Releases in 2020

March 2020 - v2.27.1

  1. User Experience Improvements

    • Cloudneeti API access: Cloudneeti exposes APIs for Cloud Account onboarding, audit reports, scans, etc. Refer to the documentation for more details.

    • Added “Asset Security (Preview)” dashboard: View protected Azure and AWS assets per region. Refer to the documentation for more details. Added vulnerabilities for Azure VM.

    • Deprecated “Assets” dashboard

    • Private Benchmarks: restrict user deletion, role changes in case collaborated.

    • Updates in benchmark sequence on “Compliance” dashboard.

  2. Platform & Stability Improvements

    • Fixed following bugs

      • Audit log not showing "Initiated by" when a user tries to remediate an AWS/Azure policy.
    • Updated implementation for following policies

      • Ensure that Logging is enabled for Azure Key Vault

      • Ensure that Service Principal Certificates are renewed before it expires

    • Audit and remediation procedure commands are not properly given in the policies below.

      • Ensure discretionary access control permission modification events are collected

      • Ensure unsuccessful unauthorized file access attempts are collected

      • Ensure successful file system mounts are collected

      • Ensure file deletion events by users are collected

      • Ensure changes to system administration scope (sudoers) is collected

      • Ensure kernel module loading and unloading is collected

      • Ensure events that modify date and time information are collected

      • Ensure events that modify user/group information are collected

      • Ensure events that modify the system's network environment are collected

      • Ensure login and logout events are collected

      • Ensure session initiation information is collected

      • Ensure Storage Container storing activity logs is not Publicly accessible

      • Ensure that monitoring of unencrypted SQL databases is enabled in ASC

  3. Policies & Benchmarks 

    • Added following 3 Azure account related policies

      Category Policy Title
      Azure - Security Center Ensure that Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version in ASC
      Azure - Security Center Ensure that Vulnerabilities in container security configurations should be remediated in ASC
      Azure - Compute (IaaS) Ensure that Virtual Machine's are used managed disks
    • Added following 38 AWS RHEL VM Baseline policies

      Category Policy Title
      RHEL 7 - Initial Setup Ensure address space layout randomization (ASLR) is enabled
      RHEL 7 - Initial Setup Ensure prelink is disabled
      RHEL 7 - Initial Setup Ensure permissions on /etc/issue are configured
      RHEL 7 - Network Configuration Ensure TCP SYN Cookies is enabled
      RHEL 7 - Network Configuration Ensure TCP Wrappers is installed
      RHEL 7 - Network Configuration Ensure iptables is installed
      RHEL 7 - Network Configuration Ensure firewall rules exist for all open ports
      RHEL 7 - Access, Authentication and Authorization Ensure default user shell timeout is 900 seconds or less
      RHEL 7 - Access, Authentication and Authorization Ensure SSH X11 forwarding is disabled
      RHEL 7 - Access, Authentication and Authorization Ensure SSH MaxAuthTries is set to 4 or less
      RHEL 7 - Access, Authentication and Authorization Ensure SSH IgnoreRhosts is enabled
      RHEL 7 - Access, Authentication and Authorization Ensure SSH HostbasedAuthentication is disabled
      RHEL 7 - Access, Authentication and Authorization Ensure SSH root login is disabled
      RHEL 7 - Access, Authentication and Authorization Ensure SSH PermitEmptyPasswords is disabled
      RHEL 7 - Access, Authentication and Authorization Ensure SSH PermitUserEnvironment is disabled
      RHEL 7 - Access, Authentication and Authorization Ensure only approved MAC algorithms are used
      RHEL 7 - Access, Authentication and Authorization Ensure SSH Idle Timeout Interval is configured
      RHEL 7 - Access, Authentication and Authorization Ensure SSH LoginGraceTime is set to one minute or less
      RHEL 7 - Access, Authentication and Authorization Ensure SSH access is limited
      RHEL 7 - Access, Authentication and Authorization Ensure SSH warning banner is configured
      RHEL 7 - Access, Authentication and Authorization Ensure password reuse is limited
      RHEL 7 - Access, Authentication and Authorization Ensure password hashing algorithm is SHA-512
      RHEL 7 - Access, Authentication and Authorization Ensure default group for the root account is GID 0
      RHEL 7 - Access, Authentication and Authorization Ensure minimum days between password changes is 7 or more
      RHEL 7 - Access, Authentication and Authorization Ensure password expiration warning days is 7 or more
      RHEL 7 - Access, Authentication and Authorization Ensure all users last password change date is in the past
      RHEL 7 - System Maintenance Ensure permissions on /etc/shadow- are configured
      RHEL 7 - System Maintenance Ensure permissions on /etc/group- are configured
      RHEL 7 - System Maintenance Ensure permissions on /etc/gshadow- are configured
      RHEL 7 - System Maintenance Ensure no world writable files exist
      RHEL 7 - System Maintenance Ensure no unowned files or directories exist
      RHEL 7 - System Maintenance Ensure no ungrouped files or directories exist
      RHEL 7 - System Maintenance Ensure no legacy "+" entries exist in /etc/passwd
      RHEL 7 - System Maintenance Ensure no legacy "+" entries exist in /etc/shadow
      RHEL 7 - System Maintenance Ensure no legacy "+" entries exist in /etc/group
      RHEL 7 - System Maintenance Ensure root is the only UID 0 account
      RHEL 7 - System Maintenance Ensure no users have .forward files
      RHEL 7 - System Maintenance Ensure no users have .netrc files

