1.5.5. Release 1.2.2-5
Release date: 14.03.2022
The new changes in this release are the following:
1.5.5.1. openNAC Agent
Agent scripts were not being run when a network change occurred. They are now executed on each change, so that all the parameters they return are reviewed and kept up to date at all times.
Agent payloads and agent logs are stored in the database. They are compressed before being saved so that they take up less space in the database.
The API returns the last authentication status in each response from the agent.
The agent payloads and agent logs now show the ID of the user who authenticated the agent, since it is saved along with them.
There is an option to process only authenticated payloads. In ON Agent -> Agent Configuration, the “Only process trusted payloads” option indicates whether only authenticated payloads are processed, or all of them.
In the list of user devices found in ON CMDB -> User Devices, there is a “keyboard” icon that takes us to the inventory of all the payloads of that device.
1.5.5.2. ON Core
When in ON NAC -> Business Profiles we want to filter by Tags, the option to search for devices in the Business Profile is disabled, since the Tags filter is prioritized over the search.
In ON CMDB -> Security -> Admin Users we have the option to add a new admin user and to edit it. When editing, we can change the user’s role as well as the other parameters, except the password.
In ON CMDB -> User Data Sources, there is a new option called View users that displays a list of users belonging to the selected data source.
In Configuration -> OTP, a refactor has been made with respect to previous versions and a table with the configured OTPs has been added.
It is possible to generate OTPs based on groups from a user database, using the Create OTPs using LDAP/AD group option in Configuration -> OTP. OTPs are created from user sources, and only for those users who have an email defined. We can select the User Data Source, the Group, and whether the OTPs should be regenerated for users who already have one. An email is sent to each user for whom an OTP has been generated.
The network device class structure has been modified so that, from the openNAC frontend, we can see all the models approved for each brand instead of generic sheets or device families. The generic classes are still maintained internally in the backend (BE), and the devices shown in the frontend (FE) inherit from them.
Theme settings in openNAC are global. In the user icon on the top right, in the Theme section, we can configure the openNAC theme. The following changes have been made to the theme settings:
Removed the theme setting from User Settings.
The Theme section has been added, to which only administrator users have access.
Changed the form to change the theme, where you can modify the icon.
The configured icon is displayed on the login page, password change and error pages.
Added a firewall healthcheck to monitor the ping and VPN services. Unresponsive firewalls are flagged so that they are not used when trying to connect to WireGuard. An alert icon has also been added to commercial profiles for active connections whose firewall is inactive.
New tags have been added for browser extensions.
CBE (Chrome Browser Extension)
FBE (Firefox Browser Extension)
EBE (Edge Browser Extension)
1.5.5.3. ON Analytics
In api.ini, the Kibana version is verified to be the correct one, in order to avoid incompatibility errors with other versions.
New openNAC fields have been added to better exploit the data that does not arrive and to have more fields to analyze.
The openNAC captive portal is now available in the Spanish language.
Anonymization of fields. It is now possible to anonymize certain fields and emails to prevent them from appearing in plain text. To enable this option, the OPENNAC_ELK_ANONYMIZATION variable in /etc/default/opennac must be set to true. The anonymized fields, together with their corresponding hashes, are stored in an index named identities, which holds the relationship between each hash and its value. The fields that are anonymized are opennac_userid, smtp_mailfrom, smtp_rcptto. In the following fields, any email address found is detected and anonymized: smtp_to, smtp_from, smtp_cc, smtp_first_received, smtp_second_received.
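To illustrate the field anonymization described above, the following is an added example (not openNAC’s own code): it replaces the whole value of opennac_userid, smtp_mailfrom and smtp_rcptto with a pseudonym, scans the smtp_to, smtp_from, smtp_cc, smtp_first_received and smtp_second_received fields for embedded email addresses and replaces each one, and records the hash-to-value relationship in an in-memory "identities" mapping standing in for the identities index. The release note only says "hash"; the use of a keyed HMAC-SHA256 with a secret pepper, the function names and the sample event are assumptions of this example.

```python
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Fields anonymized as a whole (listed in the release note).
FULL_FIELDS = ("opennac_userid", "smtp_mailfrom", "smtp_rcptto")
# Fields scanned for embedded email addresses (listed in the release note).
SCAN_FIELDS = ("smtp_to", "smtp_from", "smtp_cc",
               "smtp_first_received", "smtp_second_received")

# Simple email matcher; good enough for addresses inside headers.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonym(value: str, pepper: bytes) -> str:
    """Keyed hash (assumption: HMAC-SHA256). The pepper is a secret so that the
    pseudonym cannot be reversed by hashing a list of guessed addresses."""
    return hmac.new(pepper, value.encode("utf-8"), hashlib.sha256).hexdigest()


def anonymize_event(event: Dict[str, str], pepper: bytes,
                    identities: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the event with identities replaced by pseudonyms.

    identities is updated in place with hash -> original value, which is the
    relationship the release note says the identities index stores."""
    out = dict(event)

    # Whole-value fields: the entire field is the identity.
    for name in FULL_FIELDS:
        if out.get(name):
            h = pseudonym(out[name], pepper)
            identities[h] = out[name]
            out[name] = h

    # Free-text fields: only the email addresses inside them are replaced.
    def replace(match: "re.Match[str]") -> str:
        h = pseudonym(match.group(0), pepper)
        identities[h] = match.group(0)
        return h

    for name in SCAN_FIELDS:
        if out.get(name):
            out[name] = EMAIL_RE.sub(replace, out[name])
    return out


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Run the anonymizer over one constructed (not real) SMTP event."""
    event = {
        "opennac_userid": "jdoe",
        "smtp_mailfrom": "alice@example.com",
        "smtp_rcptto": "bob@example.org",
        "smtp_from": "Alice <alice@example.com>",
        "smtp_to": "bob@example.org, carol@example.net",
        "smtp_first_received": "from mail.example.com (envelope-from <alice@example.com>)",
        "smtp_subject": "quarterly report",  # not in either list: left untouched
    }
    identities: Dict[str, str] = {}
    pepper = b"constructed-demo-pepper"  # in practice a secret kept outside the index
    return anonymize_event(event, pepper, identities), identities


if __name__ == "__main__":
    anon, ids = demo()
    for k, v in anon.items():
        print(f"{k}: {v}")
    print(f"{len(ids)} identities recorded")
```

Because the same address always maps to the same pseudonym, analysts can still correlate a sender across events without seeing the address; the identities mapping is the one place where that can be undone, so it needs tighter access control than the event data.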
1.5.5.4. Wireguard
New logs to calculate the session time of a VPN user. They record the time from when a user starts a new WireGuard session from the openNAC agent until it is disconnected.
VPN options in agent profiles have been revised. In ON Agent -> Agent Profiles, when any of the VPNs are enabled, the configuration files must also be selected, otherwise an error message is displayed. For example, if OpenVPN is enabled, it should be necessary to select at least one OpenVPN configuration file.
A list of FWs has been configured in the WireGuard plugin. In Configuration -> Plugins, in the wireGuardSync plugin, clicking on Edit plugin shows a list of firewalls, where we can edit them, add more, and remove them from the list.
Balance of FW nodes when connecting WireGuard using the plugin.
Script to update WireGuard configurations with dynamic end devices and with dynamic public key. (They are two different scripts)
WireGuard uses switch IPs to find the FW from which to disconnect WireGuard. When connecting to WireGuard, the plugin balances the FW nodes and calls another node if one does not respond.
The openNAC agent uses the public key variable received from the ON Core to connect to WireGuard.
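The firewall healthcheck with its unresponsive flag (ON Core section) and the FW node balancing with failover described for the wireGuardSync plugin above can be illustrated together. The following is an added example, not the plugin’s code: a healthcheck that probes each firewall’s ping and VPN service and flags the ones that fail, and a round-robin balancer that skips flagged nodes, tries the next node when a connection attempt does not succeed, and flags the node that failed. The class and function names, the probe callbacks and the sample nodes are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class FirewallNode:
    name: str
    address: str
    ping_ok: bool = True
    vpn_ok: bool = True
    unresponsive: bool = False  # flag set by the healthcheck or a failed connect

    @property
    def healthy(self) -> bool:
        return self.ping_ok and self.vpn_ok and not self.unresponsive


Probe = Callable[[str], bool]  # address -> reachable?


def run_healthcheck(nodes: List[FirewallNode], ping: Probe, vpn: Probe) -> List[str]:
    """Probe ping and VPN service on every node; flag those that fail either.
    Returns the names of the nodes flagged as unresponsive."""
    for node in nodes:
        node.ping_ok = ping(node.address)
        node.vpn_ok = vpn(node.address)
        node.unresponsive = not (node.ping_ok and node.vpn_ok)
    return [n.name for n in nodes if n.unresponsive]


class Balancer:
    """Round-robin over the configured FW nodes with failover to the next one."""

    def __init__(self, nodes: List[FirewallNode]):
        self.nodes = nodes
        self._next = 0  # round-robin starting position

    def connect(self, attempt: Callable[[FirewallNode], bool]) -> Optional[FirewallNode]:
        """Try healthy nodes starting at the round-robin position; each node is
        tried at most once. A node whose attempt fails is flagged so later
        connections skip it. Returns the node that accepted the connection."""
        count = len(self.nodes)
        start = self._next
        self._next = (start + 1) % count
        for i in range(count):
            node = self.nodes[(start + i) % count]
            if not node.healthy:
                continue
            if attempt(node):
                return node
            node.unresponsive = True  # call another node, as the release note says
        return None


def demo() -> dict:
    """Constructed scenario: fw2 fails its healthcheck, fw1 refuses the first
    WireGuard connection, so clients end up on fw3."""
    nodes = [FirewallNode("fw1", "10.0.0.1"), FirewallNode("fw2", "10.0.0.2"),
             FirewallNode("fw3", "10.0.0.3")]
    down_ping = {"10.0.0.2"}                      # constructed probe results
    flagged = run_healthcheck(nodes, lambda a: a not in down_ping, lambda a: True)
    balancer = Balancer(nodes)
    first = balancer.connect(lambda n: n.name != "fw1")   # fw1 does not answer
    second = balancer.connect(lambda n: True)
    return {
        "flagged_by_healthcheck": flagged,
        "first": first.name if first else None,
        "second": second.name if second else None,
        "unresponsive": [n.name for n in nodes if n.unresponsive],
    }


if __name__ == "__main__":
    print(demo())
```

Flagging a node on a failed connection, not only on the periodic healthcheck, is what keeps a firewall that silently stops accepting WireGuard peers from receiving every second or third client until the next check runs.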
1.5.5.5. Changes to consider
The openNAC agents need to be updated due to changes in the agent’s connection to WireGuard.
The openNAC 2SRA / EMM VAR infrastructure needs to be updated in its entirety (CMI / VPN Gateway FW included) due to internal changes.
The field opennac_result.lasteval has been defined as type “date”. Initially, there may be conflicts with indexes created before the update. Once these are purged, no warnings should appear.