1.5.4. Release 1.2.4-2
Release date: 23.04.2024
Welcome to the 1.2.4-2 OpenNAC Enterprise release.
In this release, our main focus has been on enhancing stability to ensure a seamless user experience through minor bug fixing.
With this release, the OpenNAC Agent is updated to version 102.04.02014.
Note
WireGuard users must restart the service from the Administration Portal after performing the 1.2.4-2 update. Failure to do so will prevent the changes related to VXLAN from being applied.
1.5.4.1. OpenNAC improvements
This section describes all changes that affect the OpenNAC solution.
1.5.4.1.1. ON Core
These are the changes that affect the ON Core component in this release.
Functionalities
In this release, when the Medigate plugin does not return any data, the tag ONC_MEDIGATE_NO_DATA will be assigned to the device. See the Medigate plugin section for more information.
This version removes the USB policy column from the Agent profiles section.
The Agent payloads section now includes the BitLocker OSQuery, displaying information about the execution of this disk encryption feature when enabled in Windows operating systems. It will add tags for each drive individually (ISS_BITLOCKER_DRIVE_C, NCS_BITLOCKER_DRIVE_D) and global tags for the whole set of drives (ISS_BITLOCKER, NCS_BITLOCKER). See the Agent payload section for more information.
Enhanced the check_ntlm.php script to provide error information about the UDS being checked during execution.
This version introduces a new job called SwitchTrunkPortStatus. This job aims to ensure the integrity and security of trunk ports within the network infrastructure by identifying and addressing potential anomalies or security risks, such as unauthorized devices connected to trunk ports. See the Analyze Trunk Port Status section for information on how to properly configure this job. Also, refer to the Analytics Data Lake section for more information about the results obtained by this job.
There is a new plugin that retrieves information from Cynerio Healthcare Solutions. See the Configuration > plugins section for more information.
There is a new flag called Allow nested groups on AD group authorizations in the User Data Sources section. This flag controls whether subgroup memberships within AD groups are considered for access permissions. See the User Data Sources section for more information.
This release introduces a new feature in the NetBackup Scheduler section. Clicking the new Show only errors button in the “View logs” window displays only the errors of the backup tests. See the NetBackup Scheduler section for more information.
Bugs fixed
This version addresses the PHP warnings that appeared on plugin executions.
We have fixed a string truncation problem identified in the ON Netbackup > Network device compliance > NetDevice Tests section of the Administration portal.
Fixed the invalid column value found on Captive instances and Compliance gap remediation.
This release addresses the issue where only HTTP protocol was accepted when configuring a proxy URL on agent profiles, now allowing HTTPS as well.
Fixed the Agent payloads section to display the full 12-character agent version.
Resolved an issue where errors encountered while applying deltas in the updatedb.php script were not accompanied by the error reason.
Resolved an issue related to an error when checking the Agent status in the Captive Portal.
The NTLM healthcheck now functions properly when credentials contain passwords with the character “$”.
The issue of high memory consumption during the Agent download has been resolved in this release.
This version fixes the Bulk edit malfunction found in the ON CMDB > Network devices section.
The issue with non-functional vxlan-tap interface after rebooting the VPNGW node has been fixed.
The segmentation fault issue occurring during Radius authentication with the Calling-Station-Id attribute has been resolved.
This release fixes an issue with the sizing of check-boxes across the Administration portal.
Resolved a bug in raphael.min related to resizing or loading portal sections.
Resolved an issue where logout events from different WireGuard nodes were being processed, regardless of session information.
Resolved an issue where DHCP fingerprint tags were not being added due to DHCP ACK management.
We have addressed the issue with the Captive Portal error on displaying a quarantine result.
Enhanced configuration for environments with multiple dynamic zones by ensuring inclusion of all IP pools in the Monitor Network Behaviour script. This update resolves an issue where incomplete rules were generated due to missing IP pools, ensuring that traffic from the VPNGW node to the sensor is properly allowed.
If you used the wrong SSH password in the Ansible playbook for migrating CMIX to VPNGW, the Administration Portal would not detect it. Now, it displays an error in the “VPNGW import process logs” for manual correction of the password and proper migration of VPNGW nodes.
We have addressed a minor string encoding issue found in Agent Profiles > Service configuration section.
Resolved an issue that was not allowing the proper disabling of Agent OSQueries.
1.5.4.1.2. ON Analytics
These are the changes that affect the ON Analytics component in this release.
Functionalities
This release implements automated replacement of the /etc/elastCurator/action.yaml file during Elasticsearch updates while preserving customized rotation values.
The UNAC Volumetry dashboard features enhancements by rearranging visualizations and adding a section dedicated to event distribution charts by type of location, network device, nodes, hostname, policy rules, and more. For more information, see the Analytics section.
The UNAC Authentication Metrics dashboard features enhancements by rearranging visualizations. For more information, see the Analytics section.
The UNAC Details dashboard now includes some of the new charts that are also displayed in the UNAC volumetry: Event distribution by policy rules, network devices and node hostname. For more information, see the Analytics > UNAC section.