February 2020 - v2.26.1

  1. User Experience Improvements

    • Asset Security Dashboard Preview: View protected Azure and AWS assets per region. Refer to the documentation for more details.

    • Risk Dashboard: Updates to user interface.

    • Release Notification: Users will be notified on a new Cloudneeti SaaS release.

    • AWS Remediation: Support for deploying Cloudneeti Remediation Framework in selected region.

    • Auto Remediation: Added audit logs for successful configuration of Azure and AWS auto remediation.

  2. Platform & Stability Improvements

    • Fixed following bugs

      • Subsequent AWS resources should get remediated in case the remediation of one of the resources fails from AWS

      • Authentication token enhancements

  3. Policies & Benchmarks

    • Added following 66 AWS RHEL VM Baseline policies
    Category Policy Title
    RHEL 7 - Access, Authentication and Authorization Ensure at/cron is restricted to authorized users
    RHEL 7 - Access, Authentication and Authorization Ensure SSH Protocol is set to 2
    RHEL 7 - Access, Authentication and Authorization Ensure SSH LogLevel is set to INFO
    RHEL 7 - Access, Authentication and Authorization Ensure default user shell timeout is 900 seconds or less
    RHEL 7 - Initial Setup Ensure updates, patches, and additional security software are installed
    RHEL 7 - Initial Setup Ensure nodev option set on /tmp partition
    RHEL 7 - Initial Setup Ensure nosuid option set on /tmp partition
    RHEL 7 - Initial Setup Ensure noexec option set on /tmp partition
    RHEL 7 - Initial Setup Ensure nodev option set on /dev/shm partition
    RHEL 7 - Initial Setup Ensure nosuid option set on /dev/shm partition
    RHEL 7 - Initial Setup Ensure noexec option set on /dev/shm partition
    RHEL 7 - Initial Setup Ensure mounting of cramfs filesystems is disabled
    RHEL 7 - Initial Setup Ensure mounting of freevxfs filesystems is disabled
    RHEL 7 - Initial Setup Ensure mounting of jffs2 filesystems is disabled
    RHEL 7 - Initial Setup Ensure mounting of hfs filesystems is disabled
    RHEL 7 - Initial Setup Ensure mounting of hfsplus filesystems is disabled
    RHEL 7 - Initial Setup Ensure mounting of squashfs filesystems is disabled
    RHEL 7 - Initial Setup Ensure mounting of udf filesystems is disabled
    RHEL 7 - Initial Setup Ensure gpgcheck is globally activated
    RHEL 7 - Initial Setup Ensure AIDE is installed
    RHEL 7 - Initial Setup Ensure filesystem integrity is regularly checked
    RHEL 7 - Initial Setup Ensure permissions on bootloader config are configured
    RHEL 7 - Initial Setup Ensure SELinux is installed
    RHEL 7 - Initial Setup Ensure SELinux is not disabled in bootloader configuration
    RHEL 7 - Initial Setup Ensure the SELinux state is enforcing
    RHEL 7 - Initial Setup Ensure SELinux policy is configured
    RHEL 7 - Initial Setup Ensure SETroubleshoot is not installed
    RHEL 7 - Initial Setup Ensure the MCS Translation Service (mcstrans) is not installed
    RHEL 7 - Logging and Auditing Ensure rsyslog or syslog-ng is installed
    RHEL 7 - Logging and Auditing Ensure permissions on all logfiles are configured
    RHEL 7 - Logging and Auditing Ensure rsyslog default file permissions configured
    RHEL 7 - Logging and Auditing Ensure rsyslog is configured to send logs to a remote log host
