Halo Release Notes — 8 September 2016
The 8 September 2015 Release of the Halo portal includes a number of enhancements, such as implementing the new Halo interface to the Site Administration screen, unifying Special Events policies with other policies in the Policies screen, and much more.
New Features and Improvements
Limit data to a selected server group
This release enables users to limit a group-level view so that it includes only data from the group itself and not aggregate data from all of its subgroups. To do this, click the Options icon and deselect Aggregate data from descendant groups. The screen reloads with updated data that is specific to the group you are viewing and "Aggregate Data Off" appears next to the Options icon.
Note: The selection you make will persist for subsequent logins until you turn aggregate data back on.
Increased size limits for server tags and group names
To facilitate automated naming of server groups, the maximum size of both server tags and server group names has been increased to 100 characters.
Note: If you are automating group creation by using tag names as your group names, note that tag names can include only letters, numbers, periods, underscores, and dashes, whereas group names can include almost any characters. You may sacrifice flexibility in group names if you choose the convenience of autogenerating them from tag names.
Policies and Special Events Policies
Special events policies now in the Policies screen
This release unifies special events policies with all other policies in the Policies screen to enable users to work with them as they would with any other policy type.
Specifically, the following tasks can now be performed in the Policies screen:
- Create a special events policy by selecting Special Events from the Policy Type menu in the New Policy dialog.
- Manage special events policies from the Policy Details sidebar.
- Import and export special events policies.
- Clone a special events policy.
- Retire or delete a special events policy.
Special Events option removed from Policies menu
As a result of the changes to special events policies (see previous item), Special Events has been removed from the Policies menu.
Indicate when a FIM policy has no active baseline
This release implements a notification to clearly indicate when a File Integrity Management (FIM) policy has no active baseline. This notification can be viewed in the group-level Settings view under the Policies subtab.
Site and User Administration
Site Administration screen updated
With this release, the Site Administration screen has been updated to the new user interface. As a part of this update, some settings have been regrouped under different views. A few items to note:
- Settings that were previously located under the Scanner Settings and Daemon Settings tabs can now be found under the Settings view, which is separated by Agent (Daemon) Settings and Other Controls (see image in next bullet).
- The agent self-verification setting is now grouped with other Agent Scanning settings.
- The "Enable Automatic Scanning" check box has been removed. With this release, the act of enabling is implicit when you select a frequency from the Automatically Scan drop-down menu. Selecting Never disables automatic scanning.
- Master Account settings can now be found under the Advanced view.
For complete information about Site Administration settings, see the Site Administration appendix of the Halo Operations Guide.
Site Administration and User Administration screens combined
The User and Site Administration screens are now combined. Users now appears as a view button of the Site Administration screen (see image below). For more information, see the Site Administration appendix of the Halo Operations Guide.
Note: As a result of this change, the appendices in the Halo Operations Guide have been updated; namely, the User Administration and Site Administration appendices have been combined and user roles is now its own appendix. See Site Administration and User Roles for more information.
Group administrators can now manage other users within the same group
This release implements the ability for users with an "administrator" role in a group to manage other users within the same group scope. This means that root administrators and account owners can now delegate user management tasks to group administrators.
File Integrity Monitoring (FIM)
New UI implemented with FIM scans
This release enables users to work with FIM scans and scan findings in the new interface. Specifically, you can now do the following in the new UI:
- Open a new Scan Results/Server Scan History view. To do so, click the Scans view button to activate the view, then click the Status link of the FIM scan. A Scan Results screen opens that provides details about the scan, including the individual rule checks.
- Launch a new scan from the new Scan Results page (see next image). To do so, click the Launch New Scan button.
- Export scan results from the new Scan Results page. To do so, click the Export button to export the results in a PDF.
A PDF of the File Integrity Report opens with the following information:
- A summary of all passes, critical failures, and non-critical failures.
- A list of all baseline servers.
- A details page that describes all of the rules that passed.
- A details page that describes each critical and non-critical failure, including what changed between the scanned file and the baseline.
Investigate FIM rule checks
This release enables users to investigate individual FIM rule checks in both the Issues (group and server-level) and Scan Results views.
- Open a Finding Details sidebar from the Issues view. To do so, open the Issues view. Click a FIM issue to open its Issue Details sidebar. In the Findings area of the sidebar, click an individual rule check (see image below). A Finding Details sidebar opens and provides you with details about the individual rule. You can close the sidebar to return to the Issue Details sidebar.