The 2SRA Overview dashboard now includes a pie chart showcasing VPNGW Nodes connections, illustrating the percentage of connections made per node. Additionally, this version introduces a VPN sources connection map, displaying the locations of VPN connections. See the Analytics > 2SRA section for more information.
The Network Behaviour dashboard has been slightly modified to simplify its Location view, displaying now only the Connection Map.
Bugs fixed
Now, in the /etc/elasticsearch/elasticsearch.yml file, the remote cluster client role is consistently added to all nodes when updates are performed.
This version adjusts the Analytics and Sensor healthchecks to match the OVA partitioning. The healthcheck for /var/log is now commented out during Sensor or Analytics deployment to prevent failures caused by the non-existent /var/log partition.
1.5.4.1.3. ON VPNGW
These are the changes that affect the ON VPNGW component in this release.
Bugs fixed
Resolved the issue where VPN Hardening would disable “ip_forward” on the VPNGW when a restart is performed. The solution involves re-executing the hardening script on the VPNGW nodes.
Warning
Execute the hardening script again only on VPNGW nodes:
/usr/share/vpngw-api/scripts/hardeningScript.sh
1.5.4.1.4. ON Agent
These are the changes that affect the ON Agent component in this release.
Functionalities
OSQuery now obtains BitLocker details about the execution of this disk encryption feature when enabled in Windows operating systems. See the Agent payload section for more information.
This version of the Agent updates the supported Ubuntu version from 22.10 to 23.10. See the Multiplatform Agent section for a complete list of the supported operating systems.
Bugs fixed
This version resolves the slow performance issue experienced when opening the Agent UI in Windows OS.
The system updates script execution now times out properly and no longer consumes excessive resources.
This release resolves the issue where the Agent update start was blocked when OSQuery was inactive.
Fixed the failure where the length of the Soluble Agent CDN name caused an error message to be displayed.
Addressed encoding error occurring during script execution within the Soluble Agent’s ProcessExecutor component.
This version addresses a bug where uninstalling the Agent on Linux operating systems would not disconnect the VPN.
Resolved the issue in MacOS and Linux operating systems where the Uninstall payload was not being sent to the Core.
1.5.4.2. Automated deployments
These are the Ansible changes that affect the deployment of the OpenNAC components in this release.
Functionalities
This version introduces three additional hardening strict remediation rules to the hardening process applied while updating your OpenNAC environment. These rules, which relate to passwords, can be applied manually if desired. See the OpenNAC hardening section for more information.
All enabled DNF modules have been updated to their latest versions to prevent deprecated modules: PHP 8.1, Node.js 20, Nginx 1.22, and Ruby 3.1.
1.5.4.3. Known issues
This section features bugs we have already identified and the expected behavior for this release. These issues will be addressed in the next release.
Plugin execution issue: In the ideal scenario, asynchronous plugins should wait for synchronous plugin execution to conclude before considering their results for evaluation. For instance, if the result is a rejection status, the asynchronous plugin should execute while taking this status into account. However, this coordination is not functioning correctly during the initial policy evaluation on auto-learned devices.
Although we have identified this issue, the plugins perform as expected in scenarios where the device is already registered in the CMDB before the policy evaluation.
VPN farm deletion issue: After deleting a VPNGW farm on the NextGen Portal, the page fails to refresh automatically, and the deleted item remains displayed even after its deletion. To ensure accurate updates, manually refresh the page after deleting a VPNGW farm to reflect the changes properly.
BitLocker Tag Management Issue: Currently, the expected behavior of removing tags for drives no longer connected to the Windows device, such as ISS_BITLOCKER_DRIVE_D, is not functioning correctly. Consequently, the tag updating mechanism is not working as expected. To ensure BitLocker compliance, check the device’s global BitLocker compliance via the ISS_BITLOCKER tag: if the device has this tag, all drives currently connected to the device will have BitLocker enabled and operational.
OpenNAC Analytics Dashboards menus are not updated automatically: To manually fix the issue and ensure you are working with the latest changes in the “Dashboard Configuration,” follow these steps:
Warning
The commands indicated below reset all custom values defined within the Configuration > Dashboards list, including the links to custom dashboards created in Kibana.
If you have customized dashboards, they will not be removed from Kibana. However, before resetting the Analytics menu, you will need to add them again in the Configuration > Dashboards section.
Open your terminal and execute the following command:
mysql -u root -p opennac
Reset the menuAnalytics value, by executing the following command:
UPDATE CONFIGURATION SET VALUE = "" WHERE ID = "menuAnalytics";
1.5.4.4. Documentation improvements
All the documentation changes are described in this section.
The documentation introduces a new troubleshooting section for instances where no data is displayed in Elasticsearch.
The Agent troubleshooting section now features how to troubleshoot an Agent installation error found on MacOS.
The Soluble Agent section introduces a new subsection providing log paths to locate and inspect Soluble Agent logs on different operating systems.
We greatly appreciate user feedback and ratings as they play a crucial role in delivering user-oriented content. Please, share your valuable insights to help us improve and meet your needs. You can locate the Feedback tab on the right side of the documentation page. Thank you for your contribution!