    RHEL 7 - Logging and Auditing Ensure syslog-ng default file permissions configured
    RHEL 7 - Logging and Auditing Ensure auditing for processes that start prior to auditd is enabled
    RHEL 7 - Logging and Auditing Ensure events that modify date and time information are collected
    RHEL 7 - Logging and Auditing Ensure events that modify user/group information are collected
    RHEL 7 - Logging and Auditing Ensure events that modify the system's network environment are collected
    RHEL 7 - Logging and Auditing Ensure events that modify the system's Mandatory Access Controls are collected
    RHEL 7 - Logging and Auditing Ensure login and logout events are collected
    RHEL 7 - Logging and Auditing Ensure session initiation information is collected
    RHEL 7 - Logging and Auditing Ensure discretionary access control permission modification events are collected
    RHEL 7 - Logging and Auditing Ensure unsuccessful unauthorized file access attempts are collected
    RHEL 7 - Logging and Auditing Ensure successful file system mounts are collected
    RHEL 7 - Logging and Auditing Ensure file deletion events by users are collected
    RHEL 7 - Logging and Auditing Ensure system administrator actions (sudolog) are collected
    RHEL 7 - Logging and Auditing Ensure the audit configuration is immutable
    RHEL 7 - Logging and Auditing Ensure audit log storage size is configured
    RHEL 7 - Logging and Auditing Ensure system is disabled when audit logs are full
    RHEL 7 - Logging and Auditing Ensure audit logs are not automatically deleted
    RHEL 7 - Network Configuration Ensure IP forwarding is disabled
    RHEL 7 - Network Configuration Ensure packet redirect sending is disabled
    RHEL 7 - Network Configuration Ensure source routed packets are not accepted
    RHEL 7 - Network Configuration Ensure ICMP redirects are not accepted
    RHEL 7 - Network Configuration Ensure secure ICMP redirects are not accepted
    RHEL 7 - Network Configuration Ensure suspicious packets are logged
    RHEL 7 - Network Configuration Ensure broadcast ICMP requests are ignored
    RHEL 7 - Network Configuration Ensure bogus ICMP responses are ignored
    RHEL 7 - Network Configuration Ensure Reverse Path Filtering is enabled
    RHEL 7 - Services Ensure X Window System is not installed
    RHEL 7 - Services Ensure time synchronization is in use
    RHEL 7 - Services Ensure ntp is configured
    RHEL 7 - Services Ensure chrony is configured
    RHEL 7 - Services Ensure NIS Client is not installed
    RHEL 7 - Services Ensure rsh client is not installed
    RHEL 7 - Services Ensure talk client is not installed
    RHEL 7 - Services Ensure telnet client is not installed
    RHEL 7 - Services Ensure LDAP client is not installed
    • Added following 3 Azure Data Lake policies
    Category Policy Title
    Azure - Storage and Databases Ensure that firewall is enabled for Azure Data Lake Storage Gen1
    Azure - Storage and Databases Ensure that encryption of sensitive data is enabled for Azure Data Lake Storage Gen1
    Azure - Storage and Databases Ensure that diagnostics log is enabled for Azure Data Lake Storage Gen1
    • Added following 18 M365 IAM policies. To get data for these policies, please provide version 1.4 while executing the script for upgrade or creation of Office 365 advance security configuration.

