BMC

TrueSight Cloud Security

TrueSight Cloud Security is a cloud-based digital platform that tracks regulatory and security compliance by collecting, organizing, and analyzing high volumes of volatile IT business data, in real time, to meet the demands of web-scale IT. Complete and accurate analysis empowers IT operations to make fast, data-driven decisions that support continuous digital service improvement and innovation.
Release information

This topic provides information about what is new or changed in TrueSight Cloud Security, including known and corrected issues.

October 2018: Release 1

What's new

The following feature is available in this release of Cloud Security:

Item Description
Incident Creation

This version of TrueSight Cloud Security has enabled a new feature to create and manage 'Incidents' on violations to alert users when policies are not adhered to.

For more details, please refer to:

Managing Notifications

Orchestration Connector

TrueSight Cloud Security has launched an Orchestration connector to facilitate incident creation.

For more details, please refer to:

Orchestration Connector

ITSM Integration


For more details, please refer to:

Integration with Remedy for incident creation


For a list of all open issues, see Known issues.

Corrected issues

Defect ID Description

DRDK2-14546

TSCS UI filters were not applied correctly in the Violations section.

DRDK2-14175

The Approval page showed inconsistent behaviour.

DRDK2-13931

CP Cloud connector Lambda logs showed some errors after a successful run.

DRDK2-14771

An incorrect remediation status was displayed on the Remediation page in the TSCS UI.

DRDK2-14772

The Disabled option was removed from all Configuration tab filters on the Remediation History page in the TSCS UI.

DRDK2-14327

Scanned non-compliant resources triggered remediation and showed the status on the Violations L3 page, but the remediation status was not displayed on the Resources L3 page.

DRDK2-14142

Schema credentials were not encrypted.

September 2018: Release 2

What's new

The following feature is available in this release of Cloud Security:

Item Description
Auto Remediation

TrueSight Cloud Security now offers an auto remediation feature that triggers remediation action without user intervention when violations are detected.

For more details, please refer to:

Viewing Remediation History

For a list of all open issues, see Known issues.

Corrected issues

Defect ID Description
DRDK2-14702

AWS on-prem connector did not update action content as expected.

DRDK2-14333

Incorrect username was visible on Remediation History Page under User column in TSCS UI.

DRDK2-14314

Alignment misplacement was noted on Remediation History Page in TSCS UI.

DRDK2-14166

Connector Lambda got errors while updating data.

September 2018: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description
Policies

TrueSight Cloud Security now has a new feature that allows users to import policies in bulk from the policy library. Policies have also been sorted in accordance with respective connectors to enhance user experience.

For more details, please refer to:

Updating a policy

Azure Connector


Cloud Security now enables users to choose between resources associated with Global Azure Cloud as well as those associated with Azure Government Cloud.

For more details, please refer to:

Azure Connector

Corrected issues

Defect ID Description
DRDK2-14144  InfraIngestLambda showed errors in production.
DRDK2-14242 Enabled multi AZ support readiness for CP.
DRDK2-14238  Sandbox was not evaluating results.
DRDK2-14140  Policy Engine evaluations were unresponsive for many feeds.


For a list of all open issues, see Known issues.


August 2018: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description

AWS Cloud Connector


Cloud Security has launched an AWS Partition feature that gives users the freedom to select AWS or AWS GovCloud (US) while downloading AWS Cloud Connector.

For more details, please refer to:

AWS Cloud Connector

AWS On-Premises Connector

Cloud Security now enables users to scan resources in AWS Gov cloud regions by choosing AWS GovCloud (US) instead of AWS (default).

For more details, please refer to:

AWS On-Premises Connector


For a list of all open issues, see Known issues.


August 2018: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description

GCP Cloud Connector


This version of Cloud Security has launched the GCP Cloud Connector, which enables users to run connectors directly from the cloud without downloading them.

For more details, please refer to:

GCP Cloud connector

Managing Notifications

Cloud Security now offers an Overall Compliance option in addition to the New Violation notification, lets users choose Weekly and Monthly frequencies in addition to the default Daily frequency, and provides enhanced resource choices between connectors and tags.

For more details, please refer to:

Managing notifications

Corrected issues

For a list of all open issues, see Known issues.



July 2018: Release 2

What's new

The following changes are included in this release of Cloud Security:

a. Some UI, functional, and security defects have been addressed.

b. Changes have been incorporated in the trial user email.

c. Older OWASP connectors have been deprecated.

Corrected issues

Defect ID Description

DRDK2-13772

New users could not be created for Juno Stack on Edge Browser since T&C checkbox was not present.

DRDK2-13745

AWS Cloud connector sometimes took 270 - 300 seconds causing lambda timeouts, and this was observed on PROD.

DRDK2-13703

Security policy of ElasticBeanstalk's loadbalancer needed to be updated.

DRDK2-13188

Disabling connector took approximately 1 second more than the benchmark time of approximately 2 seconds.

DRDK2-12919

Resource remediation did not work using a group inline policy while cross accounts were configured.

DRDK2-9426

DevOps - SPS - EBS volumes of elastic beanstalk instances were not encrypted.


For a list of all open issues, see Known issues.


July 2018: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description
Azure Connector

This version of Cloud Security supports a modified Azure Connector which has additional support to enable remediation.

For details, please refer to:

Azure Connector

GCP Connector

This version of Cloud Security supports a modified version of GCP Connector which has additional support to enable remediation.

For details, please refer to:

GCP Connector


Managing Exceptions

You can now use Cloud Security for editing exception names, start dates and end dates.

For details, please refer to:

Managing Exceptions


Corrected issues


For a list of all open issues, see Known issues.


June 2018: Release

What's new

The following features are available in this release of Cloud Security:

Item Description

GCP Connector

This version of Cloud Security supports a new connector that provides compliance evaluation of resources from Google Cloud Platform.

For details, please refer to

GCP Connector

Please note that GCP rules are developed based on CIS benchmark released on 3rd of April 2018.

Trials

You can now use a Trial version of Cloud Security, with a trial period of 14 days. You can select the Trial option while registering a new user.

For more information, please refer to

Registering

Corrected issues


For a list of all open issues, see Known issues.


May 2018: Release

What's new

The following features are available in this release of Cloud Security:

Item Description

Ability to configure more than one account in one AWS connector

This version of Cloud Security provides support for configuring multiple AWS accounts using a single connector.

For prerequisites, please refer to

Multiple AWS Accounts Support

Support for Notifications

You can receive email notifications for new violations on a daily basis.

For more information, please refer to

Managing notifications

Corrected issues

This release corrects issues related to PDF functionality.


For a list of all open issues, see Known issues.


April 2018: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description

New predefined roles available for users

This version of Cloud Security provides additional roles that can be assigned to users who are invited to use the service. Previous versions only allowed Admin and View Only roles. This enables you to assign more specific control of capabilities based on roles in your organization and associate those roles within Security, Operations, and Audit persona categories.

In the UI, you can select the roles from the Invite Users page.

The Send Invitation button shows the number of users that will be sent an email invitation to use Cloud Security under the selected role.

You can select or change the role assigned to an invitee using the drop-down that corresponds to the name, or delete the invitation by clicking the trash can icon.

The following new roles are supported:

  • Security Architect
  • Security Engineer
  • Security Auditor
  • Operator
  • Operations Admin
  • Cloud Security Admin
  • Tenant Admin

For more information about these roles, including the capabilities that each role has in Cloud Security see Managing users.

Support for RHEL 6 EC2 Server - Extended Object (Central Execution) Compliance Policy

This version of Cloud Security supports the CIS - Red Hat Enterprise Linux 6 policy based on the recommended settings defined by Red Hat Enterprise Security Configuration Benchmark Settings for Linux 6 Version 2.0.2, published June 2, 2016.

Note: You must set the following properties in the asset.json file for the Server connector before running the connector to evaluate CIS RHEL6 policies:

EXCLUDE_HOME_DIR_USER_LIST
MEDIA_PARTITION_LIST
SSH_ALLOW_GROUPS
SSH_ALLOW_USERS
SSH_DENY_GROUPS
SSH_DENY_USERS

For more information about using the Server connector to evaluate compliance with this new policy, see Server connector.

Corrected issues

This release corrects issues related to CIS RHEL 6 policies.

Open issues

For a list of all open issues, see Known issues.


April 2018: Release 1

Corrected issues

This release corrects issues related to View Only access for users invited by Tenants.

The following additional issue was corrected in this release:

Defect ID Description
DRDK2-11604

After an evaluation returned results of no non-compliant resources, the value of the trend graph showed -1 and +1 instead of 0.

Open issues

For a list of all open issues, see Known issues.


March 2018: Release 4

What's new

The following features are available in this release of Cloud Security:

Item Description
Azure Connector Multiple Subscription Support

In this release, in support of the Azure multi-subscription support released earlier in the month, the Azure Subscription ID field has been moved to the advanced configuration section on the Add a Connector page. As with the initial release of this functionality, leaving this field blank triggers Cloud Security to fetch all subscriptions (single or multiple) that are associated with the Client ID. The Client ID must have access to all subscriptions to be scanned. If the number of subscriptions changes, the Azure connector automatically fetches the new set of subscriptions on the next scan. Typing a single ID specifies that the policy scans only the resources of that subscription.

For more information on this new functionality, see Azure connector.

Tenant login preferences

This version of Cloud Security retains the organization selected when the Tenant logs in to Cloud Security. This ensures that users are directed to the most recently selected organization the next time they log in, instead of being directed to the Choose an Organization screen.

Corrected issues

This release corrects several issues related to View Only access for users invited by Tenants.

The following additional issues were corrected in this release:

Defect ID Description
DRDK2-11472

Multiple error messages occurred intermittently after redownloading an Azure connector.

DRDK2-10643

A Tenant Admin User was unable to update the fields of other Tenant Admin users in the same organization.

Open issues

For a list of all open issues, see Known issues.


March 2018: Release 3

What's new

The following features are available in this release of Cloud Security:

Item Description
Updated CIS Docker Benchmark support
The Docker connector enables you to collect data from Docker Containers, Docker Hosts, and Docker Daemons, and evaluate Docker content against the Center for Internet Security (CIS) Docker 1.12 Benchmark. This policy is created based on the recommended Docker Host, Docker Container, and Docker Daemon settings defined by the CIS Docker 1.12.0 Benchmark Version 1.0.0, published on January 19, 2017.

This release supports CIS Docker 1.12.0 and 1.13.0 for both single host and Kubernetes environments.

For more information, see Docker connector.

Support for Microsoft Edge browsers

This version of Cloud Security is certified for Microsoft Edge. Currently, Edge browsers do not support the ability to export data to PDF. Therefore, in Cloud Security, the Export to PDF functionality is unavailable on the Dashboard and Transaction Utilization page when using Edge (this feature is still available using Chrome browsers).

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-11011

On the Connector panel, the Update Instructions link disappeared when changing the connector status from Disable to Enable.

DRDK2-9862

After a session had timed out, users were unable to log back in to Cloud Security using the previous URL (containing the /account/login suffix), but instead had to log in using the base URL.

This release also corrects several issues related to View Only access for users invited by Tenants.

Open issues

For a list of all open issues, see Known issues.


March 2018: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description

Azure Connector Multiple Subscription Support

This release of Cloud Security enables Tenants to configure multiple Azure subscriptions for a single connector. Previously, a connector had to be configured for each subscription in Azure. This gives Cloud Security users more flexibility with connector configurations so that they can configure a minimal number of connectors for Azure, regardless of how many subscriptions for Azure services are required.

A GUID (or, for SQL Servers/Database, a Name) uniquely identifies your subscription to use Azure services. For each tenant, there can be multiple subscriptions in one Azure account, and costs are tracked based on subscription level. Each subscription in an Azure account can have different resource groups. All Azure resources must be part of resource groups.

For example, one company (tenant) might have different organizations (QA, Payroll, and so forth). So that company could have different subscriptions for those departments, but they would only have to configure the connector a single time to fetch the information across all subscriptions and display it in Cloud Security.

In Cloud Security, leaving the Azure Subscription ID blank when onboarding the connector triggers Cloud Security to fetch all subscriptions (single or multiple) that are associated with the Client ID.

As in prior releases, you can still enter a single subscription ID to specify that only one subscription be scanned.

For more information about onboarding Azure connectors, see Azure connector.

Azure CIS Latest benchmark changes

This release of Cloud Security implements updates in support of the new version of the CIS Microsoft Azure Benchmark, released February 20, 2018.

CIS Docker policy 1.12 Benchmark support

The Docker connector enables you to collect data from Docker Containers and evaluate Docker content against the Center for Internet Security (CIS) Benchmark, the specification developed for establishing secure configurations for various technology groups. This release of Cloud Security supports the CIS Benchmark version 1.12 for Docker.

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-11168

A user was invited a second time for the same organization with a different role, instead of just the user's role being updated.

DRDK2-10998

The error, "Bad RequestMissing 'min' attribute in request payload..." displayed after a tenant logged on to Security for the first time and there was no evaluation data.

This release also corrects several issues related to View Only access for users invited by Tenants.

Open issues

For a list of all open issues, see Known issues.


March 2018: Release 1

This release of Cloud Security corrects several issues related to View Only access for users invited by Tenants.

For more information about this feature, see Managing users.

Open issues

For a list of all open issues, see Known issues.


February 2018: Release 4

What's new

The following features are available in this release of Cloud Security:

Item Description

View-only access for users invited by Tenants

Tenant Administrators can now assign roles to users to whom they have granted access to use Cloud Security. View Only users have the ability to view all data created by other users in Cloud Security.

An example of a View Only use case is when you want to establish a Compliance Audit role where that person can analyze compliance information without performing any modifications.

After logging in, they are redirected to the Dashboard, where they can perform the following actions:

  • View Compliance Results
  • View Connectors
  • View Policies
  • View Exceptions
  • View Users
  • Export Reports (.pdf or .csv)

View Only users cannot add or modify connectors, policies, exceptions, or users, nor can they add or invite new users to use Cloud Security.

If no data is displayed on the Dashboard, View Only users are notified to contact their Tenant Administrator, who can perform all operations in Cloud Security.

For more information, see Managing users.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-10731

The following error was displaying on the Users page: "Process exited before completing request".

DRDK2-10580 A CSV export from both the Violations and Resources pages did not include the Resource Name.

Open issues

For a list of all open issues, see Known issues.


February 2018: Release 3

What's new

The following features are available in this release of Cloud Security:

Item Description

Azure CIS Latest benchmark changes

This release of Cloud Security implements updates in support of the new CIS Microsoft Azure version 1.0.0 benchmark.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-10598

A user invited to use Cloud Security within multiple organizations did not have the correct permissions for that organization.

Open issues

Currently when Connector (system) users unsuccessfully log into Cloud Security after the fifth attempt and are subsequently locked out, Connector (owner) users do not receive an email notification.

For a list of all open issues, see Known issues.


February 2018: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description

Running on-demand compliance scans

You can run a compliance scan directly from the downloaded connector. This can be useful for existing connectors that have long intervals between scheduled scans, when you decide that you want to perform an ad-hoc scan. In this case you can trigger the collection cycle right away instead of, or in addition to, a scheduled scan in the future. When onboarding the connector, the mode is set to run a scan On Demand by default. Both collection modes enable you to run on-demand scans.

This version adds support for on-demand scanning for Azure, Docker, and Server connectors.

For more information about on-demand scanning, see Managing connectors.

Open issues

For a list of all open issues, see Known issues.


February 2018: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description
Policy versioning

Cloud Security now enables you to update a policy to a newer version if one is available. This helps avoid compatibility conflicts between newer versions of connectors and existing policies. If you have an older connector in a Tenant and try to onboard a newer version of the connector, the connector might not be compatible with the policies currently mapped to it.

There are two ways to identify that a new policy update is available:

  • When you update a connector, the Connector Update instructions indicate which, if any, policies might be incompatible with the new version of the connector.

  • On the Manage Policies page, an information banner displays in the row of the listed policy indicating that a new version is available.

To update the policy:

  1. On the Manage Policies page, in the row corresponding to the policy you want to update, click Update to the right of the information banner.
     A notification displays validating the compatibility of the updated policy with the existing connectors. Connectors that are not compatible with the updated policy are denoted by an "X" in the list.

     Note

     Proceeding with the update will disable the mappings between the policy and its non-compatible connectors.

  2. On the Policy Update Confirmation message, click Update Policy.

Alternately, click the policy and drill down to the Policy Details page, click Update Policy Now! on the information banner at the top of the page, and then click Update Policy on the Policy Update Confirmation message.

You can also update policies from the Add a Connector page during the connector onboarding process.

For more information about updating policies, see Updating a policy.

Running on-demand compliance scans

You can run a compliance scan directly from the downloaded connector. This can be useful for existing connectors that have long intervals between scheduled scans, when you decide that you want to perform an ad-hoc scan. In this case you can trigger the collection cycle right away instead of, or in addition to, a scheduled scan in the future. When onboarding the connector, the mode is set to run a scan On Demand by default. Both collection modes enable you to run on-demand scans.

This version supports on-demand scanning for Java-based connectors.

For more information about on-demand scanning, see Managing connectors.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description

DRDK2-10089, DRDK2-10090

For a connector created in On Demand mode that was subsequently changed to Scheduled mode, the next scheduled time on the connector panel was displayed as the date and time that the connector was created, when it should have displayed the date and time that the connector will run. Also, when the scheduled interval was changed, the new collection cycle might not have been applied immediately.

DRDK2-9875

Severity across all out-of-the-box (OOTB) policies was not standardized.

Open issues

For a list of all open issues, see Known issues.


January 2018: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description

Deleting users

This version of Cloud Security enables a Tenant Admin to delete users if they are no longer a member of the Tenant, or for any other reason. (For example, the contract for an employee that was invited to join an organization might have ended, and that contractor should no longer have access to Cloud Security and the user data.)

For more information about deleting and managing users, see Managing users.

Running on-demand compliance scans

You can run a compliance scan directly from the downloaded connector. This can be useful for existing connectors that have long intervals between scheduled scans, when you decide that you want to perform an ad-hoc scan. In this case you can trigger the collection cycle right away instead of, or in addition to, a scheduled scan in the future. When onboarding the connector, the mode is set to run a scan On Demand by default. Both collection modes enable you to run on-demand scans.

This version supports on-demand scanning for AWS on-premise and AWS Cloud connectors.

You can run an on-demand scan on a connector in the Running state (by clicking the Evaluate Now button on the connector panel) or set the next collection cycle on a connector in the Disabled state (by editing the connector and changing the Collection Mode in the configuration) to run on demand.

For open issues related to on-demand scans, see Open issues.

For more information about on-demand scanning, see Managing connectors.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description

DRDK2-9971

When running the Azure connector against a Virtual Machine, CIS Rule 7.6 (Ensure that only approved extensions are installed) was reported as Indeterminate when it should have been reported as NonCompliant.

DRDK2-9784

The Delete button remained enabled when no user was selected on the Manage Users page.

DRDK2-9783

A TenantAdmin user was unable to get information about an invited TenantAdmin user in the same organization.

Open issues

Currently, for a connector created in On Demand mode that is subsequently changed to Scheduled mode, the next scheduled time on the connector panel is displayed as the date and time that the connector was created. It should display the date and time that the connector will run.

Also, when the scheduled interval is changed, the new collection cycle might not be applied immediately. For example, if an existing collection cycle of 2 days is subsequently changed, you must wait 2 days for the connector to complete the existing cycle before a collection cycle based on the new schedule can begin. This could adversely impact your ability to run scans more quickly.

For a list of all open issues, see Known issues.


December 2017 Releases

December 2017: Release 3

What's new

The following features are available in this release of Cloud Security:

Item Description

Tenant User Management and Managed Service Providers


Cloud Security enables access to its services by Managed Service Providers, providers of services to a set of clients across a business. For example, a company might have a set of customers for whom they want to use Cloud Security to perform a security assessment. The company that enables its clients to provide these services is the Managed Service Provider (MSP). The clients, or organizations within the MSP, are known as the Managed Tenants.

The MSP can choose which organizations to work with, and Managed Tenants can invite additional users into the organization to leverage the same data and functionality in Cloud Security (such as viewing compliance results, connectors, and policies) to meet the requirements of its customers.

Note

In order for an MSP Tenant to create an organization, a PM must approve the request. After you receive email confirmation of the approval and log in, you must log out and then log back in to see the Choose an organization page, where you can select a Managed Tenant to use Cloud Security. You must also log out and log back in if you are already logged in, request to add an organization, and do not log in from the email confirmation.

For more information about MSP registration, see Registering.

Connector versioning

Cloud Security now enables you to update a connector to a newer version if one is available. This helps avoid compatibility conflicts between newer versions of policies and existing connectors. If you have an older connector in a Tenant and try to onboard a newer version of the connector, the connector might not be compatible with the policies currently mapped to it.

If a newer version is available for the connector you have onboarded, an information banner displays on the bottom pane of the connector panel on the Manage Connectors page.

To update the connector, see Managing connectors.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-9558

Users were able to switch to an organization of which they were not a member, and they were able to get the list of users of organizations of which they were not a member.

DRDK2-7574

The selection check box was disabled for a remediation on the Resources page when more than 100 resources were mapped to the remediation action.

Open issues

For a list of all open issues, see Known issues.


December 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description
Tenant User Management and Managed Service Providers

Cloud Security enables access to its services by Managed Service Providers, providers of services to a set of clients across a business. For example, a company might have a set of customers for whom they want to use Cloud Security to perform a security assessment. The company that enables its clients to provide these services is the Managed Service Provider (MSP). The clients, or organizations within the MSP, are known as the Managed Tenants.

The MSP can choose which organizations to work with, and Managed Tenants can invite additional users into the organization to leverage the same data and functionality in Cloud Security (such as viewing compliance results, connectors, and policies) to meet the requirements of its customers.

For more information about MSP registration, see Registering.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-8714 Deleting a connector did not delete all of the associated resource and violation system data.

Open issues

For a list of all open issues, see Known issues.


December 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description
Tenant User Management and Managed Service Providers

Cloud Security enables access to its services by Managed Service Providers, providers of services to a set of clients across a business. For example, a company might have a set of customers for whom they want to use Cloud Security to perform a security assessment. The company that enables its clients to provide these services is the Managed Service Provider (MSP). The clients, or organizations within the MSP, are known as the Managed Tenants.

The MSP can choose which organizations to work with, and Managed Tenants can invite additional users into the organization to leverage the same data and functionality in Cloud Security (such as viewing compliance results, connectors, and policies) to meet the requirements of its customers.

For more information about MSP registration, see Registering.

Creating an exception for a specific resource/rule

Cloud Security enables you to create exceptions for a rule in a policy only for specific resources.

For example, you might create an exception for another department in an organization that does not consider a specific resource as non-compliant.

You can also create a resource-specific exception from the Violations page using the exception flag.

For example, a user might view a specific resource and wants to add an exception on the spot. Using the flag option enables you to do so without leaving the page.

Using either method, the resource for which you create the exception is then shown with a status of CompliantWithException.

You can also enable, disable, and delete an exception in this release of Cloud Security.

For more information, see Managing exceptions.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-9239 For the CloudTrail policy, some of the rules were showing that remediation content was not available.

Open issues

For a list of all open issues, see Known issues.



November 2017 Releases



November 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description
Tenant User Management and Managed Service Providers

Cloud Security enables access to its services by Managed Service Providers, providers of services to a set of clients across a business. For example, a company might have a set of customers for whom they want to use Cloud Security to perform a security assessment. The company that enables its clients to receive these services is the Managed Service Provider (MSP). The clients, or organizations within the MSP, are known as the Managed Tenants.

The MSP can choose which organizations to work with, and Managed Tenants can invite additional users into the organization to leverage the same data and functionality in Cloud Security (such as viewing compliance results, connectors, and policies) to meet the requirements of its customers.

For more information, see Registering and Managing users.

Installing the Server connector as a service (Windows and Linux OS)

As an alternative to running the Server Connector locally using a batch file (similar to other on-premise connectors), this release of Cloud Security enables you to install the connector as a service, which enables the connector to continuously run and collect data through Windows Services.

For more information, see Server connector.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-8983 The Server connector was crashing on a Red Hat Enterprise Linux target machine.
DRDK2-8807 Duplicate resources were displayed on the Resources page.

Open issues

For a list of all open issues, see Known issues.


November 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description
Managing exceptions

Cloud Security enables you to create exceptions for a rule in a policy. Exceptions enable you to mark all resources that are evaluated against the rule as exceptions. An Administrator can create an exception with just the Policy Name and the Rule Name that the exception is associated with. Once the exception is created, on a subsequent evaluation the qualifying resource-rule combination is considered compliant, even if it is evaluated as non-compliant in Cloud Security.

A resource can be added to more than one exception, and resources with exceptions that have expired will turn non-compliant at the next evaluation.

Note

A new evaluation is necessary for any exception to be enforced. Because an exception is for a particular vulnerability, a resource can still be non-compliant if there are other failures. The Compliance of a resource is based on the threshold value defined in the policy.

For more information, see Managing exceptions.

On-premise mode for Server connector

This release of Cloud Security enables you to run compliance on servers that are on-premise. The Server connector is deployed on the host from which it connects to the RSCD agent of the targets specified in a file that you provide during onboarding. The file specifies where the connector runs, and triggers the compliance evaluation against the server. Multiple servers can be added in the file as comma-separated endpoints.

Editing connectors

The editing option enables you to change configuration parameters you set during the connector onboarding process.

Note

You can only edit a connector that is in the Downloaded or Disabled states. Currently, editing is supported only for AWS on-premise and cloud connectors.

For more information, see Editing a connector.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-8849 After onboarding an AWS on-premise connector, the connector data was not populating in Cloud Security.
DRDK2-8716 When importing a new policy, Security Group policy data did not display in Cloud Security for on-premise connectors.

Open issues

For a list of all open issues, see Known issues.



October 2017 Releases



October 2017: Release 2

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-8516 After deleting an AWS connector from Policy, the Transaction Utilization count was still increasing.
DRDK2-7115 All the rules of the IAM_PASSWORD_POLICY were not getting remediated for the AWS cloud connector.

Open issues

For a list of all open issues, see Known issues.


October 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description
Cloud Security support for compliance on EC2 instance using a Server Connector.

This version of Cloud Security supports running CIS Compliance checks on servers in multi-cloud environments. A new Server connector enables you to perform server regulatory compliance on EC2 CIS W2K12 instances.

The following policies are currently available for the Server connector:

  • CIS - Windows Server 2012 R2 DC. This Policy is based on the recommended settings defined by Microsoft Windows Server 2012 R2 Security Configuration Benchmark Version 2.2.0, published April 28th, 2016 (Reference#: http://cisecurity.org).
  • CIS - Windows Server 2012 R2 MS. This Policy is based on the recommended settings defined by Microsoft Windows Server 2012 R2 Security Configuration Benchmark Version 2.2.0, published April 28th, 2016 (Reference#: http://cisecurity.org).

Note

This version of TrueSight Cloud Security Service supports compliance with Server connectors for AWS EC2 instances on Windows only. Remediation is not yet supported.

For more information, see Server connector.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-8416 For the CIS AWS 1.24 AWSIoTRuleActions policy, the rule was evaluated as Indeterminate when it should have been Compliant.
DRDK2-7809 Base Connector was not reflecting selection hint for multiple feeds published in sequence.

Open issues

For a list of all open issues, see Known issues.



September 2017 Releases



September 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description

Cloud Security compliance on Microsoft Azure multi-cloud environments

This version of TrueSight Cloud Security supports multi-cloud environments through compliance of Microsoft Azure. You can now download and configure an Azure connector and collect information from Microsoft Azure resources and perform compliance and risk assessments on Azure using Cloud Security.

The following policies are currently available for the Azure connector:

  • BMC Azure Network Security Groups
  • BMC Azure Subscription
  • BMC Azure Virtual Machine
  • BMC Azure Virtual Network

For more information, see Azure connector.

Multi-user support for tenants

Now a tenant can support additional users for Cloud Security. This enables collaboration between multiple users for a specific tenant.

On the Sign up panel that appears when creating an account, the Company Name and Work Email Address fields enable multi-user support for tenants. The email address you provide designates the tenant, who can then invite other users to collaborate and share data.

You can then manage new users that are added after registration directly from the Policy UI. For more information, see Registering and Managing users.
Dashboard data filtering using tags

The TrueSight Cloud Security Dashboard now gives you the ability to filter data based on tags, metadata related to specific resources (security groups, database instances, and so forth) represented as key-and-value pairs. Tags enable you to categorize a resource by purpose or other category. You can then search on that category and filter widget data using tag filters, which are available on the top-level dashboard, and on the Resources and Violations multi-level pages. You can also designate search criteria to search on any or all metadata on selected resources.

Note

For this release of Cloud Security, tags are supported for AWS and Azure resources.

The TrueSight Cloud Security dashboard displays the compliance health of your environment at a glance, and enables you to customize the data based on filters you define. The dashboard shows current summary compliance statistics of your resources and also displays clickable widgets that enable you to traverse directly to specific resources or rules. For capturing and sharing, you can export data to CSV or PDF format.

For more information about the new Dashboard, exporting, and data filtering using tags, see Navigating the Dashboard.

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-7707 Elastic Search policy did not show intermittently when the All Policies filter was selected and Total Resources data changed intermittently.
DRDK2-4981 The cookbookupload.sh script in the Chef connector does not handle the case where the directory path in which the connector.zip file is extracted contains a space.

Open issues

For a list of all open issues, see Known issues.


September 2017: Release 1

Open issues

For a list of all open issues, see Known issues.



August 2017 Releases



August 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description
New Policy Dashboard

The TrueSight Cloud Security Dashboard displays the compliance health of your environment at a glance, and enables you to customize the data based on filters you define. The dashboard shows current summary compliance statistics of your resources and also displays clickable charts that enable you to traverse directly to specific resources or rules. For capturing and sharing, you can export data to CSV or PDF format.

For more information about the new Dashboard, see Navigating the Dashboard.

Support for manual remediation of compliance violations for AWS Cloud Connectors

Cloud Security users might have one or more AWS accounts where various artifacts (for example, Compute, Storage, Networks, Databases, and so forth) are created and subsequently changed on a regular basis. To ensure that these artifacts adhere to an organization's regulatory policies, Policy users might need information about these objects to be collected and analyzed on a periodic basis.

This release of Cloud Security provides manual remediation for AWS Cloud connectors. This connector collects various artifacts of an AWS account and publishes them to Cloud Security, where they can be evaluated against AWS CIS policies. AWS CIS policies are provided with Policy per the definitions in the CIS AWS Foundations Benchmark, a set of security configuration best practices for AWS. Remediation functions the same way for Cloud connectors as for AWS on-premise connectors, and is available for all supported policies.

Note the following limitations with remediating AWS policies in the current release of TrueSight Cloud Security:

  • Currently, all S3 Buckets data is pushed to the Cloud Security UI, when only the S3 buckets data that is associated with CloudTrail policies should be fetched and pushed to the Policy UI.

For more information about AWS remediation, see Remediating violations. For an example of the onboarding process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS.

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, you can download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud connector and AWS On-Premises connector.

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-7453 Evaluations were not visible in the UI after the first run.
DRDK2-7446 An S3 bucket policy was publicly accessible with list and write permissions.
DRDK2-7343 AWS cloud connector logs were generating unnecessary data and causing an increase in CloudWatch billing.

DRDK2-7282 The AWS collector Lambda logs printed an access key and secret keys.
DRDK2-7268 A search on the Resource page returned no values.
DRDK2-5078 Policy Registration page supports apostrophes, hyphens, and spaces in the name, and the phone number followed by a country code.

Open issues

For a list of all open issues, see Known issues.


August 2017: Release 1

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-7005 Incorrect data and messages displayed in the Cloud Security UI when data was published through an API.

DRDK2-6319 For CloudTrail rules 3.1 through 3.14, the filter pattern parameter was editable.
DRDK2-6233 Remediation did not work for CloudTrail policies when the policy had one metric filter and one alarm with associated SNS topic, but no SNS Subscription for the topic.
DRDK2-6224 The error message, "Endpoint request Timedout" displayed on the Policy UI when a bulk remediation was submitted.
DRDK2-4980 The call, "policy-api/policies/getPoliciesForConnector" took significant time (2-3 seconds) to respond.

Open issues

For a list of all open issues, see Known issues.



July 2017 Releases



July 2017: Release 2

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-6697 The Lambda policy did not retry deleting the connector after the data deletion failed.
DRDK2-6538 The Severity Filter sequence changed after selection.
DRDK2-6137 An AWS cloud connector showed a date that had passed as a scheduled start date.

Open issues

For a list of open issues, see Known issues.


July 2017: Release 1

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID Description
DRDK2-6804 An error message displayed on the Resources page when publishing data from a policy through an API.
DRDK2-6747 An invalid message displayed on Remediation Submitted state.
DRDK2-6540 Password Policy remediation failed if the password policy had not been applied to the account.
DRDK2-6539 AWS on-premise connector data did not reflect in Cloud Security even though logs showed that data was successfully published.
DRDK2-6421 The error, "Rate Exceeded, TooManyRequestsException" occurred while trying to push data for 1000 resources.
DRDK2-5251 AWS cloud and on-premise connectors overrode each other's resources.

Open issues

For a list of open issues, see Known issues.



June 2017 Releases



June 2017: Release 4

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-6246 The collector kept scanning services and resources even if there were too many resources.
DRDK2-6196 The 'max_items_per_feed' was infinite even if it was set to 20 by default in the collector.properties file.
DRDK2-6424 The number of search calls kept increasing on the Resources tab when navigating through different tabs on the Portal UI.

Open issues

For a list of open issues, see Known issues.


June 2017: Release 3

What's new

The following features are available in this release of Cloud Security:

Item Description

Content support for manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS CloudWatch CIS Policy
  • AWS CloudTrail CIS Policy

Note the following limitations with remediating AWS policies in the current release of Cloud Security:

Policy Limitation
AWS CIS CloudTrail (rules 3.1 through 3.14)

Before remediating violations, you must provide the name of the SNS topic from your AWS account as a remediation parameter.

The SNS topic must:

  • Reside in the same AWS region as the corresponding CloudTrail and CloudWatch LogGroup.
    For example, if the CloudTrail and CloudWatch log groups are in the us-east-1 region, the SNS topic in which the name is provided in remediation must also be in that region.
  • Contain at least one subscription that is confirmed, so that a subscription entry in the Subscription ID column has an ARN value (for example, arn:aws:sns:us-east-1:875062582069:East1_Topic:26aa2d24-aa85-471f-812b-d9f7ca4fa2b1).
AWS CIS IAM Credentials
After a rule is remediated:
  • The SDK/API queries take 4 hours to return the remediation values to Cloud Security.
  • The key should be deleted and a new one created. Instead, Cloud Security deactivates the key so that you can take appropriate measures before deleting and creating a new one.
AWS CIS KMS
  • Although the KMS key might contain multiple aliases, the UI displays only one.
  • If the KMS key is in the Disabled state, the UI shows a status of Compliant with the KMS key disabled.
  • If the KMS key is in the Pending Deletion state, the UI shows a status of Compliant with the KMS key pending deletion.

For more information, see Remediating violations. For an example of the onboarding process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS.

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, you can download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud connector and AWS On-Premises connector.

Security enhancements

The following messages appear upon one or more unsuccessful login attempts:

1st and 2nd failed attempt: Invalid credentials. Please try again.

3rd failed attempt: Invalid credentials. Your account will be locked after 2 more unsuccessful login attempts.

4th failed attempt: Invalid credentials. Your account will be locked after another unsuccessful login attempt.

5th failed attempt and thereafter: Your account has been locked because of a maximum number of incorrect login attempts. To unlock it, use the Forgot Password? link and then log in with valid credentials.

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-6360 Action Sequence wrapper, Rule 1.3 remediation did not work. Access keys did not get disabled and the user received a message of successful remediation.
DRDK2-6215 When IAM user names were provided in remediation but did not exist, remediation failed with an unclear error message.
DRDK2-6208 Users did not get locked out if they made 5 consecutive unsuccessful login attempts.
DRDK2-5818 AWS CIS IAM: Rule 1.2 (Ensure multi-factor authentication (MFA) was enabled for all IAM users that had a console password) did not exclude those users without passwords.
DRDK2-5817 AWS CIS IAM: Rule 1.12 (Ensure no root account access key exists) showed as compliant, even if the root account did not have access keys.
DRDK2-6088 For CloudTrail policies, rules 3.3 and 3.5, an alarm was not added to the CloudWatch log group as part of remediation.

DRDK2-5754 When there were two cloud trails with the same name in different regions, one could be remediated, but the other could not, despite being returned as successful.
DRDK2-5520 An AWS connector kept scanning continuously when the schedule was set to 30 days.
DRDK2-3649 The filterPattern value was not displayed in the evaluation result of rule 3.1 of the AWS CIS CloudTrail policy.

Open issues

For a list of open issues, see Known issues.


June 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description

Content support for manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS Security Group CIS Policy

Note the following limitations with the AWS CIS IAM Credentials policy after a rule is remediated:

  • The SDK/API queries take 4 hours to return the remediation values to Cloud Security.
  • The key should be deleted and a new one created. Instead, Cloud Security deactivates the key so that you can take appropriate measures before deleting and creating a new one.

For more information, see Remediating violations.

For an example of the process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS.

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, you can download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud connector and AWS On-Premises connector.

Remediation Action Customizations

You can now configure parameter values from the caas-portal and create different action configurations and mappings per resource sets, and then associate a connector instance to those configurations. The Policy Details page now shows the number of configured actions by status (MANUAL or DISABLE). Multiple actions can be mapped to a single rule.

For more information, see Remediating violations and Editing policies.

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-6069 You were unable to delete an action that was just added without any details.
DRDK2-6066 An error message appeared when changing the action mapping to Manual using the Remediation button.

Open issues

For a list of open issues, see Known issues.


June 2017: Release 1

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-5910 Remediation did not work for a rule that was configured with a custom remediation action.
DRDK2-5818 The rule "1.2 Ensure multi-factor authentication (MFA) was enabled for all IAM users that have a console password" did not exclude users without passwords.
DRDK2-5709 You could not edit the remediation for rule 2.4 for an AWS CIS CloudTrails policy.
DRDK2-5045 Using "NotPrincipal" as a root user, BMC AWS ElasticSearch policy rule 1.1 was evaluated as Compliant instead of Non-compliant.

Open issues

For a list of open issues, see Known issues.



May 2017 Releases



May 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description

Content support for manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS CIS IAM Credentials Policy
  • AWS CIS RDS Policy

For more information, see Remediating violations.

For an example of the process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS.

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, you can download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud connector and AWS On-Premises connector.

Remediation Action Customizations

You can now configure parameter values from the caas-portal and create different action configurations and mappings per resource sets, and then associate a connector instance to those configurations. The Policy Details page now shows the number of configured actions by status (MANUAL or DISABLE). Multiple actions can be mapped to a single rule.

For more information, see Remediating violations and Editing policies.

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-5776 You were unable to see the remediation action for all RDS rules.
DRDK2-5735 The status of a remediation action was not displayed for an RDS rule.

DRDK2-5729 Remediation failed for AWS CIS CloudTrails 2.1 and 2.2 rules.

Open issues

For a list of open issues, see Known issues.


May 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description

Manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS Elastic Search and S3 Buckets CIS policies

For more information, see Remediating violations.

For an example of the process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS.

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, you can download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud connector and AWS On-Premises connector.

API and SDK enhancements and updates
Self-help (whatfix) flows

This version of TrueSight Cloud Security adds several new whatfix flows that can be invoked directly from the UI:

  • Policy Management flow: How to view policies and the rules of the policy and to filter the list of rules
  • Authoring Sandbox: How to author custom policies
  • Connector Management flow: How to manage an onboarded connector
  • Remediation flow: How to remediate violations of a rule and how to view a violation on the dashboard
  • Managing Resources flow: How to view resources on the dashboard 

Whatfix, introduced in Release 2 of April 2017 with two onboarding flows (on-premise and cloud-based connectors), is a real-time interactive support application that helps guide you through various workflows in the UI through guided steps.

Whatfix is enabled by clicking the Self-Help widget on the right side of the Dashboard after you log in. Self-Help differs from BMC context-sensitive help (opened by clicking the Help button on the bottom-right of the screen) in that it provides an active, interactive "tour" that guides you through a specific flow in the context of the Policy UI. BMC's Help and online documentation provide greater detail and depth, serving as additional information should the whatfix flows not provide enough context.

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-5160 Validation requirements on the User Registration Screen were too stringent.
DRDK2-5061 The Base Connector onboarding flow should not contain a Policy Import page.

Open issues

For a list of open issues, see Known issues.



April 2017 Releases



April 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item Description

Manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS CIS IAM Password
  • AWS CIS KMS

For more information, see Remediating violations.

For an example of the process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS.

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, you can download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud connector and AWS On-Premises connector.

Re-downloading connectors

You can now re-download a connector from the Manage Connectors page. You might want to re-download a connector in the following situations:

  • A previous download of a connector failed.
  • A previously downloaded connector is in the Suspended state.
  • A previously downloaded connector is in Downloaded state.
  • A connector has been misplaced in the Manage Connectors page.

You can also re-download a connector that is in the Disabled state, but not a connector that is in the Running state.

Downloading and re-downloading actions apply only to on-premise connectors. For more information, see Managing connectors.

Deleting connectors

You can now delete a connector from the Manage Connectors page. For example, you might want to reduce connector sprawl on your Manage Connectors page, especially to eliminate unused connectors.

You cannot delete a connector that is in the Running state.

Note

For this version of Cloud Security, data associated with the connector is not deleted.

For more information, see Managing connectors.

API and SDK support

The Cloud Security API conforms to the architectural principles of Representational State Transfer (REST). Its RESTful architecture features a straightforward, easy-to-use interface facilitated by standard HTTP request and response messages. This version of Cloud Security provides two APIs that enable you to perform various functions in the Policy UI. For more general information and specific use cases you can run, see Evaluating data using the REST API.

Additionally, this version of Cloud Security provides a software development kit (SDK) that can access the Innovation Suite APIs and SDKs, the core building blocks for developers. The SDK provides a normalized and homogeneous interface to manage your cloud and other on-premises software. The SDK can be used to call the Cloud Security API directly by embedding the .jar files into development code so that the API can be invoked programmatically. For more general information and specific use cases you can run, see Using Cloud Security SDKs and Publishing data in Async mode using the SDK.

Self-help (whatfix) flows

This version of Cloud Security introduces the integration of whatfix, a real-time interactive support application that helps guide you through various workflows in the UI through guided steps.

Whatfix is enabled by clicking the Self-Help widget on the right side of the Cloud Security Dashboard after you log in. Self-Help differs from BMC context-sensitive help (opened by clicking the Help button at the bottom-right of the screen) in that it provides an active, interactive "tour" that guides you through a specific flow in the context of the Policy UI. BMC's Help and online documentation provide greater detail and depth, and serve as additional information should the whatfix flows not provide enough context.

Corrected issues

The following issues were corrected in this release:

Defect ID Component Description
DRDK2-5216 UI Action Content messages that displayed during the onboarding process should not have been hidden.
DRDK2-5192 Connector A connector crashed on a Red Hat Enterprise Linux Server release 6.8 (Santiago) machine.
DRDK2-5182 Remediation Remediation was held up when remediation for 25 buckets was submitted.
DRDK2-5181 Remediation An endpoint request timeout message was displayed when remediation for 25 buckets was submitted.
DRDK2-5175 UI A Docker policy with special characters in its name could not be overwritten from the UI.
DRDK2-5173 Enterprise Connector When running an Enterprise vulcanizer from the command line, the connector name was incorrect.
DRDK2-5170 Remediation Remediation status was not shown in the UI for S3 and ElasticSearch, even after remediation was successfully invoked and executed by the connector.
DRDK2-5128 Remediation The UI did not refresh automatically to show remediation status changes; a manual refresh was required.
DRDK2-5103 Remediation Before remediation was submitted, there was no check that the connector was enabled and reachable.
DRDK2-5075 Remediation The connector crashed when remediation failed.
DRDK2-5069 Remediation Remediation should not be allowed to trigger for a cloud connector.
DRDK2-5068 Remediation You should be able to trigger remediation again, even if the status displays as Remediation Successful.
DRDK2-5005 Remediation The message shown when attempting to remediate a rule while the connector is not running needed to be corrected.
DRDK2-4990 Policies When changing the severity of a rule to "Select Severity" and saving, an error message was displayed and the changes could not be saved.
DRDK2-4987 AWS Rule 2.3 of the AWS S3 policy showed as Compliant if the policy contained a Statement with Effect set to "Allow" and Principal set to *. The rule should be Non-compliant.
DRDK2-4894 Policies Rule filters were not working properly.
DRDK2-4845 UI You could not log in to Cloud Security using the Internet Explorer browser.
DRDK2-4403 Docker Connector You should be able to download a failed connector.
DRDK2-4026 Base Connector You should be able to download a Base Connector with the same name.
DRDK2-4023 Base Connector The Base Connector should have a license page.
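Defect DRDK2-4987 above concerns the S3 bucket-policy check (rule 2.3): a policy that contains a Statement with Effect "Allow" and Principal "*" must evaluate as Non-compliant. The following Python is an added example, not Cloud Security's own policy engine or rule content, showing that evaluation logic; it goes slightly beyond the defect text by also recognising the equivalent {"AWS": "*"} and list forms of an anonymous principal, and it does not evaluate Condition blocks, so a conditioned public Allow is still flagged. The bucket policies and account number are constructed sample data.

```python
import json

# Constructed sample bucket policies (not from the page): one public, one scoped.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AccountOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},  # constructed account id
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]})


def _is_anonymous_principal(principal):
    """True when a Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False  # missing Principal, or a Service/Federated-only principal


def public_allow_statements(policy_json):
    """Return the Sids of statements that grant Effect Allow to Principal *.

    A Deny to Principal * is not public access and is deliberately not flagged.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and _is_anonymous_principal(s.get("Principal"))]


def is_compliant(policy_json):
    """Rule 2.3 outcome: Compliant only when no statement allows anonymous access."""
    return not public_allow_statements(policy_json)
```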

Open issues

For a list of open issues, see Known issues.


April 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description

Manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS CIS S3 buckets
  • BMC AWS ElasticSearch
  • AWS CIS CloudTrails

For more information, see Remediating violations.

For an example of the process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS. 

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, you can download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud connector and AWS On-Premises connector.

Policy Editor

The Policy Editor adds functionality related to user-initiated remediation actions.

See Editing policies for more information.

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-5169 Remediation should be disabled for "AWS CIS Password Policy", "AWS CIS KMS" and "AWS CIS IAM Credentials" policies.
DRDK2-5166 While onboarding an AWS Connector, the AWS CIS Password policy was missing.
DRDK2-5089 Cloud Trail Rule 2.1 Compliance evaluation showed an incorrect result.
DRDK2-5063 Introduce a Filter of connector Name for L3 Violation Page.
DRDK2-4872 Add the "6.5 Avoid container sprawl (Not Scored)" rule in the CIS Docker 1.12.0 CIS Level 1 - Docker Host policy.
DRDK2-4860 Policy Modify date should change on the UI once the policy has been edited using Policy Editor.
DRDK2-4745 Add support for "Days" in the Schedule field in addition to Minutes and Hours for a Chef Connector.
DRDK2-4717 Add a filter option on the Add from Policy Library option.
DRDK2-4551 Action content was created successfully, even if the packaging value was other than "Bundled" or "External".
DRDK2-4404 The Docker policy names did not have the version names displayed.
DRDK2-4008 Clicking Previous and Next on the Download Page displayed an incorrect error about the hostname being used.
DRDK2-4005 Login email id should be case insensitive.
DRDK2-2545 Support UI on Safari browsers.

Open issues

For a list of open issues, see Known issues.



March 2017 Releases



March 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description
Chef Connector

The Chef connector enables you to collect data from Chef systems and evaluate Chef content against the Center for Internet Security (CIS) benchmarks.

See Chef connector for more information.

Policy Editor

The Policy Editor displays all of the rules associated with a specific policy and enables you to add or remove rules from a policy, enable remediation actions, and filter the list of policies.

See Editing policies for more information.

Updated AWS policy

This release includes an update to the AWS CIS Password Policy. Resources identified by the policy now display the AWS Account Number as the origin of the resource, as shown below:

If you have an AWS connector that uses the policy, you must re-import the AWS CIS Password Policy from the library to reflect the update. You do not need to delete the policy or the connector association, but you do need to re-import the policy.

For information about how to do that, see Updating a policy.

Warning: If you have customized the policy or the rules within the policy, re-importing the policy will remove those customizations.

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-807 Occasionally, the Status on the Dashboard showed Receiving data even though the collector did not collect data.
DRDK2-809 When the Policy Engine could not determine whether the status of a rule was compliant, it resolved the value to the Non-compliant state, even though it was an Undetermined state.
DRDK2-4402 The YAML indentation for a rule was not preserved on the Rule Expression screen.

Open issues

For a list of open issues, see Known issues.



February 2017 Releases


February 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item Description
Improvements to Docker connector

You can now configure the Docker Connector in two different modes:

  • Single Host Deployment - This mode enables you to check compliance on a single Docker host.
  • Clustered (Kubernetes) Deployment - This mode enables you to verify CIS compliance on a Docker cluster (a Linux container) that is managed by Kubernetes as a single system. This release supports CIS Docker 1.12.0 for Kubernetes.

This flexibility enables you to tailor the connector to suit your Docker environment.


Note the following prerequisites for the Clustered (Kubernetes) Deployment mode:

  • The connector must be deployed on the host where the cluster was created.
  • The host must have SSH connectivity to the master and minions.

CIS compliance policy for Docker

Using the out-of-the-box CIS compliance policy, you can evaluate Docker containers against the CIS security benchmarks.

You can evaluate containers on an individual Docker host or those in a Docker cluster that is managed by Kubernetes.

Corrected issues

The following issues were corrected in this release:

Defect ID Description
DRDK2-3845 You should be able to specify actions to be taken as part of remediation.
DRDK2-2587 A Docker CIS policy should be available as out-of-the-box content, so that I can perform CIS evaluations on Docker connectors.

DRDK2-2586 You should be able to collect data from Docker Containers for CIS policy execution. This includes Docker containers on hosts, as well as Docker Cluster Management systems such as Swarm, AWS, ECS, and Kubernetes.
DRDK2-2013 You should be able to easily view and author policies in YAML format within the UI.

Open issues

For a list of open issues, see Known issues.



2016 Releases

December 2016: Initial release

The following features are available in this release of TrueSight Cloud Security:

Item Description
Data collection
Data evaluation Verifying compliance for the given data based on out-of-the-box and user-defined policies, using the following views:
  • Managing resources
  • Identifying violations
Policies Viewing the details of the out-of-the-box policies. On the Dashboard, click Manage > Policies in the navigation bar to view the Policies screen. This screen displays a list of policies that are shipped by default and any customized policies that you might have authored or imported. See Managing policies.
Administering Set up data collection for custom resources, manage policies, and manage connectors.
Developing Set up data collection for custom resources, manage policies, and manage connectors.
Troubleshooting View troubleshooting information, enable debugging, and contact the BMC customer support team.
PDFs Get a ready-made PDF that contains all the content in this space.