CloudPassage Halo — 9 April 2015 Release
The 9 April 2015 release of CloudPassage® Halo® includes improved scan performance for File Integrity Monitoring, corrections to the handling of SSH information for server accounts, and other corrections and improvements.
New Features and Improvements
Performance improvements for large FIM scans
To help achieve the desired high levels of performance for File Integrity Monitoring, the scanning process has been made more efficient. One consequence of this improvement is that file integrity scan results now include only those objects that have failed their integrity checks. Objects that pass their checks are not listed in the scan results, although the scan summary displays the total number of objects that passed. (The details of the objects that passed are always available in the baselines used for the scan.)
Improved functionality for "ignore forwarding rules" option in firewall policies
To allow Halo firewalls to function properly in a Docker environment without interfering with Docker's management of the FORWARD chain, Halo firewall policies have supported an option to ignore the iptables forwarding rules. In that case, Halo will not override Docker-inserted firewall modifications of forwarding rules, and Halo will not generate a "firewall modified" security event when the modifications occur.
To make sure that forwarding rules are not deleted during the installation of a Halo firewall policy that has "ignore forwarding" enabled, Halo no longer completely removes an existing policy when installing a new one; it replaces only the inbound and outbound connection rules.
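One way to confirm this behavior on a Docker host is to capture `iptables-save` output before and after a policy install and compare the chains. The following is an added example, not CloudPassage code; the function names and the sample dumps are constructed for illustration, and it assumes `iptables-save` was run without the `-c` counters option.

```python
from collections import defaultdict

def parse_iptables_save(dump):
    """Return {table: {chain: [rule, ...]}} parsed from iptables-save text."""
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":") and table:     # chain declaration (may stay empty)
            tables[table][line[1:].split()[0]]
        elif line.startswith("-A ") and table:   # rule appended to a chain
            parts = line.split(None, 2)
            tables[table][parts[1]].append(parts[2] if len(parts) > 2 else "")
    return tables

def changed_chains(before, after, table="filter"):
    """Names of chains whose ordered rule lists differ between two dumps."""
    b = parse_iptables_save(before)[table]
    a = parse_iptables_save(after)[table]
    return sorted(c for c in set(b) | set(a) if b.get(c) != a.get(c))

def forward_preserved(before, after):
    """True if the filter-table FORWARD chain is identical in both dumps."""
    return "FORWARD" not in changed_chains(before, after)

# Constructed sample dumps (not taken from a real host).
BEFORE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
"""
# Policy install that replaces only inbound and outbound rules.
AFTER = BEFORE.replace(
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT\n"
    "-A OUTPUT -p udp --dport 53 -j ACCEPT")
# What a full flush-and-reload would leave behind: Docker's FORWARD rules gone.
FLUSHED = "\n".join(l for l in AFTER.splitlines() if not l.startswith("-A FORWARD"))

if __name__ == "__main__":
    print(changed_chains(BEFORE, AFTER), forward_preserved(BEFORE, AFTER))
    print(changed_chains(BEFORE, FLUSHED), forward_preserved(BEFORE, FLUSHED))
```

On a live host, the two inputs would be the saved output of `iptables-save` taken immediately before and after the policy is applied.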
Corrected handling of SSH info for server accounts
Server Account Management now correctly retrieves and displays the SSH information for accounts on all platforms, and it also properly handles the situation in which an account's username is nil.
Please note that the following features will soon be removed from Halo. Please plan to modify any code or procedures that depend on them.
- FIM option to generate a separate event for every changed object. On the Edit File Integrity Policy page of the Halo portal, the checkbox allowing this (not recommended) option will be removed. Scans will always group all changes to a given policy-defined target on a given server into a single event.
Expected removal date: Q2 2015.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- Editing file integrity baseline expiration. If you want to change the expiration value when editing or re-baselining an existing baseline, the new expiration date is now calculated from the current date, rather than from the original baseline-creation date. However, if you keep the same setting (number of days) for the expiration value, the re-calculation does not occur and the expiration date remains based on the original creation date.
Workaround: Select a different expiration value and save the baseline. Then re-edit the baseline and specify your desired expiration value.