      Category Policy Title
      Identity Ensure that 'Number of methods required to reset' is set to '2'
      Identity Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
      Identity Ensure that 'Notify users on password resets?' is set to 'Yes'
      Identity Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
      Identity Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
      Identity Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
      Identity Ensure that 'Users can register applications' is set to 'No'
      Identity Ensure that 'Guest user permissions are limited' is set to 'Yes'
      Identity Ensure that 'Members can invite' is set to 'No'
      Identity Ensure that 'Guests can invite' is set to 'No'
      Identity Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'
      Identity Ensure that 'Self-service group management enabled' is set to 'No'
      Identity Ensure that 'Users can create security groups' is set to 'No'
      Identity Ensure that 'Users who can manage security groups' is set to 'None'
      Identity Ensure that 'Users can create Office 365 groups' is set to 'No'
      Identity Ensure that 'Users who can manage Office 365 groups' is set to 'None'
      Identity Ensure that 'Enable All Users group' is set to 'Yes'
      Identity Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'
    • Updated following 115 Azure security center policies to support Azure Management Group level scope and show No Data as default behavior.

      References

      Configure ASC policies at Management Group level

      Category Policy Title
      Azure - Security Center Ensure that AAD authentication in Service Fabric is set to enabled in ASC
      Azure - Security Center Ensure that required diagnostic logs retention period in days for Batch accounts is set in ASC
      Azure - Security Center Ensure that required diagnostic logs retention period in days in Azure Search service is set in ASC
      Azure - Security Center Ensure that required diagnostic logs retention period in days in Data Lake Analytics is set in ASC
      Azure - Security Center Ensure that required diagnostic logs retention period in days in Data Lake Store accounts is set in ASC
      Azure - Security Center Ensure that required diagnostic logs retention period in days in Event Hub accounts is set in ASC
      Azure - Security Center Ensure that required diagnostic logs retention period in days in IoT Hub accounts is set in ASC
      Azure - Security Center Ensure that required diagnostic logs retention period in days in Key Vault vaults is set in ASC
      Azure - Security Center Ensure that required diagnostic logs retention period in days in Logic Apps workflows is set in ASC
      Azure - Security Center Ensure that required diagnostic logs retention period in days in Service Bus is set in ASC
      Azure - Security Center Ensure that monitoring of Kubernetes Services without RBAC is enabled in ASC
      Azure - Security Center Ensure that monitoring of sensitive data is classified on SQL database is enabled in ASC
      Azure - Security Center Ensure that monitoring of SQL managed instances alerts being sent to admins and subscription owners is enabled in ASC
      Azure - Security Center Ensure that monitoring of classic storage accounts migration to ARM is enabled in ASC
      Azure - Security Center Ensure that reporting of system updates in virtual machine scale sets is enabled in ASC
      Azure - Security Center Ensure that monitoring of unencrypted SQL databases is enabled in ASC
      Azure - Security Center Ensure that monitoring of classic virtual machines is enabled in ASC
      Azure - Security Center Ensure that OS vulnerabilities monitoring for virtual machine scale sets is enabled in ASC
      Azure - Security Center Ensure that the detection of VM vulnerabilities by a Vulnerability Assessment solution is enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Redis Cache is set to enabled in ASC
      Azure - Security Center Ensure that Vulnerability Assessment on your SQL servers is enabled in ASC
      Azure - Security Center Ensure that monitoring of the use of HTTPS in Web App is enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Search Service is set to enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Service Bus is set to enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Virtual Machine Scale Sets is set to enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Stream Analytics is set to enabled in ASC
      Azure - Security Center Ensure that disable unrestricted network to storage account is set to enabled in ASC
      Azure - Security Center Ensure that monitor disk encryption is set to enabled in ASC
      Azure - Security Center Ensure that monitor for Endpoint Protection is set to enabled in ASC
      Azure - Security Center Ensure that AAD authentication in SQL server is set to enabled in ASC
      Azure - Security Center Ensure that MFA is enabled for all subscription accounts with owner permissions in ASC
      Azure - Security Center Ensure that MFA is enabled for all subscription accounts with read permissions in ASC
      Azure - Security Center Ensure that MFA is enabled for all subscription accounts with write permissions in ASC
      Azure - Security Center Ensure that deprecated accounts is removed on subscription are set to enabled in ASC
      Azure - Security Center Ensure that deprecated accounts with owner permissions are removed from subscription is set to enabled in ASC
      Azure - Security Center Ensure that external accounts with owner permissions are removed from subscription is set to enabled in ASC
      Azure - Security Center Ensure that external accounts with read permissions are removed from subscription is set to enabled in ASC
      Azure - Security Center Ensure that external accounts with write permissions are removed from subscription is set to enabled in ASC
      Azure - Security Center Ensure that monitor of Adaptive Application whitelisting is set to enabled in ASC
      Azure - Security Center Ensure that metric alerts in Batch account is set to enabled in ASC
      Azure - Security Center Ensure that namespace authorization rules in service bus is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of network security groups is set to enabled in ASC
      Azure - Security Center Ensure that next generation firewall is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of OS vulnerabilities is set to enabled in ASC
      Azure - Security Center Ensure that secure transfer to storage account is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of SQL auditing is set to enabled in ASC
      Azure - Security Center Ensure that SqlDb Vulnerability Assessment is set to enabled in ASC
