This topic describes the changes in this minor release of Compliance Scanner for VMware Tanzu.

For product versions and upgrade paths, see Upgrade Planner.

v1.2.54

Release date: June 29, 2023

Features

New features and changes in this release:

  • Ignore directories: Compliance Scanner allows you to specify directories to ignore in scans, for example, large NFS and SMB drives. For how to specify directories to ignore, see Configure scan variables.
  • golang v1.20.4: Updated golang to v1.20.4.
  • STIG Viewer 2.17: This release adds support for STIG Viewer 2.17.

Resolved issues

This release has the following fix:

CIS Kubernetes scan results display the correct version.

Known issues

No known issues.

v1.2.53

Release date: January 25, 2023

Features

New features and changes in this release:

  • Ubuntu STIG version update: Stemcell Security Technical Implementation Guide (STIG) version has been updated to V2R3.
  • Kubernetes STIG version update: Kubernetes Security Technical Implementation Guide (STIG) version has been updated to V1R7.
  • CIS Kubernetes version update: CIS Kubernetes benchmark has been updated to v1.6.1.

Known issues

CIS Kubernetes scan results wrongly display benchmark v1.5.0 instead of v1.6.1.

v1.2.52

Release date: January 10, 2023

Features

New features and changes in this release:

  • Kubernetes STIG: Kubernetes Security Technical Implementation Guide (STIG) V1R2 has been added.
  • Ubuntu STIG version update: Stemcell Security Technical Implementation Guide (STIG) version has been updated to V2R2.
  • Object prefix support for S3: You can specify the AWS S3 object prefix to group scan results in an S3 bucket. This lets you store scan results from multiple foundations in a single S3 bucket. For how to set the S3 object prefix, see Configure to Upload to an S3 Bucket in Installing and Configuring Compliance Scanner.
  • Logging scanned and skipped VMs: Scan logs now include IP addresses of scanned and skipped VMs.
  • Non-default CNI check for Tanzu Kubernetes Grid Integrated Edition: You can specify the non-default container networking interface (CNI) directory for configuration check. For how to set the CNI directory, see Configure Scan Variables in Installing and Configuring Compliance Scanner.

Known issues

There are no known issues for this release.

v1.2.49

Release date: January 4, 2021

Resolved issues

This release has the following fix:

  • The Compliance Scanner deployment no longer fails in air-gapped environments.

Known issues

There are no known issues for this release.

v1.2.48

Release date: December 3, 2020

Features

New features and changes in this release:

  • Tanzu Kubernetes Grid Integrated Edition (TKGI) benchmarks: Additional benchmarks added:

    • The TKGI Master Node - Level 1 and Level 2
    • The TKGI Worker Node - Level 1 and Level 2

    For information about these new benchmarks, see Benchmarks for Compliance Scanner.

  • Store scan results in C2S and SC2S regions: You can now store scan results in AWS C2S and SC2S regions. For how to select an S3 bucket region, see Configure to Upload to an S3 Bucket in Installing and Configuring Compliance Scanner.

  • Ability to exclude instance groups: This allows the user to exclude instance groups, for example, errand VMs and Diego Cell VMs, from scans. For more information, see List of instance group names that will be excluded from deployment.

  • Ability to scan specific deployments: This allows the user to scan specific deployments, for example, a TKGI cluster. For more information, see List of deployments to scan in Installing and Configuring Compliance Scanner.

  • Detection Timeout field: Compliance Scanner skips scanning VMs where Compliance Scanner is not deployed, such as Windows VMs. For more information, see Detection Timeout.

  • golang v1.14.2: Updated golang to v1.14.2.

Known issues

This release has the following issue:

  • This release does not work in air-gapped environments.

v1.2.32

Release date: May 11, 2020

Features

New features and changes in this release:

  • CPU limit and Enforce CPU limit are configured separately: The CPU limit for Compliance Scanner is now configured independently of the Enforce CPU limit field. When you upgrade to v1.2.32 from v1.1.19 or later, the value of CPU limit is reset to the installation default of 50%.
    For instructions on setting the CPU limit, see Configure Scans.

  • Configure an Amazon S3 bucket for scan results: You can now configure an Amazon S3 bucket for scan results if you have the instance profile name of the S3 bucket. You no longer need to know the access key ID and the secret access key for the S3 bucket.
    For information, see Configure to Upload to an S3 Bucket.

  • Adds support for S3 using AWS instance profiles to authenticate.
    For more information, see Using AWS Instance Profile.

  • Switch from Unix socket to TCP with mTLS: Changes the communication protocol between the Scanner Web and the Scanner Daemon from Unix socket to TCP with mTLS.

  • Speeds up targeted benchmark runs.
  • Updates bundled OpenSCAP to v1.3.2.
  • Updates STIG benchmark:

    • Adds audit rules SV-90369r2_rule, SV-90387r3_rule, SV-90437r3_rule, SV-90445r3_rule, SV-90465r3_rule, SV-95681r1_rule, SV-90459r3_rule
    • Adds NIST Control Map to the STIG benchmark
  • Updates CIS benchmark:

    • Removes exceptions for audit rules: 4.1.6, 4.1.7
    • Fixes CIS Level 1 rules:
      • 1.1.17, 1.1.18, 1.1.19 - Remove the verification for CD-ROMs
      • 2.2.7-2 - Use dpkg instead of systemctl
      • 4.2.1.2 - Remove duplicate log entries and remove unneeded log files for rsyslog configuration
      • 4.3 - Ignore /var/log/cloud-init.log to be log rotated
      • 5.2.11 - Remove SSH MAC Exception
    • Fixes CIS Level 2 rule:
      • 4.1.10 - Fix failing test due to stemcell changes

Resolved issues

This release has the following fixes:

  • Fixes permission issue causing Scheduled Scan to not work: The process is now run as VCAP.
  • Fixes cgroups issue: A single core is now used when scanning.

Known issues

There are no known issues for this release.

v1.2.16

Release date: October 28, 2019

Features

New features and changes in this release:

  • Store scan results in an Azure Blob Storage Container: You can now use an Azure Blob Storage Container to store scan results. For information, see (Optional) Configure External Store Upload.

  • Schedule scans: Adds the ability to schedule scans. This enables the user to schedule a time and day of the week to run their scan. For more information, see Configure Scheduled Scan.

  • Benchmarks used with Compliance Scanner are updated:

    • The CIS Ubuntu Linux 16.04 LTS – Level 1 benchmark replaces the Recommended Security Baseline benchmark.
    • The CIS Ubuntu Linux 16.04 LTS – Level 2 benchmark replaces the Strict Security Practices benchmark. For information about these new benchmarks, see Benchmarks for Compliance Scanner for VMware Tanzu.
  • Custom SSH Banner field: Use this new field to provide the text expected when verifying the login SSH Banner on VMs during a scan. For more information, see Configure Scan Variables.

  • Updates golang dependency: The golang dependency is now v1.13.1.

Known issues

This release has the following issues:

  • Schedule Scan: A permission issue causes Scheduled Scan to not work when run under root.
  • cgroups: Scans use more resources due to multiple cores of a VM being used to run scans. This might cause performance issues on Diego Cell VMs with many apps.
