Release notes

Version: 4.8.0
Build number: 12121
Release date: 2024-02-19 (general availability)
Benchmarks release date: 2024-02-21
Server version: nanitor-4.8.0.12121-14294-master
Agent version: nanitor-4.8.0.12115-14290-master
Collector version: nanitor-4.8.0.12115-14290-master

Welcome to Nanitor v4.8.0! This release introduces significant enhancements across our cybersecurity threat management platform, with a keen focus on MSP & MSSP support, identity security, and compliance framework updates. From hierarchical organization structuring to critical identity security checks and PCI-DSS v4.0 compliance, our latest update is designed to enhance your security posture management in a more comprehensive and efficient manner.

Highlights

Enhanced Identity Security for Active Directory (AD) Identities

In our latest update, we've made significant strides in Active Directory (AD) identity visibility and management. This enhancement empowers both Chief Information Security Officers (CISOs) and IT/sysadmins to swiftly identify and mitigate significant security vulnerabilities, ensuring a robust defense against potential threats.

Expanded AD Identity Inventory: Our platform has been significantly enhanced to provide a full inventory of Active Directory (AD) user identities. This includes users who may not have logged into any monitored computers but have access rights. Previously, our inventory was limited to users observed on monitored systems. Now, by integrating directly with the domain controller, we capture a complete list of user identities, offering full visibility and control over AD security.
Issue Type Renaming: We have evolved the "user" issue type into "identity," laying the groundwork for future enhancements in this crucial area.
New Identities Tab: We've introduced an "identities tab" within identity issues, detailing the specific identities impacted. This feature is designed to streamline the identification and remediation process, crucial for IT/sysadmins tasked with day-to-day security management.

Critical AD environment issues now detectable:

Privileged user account (identity) has an SPN (Service Principal Name)
Privileged user account has unconstrained Kerberos Delegations
User account with a Primary Group ID other than 513
User account with a SIDHistory of a well-known Privileged SID

These critical enhancements significantly improve our ability to monitor well-known AD security risks, automatically flagging them as critical in our system for immediate attention.

As seen in the screenshot below, by default the new issues are enabled (in baseline) and with a severity rating of critical.

New issues in Identity issue configuration — Illustration of the identity issue configuration, highlighting the critical severity rating by default for the new identity issues.

Supported Identity Types Clarified:

We have clarified the types of identities supported by our platform, adding a new "identity type" column to our inventory for greater clarity:

Windows domain user
Windows local user
Linux user
Apple user

Additionally, the introduction of a "location" column specifies where each identity is defined—distinguishing between local user accounts on individual computers and domain user accounts defined within the domain.

Identity inventory — Our enhanced identity inventory provides a comprehensive overview, showcasing where identities are defined for improved management and security.

Get Started: To enable the new AD Idenities feature, follow the instructions from our Documentation: Enabling Active Directory users discovery.

Feedback:

We're actively enhancing identity security, a crucial area of our focus. As this evolves, your feedback is key to refining our approach and ensuring success. Please reach out to share your thoughts and suggestions!

Enhanced MSP & MSSP Support: Parent Organizations & Cross-Organizational API access

We've deepened our commitment to MSPs and MSSPs through advanced features that streamline organizational management and enable dynamic, cross-organizational API query capabilities.

Suborganization management: We've introduced the capability to create and manage suborganizations directly from a parent organization. This feature is invaluable for MSPs and MSSPs aiming to group organizations under a unified management umbrella, enhancing operational efficiency and oversight.

Organization defined as a sub organization — The organization creator window has been updated to allow for the definition of a parent organization, simplifying the creation of structured suborganizations.

Enhanced organization switcher: The organization switcher has been upgraded with search functionality and the ability to display an organizational hierarchy. This makes navigating between tens or hundreds of suborganizations seamless and intuitive.

Org switcher hierarchy — Our improved organization switcher now features a searchable interface and visualizes the hierarchy of parent and suborganizations, ensuring quick and easy navigation.

Cross-Organizational API Queries: API keys generated for parent organizations now grant the ability to perform queries across all suborganizations. This advancement empowers MSPs to custom-build dashboards and set up alerts tailored to their operational needs, all from a single access point.
Inherited User Roles: User roles can now be inherited from the top-level organization upon selection. This streamlines role management across organizations, ensuring consistent access control and permissions alignment.

We are committed to continuously enhancing our support for MSPs and MSSPs. This journey is ongoing, and we eagerly anticipate your feedback to guide our future updates. Please reach out to share your thoughts and suggestions!