      Azure - Security Center Ensure that monitor SQL encryption is set to enabled in ASC
      Azure - Security Center Ensure that monitor storage blob encryption is set to enabled in ASC
      Azure - Security Center Ensure that monitor system updates is set to enabled in ASC
      Azure - Security Center Ensure that vulnerability assessment is set to enabled in ASC
      Azure - Security Center Ensure that web application firewall is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of permissive network access to app-services is enabled in ASC
      Azure - Security Center Ensure that Cluster Protection level in Service Fabric is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of SQL managed server without Advanced Data Security is enabled in ASC
      Azure - Security Center Ensure that all Advanced Threat Protection types on SQL server is enabled in ASC
      Azure - Security Center Ensure that monitoring of access rules in Event Hub namespaces is enabled in ASC
      Azure - Security Center Ensure that monitoring of the use of HTTPS in API app is enabled in ASC
      Azure - Security Center Ensure that the Audit monitoring of SQL Servers is enabled in ASC
      Azure - Security Center Ensure that monitoring of using built-in RBAC rules is enabled in ASC
      Azure - Security Center Ensure that monitoring of access rules in Event Hubs is enabled in ASC
      Azure - Security Center Ensure that monitoring of Kubernetes Services without authorized IP ranges is enabled in ASC
      Azure - Security Center Ensure that monitoring of Automation Account Encryption is enabled in ASC
      Azure - Security Center Ensure that monitoring of CORS restrictions for API Function is enabled in ASC
      Azure - Security Center Ensure that monitoring of CORS restrictions for API Web is enabled in ASC
      Azure - Security Center Ensure that monitoring of DDoS protection for virtual network is enabled in ASC
      Azure - Security Center Ensure that monitoring of diagnostics logs in selective app services is enabled in ASC
      Azure - Security Center Ensure that monitoring of diagnostic logs in IoT Hubs is enabled in ASC
      Azure - Security Center Ensure that endpoint protection monitoring for virtual machine scale sets is enabled in ASC
      Azure - Security Center Ensure that 'Send alerts to' is set in SQL server Advanced Data Security settings is enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Data Lake Analytics is set to enabled in ASC
      Azure - Security Center Ensure that IP Forwarding monitoring on virtual machines is disabled in ASC
      Azure - Security Center Ensure that monitoring of network just In time access is enabled in ASC
      Azure - Security Center Ensure that monitoring of Open Management Ports on virtual machines is enabled in ASC
      Azure - Security Center Ensure that monitoring of IP restrictions for API App is enabled in ASC
      Azure - Security Center Ensure that monitoring of IP restrictions for Function App is enabled in ASC
      Azure - Security Center Ensure that monitoring of IP restrictions for Web App is enabled in ASC
      Azure - Security Center Ensure that monitoring of diagnostics logs in App Services is enabled in ASC
      Azure - Security Center Ensure that monitoring of web sockets for API App is enabled in ASC
      Azure - Security Center Ensure that monitoring of web sockets for Function App is enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Data Lake Store is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of Endpoint Protection is enabled in ASC
      Azure - Security Center Ensure that monitoring of custom domain use in API App is enabled in ASC
      Azure - Security Center Ensure that monitoring of custom domain use in Function App is enabled in ASC
      Azure - Security Center Ensure that monitoring of custom domain use in Web App is enabled in ASC
      Azure - Security Center Ensure that monitoring of .Net version in API App is enabled in ASC
      Azure - Security Center Ensure that monitoring of .Net version in Web App is enabled in ASC
      Azure - Security Center Ensure that monitoring of Java version in API App is enabled in ASC
      Azure - Security Center Ensure that monitoring of Java version in web app is enabled in ASC
      Azure - Security Center Ensure that monitoring of Node.js version in Web App is enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Event Hub is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of PHP version in Web App is enabled in ASC
      Azure - Security Center Ensure that monitoring of Python version in API App is enabled in ASC
      Azure - Security Center Ensure that monitoring of Python version in Web App is enabled in ASC
      Azure - Security Center Ensure that monitoring of Internet-facing VM for NSG traffic hardening is enabled in ASC
      Azure - Security Center Ensure that monitoring of NSG for virtual machines is enabled in ASC
      Azure - Security Center Ensure that monitoring of NSG for Subnet is enabled in ASC
      Azure - Security Center Ensure that monitoring of Kubernetes Services without pod security policy is enabled in ASC
      Azure - Security Center Ensure that monitoring of remote debugging for API App is enabled in ASC
      Azure - Security Center Ensure that monitoring of remote debugging for Function App is enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Key Vault is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of remote debugging for Web App is enabled in ASC
      Azure - Security Center Ensure that required diagnostic logs retention period in days in Stream Analytics is set in ASC
      Azure - Security Center Ensure that Vulnerability Assessment on your SQL managed instances is enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Logic Apps is set to enabled in ASC
      Azure - Security Center Ensure that JIT network access policy is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of SQL managed instances without Advanced Data Security is enabled in ASC
      Azure - Security Center Ensure that all Advanced Threat Protection types on SQL managed instance is enabled in ASC
      Azure - Security Center Ensure that monitoring of auditing policy Action-Groups and Actions setting is enabled in ASC
      Azure - Security Center Ensure that diagnostics logs in Batch Account is set to enabled in ASC
      Azure - Security Center Ensure that monitoring of CORS restrictions for API App is enabled in ASC
      Azure - Security Center Ensure that monitoring of the use of HTTPS in function app is enabled in ASC
      Azure - Security Center Ensure that monitoring of web sockets for Web App is enabled in ASC
      Azure - Security Center Ensure that monitoring of PHP version in the API App is enabled in ASC

