name for this event is
Halo API
File integrity scan details now returned by Server Scans API
The Server Scans API endpoint now supports the method "List server file integrity scan results", which returns the details of the latest file integrity scan on a specified server:
Historical scan details are available, as before, through the "Get scan details" method of the Scan History endpoint.
Known Issues
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- Editing file integrity baseline expiration. If you want to change the expiration value when editing or re-baselining an existing baseline, the new expiration date is now calculated from the current date, rather than from the original baseline-creation date. However, if you keep the same setting (number of days) for the expiration value, the re-calculation does not occur and the expiration date remains based on the original creation date.
Workaround: Select a different expiration value and save the baseline. Then re-edit the baseline and specify your desired expiration value.
- False-positive file integrity security events can occur on Linux systems in which the prelink utility regularly resolves links to dynamic libraries in executable files and stores the results in the executable files, thereby modifying them. This can create differences between the servers of a scan group and the baseline (golden master) server, causing the false positives.
Workarounds. Take either of the following steps:
- Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to prelink.
- Turn off pre-linking on all of your servers.