- Open a Finding Details sidebar from the Scan Results view. To do so, click the Scans view button, then click the Status link of a FIM scan to open the Scan Results view. Click the left arrow to expand a finding and display the individual rule checks that make up the finding (see image below). Click a rule check to open the Finding Details sidebar. For more information, see Addressing FIM Findings in the File Integrity Monitoring guide.
Improved workflow for deleting baselines
Previously, Halo users were not permitted to delete file integrity baselines that were not assigned to a specific server. The validation has been relaxed to allow for deletion of baselines that either (1) are assigned to an existing server visible to the user, or (2) are owned by a server group visible to the user.
Server Account Management (SAM)
Administering server accounts in Halo
This release enables users to administer server accounts from the new interface. Users can now do the following tasks from the new UI:
- View and edit account details from a sidebar. To do so, open a server-level account view and click the account to open its sidebar. To edit, click the Edit button.
- Activate and deactivate local server accounts. To do so, open a server-level account view, click the account to open its sidebar, then click Activate or Deactivate (the button that appears depends on the current state of the account). See the image in the next bullet for an example.
- Create a new local account on a server. To do so, open a server-level account view, then click New > Account.
- Return new account password. When a new local server account is created, a notification appears with the system-generated password.
For more detailed information on any of these items, see the section titled Administering Server Accounts from the Server Account Management guide.
Software Vulnerability Assessment
Improved accuracy and PDF-to-portal consistency for vulnerability scan results
Previously, PDF exports of older vulnerability scans could potentially show results inconsistent with results displayed in the Halo portal, and both could be inaccurate, because the results displayed could be from the server's most recent scan instead of the requested scan. That issue has been corrected, and historical scan results are now displayed accurately and consistently.
Windows Server 2008 (pre-R2) not supported
Although Halo is not officially supported on Windows Server platforms earlier than 2008 R2, some customers have successfully run Halo on older releases of Windows 2008. Nevertheless, Software Vulnerability Assessment is not compatible with pre-R2 releases of Windows 2008, and vulnerability scans will not run on them.
Enable/disable Traffic Discovery scanning in group settings
This release enables administrators to enable and disable Traffic Discovery scanning from the Settings view of any server group.
Note: This feature is only available for accounts in which Traffic Discovery has been activated. For information about activating Traffic Discovery, contact your CloudPassage account representative.
For details, see Enable Traffic Discovery Scanning in the Halo Operations Guide.
Ability to add and remove nodes in visualization
This release enables users to add and remove nodes in the Traffic Discovery visualization.
To do so, click the Select Nodes drop-down menu and click the nodes you want the visualization to display.
The nodes selected appear next to the menu with an "X," which you can click to remove the node. To change its order, drag and drop it.
For details, see Interpreting and Manipulating Traffic Visualizations in the Traffic Discovery Guide.
Path highlighting implemented in visualization
This release implements path highlighting to enable users to clearly follow the connection path from one side of the visualization to the other.
To view a connection path, click the dark-blue bar. The full connection is highlighted in a lighter color.
Filter the Traffic Discovery graph
Previously, only Traffic Discovery's list view could be filtered. This release enables filtering of the graph view. For more information about filtering, see Filtering Connection Views in the Traffic Discovery Guide.
To see the object fields that you can use to filter the graph, see the Filtering Views appendix of the Halo Operations Guide.
Maintain display settings
When a user customizes their Traffic Discovery display settings, this release enables the customized settings to be maintained throughout the user's session and across server groups.
Workload Firewall Management
Improved Windows firewall policy update process
Previously, updating a Windows firewall policy could result in network packet loss, depending on the details of the existing and new firewall policies. The issue has been resolved by ensuring that Halo updates Windows firewall policies without resetting the local Windows firewall.
New Windows and Linux agents made available
On 16 May 2016, CloudPassage announced the availability of a new Halo agent for Windows and Linux platforms. The version number is 3.7.6. For more information, see the Halo Agent Release Notes.
Further upgrade to Windows and Linux agents
On 8 June 2016, CloudPassage released a new version of the Halo agent for Windows and Linux. The version number is 3.7.8. For more information, see the Halo Agent Release Notes.
Duplicated agents no longer present after reboot and restart
In rare circumstances, rebooting an Ubuntu server or restarting its agent process has resulted in the creation of another agent that duplicates the one being restarted. The issue has been resolved and duplicates should no longer appear.
