These are release notes for Compliance Scanner for VMware Tanzu.

For product versions and upgrade paths, see Upgrade Planner.

v1.2.49

Release Date: January 4, 2021

Resolved Issues

This release has the following fix:

  • The Compliance Scanner deployment no longer fails in air-gapped environments.

Known Issues

There are no known issues for this release.

v1.2.48

Release Date: December 3, 2020

Features

New features and changes in this release:

  • Tanzu Kubernetes Grid Integrated Edition (TKGI) benchmarks: The following benchmarks are added:

    • The TKGI Master Node - Level 1 and Level 2
    • The TKGI Worker Node - Level 1 and Level 2

    For information about these new benchmarks, see Benchmarks for Compliance Scanner.

  • Store scan results in C2S and SC2S regions: You can now store scan results in AWS C2S and SC2S regions. For how to select an S3 bucket region, see Configure to Upload to an S3 Bucket in Installing and Configuring Compliance Scanner.

  • Ability to exclude instance groups: This allows the user to exclude instance groups, for example, errand VMs and Diego Cell VMs, from scans. For more information, see List of instance group names that will be excluded from deployment.

  • Ability to scan specific deployments: This allows the user to scan specific deployments, for example, a TKGI cluster. For more information, see List of deployments to scan in Installing and Configuring Compliance Scanner.

  • Detection Timeout field: Compliance Scanner skips scanning VMs where Compliance Scanner is not deployed, such as Windows VMs. For more information, see Detection Timeout.

  • golang v1.14.2: Updated golang to v1.14.2.

Known Issues

This release has the following issue:

  • This release does not work in air-gapped environments.

v1.2.32

Release Date: May 11, 2020

Features

New features and changes in this release:

  • CPU limit and Enforce CPU limit are configured separately: The CPU limit for Compliance Scanner is now configured independently of the Enforce CPU limit field. When you upgrade to v1.2.32 from v1.1.19 or later, the value of CPU limit is reset to the installation default of 50%.
    For instructions on setting the CPU limit, see Configure Scans.

  • Configure an Amazon S3 bucket for scan results: You can now configure an Amazon S3 bucket for scan results if you have the instance profile name of the S3 bucket. You no longer need to know the access key ID and the secret access key for the S3 bucket.
    For information, see Configure to Upload to an S3 Bucket.

  • Adds support for authenticating to S3 using AWS instance profiles.
    For more information, see Using AWS Instance Profile.

  • Switch from Unix socket to TCP with mTLS: Changes the communication protocol between the Scanner Web and the Scanner Daemon from Unix socket to TCP with mTLS.

  • Speeds up targeted benchmark runs.
  • Updates bundled OpenSCAP to v1.3.2.
  • Updates STIG benchmark:

    • Adds audit rules SV-90369r2_rule, SV-90387r3_rule, SV-90437r3_rule, SV-90445r3_rule, SV-90465r3_rule, SV-95681r1_rule, SV-90459r3_rule
    • Adds NIST Control Map to the STIG benchmark
  • Updates CIS benchmark:

    • Removes exceptions for audit rules: 4.1.6, 4.1.7
    • Fixes CIS Level 1 rules:
      • 1.1.17, 1.1.18, 1.1.19 - Remove the verification for CD-ROMs
      • 2.2.7-2 - Use dpkg instead of systemctl
      • 4.2.1.2 - Remove duplicate log entries and remove unneeded log files from the rsyslog configuration
      • 4.3 - Ignore /var/log/cloud-init.log when checking log rotation
      • 5.2.11 - Remove SSH MAC Exception
    • Fixes CIS Level 2 rule:
      • 4.1.10 - Fix failing test due to stemcell changes

Resolved Issues

This release has the following fixes:

  • Fixes a permission issue that prevented Scheduled Scan from working: The process now runs as the vcap user.
  • Fixes cgroups issue: A single core is now used when scanning.

Known Issues

There are no known issues for this release.

v1.2.16

Release Date: October 28, 2019

Features

New features and changes in this release:

  • Store scan results in an Azure Blob Storage Container: You can now use an Azure Blob Storage Container to store scan results. For information, see (Optional) Configure External Store Upload.

  • Schedule scans: Adds the ability to schedule scans. This enables the user to schedule a time and day of the week to run their scan. For more information, see Configure Scheduled Scan.

  • Benchmarks used with Compliance Scanner are updated:

    • The CIS Ubuntu Linux 16.04 LTS – Level 1 benchmark replaces the Recommended Security Baseline benchmark.
    • The CIS Ubuntu Linux 16.04 LTS – Level 2 benchmark replaces the Strict Security Practices benchmark. For information about these new benchmarks, see Benchmarks for Compliance Scanner for VMware Tanzu.
  • Custom SSH Banner field: Use this new field to provide the text expected when verifying the login SSH Banner on VMs during a scan. For more information, see Configure Scan Variables.

  • Updates golang dependency: The golang dependency is now v1.13.1.

Known Issues

This release has the following issues:

  • Scheduled Scan: A permission issue prevents Scheduled Scan from working when it is run as root.
  • cgroups: Scans use more resources because multiple cores of a VM are used to run them. This might cause performance issues on Diego Cell VMs that host many apps.
