CloudPassage Halo — 12 March 2015 Release
The 12 March 2015 release of CloudPassage® Halo® includes a Halo firewall option that helps with Docker integration, corrections to the portal display of server lists and user-account SSH keys, updates to the Halo Terms of Service, and other minor enhancements and fixes.
New Features and Improvements
New firewall policy option to ignore iptables forwarding rules
To allow Halo firewalls to function properly in a Docker environment without interfering with Docker's management of the iptables FORWARD chain, Halo firewall policies can now be configured to ignore the iptables forwarding rules. With that option enabled, Halo leaves the FORWARD chain (and the rules Docker inserts into it) alone rather than overwriting them with the policy's own rules, and it does not generate a "firewall modified" security event when Docker changes them. Changes to the other chains are still enforced and reported as before.
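The following is an added illustration of the kind of comparison such an option implies; it is not CloudPassage code, and Halo's actual detection logic is not published on this page. It parses two constructed `iptables-save` dumps (a clean baseline and the same host after Docker has started a container), fingerprints every chain except FORWARD and the user chains reachable only from FORWARD, and reports whether the firewall was "modified". The function names, the sample rulesets and the chain-reachability rule are all assumptions made for the example.

```python
"""Fingerprint an iptables ruleset, optionally ignoring the FORWARD chain.

Added example, not CloudPassage/Halo code. Demonstrates why a "firewall
modified" check that ignores forwarding rules stops alerting on Docker's
FORWARD/DOCKER chain changes while still catching edits elsewhere.
"""
import hashlib

BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

# Constructed sample: filter table of a host before Docker touches it.
BASELINE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: same host after Docker published a container port.
# Docker flips the FORWARD policy, adds a DOCKER chain and jumps to it.
AFTER_DOCKER = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed sample: Docker changes plus an unrelated hole punched in INPUT.
TAMPERED = AFTER_DOCKER.replace(
    "--dport 22 -j ACCEPT",
    "--dport 22 -j ACCEPT\n-A INPUT -p tcp --dport 4444 -j ACCEPT",
)


def parse_iptables_save(dump: str) -> dict:
    """Return {table: {chain: [policy line, rule, rule, ...]}}, counters dropped."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # *filter, *nat, ...
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            tables[table].setdefault(chain, []).append(f"policy {policy}")
        elif line.startswith("-A "):                  # -A CHAIN <match> -j TARGET
            tables[table].setdefault(chain := line.split()[1], []).append(line)
        else:
            raise ValueError(f"unrecognised iptables-save line: {raw!r}")
    return tables


def jump_targets(rules: list) -> set:
    """Targets of -j / -g in a chain's rules (ACCEPT, DROP, user chains, ...)."""
    targets = set()
    for rule in rules:
        toks = rule.split()
        for flag in ("-j", "-g"):
            if flag in toks:
                targets.add(toks[toks.index(flag) + 1])
    return targets


def forward_chains(chains: dict) -> set:
    """FORWARD plus every user chain referenced only from already-ignored chains.

    Assumption of this example: a chain hanging solely off FORWARD (Docker's
    DOCKER chain) belongs to the forwarding rules and is ignored with them.
    """
    ignored, changed = {"FORWARD"}, True
    while changed:
        changed = False
        for chain, _ in chains.items():
            if chain in ignored or chain in BUILTIN:
                continue
            referrers = {c for c, rs in chains.items() if chain in jump_targets(rs)}
            if referrers and referrers <= ignored:
                ignored.add(chain)
                changed = True
    return ignored


def fingerprint(dump: str, ignore_forward: bool = False) -> str:
    """SHA-256 over the kept chains, in a canonical order."""
    kept = []
    for table, chains in sorted(parse_iptables_save(dump).items()):
        skip = forward_chains(chains) if ignore_forward else set()
        for chain, rules in sorted(chains.items()):
            if chain not in skip:
                kept.extend(f"{table}:{chain}:{r}" for r in rules)
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()


def firewall_modified(baseline: str, current: str, ignore_forward: bool = False) -> bool:
    return fingerprint(baseline, ignore_forward) != fingerprint(current, ignore_forward)


if __name__ == "__main__":
    print("strict  :", firewall_modified(BASELINE, AFTER_DOCKER))                 # True
    print("ignore  :", firewall_modified(BASELINE, AFTER_DOCKER, True))           # False
    print("tampered:", firewall_modified(BASELINE, TAMPERED, True))               # True
```

The strict comparison raises an alert the moment Docker starts a container; with forwarding rules ignored, the same host stays quiet, but the extra INPUT rule in the tampered dump is still caught. Note that Docker also edits the nat table (DOCKER chain under PREROUTING/POSTROUTING for port publishing), so in practice the set of chains to exclude may be wider than this filter-table example shows.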
"Configuration Risks" server display corrected to remove duplicates
Previously, when multiple simultaneous configuration scans were run, the list of servers on the Halo dashboard's Configuration Risks page could contain duplicate entries for the same server. The issue has been addressed so that each server now appears only once in the table.
Corrected display of SSH information in Server Account Management
SSH information for server-local users had been missing from the account details displayed by Server Account Management after a scan. The issue has been addressed and the SSH information is now displayed properly.
Improved parsing of file integrity scan results
Some Halo customers have recently reported that Halo's parsing of file integrity scan results for display in the Halo portal can result in an HTTP 404 error (resource not found). CloudPassage has addressed the issue by upgrading certain infrastructure drivers, and we do not expect these errors to recur.
Problem that caused recurring false-positive vulnerabilities has been corrected
A customer reported an issue in which remediated vulnerabilities would (properly) disappear from subsequent scans, but only temporarily. After a week or so, the same vulnerabilities would once again be reported. A detailed investigation of the inner workings of SVA located the source of the problem, and it is now fixed.
Deleted host marked as active
Previously, it had been possible (though rare) for a deleted server host to appear in the Halo Portal as active, even though in reality it had been deleted, and the Halo user could not at that point delete the agent. Improvements in agent-to-analytics-engine communication have eliminated the possibility of reaching that stalemated state.
Updated CloudPassage Terms of Service document
The CloudPassage Terms of Service document has been updated. Please review it at https://portal.cloudpassage.com/terms-of-service.html.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- IE8 not supported for Halo reporting. The Halo reporting service does not function for a user who has logged into Halo using Internet Explorer 8.
Workaround: Log in with a more recent version of IE or with a different browser, or use the Halo API to construct server searches.
- Editing file integrity baseline expiration. If you change the expiration value when editing or re-baselining an existing baseline, the new expiration date is calculated from the current date rather than from the original baseline-creation date. However, if you keep the same expiration value (number of days), the recalculation does not occur and the expiration date remains based on the original creation date.
Workaround: Select a different expiration value and save the baseline. Then re-edit the baseline and specify your desired expiration value.
- False-positive file integrity security events can occur on Linux systems in which the prelink utility regularly resolves links to dynamic libraries in executable files and stores the results in the executable files, thereby modifying them. This can create differences between the servers of a scan group and the baseline (golden master) server, causing the false positives.
Workarounds. Take either of the following steps:
- Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to
- Turn off pre-linking on all of your servers.