February 2020 - v2.25.1

  1. User Experience Improvements

    • Private Benchmarks: Added audit log, reports, and email notifications for an association to an active License.
  2. Platform & Stability Improvements

    • Fixed following bugs
      • Extra categories are visible in the Baseline benchmark list
      • Incorrect x/y count found for policy -> Ensure that 'Send alerts to' in Advanced Threat Protection Settings is set for SQL database
      • 'Ensure Log Exports feature is enabled for Oracle instances' policy audit/remediation procedure is incorrect
      • 'Ensure Log Exports feature is enabled for RDS MySQL Instance': Audit log is invalid for latest versions of MySQL instances
  3. Policies & Benchmarks Additions/Updates

    • Added the following 5 new security policies for Office 365 cloud account. To get data for these policies, please provide version 1.3 while executing the script for upgrade or creation of Office 365 advance security configuration.

      Category Policy Title
      M365 - Account / Authentication Ensure modern authentication for Exchange Online is enabled
      M365 - Data Management Use custom sensitive information type classification for information protection
      M365 - Email Security / Exchange Online Ensure MailTips are enabled for end users
      M365 - Email Security / Exchange Online Ensure basic authentication for Exchange Online is disabled
      M365 - Storage Block OneDrive for Business sync from unmanaged devices

January 2020 - v2.24.1

  1. User Experience Improvements

    • Added email notifications to collaborators of private benchmark
  2. Platform & Stability Improvements

