CloudPassage Halo — 28 September 2015 Release
The 28 September 2015 Release of CloudPassage® Halo® includes the general availability release of Log-Based Intrusion Detection, new and enhanced configuration security rule checks for running processes and services on Windows, support for the use of system environment variables in Windows policy paths, and other enhancements and fixes.
New Features and Improvements
Log-Based Intrusion Detection
Halo LIDS module now generally available
With this release, Halo's Log-Based Intrusion Detection (LIDS) module has completed its beta testing, and it is now in General Availability (GA). Use LIDS to detect and alert on suspicious activities, as recorded in any system and application log files on any of your servers. LIDS is available on both Linux and Windows platforms.
Windows policy paths can include system environment variables
Rule targets for CSM, FIM, and LIDS policies on Windows platforms can now include environment variables as initial components of target pathnames, using the format
For example, if the Windows system volume on a server is C:\, the path %SYSTEMDRIVE%\Windows\Boot will remain a valid path even if the system volume is F:\ or any other value.
Note: Policy paths can include only system environment variables. User environment variables, which are specific to a given account, are not supported.
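The following is an added example, not Halo's own code, of how a policy path with a leading environment variable resolves differently on servers whose system volumes differ, and why only system-scoped variables are accepted. The SYSTEM_ENV tables and the server names are constructed sample data; the %VAR% syntax itself is the standard Windows form shown in the example above.

```python
import re

# Constructed sample: each server's *system* environment (user-scoped
# variables such as %APPDATA% are deliberately absent from these tables).
SERVERS = {
    "web-01": {"SYSTEMDRIVE": "C:", "SYSTEMROOT": r"C:\Windows"},
    "web-02": {"SYSTEMDRIVE": "F:", "SYSTEMROOT": r"F:\Windows"},
}

# An environment-variable reference is only honoured as the initial
# component of the path, matching the release note's wording.
LEADING_VAR = re.compile(r"^%([A-Za-z_][A-Za-z0-9_]*)%")


def expand_policy_path(path: str, system_env: dict) -> str:
    """Expand a leading %VAR% using system environment variables only.

    Raises KeyError if the variable is unknown or user-scoped, so that a
    policy never silently targets the wrong location.
    """
    m = LEADING_VAR.match(path)
    if not m:
        return path  # literal path, nothing to expand
    name = m.group(1)
    key = name.upper()  # Windows environment names are case-insensitive
    if key not in system_env:
        raise KeyError(f"%{name}% is not a system environment variable")
    return system_env[key] + path[m.end():]


def resolve_on_servers(path: str, servers: dict) -> dict:
    """Return {server: resolved path} for one policy target across servers."""
    return {srv: expand_policy_path(path, env) for srv, env in servers.items()}


if __name__ == "__main__":
    for srv, resolved in resolve_on_servers(r"%SYSTEMDRIVE%\Windows\Boot", SERVERS).items():
        print(f"{srv}: {resolved}")
```

The same rule target therefore points at C:\Windows\Boot on web-01 and F:\Windows\Boot on web-02 without two copies of the policy; a path beginning with a user variable is rejected rather than expanded.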
Windows 'Service is started' check can function as a whitelist
A new setting has been added to the Windows "Service is started" configuration check. You can now specify "OK to be started/running" and supply a list of permissible services, in which case the check functions as a whitelist. All running services must be on the list of permitted services; if any running service is not on the list, the check fails.
Process Presence check available for Windows
With this release, a Windows version of the Process Presence configuration check is available. You can use the check to verify that all of a specified set of Windows processes are running, or that none of them is running, or that all running processes are members of that set (whitelist).
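The two checks above share one pattern: a set of running items is compared with a configured set, and the direction of the comparison decides pass or fail. The example below is added here and is not Halo's own implementation; it models the whitelist form of the "Service is started" check and the three modes of the Process Presence check over constructed service and process lists, returning the offending names so an auditor can see why a check failed.

```python
from enum import Enum


class Mode(Enum):
    ALL_PRESENT = "all"        # every listed item must be running
    NONE_PRESENT = "none"      # no listed item may be running
    WHITELIST = "whitelist"    # every running item must be on the list


def evaluate_presence(running, expected, mode):
    """Evaluate a presence-style check.

    Returns (passed, offenders), where offenders is the sorted list of
    names (lower-cased, since Windows names are case-insensitive) that
    caused the failure; it is empty when the check passes.
    """
    running = {r.lower() for r in running}
    expected = {e.lower() for e in expected}
    if mode is Mode.ALL_PRESENT:
        offenders = expected - running     # required but not running
    elif mode is Mode.NONE_PRESENT:
        offenders = expected & running     # forbidden but running
    elif mode is Mode.WHITELIST:
        offenders = running - expected     # running but not permitted
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return (not offenders, sorted(offenders))


# Constructed sample data standing in for what an agent would enumerate.
RUNNING_SERVICES = ["wuauserv", "EventLog", "Dnscache", "UnapprovedSvc"]
PERMITTED_SERVICES = ["wuauserv", "EventLog", "Dnscache"]

RUNNING_PROCESSES = ["svchost.exe", "lsass.exe", "notepad.exe"]
CORE_PROCESSES = ["lsass.exe", "svchost.exe"]


def service_whitelist_check(running=RUNNING_SERVICES, permitted=PERMITTED_SERVICES):
    """'Service is started' with "OK to be started/running": a whitelist."""
    return evaluate_presence(running, permitted, Mode.WHITELIST)


if __name__ == "__main__":
    print("service whitelist:", service_whitelist_check())
    for mode in Mode:
        print(f"process presence ({mode.value}):",
              evaluate_presence(RUNNING_PROCESSES, CORE_PROCESSES, mode))
```

With the constructed data the service whitelist fails because UnapprovedSvc is running but not permitted, and the process check passes in all-present mode, fails in none-present mode (the core processes are running), and fails in whitelist mode because notepad.exe is not in the set.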
Software Vulnerability Assessment
Ubuntu 14.04 false-positives corrected
Previously, performing a vulnerability scan on an Ubuntu 14.04 system that included the linux-image-generic package version 3.13.0-48.80 led to the reporting of several false-positive vulnerabilities. The issue has been addressed and the false positives are no longer being reported.
Please note that the following features have been or may soon be removed from Halo. Please plan to modify any code or procedures that depend on them.
- The use of daemon-key as a Halo agent startup parameter is now deprecated. In your Linux and Windows Halo installation scripts, please replace all instances of
- In the Halo API, the use of sca to refer to the configuration scan type is deprecated in favor of csm. Please use csm in your future API calls that take a scan type parameter. For example:
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- Editing file integrity baseline expiration. If you want to change the expiration value when editing or re-baselining an existing baseline, the new expiration date is now calculated from the current date, rather than from the original baseline-creation date. However, if you keep the same setting (number of days) for the expiration value, the re-calculation does not occur and the expiration date remains based on the original creation date.
Workaround: Select a different expiration value and save the baseline. Then re-edit the baseline and specify your desired expiration value.