Faster loading for Summary views
Internal performance improvements have greatly decreased the time required to load and display the group and server Summary views on the Environment screen.
Halo Platform Support
Corrected primary IP address for servers in a Docker environment
Previously, Halo running in a Docker container under certain Linux distributions (such as CentOS 7) displayed a server's Docker bridge address instead of the server's primary IP address in the primary_ip_address field of the Server object, and in the IP Address field in the Halo portal. The issue has been fixed and the proper IP address is displayed.
Support for Legacy Halo UI
Access restored to FIM and LIDS dashboard pages
In certain Halo accounts, links to the File Integrity Monitoring and Log Based Intrusion Detection dashboard pages have been non-functional. The links have been restored.
Halo REST API
New public Halo REST API document site
A new Halo REST API document is available online at: https://api-doc.cloudpassage.com.
Note: The REST API document on ZenDesk has been deprecated, so please update your bookmarks to the new URL. For your convenience, the API document in our private Documentation Library will continue to remain available—the content of that document and of the new site is the same.
Additional fields added to file integrity scan findings object
To support capabilities of the new Halo UI, the following fields have been added to file integrity scan findings:
- associated policies names
- agent process time
- grid process time
- baseline1 + baseline2 sha + associated servers
- owner group name
- object ctime
- object mtime
- server object and baseline times
Please note that the following features have been or may soon be removed from Halo. Please plan to modify any code or procedures that depend on them.
File integrity exception data removed from Halo database and portal
The use of exceptions with File Integrity Monitoring was deprecated in September 2014 (see Halo Release Notes — 22 September 2014). Since that time, exceptions data from earlier scans has continued to be available to Halo users.
As of this release, the Halo portal UI no longer supports viewing or resolving file integrity exceptions, and all exception data has been removed from the Halo database.
ZenDesk REST API documentation deprecated
The REST API documentation on ZenDesk has been deprecated and replaced by the new Halo REST API Documentation at https://api-doc.cloudpassage.com. Please update your bookmarks.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- New Halo UI uses browser time instead of user setting. In the legacy Halo UI, a user can select the time zone for which Halo is to display all date-time values. In the new UI, Halo instead displays times according to the user's browser time zone setting.
- Editing file integrity baseline expiration. If you want to change the expiration value when editing or re-baselining an existing baseline, the new expiration date is now calculated from the current date, rather than from the original baseline-creation date. However, if you keep the same setting (number of days) for the expiration value, the re-calculation does not occur and the expiration date remains based on the original creation date.
Workaround: Select a different expiration value and save the baseline. Then re-edit the baseline and specify your desired expiration value.
- Assigned GhostPorts users may be invisible to a firewall policy's owner. When a user at a non-root level creates a firewall policy, an administrator at a higher level can add a GhostPorts user (also at a higher level) as a source or destination in a firewall rule of that policy. The policy's owner, however, cannot see the assigned user when viewing the rule in the portal—because the user is at a higher level than the owner.
Workaround: Do not add a GhostPorts user to a descendant group's firewall policy rules if that user is out of the descendant group's scope.
- Cannot modify settings of a group that has out-of-scope policies. An administrator at a non-root level of the group tree cannot modify the settings of any accessible group with an assigned policy (or alert profile) that has become out of scope. This situation can arise if:
- A policy owned by a higher-level group is first shared and assigned to a descendant group, and then unshared by the higher-level group's site administrator. The policy remains assigned to the descendant group, but that group's site administrator cannot make any modification to the group settings.
- A higher-level group's site administrator transfers the ownership of a descendant group's policy to a group that is out of scope of the descendant group. The policy remains assigned to the descendant group, but that group's site administrator cannot make any modification to the group settings.
Workarounds: Do not transfer the ownership of a policy from one descendant group to another that is out of the first descendant's scope. Do not unshare a policy if it is assigned to any of your descendant groups.
- Traffic Discovery: Servers column may have inaccurate counts. In the group-level list views for inbound, outbound, and listening connections, the Servers column displays, for each connection listed, a number that is intended to be the count of servers that have that "same" connection, meaning the number of servers that have a connection with the same core attributes.
That number can be incorrect, because it actually reflects the total number of connections with those attributes, not the total number of servers. It is possible in some cases for a server to have multiple connections with identical core attributes, in which case the reported count will be higher than the total number of servers with that connection.