    • Fixed following bugs
      • Private benchmark: Associated/Dissociated benchmarks are not visible under Private Benchmark tab unless user refreshes the UI
      • Private benchmark: Private benchmark details are not opening in single click on navigating to the benchmark list page
      • Private benchmark: Incorrect total count of policies in a category on Configure Benchmark
      • Private benchmark: Arrow button is inconsistent for Private Benchmark 'configurations'
      • Manage Users: Email notification not received on adding Account user
      • Duplicate policies found for SQL Server for NIST-CSF benchmark
  3. Policies & Benchmarks Additions/Updates

    • Added the following 20 new security policies for Azure cloud account

      Category Policy Title
      Azure - Logging and Auditing Ensure that 'Send scan reports to' is set for SQL Server
      Azure - Logging and Auditing Ensure that 'Send scan reports to' is set for SQL database
      Identity & Access Management Ensure that 'Number of methods required to reset' is set to '2'
      Identity & Access Management Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
      Identity & Access Management Ensure that 'Notify users on password resets?' is set to 'Yes'
      Identity & Access Management Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'
      Identity & Access Management Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'
      Identity & Access Management Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'
      Identity & Access Management Ensure that 'Users can register applications' is set to 'No'
      Identity & Access Management Ensure that 'Guest user permissions are limited' is set to 'Yes'
      Identity & Access Management Ensure that 'Members can invite' is set to 'No'
      Identity & Access Management Ensure that 'Guests can invite' is set to 'No'
      Identity & Access Management Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'
      Identity & Access Management Ensure that 'Self-service group management enabled' is set to 'No'
      Identity & Access Management Ensure that 'Users can create security groups' is set to 'No'
      Identity & Access Management Ensure that 'Users who can manage security groups' is set to 'None'
      Identity & Access Management Ensure that 'Users can create Office 365 groups' is set to 'No'
      Identity & Access Management Ensure that 'Users who can manage Office 365 groups' is set to 'None'
      Identity & Access Management Ensure that 'Enable "All Users" group' is set to 'Yes'
      Identity & Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'
    • Added the following 28 new security policies for AWS cloud account

      Category Policy Title
      AWS - Audit and Logging Ensure to enable unsafe statement transaction logging for RDS MySQL Instance
      AWS - Data Protection Ensure that latest block encryption algorithms is used for RDS MySQL Instance
      AWS - Data Protection Ensure that server loads the validate password plugin at startup for RDS MySQL Instance
      AWS - Data Protection Ensure to enable FIPS standards on the server side for RDS MySQL Instance
      AWS - Audit and Logging Ensure Log Exports feature is enabled for RDS MySQL Instance
      AWS - Audit and Logging Ensure Log Exports feature is enabled for RDS Mariadb Instance
      AWS - Audit and Logging Ensure Log Exports feature is enabled for Aurora cluster
      AWS - Audit and Logging Ensure Log Exports feature is enabled for Oracle instances
      AWS - Business Continuity Ensure Auto Minor Version Upgrade feature is Enabled for RDS MySQL Instances
      AWS - Business Continuity Ensure backup retention policy is set for RDS MySQL Instances
      AWS - Governance Ensure that Copy Tags to Snapshots feature is enabled for RDS MySQL Instances
      AWS - Data Protection Ensure Deletion Protection feature is enabled for RDS MySQL Instances
      AWS - Identity and Access Management Ensure IAM Database Authentication feature is enabled for RDS MySQL Instances
      AWS - Audit and Logging Ensure that Event Subscription is enabled for RDS MySQL Instance
      AWS - Data Protection Ensure Performance Insights feature is enabled for RDS MySQL Instances
      AWS - Networking Ensure that public access is not given to RDS MySQL Instance
      AWS - Storage and Databases Ensure that port number should not be set as default port number for RDS MySQL Instances
      AWS - Networking Ensure that public subnets are not assigned to RDS MySQL Instances
      AWS - Governance Ensure that unique master user name is used for each RDS MySQL Instance
      AWS - Identity and Access Management Ensure data-tier security group are configured for RDS MySQL Instances
      AWS - Business Continuity Ensure that sufficient backup retention period is applied to RDS MySQL Instances
      AWS - Data Protection Ensure that encryption is enabled for RDS MySQL Instances
      AWS - Business Continuity Ensure Multi-AZ feature is Enabled for RDS MySQL Instance
      AWS - Data Protection Ensure that encryption for storage done with KMS CMKs for each RDS MySQL Instance
      AWS - Audit and Logging Ensure that CloudTrail trail have logging enabled
      AWS - Monitoring Ensure a log metric filter and alarm exist for S3 bucket object read operations
      AWS - Monitoring Ensure a log metric filter and alarm exist for S3 bucket object write operations
      AWS - Monitoring Ensure that S3 buckets are not publicly accessible

