CloudPassage Halo — 13 July 2015 Release
The 13 July 2015 Release of CloudPassage® Halo® includes the addition of Boolean logic capability to configuration policy rules, availability of two new configuration rule checks, expanded character support for FIM and LIDS rules, improved functioning of the LIDS regular-expression tester, and—for the Halo API—new fields in the event object that identify the specific scan and finding that triggered the event.
New Features and Improvements
Configuration Security Monitoring
Boolean logic capability added to CSM rules
Every Configuration policy rule can now be put into either of two states, each with different criteria for determining whether the rule has passed or failed. The form for creating or editing a rule now has two radio buttons, AND and OR, just above the first rule check, and you choose between them as follows:
- If the rule contains multiple checks and you select AND (the default), all checks must pass for the rule to pass; if any check fails, the rule fails.
- If you select OR, the rule passes if any of the checks within it passes. For the rule to fail, all of its checks must fail.
The addition of the OR capability allows you to create policy rules that apply a different logic for defining rule violations, one in which the existence of any one of several settings is sufficient to specify a good configuration. For example, a rule could have one check that requires a given file to have a specific ACL, and another check that requires the file to not be present. If the two checks are OR'd, it means that the file need not exist, but if it does it must have that specific ACL.
New Package Presence Check
The Package Presence check compares the specified package names with the installed set of packages on the server being scanned. Use it like this:
- Select should be installed to specify that all the listed packages must be installed.
- Select should not be installed to create a blacklist—none of the specified packages may be installed.
- Select allowed to be installed to create a whitelist—only packages on the list may be installed.
New User Account Presence Check
The User Account Presence check compares the specified usernames with the set of usernames for all active local accounts on the server being scanned. Use it like this:
- Select should be present to specify that all the listed accounts must exist on the server.
- Select should not be present to create a blacklist—none of the specified accounts may exist.
- Select allowed to be present to create a whitelist—only accounts on the list may exist.
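The following is an added illustration (not CloudPassage code) of the semantics described above: the three modes of the Package Presence and User Account Presence checks, and the AND/OR combination of checks in a rule, including the "file must be absent or must carry a specific ACL" OR example. Mode names, function names and the server inventory are assumptions constructed for the example.

```python
from typing import Dict, Iterable, List

def presence_check(mode: str, listed: Iterable[str], actual: Iterable[str]) -> bool:
    """One Package/User Account Presence check against the set found on the server.
    mode is one of "should", "should_not", "allowed" (names assumed here)."""
    listed_set, actual_set = set(listed), set(actual)
    if mode == "should":      # every listed item must be present
        return listed_set <= actual_set
    if mode == "should_not":  # blacklist: none of the listed items may be present
        return not (listed_set & actual_set)
    if mode == "allowed":     # whitelist: only listed items may be present
        return actual_set <= listed_set
    raise ValueError(f"unknown mode: {mode}")

def evaluate_rule(logic: str, check_results: List[bool]) -> bool:
    """AND (the default): all checks must pass. OR: the rule passes if any check passes."""
    if logic == "AND":
        return all(check_results)
    if logic == "OR":
        return any(check_results)
    raise ValueError(f"unknown logic: {logic}")

def acl_or_absent_rule(path: str, required_acl: str, files: Dict[str, str]) -> bool:
    """The OR example from the text: the file need not exist, but if it does it
    must carry the required ACL. `files` maps path -> ACL for files present."""
    has_required_acl = files.get(path) == required_acl
    is_absent = path not in files
    return evaluate_rule("OR", [has_required_acl, is_absent])

# Constructed inventory of a scanned server (not real scan output).
INSTALLED = {"openssh-server", "sudo", "telnet"}
ACCOUNTS = {"root", "deploy", "guest"}

def demo() -> Dict[str, bool]:
    """Evaluate a handful of checks against the constructed inventory."""
    conf = "/etc/app.conf"
    return {
        "packages_should":     presence_check("should", ["openssh-server", "sudo"], INSTALLED),  # True
        "packages_should_not": presence_check("should_not", ["telnet", "rsh"], INSTALLED),      # False: telnet present
        "accounts_allowed":    presence_check("allowed", ["root", "deploy"], ACCOUNTS),         # False: guest not listed
        "acl_file_absent":     acl_or_absent_rule(conf, "0600", {}),                            # True
        "acl_file_ok":         acl_or_absent_rule(conf, "0600", {conf: "0600"}),                # True
        "acl_file_bad":        acl_or_absent_rule(conf, "0600", {conf: "0644"}),                # False
    }

if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:20} {'PASS' if passed else 'FAIL'}")
```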
File Integrity Monitoring / Log-Based Intrusion Detection
Additional character support for FIM and LIDS rules
In FIM and LIDS policy rules, file paths can now include the character +, so that filenames including that character (such as /opt/opscode/embedded/share/terminfo/v/vt100+) can be specified in the rule.
Improved functioning of the regular-expression tester
In the Halo portal, the Create/Edit LIDS Policy page includes an expression tester that you can use to verify the search expressions in your rules. Previously, entering a complex and unsupported expression could cause the tester to fail. The issue has been fixed, and the tester now functions properly.
Halo REST API
New fields for event objects
On the Events API endpoint, event objects now contain the additional fields finding_id, tying each event to the specific finding of the specific scan (SCM, FIM, LIDS, SVA, or SAM) that it represents. You can use those referenced IDs in the event to retrieve the details of the cause of the event.
Please note that the following features may soon be removed from Halo. Please plan to modify any code or procedures that depend on them.
- Halo REST API: "Users" endpoint gone. This deprecated feature has now been removed. With this release, the "Users" API endpoint no longer exists in the current (v1) version of the Halo API.
- FIM option to generate a separate event for every changed object. On the Edit File Integrity Policy page of the Halo portal, the checkbox allowing this (unrecommended) option will be removed. Scans will always group all changes to a given policy-defined target on a given server into a single event.
Expected removal date: Q3 2015.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- Editing file integrity baseline expiration. If you want to change the expiration value when editing or re-baselining an existing baseline, the new expiration date is now calculated from the current date, rather than from the original baseline-creation date. However, if you keep the same setting (number of days) for the expiration value, the re-calculation does not occur and the expiration date remains based on the original creation date.
Workaround: Select a different expiration value and save the baseline. Then re-edit the baseline and specify your desired expiration value.