Release notes
- Version: 4.8.0
- Build number: 12121
- Release date: 2024-02-19 (general availability)
- Benchmarks release date: 2024-02-21
- Server version: nanitor-4.8.0.12121-14294-master
- Agent version: nanitor-4.8.0.12115-14290-master
- Collector version: nanitor-4.8.0.12115-14290-master
Welcome to Nanitor v4.8.0! This release introduces significant enhancements across our cybersecurity threat management platform, with a keen focus on MSP & MSSP support, identity security, and compliance framework updates. From hierarchical organization structuring to critical identity security checks and PCI-DSS v4.0 compliance, our latest update is designed to enhance your security posture management in a more comprehensive and efficient manner.
Highlights
Enhanced Identity Security for Active Directory (AD) Identities
In our latest update, we've made significant strides in Active Directory (AD) identity visibility and management. This enhancement empowers both Chief Information Security Officers (CISOs) and IT/sysadmins to swiftly identify and mitigate significant security vulnerabilities, ensuring a robust defense against potential threats.
- Expanded AD Identity Inventory: Our platform has been significantly enhanced to provide a full inventory of Active Directory (AD) user identities. This includes users who may not have logged into any monitored computers but have access rights. Previously, our inventory was limited to users observed on monitored systems. Now, by integrating directly with the domain controller, we capture a complete list of user identities, offering full visibility and control over AD security.
- Issue Type Renaming: We have evolved the "user" issue type into "identity," laying the groundwork for future enhancements in this crucial area.
- New Identities Tab: We've introduced an "identities tab" within identity issues, detailing the specific identities impacted. This feature is designed to streamline the identification and remediation process, crucial for IT/sysadmins tasked with day-to-day security management.
Critical AD environment issues now detectable:
- Privileged user account (identity) has an SPN (Service Principal Name)
- Privileged user account has unconstrained Kerberos Delegations
- User account with a Primary Group ID other than 513
- User account with a SIDHistory of a well-known Privileged SID
These critical enhancements significantly improve our ability to monitor well-known AD security risks, automatically flagging them as critical in our system for immediate attention.
As seen in the screenshot below, by default the new issues are enabled (in baseline) and with a severity rating of critical.
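The four AD identity checks listed above, as an added example of the detection logic (not Nanitor's own code), run over constructed LDAP-style account records. It assumes a record is a dict of the usual AD attributes (memberOf, servicePrincipalName, userAccountControl, primaryGroupID, sIDHistory) and treats an account as privileged when it belongs to one of the groups in a constructed PRIVILEGED_GROUPS set.

```python
# userAccountControl bit for unconstrained delegation (TRUSTED_FOR_DELEGATION)
UAC_TRUSTED_FOR_DELEGATION = 0x80000
DOMAIN_USERS_RID = 513  # the expected primaryGroupID for ordinary users

# Well-known privileged RIDs/SIDs used for the SIDHistory check
PRIVILEGED_RIDS = {512, 518, 519}   # Domain Admins, Schema Admins, Enterprise Admins
PRIVILEGED_SIDS = {"S-1-5-32-544"}  # BUILTIN\Administrators
# Assumption: groups whose members this example treats as privileged
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def sid_is_privileged(sid: str) -> bool:
    """True if the SID is a well-known privileged group SID (any domain)."""
    if sid in PRIVILEGED_SIDS:
        return True
    rid = sid.rsplit("-", 1)[-1]
    return rid.isdigit() and int(rid) in PRIVILEGED_RIDS

def check_identity(acct: dict) -> list[str]:
    """Return the names of the issues raised by one account record."""
    issues = []
    privileged = bool(PRIVILEGED_GROUPS & set(acct.get("memberOf", [])))
    if privileged and acct.get("servicePrincipalName"):
        issues.append("privileged-account-has-spn")
    if privileged and acct.get("userAccountControl", 0) & UAC_TRUSTED_FOR_DELEGATION:
        issues.append("privileged-account-unconstrained-delegation")
    if acct.get("primaryGroupID", DOMAIN_USERS_RID) != DOMAIN_USERS_RID:
        issues.append("primary-group-not-domain-users")
    if any(sid_is_privileged(s) for s in acct.get("sIDHistory", [])):
        issues.append("sidhistory-contains-privileged-sid")
    return issues

# Constructed sample records (not real directory data)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_backup", "memberOf": ["Domain Admins"],
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "userAccountControl": 0x80000 | 0x200, "primaryGroupID": 513, "sIDHistory": []},
    {"sAMAccountName": "jdoe", "memberOf": [], "servicePrincipalName": [],
     "userAccountControl": 0x200, "primaryGroupID": 512,
     "sIDHistory": ["S-1-5-21-111-222-333-519"]},
    {"sAMAccountName": "asmith", "memberOf": [], "servicePrincipalName": [],
     "userAccountControl": 0x200, "primaryGroupID": 513, "sIDHistory": []},
]

def audit(accounts: list[dict]) -> dict[str, list[str]]:
    """Map each account name to its issues; clean accounts are omitted."""
    return {a["sAMAccountName"]: found for a in accounts if (found := check_identity(a))}

if __name__ == "__main__":
    for name, found in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(found)}")
```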
Supported Identity Types Clarified:
We have clarified the types of identities supported by our platform, adding a new "identity type" column to our inventory for greater clarity:
- Windows domain user
- Windows local user
- Linux user
- Apple user
Additionally, the introduction of a "location" column specifies where each identity is defined—distinguishing between local user accounts on individual computers and domain user accounts defined within the domain.
Get Started: To enable the new AD Identities feature, follow the instructions in our Documentation: Enabling Active Directory users discovery.
Feedback:
We're actively enhancing identity security, a crucial area of our focus. As this evolves, your feedback is key to refining our approach and ensuring success. Please reach out to share your thoughts and suggestions!
Enhanced MSP & MSSP Support: Parent Organizations & Cross-Organizational API access
We've deepened our commitment to MSPs and MSSPs through advanced features that streamline organizational management and enable dynamic, cross-organizational API query capabilities.
- Suborganization management: We've introduced the capability to create and manage suborganizations directly from a parent organization. This feature is invaluable for MSPs and MSSPs aiming to group organizations under a unified management umbrella, enhancing operational efficiency and oversight.
- Enhanced organization switcher: The organization switcher has been upgraded with search functionality and the ability to display an organizational hierarchy. This makes navigating between tens or hundreds of suborganizations seamless and intuitive.
- Cross-Organizational API Queries: API keys generated for parent organizations now grant the ability to perform queries across all suborganizations. This advancement empowers MSPs to custom-build dashboards and set up alerts tailored to their operational needs, all from a single access point.
- Inherited User Roles: User roles can now be inherited from the top-level organization upon selection. This streamlines role management across organizations, ensuring consistent access control and permissions alignment.
We are committed to continuously enhancing our support for MSPs and MSSPs. This journey is ongoing, and we eagerly anticipate your feedback to guide our future updates. Please reach out to share your thoughts and suggestions!
New Compliance Framework: PCI-DSS v4.0
Stay current with the latest compliance standards with our update to PCI-DSS v4.0. This streamlines your compliance efforts, simplifies audits, and enhances compliance management for financial institutions.
Benchmark updates
Our upcoming benchmarks, set to release shortly after the product launch (see more detail in the release information header on top), will automatically integrate with the Nanitor server without requiring any manual action from our customers.
In this release, while we haven't introduced new benchmarks, we've concentrated on significantly enhancing the accuracy and reliability of our existing benchmarks. This focus on quality is critical, as we aim to eliminate false positives and refine testing methodologies. Given the intricate nature of security benchmarks, where multiple solutions can address a single rule, our commitment to precision and adaptability is paramount.
Updated benchmarks
We have made comprehensive updates to several benchmarks, with a particular emphasis on rectifying false positives and enhancing our testing processes:
- Ubuntu 20.04 (revision 11): based on CIS benchmark version 2.0.1 (Ubuntu Linux 20.04 LTS Benchmark): Multiple checks were fixed due to reported false positives.
- IBM AIX (revision 12): based on CIS benchmark version 1.0.0 (IBM AIX 7.1 Benchmark): Updated to fix a false positive in mindigit password check.
- Apache Http Server 2 (revision 8): based on CIS benchmark version 2.0.0: Rule 4.1 - Ensure Options for the OS Root Directory are Restricted was fixed to address a false positive.
- 47 benchmarks received incremented revisions to add compliance framework mappings for the PCI-DSS v4.0 framework.
Improvements
- Software inventory now has a filter for software type, enabling users to filter the inventory and get an overview of the operating systems in the environment.
- Health report options: Expanded options for the Health Status PDF report, offering more customization for reporting needs. Issue type was added as a filtering option.
- CIA triad refresh: We continue to simplify the CIA (Confidentiality, Integrity, Availability) vectors and make them more readable with a new design.
- Project management simplification: Easier to change status. The user can now freely adjust the status, while progress is still tracked automatically.
- Patch issue - linked vulnerabilities: The tab with fixed vulnerabilities has been improved to better reflect the severity of the related vulnerabilities and link to issues.
- Organization switcher moved to personal settings. As a user can have various roles in different organizations, with organization settings possibly not available, it was necessary to move the switcher to a menu that is always available.
- User role in profile info. For convenience the user can now go to their Personal Settings and view their organizational role.
- Selection of all roles now supported when editing user organization permissions for SAML.
- Public API: Issue API endpoint: Added severity and CISA KEV fields, with matching filtering options, to the returned issue data. See: API docs.
Bug Fixes
- Resolved Benchmark Assignment Issue: Fixed an issue where Windows AD Servers were not being correctly assigned AD benchmarks.
- Ubuntu 20.04 Benchmark Corrections: Addressed false positives and incorrect captures in Ubuntu 20.04 benchmarks.
- Agent Update Fix on RHEL 6.10: Corrected an issue preventing nanitor-agent updates on RHEL 6.10 i686.
- Login and Scheduled Report Fixes: Addressed login issues related to 2FA mismatches and improved the reliability of scheduled health score reports.
- AIX benchmark fix: The mindigit rule was fixed to support the case where the value is set higher than 1.
- CentOS Ensure SSH access is limited rule was fixed to address a false positive.
- EASM: Fix made to properly combine the internal and external asset entries when an external asset is signed up with an agent.
- Bug fixed where 2FA code provided as text did not match the QR code.
- Bug fixed where adding a collected asset with incorrect credentials was not recoverable.
- Oracle Linux: RedHat benchmarks updated to avoid a bug where RedHat benchmarks were assigned to Oracle Linux.
- Bug fixed where uploading a profile image that was too big would silently fail; image size and format instructions were also added.
Documentation:
- Identity documentation: New user guide documentation on Identity support in the Nanitor User Guide: Identities.
- Projects documentation: New user guide documentation on our remediation Projects in the Nanitor User Guide: Projects.
Helpful articles
How to perform manual upgrade on self-hosted servers
Updates
- 2024-02-13: Initial v4.8.0 release was published and released to early-access users.
- 2024-02-19: Release published for general availability.
- 2024-02-21: Benchmarks released for v4.8.0 version.
- 2024-02-22: A new server-only build (nanitor-4.8.0.12121-14294-master) was published to hotfix database migration issues that were affecting some servers and blocking background processing tasks. This build also includes a hotfix for an issue where some users could not log in with SAML.