CloudPassage Halo — 1 December 2014 Release
The 1 December 2014 Release of CloudPassage® Halo® includes new information returned for API calls to retrieve Halo events, and changes to Halo account subscription packages for new accounts.
New Features and Improvements
Halo server processes gathered and available through the REST API
Halo now automatically conducts regular scans of all active servers to determine what processes are running on each server. The information gathered for each process includes its name, process ID, parent process ID, state, and impact on system resources (CPU and memory).
Also, the Halo REST API now includes the new endpoint "Server Processes". You can call its "List server processes" method to retrieve the above information and other details for each of the processes running on a given server:
Primary server IP address returned for all server-related events
The Events API endpoint defines the fields that make up the event objects returned by the "List events" method. For server-related events, two IP address fields are now returned:
server_primary_ip_address, the first IP address of the server's network interface, and
server_ip_address, the server's connecting IP address.
Events generated earlier than this release will contain a valid value for the server_ip_address field, but the listed value for the primary IP address will be
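An added example (not CloudPassage code) of consuming the two IP fields described above when forwarding events to a log pipeline. It treats a missing, null, empty or unparseable server_primary_ip_address as unknown, which is an assumption about how events from before this release appear; the sample events and their type and server_id values are constructed.

```python
import ipaddress

# Constructed sample events. Only the two IP field names come from the release
# notes; "type", "server_id" and every value here are assumptions.
SAMPLE_EVENTS = [
    {"type": "constructed_server_event", "server_id": "srv-a",
     "server_primary_ip_address": "10.0.1.15", "server_ip_address": "203.0.113.7"},
    {"type": "constructed_server_event", "server_id": "srv-b",
     "server_primary_ip_address": "10.0.1.16", "server_ip_address": "10.0.1.16"},
    # Shaped like an event from before this release: no usable primary IP.
    {"type": "constructed_server_event", "server_id": "srv-c",
     "server_primary_ip_address": None, "server_ip_address": "198.51.100.20"},
    # Not server-related: neither IP field is present.
    {"type": "constructed_portal_event", "actor": "admin"},
]


def parse_ip(value):
    """Return an ipaddress object, or None for missing, empty or invalid input."""
    if not isinstance(value, str) or not value.strip():
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def normalize_event_addresses(event):
    """Return address fields for one event, or None without a usable connecting IP."""
    connecting = parse_ip(event.get("server_ip_address"))
    if connecting is None:
        return None
    primary = parse_ip(event.get("server_primary_ip_address"))
    return {
        "server_id": event.get("server_id"),
        "connecting_ip": str(connecting),
        "primary_ip": str(primary) if primary is not None else None,
        # Correlate on the interface address when known, else fall back.
        "correlation_ip": str(primary if primary is not None else connecting),
        "primary_known": primary is not None,
        # A mismatch can indicate NAT, a proxy, or a multi-homed server.
        "addresses_differ": primary is not None and primary != connecting,
    }


def normalize_events(events):
    return [r for r in map(normalize_event_addresses, events) if r is not None]
```

Records with primary_known set to False should be correlated on connecting_ip only, since their interface address cannot be compared against asset inventory.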
Halo subscription package changes
Separate levels of subscription to Halo (Basic, NetSec, Professional, Enterprise) are no longer available. When a Halo Evaluation period ends, the user cannot log into the Halo portal and must contact CloudPassage Sales if the user wishes to continue using Halo. It is no longer possible to purchase or upgrade Halo accounts through the Halo portal UI.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- IE8 not supported for Halo reporting. The Halo reporting service does not function for a user who has logged into Halo using Internet Explorer 8.
Workaround: Log in with a more recent version of IE or with a different browser, or use the Halo API to construct server searches.
- Editing file integrity baseline expiration. If you want to change the expiration value when editing or re-baselining an existing baseline, the new expiration date is now calculated from the current date, rather than from the original baseline-creation date. However, if you keep the same setting (number of days) for the expiration value, the re-calculation does not occur and the expiration date remains based on the original creation date.
Workaround: Select a different expiration value and save the baseline. Then re-edit the baseline and specify your desired expiration value.
- False-positive file integrity security events can occur in Linux systems in which the prelink utility regularly resolves links to dynamic libraries in executable files and stores the results in the executable files, thereby modifying them. This action can create differences between the servers of a scan group and the baseline (golden master) server, thereby causing the false positives.
Workarounds. Take either of the following steps:
- Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to
- Turn off pre-linking on all of your servers.