BMC Helix Cloud Security is a cloud-based digital platform that tracks regulatory and security compliance by collecting, organizing, and analyzing high volumes of volatile IT business data, in real time, to meet the demands of web-scale IT. Complete and accurate analysis empowers IT operations to make fast, data-driven decisions that support continuous digital service improvement and innovation.

Release information

This topic provides information about what is new or changed in BMC Helix Cloud Security, including known and corrected issues.

Tip

To stay informed of updates to Cloud Security releases, place a watch on this page.


Jan 2020: Release

What's new

The following features are available in this release of Cloud Security:

Item | Description

Discovery Integration

BMC Discovery (On-Prem)

With this release, BMC Helix Cloud Security supports integration of Cloud Security and Cloud Cost with BMC Discovery (On-Prem Collector), hosted on AWS or on-premises. BMC Helix Cloud Security has launched a Discovery On-Premise connector. This allows users to see the security posture of the business service. Users should be able to report, notify, and set exceptions on a business service.

Event Driven Compliance (AWS)
  • Support for more AWS resources

With this release, BMC Helix Cloud Security supports more AWS resources, such as IAM Password Policy, IAM Policy, Elastic Block Store (EBS), Elastic Search (ES), Relational Database Service (RDS), CloudTrail, Key Management Service (KMS), Virtual Private Cloud (VPC), Elastic Compute Cloud (EC2), and Elastic Load Balancer (ELB). BMC Helix Cloud Security scans for newly discovered resources and for changes made to existing resources. Any change to a resource should trigger a scan specific to that resource and flag the resource if it is non-compliant.

  • API to trigger a compliance scan for a specific resource (AWS)

With this release, BMC Helix Cloud Security supports an API to trigger a compliance scan for a specific resource (AWS). Whenever a new configuration for a specific resource is pushed, or a new resource is created in a cloud environment through a DevOps pipeline, a CloudOps engineer can call an API from the DevOps pipeline to scan that specific resource for any misconfiguration.

 

Compliance on Google Cloud
  • Single policy support for CIS in the GCP connector

With this release, BMC Helix Cloud Security supports a single policy for CIS in the GCP connector. BMC Helix Cloud Security supports a single benchmark for the CIS GCP benchmarks instead of service-specific benchmarks.

  • GKE

With this release, BMC Helix Cloud Security supports GKE (Google Kubernetes Engine). GCP policies and remedial actions in BMC Helix Cloud Security are created or updated as per the final benchmark released by CIS for GKE.





Nov 2019: Release

What's new

The following features are available in this release of Cloud Security:

Item | Description

Managing Remedy Single Sign On

Remedy Single Sign-On (Remedy SSO) is an authentication system for a multi-software environment that enables users to present credentials for authentication only once. After Remedy SSO authenticates the users, they can access any other application with automatic authentication, without providing the credentials again.




Oct 2019: Release

What's new

The following features are available in this release of Cloud Security:

Item | Description

Cloud Security integration with BMC Discovery

  • With this release, TSCS supports integration with BMC Discovery. This allows users to see the security posture of the business service. Users should be able to report, notify, and set exceptions on a business service.



June 2019: Release

What's new

The following features are available in this release of Cloud Security:

Item | Description

Event Driven Compliance for BMC Helix Cloud Security

  • With this release, TSCS supports Event-Driven Compliance for the AWS Cloud Connector. This feature enables TSCS to scan for a newly discovered resource or changes made to an existing resource for S3 and Security Group. This capability ensures that any new resources deployed or existing resources modified in the cloud comply with the security configuration as per the latest CIS standards.
  • For more details, refer to this page.



May 2019: Release

What's new

The following features are available in this release of Cloud Security:

Item | Description

White Label Support for BMC Helix Cloud Operations




May 2019: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description
Kubernetes Connector
  • As part of this change, users will be able to onboard the Kubernetes connector. For more details, refer to this page.
OpenShift Connector
  • As part of this change, users will be able to onboard the OpenShift connector. For more details, refer to this page.






April 2019: Release 2

What's new

The following features are available in this release of Cloud Security:

Item | Description
Azure Cloud Connector Support for Remediation
  • As part of this change, users will be able to remediate non-compliant resources with the Azure Cloud Connector. For more details, refer to this page.
Single Policy Support for Docker
  • As part of this change, we have single policies for the CIS Docker benchmarks instead of separate policies for each resource type.



April 2019: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description
Azure Cloud Connector Support for Compliance
  • As part of this change, users will be able to scan for non-compliant resources with the Azure Cloud Connector. For more details, refer to this page.



March 2019: Release 3

What's new

The following features are available in this release of Cloud Security:

Item | Description
RSCD Download Support
  • As part of this change, users will be able to download the RSCD Agent directly from the BMC Helix Cloud Security UI.


March 2019: Release 2

What's new


The following features are available in this release of Cloud Security:

Item | Description
Single Policy Support
  • As part of this change, we have single policies for the CIS AWS benchmark instead of separate policies for each resource type.
  • As part of this change, all the resource types below are merged into a single resource type, "Account: Global Configurations".

The same can be seen on the Dashboard, Resources, Violations, and Remediations pages:

  • IAM: IAM Password Policy
  • IAM: IAM Roles
  • IAM: IAM Support Policy
  • AWSConfig: Management Tools – AWS Config
Open JDK 11 Support

All new connector downloads (except the server connector) now support Open JDK 11.0.2, and this is also reflected in the connector prerequisites.


March 2019: Release 1

What's new


The following features are available in this release of Cloud Security:

Item | Description
Permission
  • BMC Helix Cloud Security now supports the public access block policies across all buckets that AWS has recently released.




February 2019: Release 2

What's new


The following features are available in this release of Cloud Security:

Item | Description
GDPR Support for AWS

BMC Helix Cloud Security now supports GDPR Article 30, Article 32, and Articles 24 & 25.

This includes 14 new GDPR AWS policies.

PCI Support for AWS

BMC Helix Cloud Security now supports PCI DSS v3.2.1, which includes 14 AWS policies.

Users can download the benchmarks from https://www.pcisecuritystandards.org/. This release includes 14 new PCI AWS policies.

February 2019: Release 1

What's new


The following features are available in this release of Cloud Security:

Item | Description
Violation Action Details

With this release, a Cloud Ops engineer will be able to see more information on a violation and remedial action that will be taken when remediation is triggered for that violation.


January 2019: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description
Resource Consistency

With this release, the representation of resources in BMC Helix Cloud Security and BMC Helix Cloud Cost is similar. An Accounts column and an Accounts filter are also shown on the Dashboard, Resources, Violation, and Remediation pages.


December 2018: Release 2
August 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item | Description
Change Creation

BMC Helix Cloud Security now supports integration with Remedy so that users can create a change ticket for every remediation that takes place, either automatically or manually.

For more details, please refer to:

Creating Change


December 2018: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description
Content update for AWS CIS 1.2

BMC Helix Cloud Security is now compliant with AWS CIS Compliance content 1.2.

Users need to use the latest permission JSON for all rules to work as expected.

For more details, refer to: Minimum Permissions for AWS Connector


October 2018: Release 1

What's new

The following feature is available in this release of Cloud Security:

Item | Description
Incident Creation

This version of BMC Helix Cloud Security has enabled a new feature to create and manage 'Incidents' on violations to alert users when policies are not adhered to.

For more details, please refer to:

Creating Incident

Orchestration Connector

BMC Helix Cloud Security has launched an Orchestration connector to facilitate incident creation.

For more details, please refer to:

Orchestration Connector

ITSM Integration

BMC Helix Cloud Security provides a sample run book for creating incidents and a sample workflow to guide users in creating the appropriate business logic.

For more details, please refer to:

Integration with Remedy for Incident and Change creation.


For a list of all open issues, see Known issues.

Corrected issues

Item | Description
DRDK2-14546

TSCS UI filters were not applied correctly in violations section.

DRDK2-14175

Approval page showed inconsistent behaviour.

DRDK2-13931

CP Cloud connector lambda logs showed some errors after successful run.

DRDK2-14771

Incorrect remediation Status was displayed on Remediation Page in TSCS UI.

DRDK2-14772  

Disabled option was removed from all configuration tab filters on Remediation History page in TSCS UI.

DRDK2-14327

Scanned non-compliant resources triggered remediation and showed status under Violations L3 page but the remediation status was not displayed in Resources L3 page.

DRDK2-14142

Schema credentials were not encrypted.

September 2018: Release 2

What's new

The following feature is available in this release of Cloud Security:

Item | Description
Auto Remediation

BMC Helix Cloud Security now offers an auto remediation feature that triggers remediation action without user intervention when violations are detected.

For more details, please refer to:

Viewing Remediation History

For a list of all open issues, see Known issues.

Corrected issues

Defect ID | Description
DRDK2-14702

AWS on-prem connector did not update action content as expected.

DRDK2-14333

Incorrect username was visible on Remediation History Page under User column in TSCS UI.

DRDK2-14314

Alignment misplacement was noted on Remediation History Page in TSCS UI.

DRDK2-14166

Connector Lambda got errors while updating data.

September 2018: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description
Policies

BMC Helix Cloud Security now has a new feature that allows users to import policies in bulk from the policy library. Policies have also been sorted in accordance with respective connectors to enhance user experience.

For more details, please refer to:

Updating a policy

Azure Connector


Cloud Security now enables users to choose between resources associated with Global Azure Cloud as well as those associated with Azure Government Cloud.

For more details, please refer to:

Azure Connector

Corrected issues

Defect ID | Description
DRDK2-14144 InfraIngestLambda showed errors in production.
DRDK2-14242 Enabled multi AZ support readiness for CP.
DRDK2-14238 Sandbox was not evaluating results.
DRDK2-14140 Policy Engine evaluations were unresponsive for many feeds.


For a list of all open issues, see Known issues.


August 2018: Release 2

What's new

The following features are available in this release of Cloud Security:

Item | Description

AWS Cloud Connector


Cloud Security has launched an AWS Partition feature that gives users the freedom to select AWS or AWS GovCloud (US) while downloading AWS Cloud Connector.

For more details, please refer to:

AWS Cloud Connector

AWS On-Premises Connector

Cloud Security now enables users to scan resources in AWS Gov cloud regions by choosing AWS GovCloud (US) instead of AWS (default).

For more details, please refer to:

AWS On-Premises Connector


For a list of all open issues, see Known issues.


August 2018: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description

GCP Cloud Connector


This version of Cloud Security has launched the GCP Cloud Connector, which enables users to run connectors directly from the cloud without downloading the connectors.

For more details, please refer to:

GCP Cloud connector

Managing Notifications

Cloud Security now offers an Overall Compliance option in addition to the New Violation Notification, enables users to choose Weekly and Monthly frequencies in addition to the default Daily frequency option, as well as provides enhanced resource choices between connectors and tags.

For more details, please refer to:

Managing notifications

Corrected issues

For a list of all open issues, see Known issues.



July 2018: Release 2

What's new

The following changes are perceivable in this release of Cloud Security:

a. Some UI, functional and security defects have been addressed.

b. Changes have been incorporated in trial user email.
c. Older OWASP connectors have been deprecated.

Corrected issues

Defect ID | Description

DRDK2-13772

New users could not be created for Juno Stack on Edge Browser since T&C checkbox was not present.

DRDK2-13745

AWS Cloud connector sometimes took 270 - 300 seconds causing lambda timeouts, and this was observed on PROD.

DRDK2-13703

Security policy of ElasticBeanstalk's loadbalancer needed to be updated.

DRDK2-13188

Disabling connector took approximately 1 second more than the benchmark time of approximately 2 seconds.

DRDK2-12919

Resource remediation didn't work using group inline policy while cross accounts were configured.

DRDK2-9426

DevOps - SPS - EBS volumes of elastic beanstalk instances were not encrypted.


For a list of all open issues, see Known issues.


July 2018: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description
Azure Connector

This version of Cloud Security supports a modified Azure Connector which has additional support to enable remediation.

For details, please refer to:

Azure Connector

GCP Connector

This version of Cloud Security supports a modified version of GCP Connector which has additional support to enable remediation.

For details, please refer to:

GCP Connector


Managing Exceptions

You can now use Cloud Security for editing exception names, start dates and end dates.

For details, please refer to:

Managing Exceptions


Corrected issues


For a list of all open issues, see Known issues.


June 2018: Release

What's new

The following features are available in this release of Cloud Security:

Item | Description

GCP Connector

This version of Cloud Security supports a new connector which provides compliance of resources from Google Cloud Platform.

For details, please refer to

GCP Connector

Please note that GCP rules are developed based on CIS benchmark released on 3rd of April 2018.

Trials

You can now use a Trial version of Cloud Security, the trial period being 14 days. You can select the Trial option while registering a new user.

For more information, please refer to

Registering

Corrected issues


For a list of all open issues, see Known issues.


May 2018: Release

What's new

The following features are available in this release of Cloud Security:

Item | Description

Ability to configure more than one account in one AWS connector

This version of Cloud Security provides support for configuring multiple AWS accounts using a single connector.

For prerequisites, please refer to

Multiple AWS Accounts Support

Support for Notifications

You can receive email notifications for new violations on a daily basis.

For more information, please refer to

Managing notifications

Corrected issues

This release corrects issues related to PDF functionality.


For a list of all open issues, see Known issues.


April 2018: Release 2

What's new

The following features are available in this release of Cloud Security:

Item | Description

New predefined roles available for users

This version of Cloud Security provides additional roles that can be assigned to users who are invited to use the service. Previous versions only allowed Admin and View Only roles. This enables you to assign more specific control of capabilities based on roles in your organization and associate those roles within Security, Operations, and Audit persona categories.

In the UI, you can select the roles from the Invite Users page.

The Send Invitation button shows the number of users that will be sent an email invitation to use Cloud Security under the selected role.

You can select or change the role assigned to an invitee using the drop-down that corresponds to the name, or delete the invitation by clicking the trash can icon.

The following new roles are supported:

  • Security Architect
  • Security Engineer
  • Security Auditor
  • Operator
  • Operations Admin
  • Cloud Security Admin
  • Tenant Admin

For more information about these roles, including the capabilities that each role has in Cloud Security see Managing users.

Support for RHEL 6 EC2 Server - Extended Object (Central Execution) Compliance Policy

This version of Cloud Security supports the CIS - Red Hat Enterprise Linux 6 policy based on the recommended settings defined by Red Hat Enterprise Security Configuration Benchmark Settings for Linux 6 Version 2.0.2, published June 2, 2016.

Note: You must set the following properties in the asset.json file for the Server connector before running the connector to evaluate CIS RHEL6 policies:

EXCLUDE_HOME_DIR_USER_LIST
MEDIA_PARTITION_LIST
SSH_ALLOW_GROUPS
SSH_ALLOW_USERS
SSH_DENY_GROUPS
SSH_DENY_USERS

For more information about using the Server connector to evaluate compliance with this new policy, see Server connector.

Corrected issues

This release corrects issues related to CIS RHEL 6 policies.

Open issues

For a list of all open issues, see Known issues.


April 2018: Release 1

Corrected issues

This release corrects issues related to View Only access for users invited by Tenants.

The following additional issue was corrected in this release:

Defect ID | Description
DRDK2-11604

After an evaluation returned results of no non-compliant resources, the value of the trend graph showed -1 and +1 instead of 0.

Open issues

For a list of all open issues, see Known issues.


March 2018: Release 4

What's new

The following features are available in this release of Cloud Security:

Item | Description
Azure Connector Multiple Subscription Support

In this release, in support of Azure multi-subscription support released earlier in the month, the Azure Subscription ID field has been moved to the advanced configuration section on the Add a Connector page. As with the initial release of this functionality, leaving this field blank triggers Security to fetch all subscriptions (single or multiple) that are associated with the Client ID. The Client ID must have access to all subscriptions to be scanned. If you change the number of subscriptions, in the scan the Azure connector will automatically fetch that new number of subscriptions. Typing a single ID specifies that Policy scans only the resources of that subscription.

For more information on this new functionality, see Azure On-Premise Connector.

Tenant login preferences

This version of Cloud Security retains the organization selected when the Tenant logs in to Cloud Security. This ensures that users are directed to the most recently selected organization the next time they log in, instead of being directed to the Choose an Organization screen.

Corrected issues

This release corrects several issues related to View Only access for users invited by Tenants.

The following additional issues were corrected in this release:

Defect ID | Description
DRDK2-11472

Multiple error messages occurred intermittently after redownloading an Azure connector.

DRDK2-10643

A Tenant Admin User was unable to update the fields of other Tenant Admin users in the same organization.

Open issues

For a list of all open issues, see Known issues.


March 2018: Release 3

What's new

The following features are available in this release of Cloud Security:

Item | Description
Updated CIS Docker Benchmark support
The Docker connector enables you to collect data from Docker Containers, Docker Hosts, and Docker Daemons, and evaluate Docker content against the Center for Internet Security (CIS) Docker 1.12 Benchmark. This policy is created based on the recommended Docker Host, Docker Container, and Docker Daemon settings defined by CIS Docker 1.12.0 Benchmark Version 1.0.0, published on January 19th, 2017.

This release supports CIS Docker 1.12.0 and 1.13.0 for both single host and Kubernetes environments.

For more information, see Docker Connector.

Support for Microsoft Edge browsers

This version of Cloud Security is certified for Microsoft Edge. Currently, Edge browsers do not support the ability to export data to PDF. Therefore, in Security, the Export to PDF functionality is unavailable on the Dashboard and Transaction Utilization page (this feature is still available using Chrome browsers).

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-11011

On the Connector panel, the Update Instructions link disappeared when changing the connector status from Disable to Enable.

DRDK2-9862

After a session had timed out, users were unable to log back in to Cloud Security using the previous URL (containing the /account/login suffix), but instead had to log in using the base URL.

This release also corrects several issues related to View Only access for users invited by Tenants.

Open issues

For a list of all open issues, see Known issues.


March 2018: Release 2

What's new

The following features are available in this release of Cloud Security:

Item | Description

Azure Connector Multiple Subscription Support

This release of Cloud Security enables Tenants to configure multiple Azure subscriptions for a single connector. Previously, a connector had to be configured for each subscription in Azure. This gives Cloud Security users more flexibility with connector configurations so that they can configure a minimal number of connectors for Azure, regardless of how many subscriptions for Azure services are required.

A GUID (or, for SQL Servers/Database, a Name) uniquely identifies your subscription to use Azure services. For each tenant, there can be multiple subscriptions in one Azure account, and costs are tracked based on subscription level. Each subscription in an Azure account can have different resource groups. All Azure resources must be part of resource groups.

For example, one company (tenant) might have different organizations (QA, Payroll, and so forth). So that company could have different subscriptions for those departments, but they would only have to configure the connector a single time to fetch the information across all subscriptions and display it in Cloud Security.

In Cloud Security, leaving the Azure Subscription ID blank when onboarding the connector triggers Security to fetch all subscriptions (single or multiple) that are associated with the Client ID.

As in prior releases, you can still enter a single subscription ID to specify that only one subscription be scanned.

For more information about onboarding Azure connectors, see Azure On-Premise Connector.

Azure CIS Latest benchmark changes

This release of Cloud Security implements updates in support of the new version of the CIS Microsoft Azure Benchmark, released February 20, 2018.

CIS Docker policy 1.12 Benchmark support

The Docker connector enables you to collect data from Docker Containers and evaluate Docker content against the Center for Internet Security (CIS) Benchmark, the specification developed for establishing secure configurations for various technology groups. This release of Cloud Security supports the CIS Benchmark version 1.12 for Docker.

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-11168

A user was invited a second time for the same organization with a different role, instead of just the user's role being updated.

DRDK2-10998

The error, "Bad RequestMissing 'min' attribute in request payload..." was displayed after a tenant logged on to Security for the first time and there was no evaluation data.

This release also corrects several issues related to View Only access for users invited by Tenants.

Open issues

For a list of all open issues, see Known issues.


March 2018: Release 1

This release of Cloud Security corrects several issues related to View Only access for users invited by Tenants.

For more information about this feature, see Managing users.

Open issues

For a list of all open issues, see Known issues.


February 2018: Release 4

What's new

The following features are available in this release of Cloud Security:

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID | Description
DRDK2-10731

The following error was displaying on the Users page: "Process exited before completing request".

DRDK2-10580

A CSV export from both the Violations and Resources pages did not include the Resource Name.

Open issues

For a list of all open issues, see Known issues.


February 2018: Release 3

What's new

The following features are available in this release of Cloud Security:




Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID | Description
DRDK2-10598

A user invited to use Cloud Security within multiple organizations did not have the correct permissions for that organization.

Open issues

Currently when Connector (system) users unsuccessfully log into Cloud Security after the fifth attempt and are subsequently locked out, Connector (owner) users do not receive an email notification.

For a list of all open issues, see Known issues.


February 2018: Release 2

What's new

The following features are available in this release of Cloud Security:





Open issues

For a list of all open issues, see Known issues.


February 2018: Release 1

What's new

The following features are available in this release of Cloud Security:




Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID | Description

DRDK2-10089

DRDK2-10090

For a connector created in On Demand mode that was subsequently changed to Scheduled mode, the next scheduled time on the connector panel was displayed as the date and time that the connector was created, when it should have displayed the date and time that the connector will run. Also, when the scheduled interval was changed, the new collection cycle might not have been applied immediately.
DRDK2-9875

The Severity across all of the out-of-box (OOTB) policies was not standardized.

Open issues

For a list of all open issues, see Known issues.


January 2018: Release 1

What's new

The following features are available in this release of Cloud Security:




Corrected issues

Open issues


December 2017 Releases



December 2017: Release 3

What's new

The following features are available in this release of Cloud Security:

Item | Description

Tenant User Management and Managed Service Providers

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID | Description
DRDK2-9558 | Users were able to switch to an organization that they were not part of, and they were able to get a list of users for which they were not part of.
DRDK2-7574 | The selection check box was disabled for a remediation on the Resources page when more than 100 resources were mapped to a remediation action.

Open issues

For a list of all open issues, see Known issues.


December 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item | Description

Tenant User Management and Managed Service Providers

Cloud Security enables access to its services by Managed Service Providers, providers of services to a set of clients across a business. For example, a company might have a set of customers for whom they want to use Cloud Security to perform a security assessment. The company that enables its clients to provide these services is the Managed Service Provider (MSP). The clients, or organizations within the MSP are known as the Managed Tenants.

The MSP can choose which organizations to work with, and Managed Tenants can invite additional users into the organization to leverage the same data and functionality in Cloud Security (such as viewing compliance results, connectors, and policies) to meet the requirements of its customers.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID | Description
DRDK2-8714 | Deleting a connector did not delete all of the associated resource and violation system data.

Open issues

For a list of all open issues, see Known issues.


December 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description

Tenant User Management and Managed Service Providers

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID | Description
DRDK2-9239 | For the CloudTrail policy, some of the rules were showing that remediation content was not available.

Open issues

For a list of all open issues, see Known issues.


November 2017 Releases


November 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item | Description

Tenant User Management and Managed Service Providers

Cloud Security enables access to its services by Managed Service Providers, providers of services to a set of clients across a business. For example, a company might have a set of customers for whom they want to use Cloud Security to perform a security assessment. The company that enables its clients to provide these services is the Managed Service Provider (MSP). The clients, or organizations within the MSP are known as the Managed Tenants.

The MSP can choose which organizations to work with, and Managed Tenants can invite additional users into the organization to leverage the same data and functionality in Cloud Security (such as viewing compliance results, connectors, and policies) to meet the requirements of its customers.

For more information, see Registering and Managing users.

Installing the Server connector as a service (Windows and Linux OS)

Cloud Security users might have one or more AWS accounts where various artifacts (for example, Compute, Storage, Networks, Databases, and so forth) are created and subsequently changed on a regular basis. To ensure that these artifacts adhere to an organization's regulatory policies, Policy users might need information about these objects to be collected and analyzed on a periodic basis.

This release of Cloud Security provides manual remediation of AWS Cloud connectors. This connector collects various artifacts of an AWS account and publishes them to Cloud Security, where they can be evaluated against AWS CIS policies. AWS CIS policies are provided with Policy per the definitions provided in the CIS AWS Foundations Benchmark, a set of security configuration best practices for AWS. Remediation functions the same way for Cloud connectors as for AWS on-premise connectors, and is available for all supported policies.

Note the following limitations with remediating AWS policies in the current release of BMC Helix Cloud Security:

  • Currently, all S3 Buckets data is pushed to the Cloud Security UI, when only the S3 buckets data that is associated with CloudTrail policies should be fetched and pushed to the Policy UI.

For more information about AWS remediation, see Remediating violations. For an example of the onboarding process, see Walkthrough: Remediating compliance violation. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS. 

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud Connector and AWS On-Premises Connector.

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID | Description
DRDK2-8983 | The Server connector was crashing on a Red Hat Enterprise Linux target machine.
DRDK2-8807 | Duplicate resources were displayed on the Resources page.

Open issues

For a list of all open issues, see Known issues.


November 2017: Release

What's new

The following features are available in this release of Cloud Security:





Releases


Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-7453 | Evaluations are not visible in UI after first run.
DRDK2-7446 | An S3 bucket policy is public-accessible with list and write permissions.
DRDK2-7343 | AWS cloud connector logs were generating unnecessary data in logs and causing an increase in CloudWatch billing.
DRDK2-7282 | The aws collector lambda logs printed an access key and security keys.
DRDK2-7268 | A search on the Resource page returned no values.
DRDK2-5078 | Policy Registration page supports apostrophes, hyphens, and spaces in the name, and the phone number followed by a country code.

Releases

Open issues

Currently, during the execution of an AWS on-premise connector, error messages might display in the aws-collector.log file. For example:

2017-04-17 09:50:08.270 - error: gateway\HttpRetryWrapper.js:38:20:Got error :connect ETIMEDOUT 52.222.183.144:443, retry :3 ,backoff duration :5000
2017-04-17 09:50:10.848 - info: modules\WMRequestPoller.js:83:20:Getting next WM priority requests in 0.08 minutes.
2017-04-17 09:50:10.863 - error: gateway\HttpClientWrapper.js:62:24):Got error :connect ETIMEDOUT 52.222.183.144:443Error: connect ETIMEDOUT 52.222.183.144:443
at Object.exports._errnoException (util.js:873:11)
at exports._exceptionWithHostPort (util.js:896:20)
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1077:14)



These messages indicate that there are network connectivity issues between the AWS connector and the Cloud, and that there might be delays in data collection and in resource remediation.

For a list of all open issues, see Known issues.
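For triage of the connectivity errors described above, the following added example (not BMC code) parses the aws-collector.log excerpt shown on this page, attaches stack frames to their error record, and summarizes ETIMEDOUT errors per endpoint. The function names and the `min_errors` threshold are assumptions made for this illustration.

```python
import re

# The six lines below are the aws-collector.log excerpt shown on this page.
SAMPLE_LOG = r"""2017-04-17 09:50:08.270 - error: gateway\HttpRetryWrapper.js:38:20:Got error :connect ETIMEDOUT 52.222.183.144:443, retry :3 ,backoff duration :5000
2017-04-17 09:50:10.848 - info: modules\WMRequestPoller.js:83:20:Getting next WM priority requests in 0.08 minutes.
2017-04-17 09:50:10.863 - error: gateway\HttpClientWrapper.js:62:24):Got error :connect ETIMEDOUT 52.222.183.144:443Error: connect ETIMEDOUT 52.222.183.144:443
at Object.exports._errnoException (util.js:873:11)
at exports._exceptionWithHostPort (util.js:896:20)
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1077:14)
"""

# "<timestamp> - <level>: <rest>" starts a record; any other non-empty line
# (the "at ..." stack frames) continues the previous record.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<level>\w+): (?P<body>.*)$"
)
TIMEOUT = re.compile(r"connect ETIMEDOUT (?P<endpoint>\d{1,3}(?:\.\d{1,3}){3}:\d+)")
RETRY = re.compile(r"retry :(?P<retry>\d+) ,backoff duration :(?P<backoff>\d+)")


def parse_records(text):
    """Group raw lines into records, attaching stack frames to their error."""
    records = []
    for line in text.splitlines():
        match = RECORD.match(line)
        if match:
            records.append({**match.groupdict(), "frames": []})
        elif records and line.strip():
            records[-1]["frames"].append(line.strip())
    return records


def summarize_timeouts(text):
    """Return {endpoint: stats} for error records that report ETIMEDOUT."""
    summary = {}
    for rec in parse_records(text):
        if rec["level"] != "error":
            continue
        hit = TIMEOUT.search(rec["body"])
        if not hit:
            continue
        stats = summary.setdefault(
            hit.group("endpoint"),
            {"count": 0, "first": rec["ts"], "last": rec["ts"],
             "max_retry": 0, "backoff_ms": None},
        )
        stats["count"] += 1          # one per record, even if the text repeats
        stats["last"] = rec["ts"]
        retry = RETRY.search(rec["body"])
        if retry:
            stats["max_retry"] = max(stats["max_retry"], int(retry.group("retry")))
            stats["backoff_ms"] = int(retry.group("backoff"))
    return summary


def unreachable_endpoints(text, min_errors=2):
    """Endpoints with at least min_errors timeout records (assumed threshold)."""
    return sorted(
        endpoint
        for endpoint, stats in summarize_timeouts(text).items()
        if stats["count"] >= min_errors
    )


if __name__ == "__main__":
    for endpoint, stats in summarize_timeouts(SAMPLE_LOG).items():
        print(endpoint, stats)
```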


August 2017 Releases

August 2017: Release 1

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID | Description
DRDK2-7005 | Incorrect data and messages displayed in the Cloud Security UI when data was published through an API.
DRDK2-6319 | For CloudTrail rules 3.1 through 3.14, the filter pattern parameter was editable.
DRDK2-6233 | Remediation did not work for CloudTrail policies when the policy had one metric filter and one alarm with associated SNS topic, but no SNS Subscription for the topic.
DRDK2-6224 | The error message, "Endpoint request Timedout" displayed on the Policy UI when a bulk remediation was submitted.
DRDK2-4980 | The call, "policy-api/policies/getPoliciesForConnector" took significant time (2-3 seconds) to respond.

Open issues

Currently, during the execution of an AWS on-premise connector, error messages might display in the aws-collector.log file. For example:


These messages indicate that there are network connectivity issues between the AWS connector and the Cloud, and that there might be delays in data collection and in resource remediation.

For a list of all open issues, see Known issues.


July 2017 Releases

July 2017: Release 2

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID | Description
DRDK2-6697 | The Lambda policy did not retry deleting the connector after the data deletion failed.
DRDK2-6538 | The Severity Filter sequence changed after selection.
DRDK2-6137 | An AWS cloud connector showed a date that had passed as a scheduled start date.

Open issues

For a list of open issues, see Known issues.




July 2017: Release 1

Corrected issues

The following issues were corrected in this release of Cloud Security:

Defect ID | Description
DRDK2-6804 | An error message displayed on the Resources page when publishing data from a policy through an API.
DRDK2-6747 | An invalid message displayed on Remediation Submitted state.
DRDK2-6540 | Password Policy remediation failed if the password policy had not been applied to the account.
DRDK2-6539 | AWS on-premise connector data did not reflect in Cloud Security even though logs showed that data was successfully published.
DRDK2-6421 | The error, "Rate Exceeded, TooManyRequestsException" occurred while trying to push data for 1000 resources.
DRDK2-5251 | AWS cloud and on-premise connectors overrode each other's resources.

Open issues

For a list of open issues, see Known issues.


June 2017 Releases

June 2017: Release 4

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-6246 | The collector kept scanning services and resources even if there were too many resources.
DRDK2-6196 | The 'max_items_per_feed' was infinite even if it was set to 20 by default in the collector.properties file.
DRDK2-6424 | The number of search calls kept increasing on the Resources tab when navigating through different tabs on the Portal UI.

Open issues

For a list of open issues, see Known issues.


June 2017: Release 3

What's new

The following features are available in this release of Cloud Security:

Item | Description

Content support for manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS CloudWatch CIS Policy
  • AWS CloudTrail CIS Policy

Note the following limitations with remediating AWS policies in the current release of Cloud Security:

Policy | Limitation

AWS CIS CloudTrail (rules 3.1 through 3.14)

Before remediating violations, you must provide the name of the SNS topic from your AWS account as a remediation parameter.

The SNS topic must:

  • Reside in the same AWS region as the corresponding CloudTrail and CloudWatch LogGroup.
    For example, if the CloudTrail and CloudWatch log groups are in the us-east-1 region, the SNS topic in which the name is provided in remediation must also be in that region.
  • Contain at least one subscription that is confirmed, so that a subscription entry in the Subscription ID column has an ARN value (for example, arn:aws:sns:us-east-1:875062582069:East1_Topic:26aa2d24-aa85-471f-812b-d9f7ca4fa2b1).

AWS CIS IAM Credentials

After a rule is remediated:

  • The SDK/API queries take 4 hours to return the remediation values to Cloud Security.
  • The key should be deleted and a new one created. Instead, Cloud Security deactivates the key so that you can take appropriate measures before deleting and creating a new one.

AWS CIS KMS

  • Although the KMS key might contain multiple aliases, the UI displays only one.
  • If the KMS key is in the Disabled state, the UI shows a status of Compliant with the KMS key disabled.
  • If the KMS key is in the Pending Deletion state, the UI shows a status of Compliant with the KMS key pending deletion.
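The two SNS topic requirements listed for the AWS CIS CloudTrail rules can be checked before a remediation is submitted. The following is an added example, not BMC code: it assumes the subscriptions are supplied in the shape of the SNS ListSubscriptionsByTopic response, where an unconfirmed subscription carries the string "PendingConfirmation" instead of an ARN, and the function names are hypothetical.

```python
# Subscription ARN quoted on this page; the topic ARN is derived from it.
PAGE_SUBSCRIPTION_ARN = (
    "arn:aws:sns:us-east-1:875062582069:East1_Topic:"
    "26aa2d24-aa85-471f-812b-d9f7ca4fa2b1"
)
TOPIC_ARN = PAGE_SUBSCRIPTION_ARN.rsplit(":", 1)[0]


def parse_arn(arn):
    """Split an ARN into its six colon-separated fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % (arn,))
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def confirmed_subscriptions(topic_arn, subscriptions):
    """Return SubscriptionArn values that are real ARNs under topic_arn.

    Assumption: entries look like ListSubscriptionsByTopic results, so a
    pending subscription has SubscriptionArn == "PendingConfirmation".
    """
    prefix = topic_arn + ":"
    confirmed = []
    for sub in subscriptions:
        sub_arn = sub.get("SubscriptionArn", "")
        if sub_arn.startswith(prefix) and len(sub_arn) > len(prefix):
            confirmed.append(sub_arn)
    return confirmed


def check_sns_topic(topic_arn, trail_region, log_group_region, subscriptions):
    """Return a list of problems; an empty list means both requirements hold."""
    try:
        topic = parse_arn(topic_arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if topic["service"] != "sns":
        problems.append("not an SNS topic ARN: service is %s" % topic["service"])
    # Requirement 1: same region as the CloudTrail and the CloudWatch log group.
    for label, region in (("CloudTrail", trail_region),
                          ("CloudWatch log group", log_group_region)):
        if region != topic["region"]:
            problems.append(
                "region mismatch: topic is in %s, %s is in %s"
                % (topic["region"], label, region)
            )
    # Requirement 2: at least one confirmed subscription (ARN-valued entry).
    if not confirmed_subscriptions(topic_arn, subscriptions):
        problems.append("no confirmed subscription on topic %s" % topic["resource"])
    return problems


if __name__ == "__main__":
    pending_only = [{"SubscriptionArn": "PendingConfirmation"}]  # constructed
    print(check_sns_topic(TOPIC_ARN, "us-east-1", "us-east-1", pending_only))
```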

For more information, see Remediating violations. For an example of the onboarding process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS. 

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud Connector and AWS On-Premises Connector.

Security enhancements

The following messages appear upon one or more unsuccessful login attempts:

1st and 2nd failed attempt: Invalid credentials. Please try again.

3rd failed attempt: Invalid credentials. Your account will be locked after 2 more unsuccessful login attempts.

4th failed attempt: Invalid credentials. Your account will be locked after another unsuccessful login attempt.

5th failed attempt and thereafter: Your account has been locked because of a maximum number of incorrect login attempts. To unlock it, use the Forgot Password? link and then log in with valid credentials.

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-6360 | Action Sequence wrapper, Rule 1.3 remediation did not work. Access keys did not get disabled and the user received a message of successful remediation.
DRDK2-6215 | When IAM user names were provided in remediation but did not exist, remediation failed with an unclear error message.
DRDK2-6208 | Users did not get locked out if they made 5 consecutive unsuccessful login attempts.
DRDK2-5818 | AWS CIS IAM: Rule 1.2 (Ensure multi-factor authentication (MFA) was enabled for all IAM users that had a console password) did not exclude those users without passwords.
DRDK2-5817 | AWS CIS IAM: Rule 1.12 (Ensure no root account access key exists) showed as compliant, even if the root account did not have access keys.
DRDK2-6088 | For CloudTrail policies, rules 3.3 and 3.5, an alarm was not added to the CloudWatch log group as part of remediation.
DRDK2-5754 | When there were two cloud trails with the same name in different regions, one could be remediated, but the other could not, despite being returned as successful.
DRDK2-5520 | An AWS connector kept scanning continuously when the schedule was set to 30 days.
DRDK2-3649 | The filterPattern value was not displayed in the evaluation result of rule 3.1 of the AWS CIS CloudTrail policy.

Open issues

For a list of open issues, see Known issues.


June 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item | Description

Content support for manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS Security Group CIS Policy

Note the following limitations with the AWS CIS IAM Credentials policy after a rule is remediated:

  • The SDK/API queries take 4 hours to return the remediation values to Cloud Security.
  • The key should be deleted and a new one created. Instead, Cloud Security deactivates the key so that you can take appropriate measures before deleting and creating a new one.

For more information, see Remediating violations.

For an example of the process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS. 

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud Connector and AWS On-Premises Connector.

Remediation Action Customizations

You can now configure parameter values from the caas-portal and create different action configurations and mappings per resource sets, and then associate a connector instance to those configurations. The Policy Details page now shows the number of configured actions by status (MANUAL or DISABLE). Multiple actions can be mapped to a single rule.

For more information, see Remediating violations and Editing policies.

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-6069 | You were unable to delete an action that was just added without any details.
DRDK2-6066 | An error message appeared when changing the action mapping to Manual using the Remediation button.

Open issues

For a list of open issues, see Known issues.


June 2017: Release 1

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-5910 | Remediation did not work for a rule that was configured with a custom remediation action.
DRDK2-5818 | The rule "1.2 Ensure multi-factor authentication (MFA) was enabled for all IAM users that have a console password" did not exclude users without passwords.
DRDK2-5709 | You could not edit the remediation for rule 2.4 for an AWS CIS CloudTrails policy.
DRDK2-5045 | Using "NotPrincipal" as a root user, BMC AWS ElasticSearch policy rule 1.1 was evaluated as Compliant instead of Non-compliant.

Open issues

For a list of open issues, see Known issues.


May 2017 Releases

May 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item | Description

Content support for manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS CIS IAM Credentials Policy
  • AWS CIS RDS Policy

For more information, see Remediating violations.

For an example of the process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS. 

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud Connector and AWS On-Premises Connector.

Remediation Action Customizations

You can now configure parameter values from the caas-portal and create different action configurations and mappings per resource sets, and then associate a connector instance to those configurations. The Policy Details page now shows the number of configured actions by status (MANUAL or DISABLE). Multiple actions can be mapped to a single rule.

For more information, see Remediating violations and Editing policies.

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-5776 | You were unable to see the remediation action for all RDS rules.
DRDK2-5735 | The status of a remediation action was not displayed for an RDS rule.
DRDK2-5729 | Remediation failed for AWS CIS CloudTrails 2.1 and 2.2 rules.

Open issues

For a list of open issues, see Known issues.


May 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description

Manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS Elastic Search and S3 Buckets CIS policies

For more information, see Remediating violations.

For an example of the process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS. 

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud Connector and AWS On-Premises Connector.

API and SDK enhancements and updates
Self-help (whatfix) flows

This version of BMC Helix Cloud Security adds several new whatfix flows that can be invoked directly from the UI:

  • Policy Management flow: How to view policies and the rules of the policy and to filter the list of rules
  • Authoring Sandbox: How to author custom policies
  • Connector Management flow: How to manage an onboarded connector
  • Remediation flow: How to remediate violations of a rule and how to view a violation on the dashboard
  • Managing Resources flow: How to view resources on the dashboard 

Whatfix, introduced in Release 2 of April 2017 with two onboarding flows (on-premise and cloud-based connectors), is a real-time interactive support application that helps guide you through various workflows in the UI through guided steps.

Whatfix is enabled by clicking the Self-Help widget on the right side of the Dashboard after you log in. Self-Help differs from BMC context-sensitive help (opened by clicking the Help button at the bottom right of the screen) as it provides an active, interactive "tour" that guides you through a specific flow in the context of the Policy UI. BMC's Help and online documentation provide greater detail and depth to serve as additional information should the whatfix flows not provide enough context.

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-5160 | Validation requirements on the User Registration Screen were too stringent.
DRDK2-5061 | The Base Connector onboarding flow should not contain a Policy Import page.

Open issues

For a list of open issues, see Known issues.


April 2017 Releases

April 2017: Release 2

What's new

The following features are available in this release of Cloud Security:

Item | Description

Manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS CIS IAM Password
  • AWS CIS KMS

For more information, see Remediating violations.

For an example of the process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS. 

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud Connector and AWS On-Premises Connector.

Re-downloading connectors

You can now re-download a connector from the Manage Connectors page. You might want to re-download a connector in the following situations:

  • A previous download of a connector failed.
  • A previously downloaded connector is in the Suspended state.
  • A previously downloaded connector is in the Downloaded state.
  • A connector has been misplaced in the Manage Connectors page.

You can also re-download a connector that is in the Disabled state, but not a connector that is in the Running state.

Downloading and re-downloading actions apply only to on-premise connectors. For more information, see Managing connectors.

Deleting connectors

You can now delete a connector from the Manage Connectors page. For example, you might want to reduce connector sprawl on your Manage Connectors page, especially to eliminate unused connectors.


You cannot delete a connector that is in the Running state.

Note

For this version of Cloud Security, data associated with the connector is not deleted.

For more information, see Managing connectors.

API and SDK support

The Cloud Security API conforms to the architectural principles of Representational State Transfer (REST). Its RESTful architecture features a straightforward, easy-to-use interface facilitated by standard HTTP request and response messages. This version of Cloud Security provides two APIs that enable you to perform various functions in the Policy UI. For more general information and specific use cases you can run, see Evaluating data using the REST API.

Additionally, this version of Cloud Security provides a software development kit (SDK) that can access the Innovation Suite APIs and SDKs, the core building blocks for developers. The SDK provides a normalized and homogeneous interface to manage your cloud and other on-premises software. The SDK can be used to directly use the Cloud Security API by embedding the .jars file into development code to enable the API to be invoked programmatically. For more general information and specific use cases you can run, see Using Cloud Security SDKs and Publishing data in Async mode using the SDK.

Self-help (whatfix) flows

This version of Cloud Security introduces the integration of whatfix, a real-time interactive support application that helps guide you through various workflows in the UI through guided steps.

Whatfix is enabled by clicking the Self-Help widget on the right side of the Cloud Security Dashboard after you log in. Self-Help differs from BMC context-sensitive help (opened by clicking the Help button at the bottom right of the screen) as it provides an active, interactive "tour" that guides you through a specific flow in the context of the Policy UI. BMC's Help and online documentation provide greater detail and depth to serve as additional information should the whatfix flows not provide enough context.

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-5216 | UI: Action Content messages that display during the onboarding process should not have been hidden.
DRDK2-5192 | Connector: A connector crashed on a Red Hat Enterprise Linux Server release 6.8 (Santiago) machine.
DRDK2-5182 | Remediation: Remediation was held up when remediation for 25 buckets was submitted.
DRDK2-5181 | Remediation: An endpoint request timeout message displayed when remediation for 25 buckets was submitted.
DRDK2-5175 | UI: A Docker Policy with special characters in the name cannot be overwritten with the UI.
DRDK2-5173 | Enterprise Connector: When running an Enterprise vulcanizer from the command line, the connector name was incorrect.
DRDK2-5170 | Remediation: Remediation status was not seen in the UI for S3 and ElasticSearch, even after remediation was successfully invoked and executed by the connector.
DRDK2-5128 | Remediation: The UI did not automatically refresh to show remediation status changes; instead, manual refresh is required.
DRDK2-5103 | Remediation: Before remediation was submitted, the connector did not verify that it was not disabled and reachable.
DRDK2-5075 | Remediation: The connector crashed when remediation fails.
DRDK2-5069 | Remediation: Remediation should not be allowed to trigger for a cloud connector.
DRDK2-5068 | Remediation: You should be able to trigger remediation again, even if the status displays as Remediation Successful.
DRDK2-5005 | Remediation: A message should be corrected when attempting to remediate a rule when the connector is not running.
DRDK2-4990 | Policies: When changing the severity of a rule to "Select Severity" and saving the changes, an error message displayed while saving and the changes cannot be saved.
DRDK2-4987 | AWS: Rule 2.3 of the AWS S3 policy was showing as Compliant, if Policy contains a Statement having Effect set to "Allow" and a Principal set to *. The rule should be non-compliant.
DRDK2-4894 | Policies: Rule filters were not working properly.
DRDK2-4845 | UI: You could not log in to Cloud Security using the Internet Explorer browser.
DRDK2-4403 | Docker Connector: You should be able to download a failed connector.
DRDK2-4026 | Base Connector: You should be able to download a Base Connector with the same name.
DRDK2-4023 | Base Connector: The Base Connector should have a license page.

Open issues

For a list of open issues, see Known issues.


April 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description

Manual remediation of compliance violations for AWS

When you onboard and configure a connector, you onboard the compliance policies for the connector and the remediation content packs. These content packs contain out-of-the-box remediation actions you can initiate when certain compliance violations are discovered. The remediation actions are mapped to specific rules within a policy.

This release provides remediation content packs for the following AWS policies:

  • AWS CIS S3 buckets
  • BMC AWS ElasticSearch
  • AWS CIS CloudTrails

For more information, see Remediating violations.

For an example of the process, see Walkthrough: Remediating compliance violations. In this example, you initiate a remediation action for a compliance violation with CIS policies for AWS. 

Note: Currently, remediation actions are available and supported only for AWS connectors downloaded after the April 11, 2017 release. If you have an earlier release, download a new connector and import the policies during the onboarding process to obtain the latest remediation content. See AWS Cloud Connector and AWS On-Premises Connector.

Policy Editor

The Policy Editor adds functionality related to user-initiated remediation actions.

See Editing policies for more information.

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-5169 | Remediation should be disabled for "AWS CIS Password Policy", "AWS CIS KMS" and "AWS CIS IAM Credentials" policies.
DRDK2-5166 | While onboarding an AWS Connector, the AWS CIS Password policy was missing.
DRDK2-5089 | Cloud Trail Rule 2.1 Compliance evaluation showed an incorrect result.
DRDK2-5063 | Introduce a Filter of connector Name for L3 Violation Page.
DRDK2-4872 | Add the "6.5 Avoid container sprawl (Not Scored)" rule in the CIS Docker 1.12.0 CIS Level 1 - Docker Host policy.
DRDK2-4860 | Policy Modify date should change on the UI once the policy has been edited using Policy Editor.
DRDK2-4745 | Add support for "Days" in the Schedule field in addition to Minutes and Hours for a Chef Connector.
DRDK2-4717 | Add a filter option on the Add from Policy Library option.
DRDK2-4551 | Action content was created successfully, even if the packaging value was other than "Bundled" or "External".
DRDK2-4404 | The Docker policy names did not have the version names displayed.
DRDK2-4008 | Clicking Previous and Next on the Download Page displayed an incorrect error about the hostname being used.
DRDK2-4005 | Login email id should be case insensitive.
DRDK2-2545 | Support UI on Safari browsers.

Open issues

For a list of open issues, see Known issues.


March 2017 Releases

March 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description
Chef Connector

The Chef connector enables you to collect data from Chef systems and evaluate Chef content against the Center for Internet Security (CIS) benchmarks.

See Chef connector for more information.

Policy Editor

The Policy Editor displays all of the rules associated with a specific policy and enables you to add or remove rules from a policy, enable remediation actions, and filter the list of policies.

See Editing policies for more information.

Updated AWS policy

This release includes an update to the AWS CIS Password Policy. Resources identified by the policy now display the AWS Account Number as the origin of the resource.

If you have an AWS connector that uses the policy, you must re-import the AWS CIS Password Policy from the library to reflect the update. You do not need to delete the policy or the connector association, but you do need to re-import the policy.

For information about how to do that, see Updating a policy.

Warning: If you have customized the policy or the rules within the policy, re-importing the policy will remove those customizations.

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-807 | Occasionally, the Status on the Dashboard showed Receiving data even though the collector did not collect data.
DRDK2-809 | When the Policy Engine could not determine whether the status of the rule was compliant, it resolved the value to Non-compliant state, even though it was an Undetermined state.
DRDK2-4402 | The yml indentation for a rule was not followed on the Rule Expression screen.

Open issues

For a list of open issues, see Known issues.


February 2017 Releases

February 2017: Release 1

What's new

The following features are available in this release of Cloud Security:

Item | Description
Improvements to Docker connector

You can now configure the Docker Connector in two different modes:

  • Single Host Deployment - This mode enables you to check compliance on a single Docker host.
  • Clustered (Kubernetes) Deployment - This mode enables you to verify CIS compliance on a Docker cluster (a Linux container) that is managed by Kubernetes as a single system. This release supports CIS Docker 1.12.0 for Kubernetes.

This flexibility enables you to tailor the connector to suit your Docker environment.

Note the following pre-requisites for the Clustered (Kubernetes) Deployment mode:

  • The connector must be deployed on the host where the cluster was created.
  • This mode also requires that the host has SSH connectivity to the master and minions.

CIS compliance policy for Docker

Using the out-of-the-box CIS compliance policy, you can evaluate Docker containers against the CIS security benchmarks.

You can evaluate containers on an individual Docker host or those in a Docker cluster that is managed by Kubernetes.

Corrected issues

The following issues were corrected in this release:

Defect ID | Description
DRDK2-3845 | You should be able to specify actions to be taken as part of remediation.
DRDK2-2587 | A Docker CIS policy should be available as out-of-the-box content, so that I can perform CIS evaluations on Docker connectors.
DRDK2-2586 | You should be able to collect data from Docker Containers for CIS policy execution. This includes Docker containers on hosts, as well as Docker Cluster Management systems such as Swarm, AWS, ECS, and Kubernetes.
DRDK2-2013 | You should be able to easily view and author policies in YAML format within the UI.

Open issues

For a list of open issues, see Known issues.


2016 Releases

December 2016: Initial release

The following features are available in this release of BMC Helix Cloud Security:

Item

Description

Data collection

Data evaluation

Verifying compliance for the given data based on out-of-the-box and user-defined policies, using the following views:

Managing resources

Identifying violations

Policies

Viewing the details of the out-of-the-box policies.

On the Dashboard, click Manage > Policies in the navigation bar to view the Policies screen. This screen displays a list of policies that are shipped by default and any customized policies that you might have authored or imported.

See Managing policies.