January 2020 - v2.23.1

  1. Features & User Experience Improvements

    • Private Benchmark: Cloudneeti lets organizations create their own information security benchmark, either by deriving it from an existing baseline of Cloudneeti-supported benchmarks or by creating one from scratch. Refer to the documentation for more details here.
    • Audit Report API: Cloudneeti offers an Audit Report API for automated access to security and compliance posture. This API is part of a larger set of features for deeper integration with DevOps and risk auditors' tooling. Refer to the details here.
    • Added consistent tooltips across the Compliance, Security, Risk, and Asset dashboards and the benchmark summary pages.
  2. Platform & Stability Improvements

    • Fixed the following bugs
      • Delete Account User email notification missing
      • Fixed the implementation of Application Gateway policies for TLS versions 1.0, 1.1 and 1.2
  3. Policies & Benchmarks Additions/Updates

    • Added the following 23 Azure security policies for Auto remediation.

      Policy Title
      Ensure that 'Secure transfer required' is 'Enabled' for Storage Account
      Ensure that 'Geo-redundant' is enabled for Azure Storage
      Ensure that remote debugging is turned off for App Service
      Ensure that remote debugging is turned off for Function App
      Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
      Ensure that Auditing and Monitoring is enabled for App Service
      Ensure HTTP/2 is enabled for an App Service Function Apps
      Ensure HTTP/2 is enabled for an App Service API Apps
      Ensure HTTP/2 is enabled for an App Service Mobile Apps
      Ensure Web Sockets are disabled for App Services
      Ensure Web Sockets are disabled for Mobile Apps
      Ensure Web Sockets are disabled for API Apps
      Ensure Web Sockets are disabled for Function Apps
      Ensure web app is using the latest version of TLS encryption
      Ensure that TLS is configured for Function Apps
      Ensure that TLS is configured for Mobile Apps
      Ensure that TLS is configured for API Apps
      Ensure that Auditing and Monitoring is enabled for Mobile App
      Ensure that Auditing and Monitoring is enabled for API App
      Ensure that Mobile App is only accessible over HTTPS
      Ensure that remote debugging is turned off for Mobile App
      Ensure that remote debugging is turned off for API App
      Ensure that Auditing and Monitoring is enabled for Function App
    • Removed the following Azure security policy for Auto remediation due to a change in Microsoft Azure

      Policy Title
      Ensure that Network Watcher is 'Enabled'
    • Added the following 4 new security policies for Azure cloud account

      Category Policy Title
      Azure - Logging and Auditing Ensure that periodic recurring scans is enabled for SQL server
      Azure - Logging and Auditing Ensure that 'Also send email notification to admin and subscription owners' in Periodic recurring scan is enabled for SQL Server
      Azure - Logging and Auditing Ensure that periodic recurring scans is enabled for SQL database
      Azure - Logging and Auditing Ensure that 'Also send email notification to admin and subscription owners' in Periodic recurring scan is enabled for SQL database
    • Updated policy titles and implementation for the following 5 policies, per recent updates in Microsoft Azure.

      Old policy title | Updated policy title
      Ensure that 'Send alerts to' is set for SQL Server | Ensure that 'Send alerts to' in Advanced Threat Protection Settings is set for SQL Server
      Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Server | Ensure that 'Also send email notification to admin and subscription owners' in Advanced Threat Protection Settings is enabled for SQL Server
      Ensure that 'Threat Detection' is set to 'On' for SQL Databases | Ensure that 'Advanced Data Security' on a SQL database is set to 'On'
      Ensure that 'Send alerts to' is set for SQL Databases | Ensure that 'Send alerts to' in Advanced Threat Protection Settings is set for SQL database
      Ensure that 'Email service and co-administrators' is 'Enabled' for SQL Server | Ensure that 'Also send email notification to admin and subscription owners' in Advanced Threat Protection Settings is enabled for SQL database