New Compliance Framework: PCI-DSS v4.0

Stay current with the latest compliance standards with our update to PCI-DSS v4.0. This ensures your compliance efforts are streamlined, simplifying audits, and enhancing compliance management for financial institutions.

Benchmark updates

Our upcoming benchmarks, set to release shortly after the product launch (see more detail in the release information header on top), will automatically integrate with the Nanitor server without requiring any manual action from our customers.

In this release, while we haven't introduced new benchmarks, we've concentrated on significantly enhancing the accuracy and reliability of our existing benchmarks. This focus on quality is critical, as we aim to eliminate false positives and refine testing methodologies. Given the intricate nature of security benchmarks, where multiple solutions can address a single rule, our commitment to precision and adaptability is paramount.

Updated benchmarks

We have made comprehensive updates to several benchmarks, with a particular emphasis on rectifying false positives and enhancing our testing processes:

Ubuntu 20.04 (revision 11): based on CIS benchmark version 2.0.1 (Ubuntu Linux 20.04 LTS Benchmark): Multiple checks were fixed due to reported false positives.
IBM AIX (revision 12): based on CIS benchmark version 1.0.0 (IBM AIX 7.1 Benchmark): Updated to fix a false positive in mindigit password check.
Apache Http Server 2 (revision 8): based on CIS benchmark version 2.0.0: Rule 4.1 - Ensure Options for the OS Root Directory are Restricted was fixed to address a false positive.
47 benchmarks were updated with incremented new revisions to add new compliance framework mappings for PCI-DSS v4.0 framework.

Improvements

Software inventory now has a filter for software type, enabling users to filter and get an overview of OS in the environment.

Software OS inventory — The software inventory can now by filtered by type OS to get an inventory of operating systems.

Health report options: Expanded options for the Health Status PDF report, offering more customization for reporting needs. Issue type was added as a filtering option.
CIA triad refresh. We are continuing to try to simplify and make CIA (Confidentiality, Integrity, Availability) vectors more readable with a new design.
Project management simplification: Easier to change status. Now user can freely adjust the status, but progress is still tracked automatically.
Patch issue - linked vulnerabilities: The tab with fixed vulnerabilities has been improved to better reflect the severity of the related vulnerabilities and link to issues.
Organization switcher moved to personal settings. As a user can have various roles in different organizations, with organization settings possibly not available, it was necessary to move the switcher to a menu that is always available.
User role in profile info. For convenience the user can now go to their Personal Settings and view their organizational role.
Selection of all roles now supported when editing user organization permissions for SAML.
Public API: Issue API endpoint: Added severity, and CISA KEV fields and filtering options to the returned issue data. See: API docs.

Bug Fixes

Resolved Benchmark Assignment Issue: Fixed an issue where Windows AD Servers were not being correctly assigned AD benchmarks.
Ubuntu 20.04 Benchmark Corrections: Addressed false positives and incorrect captures in Ubuntu 20.04 benchmarks.
Agent Update Fix on RHEL 6.10: Corrected an issue preventing nanitor-agent updates on RHEL 6.10 i686.
Login and Scheduled Report Fixes: Addressed login issues related to 2FA mismatches and improved the reliability of scheduled health score reports.
AIX benchmark fix: mindigit rule was fixed to support case where the value is set higher than 1.
CentOS Ensure SSH access is limited rule was fixed to address a false positive.
EASM: Fix made to properly combine the internal and external asset entries when an external asset is signed up with an agent.
Bug fixed where 2FA code provided as text did not match the QR code.
Bug fixed where adding a collected asset with incorrect credentials was not recoverable.
Oracle Linux: RedHat benchmarks updated to avoid a bug where RedHat benchmarks were assigned to Oracle Linux.
Bug fixed where a user uploading a profile image that was too big would silently fail, as well as adding image size and format instructions.

Documentation:

Identity documentation: New user guide documentation on Identity support in the Nanitor User Guide: Identities.
Projects documentation: New user guide documentation on our remediation Projects in the Nanitor User Guide: Projects.

Helpful articles

How to perform manual upgrade on self-hosted servers

Updates

2024-02-13: Initial v4.8.0 release was published and released to early-access users.
2024-02-19: Release published for general availability.
2024-02-21: Benchmarks released for v4.8.0 version.
2024-02-22: A new server-only build (nanitor-4.8.0.12121-14294-master) was published to hotfix database migration issues that were affecting some servers and blocking background processing tasks. Also, this version includes a hotfix when some users can’t log in with SAML.