CloudPassage Halo — 06 August 2014 Release
The 06 August 2014 Release of CloudPassage® Halo® features the beta release of Halo's Log-Based Intrusion Detection system, adds the ability to place IP address restrictions on authentication to the Halo API, and includes other new features and improvements.
New Features and Improvements
Beta release of Log-Based Intrusion Detection
With this release, a beta version of the Halo Log-Based Intrusion Detection system is available to all Halo Professional and Enterprise customers on both Linux and Windows platforms. It is Halo's newest security module, and it significantly improves your ability to detect unauthorized activity quickly across your cloud infrastructure.
Log-Based Intrusion Detection monitors server log files for events of interest that you have specified by policy, and it can send you alerts when any of those events occur. The module can track any number of system or application log files on any of your servers.
Log entries detected by Log-Based Intrusion Detection are saved as Halo events and thus are visible in the Halo portal and can be exported to log-management or SIEM systems for further analysis.
Log-Based Intrusion Detection policies consist of multiple rules, each of which specifies a log file to examine and a search pattern (or event ID) that identifies a particular kind of event. Halo provides both Linux and Windows example policies that you can use as-is, or you can use the Halo portal to easily customize them or create new policies of your own.
- A Linux policy rule might look something like this:
In this case, all Linux servers in the server group to which this rule's policy is assigned will be scanned for root-password change events, as recorded in the log file
- A Windows policy rule might look something like this:
In this case, all Windows servers in the server group to which this rule's policy is assigned will be scanned for "account enabled" events (ID = 4722) in which the event message also contains the word "Guest" (meaning that a guest account has been enabled), as recorded in the Windows "Security" event channel.
Log-Based Intrusion Detection provides another method for detecting unauthorized activity on your servers, complementing the change-detection capabilities of Halo File Integrity Monitoring. See Using Log-Based Intrusion Detection with CloudPassage Halo for complete information on this new module.
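The two rule shapes described above (a Linux rule keyed on a log file and a search pattern; a Windows rule keyed on an event channel, an event ID and a message pattern) can be mirrored in a few lines of Python. The following is an added illustration, not Halo code: the log path /var/log/secure, the regular expressions, the rule names and the sample log lines are all assumptions and constructed data, since the page does not show the actual rule contents.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One rule of an LBID-style policy: which log to read and what identifies the event."""
    name: str
    source: str                     # Linux: log file path; Windows: event channel
    pattern: Optional[str] = None   # regex searched for in the line or event message
    event_id: Optional[int] = None  # Windows event ID the record must carry

    def matches(self, record: "LogRecord") -> bool:
        if record.source != self.source:
            return False
        if self.event_id is not None and record.event_id != self.event_id:
            return False
        if self.pattern is not None and not re.search(self.pattern, record.text):
            return False
        return True


@dataclass(frozen=True)
class LogRecord:
    source: str
    text: str
    event_id: Optional[int] = None  # only Windows event-log records carry one


def scan(records: List[LogRecord], rules: List[Rule]) -> List[Dict]:
    """Evaluate every rule against every record; each hit becomes an event dict."""
    events = []
    for rec in records:
        for rule in rules:
            if rule.matches(rec):
                events.append({"rule": rule.name, "source": rec.source,
                               "event_id": rec.event_id, "text": rec.text})
    return events


RULES = [
    # Linux: a root password change as written by passwd via pam_unix.
    # /var/log/secure is an assumed path; the page does not name the file.
    Rule("root password changed", "/var/log/secure",
         pattern=r"passwd\[\d+\]: .*password changed for root$"),
    # Windows: event 4722 (account enabled) whose message names the Guest account.
    Rule("Guest account enabled", "Security",
         event_id=4722, pattern=r"\bGuest\b"),
]

# Constructed sample input, not captured from a real host.
LINUX_SECURE_LINES = [
    "Aug  6 10:01:12 web01 sshd[2311]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "Aug  6 10:02:40 web01 passwd[2377]: pam_unix(passwd:chauthtok): password changed for root",
    "Aug  6 10:05:09 web01 passwd[2460]: pam_unix(passwd:chauthtok): password changed for alice",
]
WINDOWS_SECURITY_EVENTS = [
    (4624, "An account was successfully logged on. Account Name: svc_backup"),
    (4722, "A user account was enabled. Target Account Name: jsmith"),
    (4720, "A user account was created. Target Account Name: Guest"),
    (4722, "A user account was enabled. Target Account Name: Guest"),
]


def demo_events() -> List[Dict]:
    """Run the two rules over the constructed Linux and Windows records."""
    records = [LogRecord("/var/log/secure", line) for line in LINUX_SECURE_LINES]
    records += [LogRecord("Security", msg, event_id=eid) for eid, msg in WINDOWS_SECURITY_EVENTS]
    return scan(records, RULES)


if __name__ == "__main__":
    for ev in demo_events():
        print(f"{ev['rule']!r:30} <- {ev['source']} {ev['event_id'] or ''} {ev['text']}")
```

Note what does not fire: the password change for alice (pattern mismatch), event 4722 for jsmith (pattern mismatch), and event 4720 naming Guest (event ID mismatch). Only records that satisfy every constraint of a rule become events, which is the property you want to confirm when customizing the example policies.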
IP restrictions on authentication with API keys
It is now possible to restrict the IP addresses from which an API client can authenticate to the Halo API. When creating a new API key, you can associate one or more IP addresses or CIDR blocks with it by entering them as a comma-separated list on the Create a New API Key form.
If a key does specify one or more allowed IP addresses, the authentication endpoint of the Halo API will reject any authentication attempts using that key from an IP address that is not on the allowed list. In that situation, the client cannot authenticate and an API authentication failure event is logged.
If the key specifies no IP addresses, the authentication endpoint allows authentication from any address.
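The following Python mirrors the behavior described above and is an added example, not Halo's own code (the real enforcement happens server-side in the Halo API): it parses the comma-separated IP/CIDR list attached to a key, allows an authentication attempt only when the client address falls inside one of those entries, records an API authentication failure event otherwise, and treats an empty list as "any address". The key IDs, addresses and event fields are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allow_list(text: str) -> List[Network]:
    """Parse the comma-separated IP / CIDR list entered for a key.

    A bare address becomes a /32 (or /128) network. strict=True makes
    ipaddress raise ValueError for entries with host bits set, such as
    10.0.0.5/24, instead of silently widening them to 10.0.0.0/24.
    An empty string yields an empty list, meaning "no restriction".
    """
    nets: List[Network] = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def allow_list_is_valid(text: str) -> bool:
    """True if every entry parses; use this to reject bad input at key-creation time."""
    try:
        parse_allow_list(text)
    except ValueError:
        return False
    return True


@dataclass
class ApiKey:
    key_id: str                                  # constructed identifier
    allowed: List[Network] = field(default_factory=list)


@dataclass
class AuthFailureEvent:
    key_id: str
    client_ip: str
    reason: str


def authenticate(key: ApiKey, client_ip: str, audit: List[AuthFailureEvent]) -> bool:
    """Decide whether an authentication attempt with `key` from `client_ip` may proceed.

    client_ip must be the peer address the endpoint actually sees, not a
    client-supplied header. Returns True to allow; on denial, records an
    API authentication failure event and returns False.
    """
    addr = ipaddress.ip_address(client_ip)
    if not key.allowed:                          # no restriction configured
        return True
    for net in key.allowed:
        if addr.version == net.version and addr in net:
            return True
    audit.append(AuthFailureEvent(key.key_id, client_ip,
                                  "source address not in key's allowed list"))
    return False


if __name__ == "__main__":
    log: List[AuthFailureEvent] = []
    restricted = ApiKey("key-restricted", parse_allow_list("203.0.113.7, 10.0.0.0/8"))
    unrestricted = ApiKey("key-open")
    for key, ip in [(restricted, "10.42.1.9"), (restricted, "203.0.113.8"),
                    (restricted, "2001:db8::1"), (unrestricted, "198.51.100.20")]:
        print(f"{key.key_id} from {ip}: {'allowed' if authenticate(key, ip, log) else 'denied'}")
    print(f"{len(log)} failure event(s) logged")
```

Two points worth checking in any such implementation: the address compared must be the actual TCP peer address the authentication endpoint sees, never a client-supplied header such as X-Forwarded-For, and an empty allow list is the weaker configuration, so keys intended for a fixed set of hosts should always carry one.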
Other new features and improvements
Halo API enhancements
- The Servers API endpoint now supports filtering server searches by multiple server groups. For example:
- When you execute a saved search, the Saved Searches API endpoint by default returns the results in JSON format. You can now elect to retrieve the results in CSV or PDF format instead.
New audit events logged
The following audit event types are now logged and can be configured in the Halo portal, as of this release. (Equivalent Halo API event-type names are shown in parentheses.)
Software Vulnerability Assessment:
- Software vulnerability exception created (
- Software vulnerability exception expired (
- Software vulnerability exception deleted
Server Account Management:
- Local account activation requested (
- Local account creation requested (
- Local account deactivation requested (
- Local account modification requested (
- Local account ssh keys update requested (
Corrected sorting for Users list on Site Administration page
The list of Halo users on the Users tab of the Halo portal's Site Administration page is now sortable by the following additional columns: Portal Access, GhostPorts, Last Login, and Status.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- Editing file integrity baseline expiration. If you want to change the expiration value when editing or re-baselining an existing baseline, the new expiration date is now calculated from the current date, rather than from the original baseline-creation date. However, if you keep the same setting (number of days) for the expiration value, the re-calculation does not occur and the expiration date remains based on the original creation date.
Workaround: Select a different expiration value and save the baseline. Then re-edit the baseline and specify your desired expiration value.
- False-positive file integrity security events can occur on Linux systems on which the prelink utility periodically rewrites executables to pre-resolve their links to dynamic libraries, storing the results in the executable files and thereby modifying them on disk. This can create differences between the servers of a scan group and the baseline (golden master) server, which cause the false positives.
Workarounds. Take either of the following steps:
- Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to
- Turn off pre-linking on all of your servers.