CloudPassage Halo — 27 October 2016
The 27 October 2016 release of CloudPassage® Halo® introduces a number of enhancements, including a new filtering feature in the portal UI, visual and functional improvements to Traffic Discovery, improved server lifecycle management, and much more.
New Features and Improvements
Tooltips added to improve clarity
A number of tooltips have been added in various parts of the Environment screen to improve clarity:
- In the Servers view, hovering over the issues metric displays details about the issue count.
- In the group tree, hovering over the issues metric displays enhanced text to explain the meaning of the issue counts.
- In the context title bar, hovering over the issue count icons displays text to explain the meaning of the issue counts.
- In the inventory Summary view, hovering over the issue count icons displays a definition of the issue by severity.
- In the context title bar, hovering over the breadcrumbs displays the full group path.
Sidebars now resizable
Previously, sidebars (such as the Issue Details sidebar) could not be resized. This release implements the ability to resize the sidebars to better accommodate the amount of information that often displays.
Improvements to CSV export
This release implements improvements to the comma-separated value (CSV) export feature to enable users to have more control over what they want to export. When exporting a CSV, users can now:
- Select the export date range.
- Specify whether to include all possible columns, or just those displayed on the screen.
- Specify whether to include server names and IDs.
For more information, see Export Data from a View in the Halo Operations Guide.
New and improved filtering feature
This release implements a completely updated filtering feature to make it easier to filter the following views: Issues, Scans, Servers, Alerts, Policies, and Connections (for customers who have Connections enabled).
Highlights of the new feature include:
- Create new filters by clicking the filter box and selecting filter attributes and values that apply to the dataset you are viewing.
- Wherever applicable, drop-down lists and hints automatically appear to help you build the filter quickly.
- View, re-use, and delete recently used filters.
For complete information about filtering, see Filtering Views in the Halo Operations Guide.
Manual resolution of FIM and CSM issues
Previously, inconsistencies occurred in the reporting of the status of some CSM and FIM issues, in that manually resolving an issue resulted in an on-screen success banner, yet the issue continued to be displayed in the list of open issues. Likewise, depending on the exact construction of an API query, the same issue could be reported as both open and resolved.
The problem has been corrected, and open and resolved issues are now reported consistently.
View retired policies
This release implements the ability to view the details of a retired policy in the Policies List.
To view a retired policy:
- In the Policies List, click the Retired subtab.
- Click the name of a retired policy. The retired policy details open in a non-editable sidebar.
- You can work with the retired policy by doing any of the following:
  - To unretire the policy: Click Unretire Policy. The policy is now active and appears in the Available subtab.
  - To delete the policy: Click Delete Policy. A confirmation dialog appears. Click Delete Policy.
Caution: Deleted policies cannot be restored. If you think you may want to re-use or refer to the policy in the future, you can do nothing and leave it in your Retired subtab.
This release implements the ability to unretire a policy to make it active again.
To unretire a policy:
- In the Retired subtab of the Policies List, click to select the check box next to the policy you want to unretire.
- Click the Edit button, then click Unretire Policy.
A notification appears to confirm the action and the policy moves to the Available subtab.
Ability to create a new policy from the Policies subtab
Previously, there was not a direct way for users to create a policy from the view where policies are assigned to groups in the Environment screen. This release implements a Create New Policy button in the Policies subtab of the Settings view, which appears when a policy does not already exist for a particular type of coverage.
To create a new policy from the Environment screen:
- Select the group for which you want to create a policy.
- Click the Settings view button to activate the view, then click the Policies subtab.
If there is a module that does not have policies available to choose from, a Create New Policy button displays.
- Click Create New Policy.
The Create New Policy dialog opens.
- Click how you want to create the policy: from an existing template or from scratch.
- Enter a name and description for the new policy.
- Click Edit Policy Rules.
The module's Edit Policy page opens so you can begin building the policy rules. For more information about creating policies, see any of the module guides.
Sub-group users can now see shared Policies
This release enables sub-group users to view the content of shared policies in their Policies List. Once a policy owner shares a policy with a sub-group, it becomes available for viewing in the sub-group users' Policies List, its details can be viewed (but not edited), and it can be cloned by the sub-group users.
Servers and Server Groups
Automatically retire deactivated servers
This release implements the ability to automatically retire deactivated servers. Automatically retiring servers helps declutter your portal because their issues are automatically resolved and the servers no longer appear in the portal unless explicitly called. For more details, see About Server States in the Halo Operations Guide.
Note: As of this release, new accounts will have this setting activated by default; however, existing accounts must activate it manually.
To automatically retire deactivated servers:
- Open Site Administration, then click the Settings view.
- On the Agent Settings subtab, click the Retire deactivated servers after drop-down list.
- Click the length of time that you want to pass before deactivated servers are automatically retired.
- Click Save.
If you have existing deactivated servers that have been deactivated for the time frame you indicated, they are now retired.
Note: Retiring a server does not delete the server from Halo. For more information about retired servers, see Retire a Server in the Halo Operations Guide.
Group column added to Servers view
This release implements a Group column in the Servers view to enable users to see the group to which the server belongs. In this column, you can:
- Click the arrow next to the heading to sort by group in ascending/descending order.
- Click the group name to open the group in the group tree.
- Hover over the group name to view the group path.
File Integrity Monitoring
Export to PDF improvements
Previously, when exporting FIM scan results to a PDF, there was no indication that an export was in process. This release implements process indicators—such as a loading icon in the Export button—to make it clear that a PDF is generating.
Changes to FIM findings now highlighted
This release implements highlighting in the FIM Finding Details sidebar to indicate what metadata has changed when an object has been modified. Specifically:
- Any of the following metadata fields appears in red font when the value in the scanned object is different from its value in the baseline: SHA256, (Linux) Permissions, Owner, and (Linux) Group.
- For Windows, permissions lines that have been added to the scanned object since the baseline was created are in green; permissions that have been removed from the scanned object since the baseline was created are in red.
Ability to group IP addresses and ports into ranges
This release implements the ability to redisplay local and remote IP addresses as address ranges to control the level of granularity in your display. You can do this by selecting one of the Remote IP Address options from the filter drop-down list or the Columns drop-down list. The options range from (Local or Remote) IP Address 8, which is the coarsest range of granularity with the fewest number of nodes in the column, to IP Address 24, which represents the finest level of granularity in grouped addresses.
Likewise for ports, you can redisplay Local Port and Remote Port as Local Port Category and Remote Port Category, which groups the individual port numbers into three categories (Well-known, Registered, and Dynamically Assigned) based on the port number value.
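The grouping described above can be reproduced offline when reviewing exported connection data. The following is an added example, not CloudPassage code: it assumes the "IP Address 8" through "IP Address 24" options correspond to prefix lengths /8 through /24 and that the three port categories follow the IANA port ranges. The sample connections and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample connections as (remote IP, remote port); not Halo data.
SAMPLE_CONNECTIONS = [
    ("10.1.2.3", 443),
    ("10.1.2.77", 443),
    ("10.1.9.10", 5432),
    ("10.200.0.5", 51515),
    ("192.168.4.20", 22),
]


def ip_range(addr: str, prefix_len: int) -> str:
    """Collapse an address to its enclosing network of the given prefix length."""
    # strict=False lets a host address be passed in; host bits are masked off.
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))


def port_category(port: int) -> str:
    """Map a port number to one of the three categories (IANA ranges assumed)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "Well-known"
    if port <= 49151:
        return "Registered"
    return "Dynamically Assigned"


def group_connections(connections, prefix_len: int) -> Counter:
    """Count connections per (address range, port category) pair."""
    counts = Counter()
    for addr, port in connections:
        counts[(ip_range(addr, prefix_len), port_category(port))] += 1
    return counts


def address_nodes(connections, prefix_len: int) -> int:
    """Number of distinct address-range nodes at this level of granularity."""
    return len({ip_range(addr, prefix_len) for addr, _ in connections})


if __name__ == "__main__":
    # Coarser prefixes yield fewer nodes; finer prefixes yield more.
    for prefix in (8, 16, 24):
        print(f"/{prefix}: {address_nodes(SAMPLE_CONNECTIONS, prefix)} address nodes")
        for (net, cat), n in sorted(group_connections(SAMPLE_CONNECTIONS, prefix).items()):
            print(f"    {net:<18} {cat:<22} {n}")
```

Grouping at /8 is useful for a first look at which networks a workload talks to; narrowing to /24 before writing firewall rules avoids allowing a far wider range than the observed traffic justifies.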
Ability to group nodes into categories
As with value ranges in IP addresses and port numbers, this release also implements the ability to group other kinds of nodes into categories (or conversely, split category nodes into their component subnodes). This feature applies to Remote Context with Remote Context Type, and to Local Address or Process with Local Group.
For example, clicking the Remote Context node automatically enters filter criteria in the Filter bar and filters the view to display just that node. You can then click the zoom in link above the node to see more details or zoom out to see less. Note that after the view refreshes, you may be able to (in the case of IP address ranges) continue zooming to see additional finer or coarser levels of detail.
New quick filter in the visualization view
This release implements a quick filter that enables users to display information for building inbound and outbound firewall rules. To use the quick filter, click the Columns button, then click Inbound Firewall to view inbound firewall connections or Outbound Firewall to view outbound firewall connections.
Improved display of end-to-end connections
End-to-end connections are now highlighted when hovering over the connecting lines between two nodes in two adjacent columns. You can click in any of the segments to filter the display to only that connection. In addition, a tooltip displays when hovering over the connection to provide the following information:
- The count of connections with matching attributes
- Percentage of selected connections compared to other displayed connections
- List of attributes
New columns for Remote Context and Remote Context Type
Previously, the connection table did not display information about local and remote context or remote context type. This release implements two new columns—Remote Context and Remote Context Type—to enable users to easily identify remote connections.
Improvements to make it easier to select and view the columns that display
A number of visual improvements have been made to make it easier to select the columns in the Connections visualization view, as well as distinguish between local and remote connections. Improvements include:
- Local and remote columns are grouped on opposite sides of the diagram, with columns that are shared by both ends of the connection in the middle, under the category labels "Local", "Shared", and "Remote". Within these categories, users can drag and drop the column headers to change their order. Each category label includes a drop-down list that enables users to select additional columns within the category.
- Small horizontal gaps separate each column into its component nodes.
- Each column's header appears at the top (for example, "Remote Context Type"). Besides identifying the attribute type that the column displays, the header may include:
  - An "X" control for removing the column.
  - "zoom in" and/or "zoom out" controls for showing more or less detail.
  - "name" and "size" controls for sorting the nodes of the column alphabetically or by number of connections that pass through the node.
- A Columns button also appears in the top-right corner of the view, which enables users to select or remove columns from a pop-up dialog.
Improvements to TD visualization when viewing large numbers of connections
Previously, the TD visualization was difficult to view when there were a large number of connections. This release implements the following improvements to ensure that the graph dynamically scales when there are a large number of connections:
- Font sizes dynamically adjust so that text labels do not overlap.
- Graph height dynamically adjusts to fit the available space.
- A tooltip appears when hovering over individual nodes.
New Direction column enables visualization of connection behavior
This release implements a new Direction column in the visualization to enable users to visualize the inbound and outbound connection behavior of a selected application.
Full paths to server groups in visualizations
Previously, only a group name displayed when viewing the remote destination server group. This release implements a new tooltip that displays the full path of the destination server group, including its parent group. To view the tooltip, hover over a node in the Remote Context column.
In addition, a new column called Local Group has been implemented. This column displays the groups to which the servers at the local end of the connections belong. Hovering over a node in the column displays a tooltip that provides the full path of the group.
Renamed Connections column
Previously, group-level connections displayed a column titled "Count" in the list view. This column header has been changed to Connections to more accurately describe the number in this column.
New filter attributes
The following updates have been made to filtering the Connections view:
- You can filter on the attribute Local Hostname, which is the hostname of the local server. To do so, select this attribute from a filter drop-down list.
- You can now filter on Local FQDN, which is the fully qualified domain name of the local host. To do so, select this attribute from a filter drop-down list.
- When filtering for specific dates, such as "Last updated date," you can now employ a "since" operator to view all results since a particular date.
For more information about filtering and Connections attributes, see Filtering Views in the Halo Operations Guide.
Auditor role can now view policy and alert profile details
Previously, users with an auditor role could view lists of policies and alerts, but not view the underlying details, such as individual policy rules. This release enables users with an Auditor role to view the details of policies and alerts.
Workload Firewall Management
View raw firewall policy
This release enables users to click a button in the Policy Details sidebar to view the underlying iptables (Linux) or Windows firewall policy in a new browser tab.
To view the raw firewall policy:
- In the Policies view, click a policy name to open the Policy Details sidebar.
- Do one of the following:
  - Linux: Click View iptables detail.
  - Windows: Click View Windows Firewall detail.
The raw underlying policy opens in a new browser tab.
New audit events defined for server lifecycle
To complete the auditing of all stages of the Halo agent lifecycle, new audit events have been created. This is the complete set of agent lifecycle events:
- New server (
- Server missing (
- Server deactivated (
- Server reactivated (
- Server retired (
- Server un-retired (
- Server deleted (
Support for Legacy Halo Interface
Auto-retirement of deactivated servers available for legacy users
Users of the legacy Halo interface can now set up automatic retirement of deactivated servers by modifying a setting on the Agent Settings tab under Site Administration.
Halo REST API
Extensions to Alert Profile API endpoint
To be more consistent with other types of policies, the alert profile object now includes a complete set of general policy fields, and it also supports filtering results by the values of many of its fields, notably
Non-root administrators now able to manage FIM baselines
Previously, an administrator of a server group below the root group could not, through the Halo API, manage (create/delete/modify) file integrity baselines in that group or its subgroups. The correct permissions have been restored, and administrators can now manage baselines anywhere within their scope.
'retired' field added to special events policy object
To be consistent with other types of Halo policies, the special events policy object now has a complete set of general policy fields, including a boolean retired field, since users can now retire special events policies.
Please note that the following features have been or may soon be removed from Halo. Please plan to modify any code or procedures that depend on them.
File integrity exception data removed from Halo database and portal
The use of exceptions with File Integrity Monitoring was deprecated in September 2014 (see Halo Release Notes — 22 September 2014). Since that time, exceptions data from earlier scans has continued to be available to Halo users.
As of this release, the Halo portal UI no longer supports viewing or resolving file integrity exceptions, and all exception data has been removed from the Halo database.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- Users appear to have editing capability on out-of-scope resources. The following workflows are misleading and will be addressed in a future Halo release:
  - Users with Auditor role in a server group can view the details of a policy assigned to the group, and can access the policy's edit screen and appear to make changes. However, those changes cannot be saved.
  - Users in a group can view the details of a policy inherited by the group, and can access the policy's edit screen. However, they cannot successfully edit the policy.
- New Halo UI uses browser time instead of user setting. In the legacy Halo UI, a user can select the time zone for which Halo is to display all date-time values. In the new UI, Halo instead displays times according to the user's browser time zone setting.
- Editing file integrity baseline expiration. If you want to change the expiration value when editing or re-baselining an existing baseline, the new expiration date is now calculated from the current date, rather than from the original baseline-creation date. However, if you keep the same setting (number of days) for the expiration value, the re-calculation does not occur and the expiration date remains based on the original creation date.
Workaround: Select a different expiration value and save the baseline. Then re-edit the baseline and specify your desired expiration value.
- Assigned GhostPorts users may be invisible to a firewall policy's owner. When a user at a non-root level creates a firewall policy, an administrator at a higher level can add a GhostPorts user (also at a higher level) as a source or destination in a firewall rule of that policy. The policy's owner, however, cannot see the assigned user when viewing the rule in the portal—because the user is at a higher level than the owner.
Workaround: Do not add a GhostPorts user to a descendant group's firewall policy rules if that user is out of the descendant group's scope.
- Cannot modify settings of a group that has out-of-scope policies. An administrator at a non-root level of the group tree cannot modify the settings of any accessible group with an assigned policy (or alert profile) that has become out of scope. This situation can arise if:
  - A policy owned by a higher-level group is first shared and assigned to a descendant group, and then unshared by the higher-level group's site administrator. The policy remains assigned to the descendant group, but that group's site administrator cannot make any modification to the group settings.
  - A higher-level group's site administrator transfers the ownership of a descendant group's policy to a group that is out of scope of the descendant group. The policy remains assigned to the descendant group, but that group's site administrator cannot make any modification to the group settings.
Workarounds: Do not transfer the ownership of a policy from one descendant group to another that is out of the first descendant's scope. Do not unshare a policy if it is assigned to any of your descendant groups.