July 04, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 4 July 2022.
  • Introducing the new Evolution Chart summary widget under the Overview tab, which lets you view your overall compliance trend for up to one year and the daily average breakdown of your compliance score by Success, Failed, and Total checks.
  • Conformity now supports the following compliance standards:
      • ISO 27001:2013 for GCP
      • PCI DSS v3.2.1 (updated April 2022) for GCP
  • Updated AWS and Azure rules mapping for APRA CPS 234 compliance standard.
  • Added a new operator `isNullOrUndefined` for Custom Rules.
Bug Fixes
  • Fixed a bug where unassociated checks from other accounts were being shown inside the Most critical failures section of the Group Dashboard and the Account Dashboard.
  • Fixed a bug where users who signed in to the Conformity platform via SSO through the Trend Micro Cloud One console were unable to connect to Jira OAuth from the Jira communication channel.
  • To ensure Microsoft Teams notifications are received promptly for all organizations, Microsoft Teams communication channels are now limited to 100 notifications/hr per channel.
  • Fixed a bug where unassociated checks from other accounts in the same organisation were displayed in the View by Rule and View by Standards & Frameworks views.
  • Fixed a bug where the drop-down email selection did not load all available email addresses when configuring a scheduled report.
  • Fixed a bug where Well-Architected Tool notes were sometimes not generated, and added support for the Sustainability pillar.
Custom Policy Updates
There is no change to the custom policy as a result of this deployment. The current custom policy version is 1.37.
Conformity Bot Update
Improved Conformity Bot performance for Azure subscriptions: the Bot now scans only the minimum Active Directory data required to run the Active Directory rules.
New Rules
GCP
  • CloudSQL-022: Disable "log_planner_stats" Flag for PostgreSQL Database Instances: This rule ensures that the `log_planner_stats` PostgreSQL database flag is set to "off".
  • CloudSQL-023: Enable "log_hostname" Flag for PostgreSQL Database Instances: This rule ensures that the `log_hostname` PostgreSQL database flag is set to "on".
  • CloudSQL-024: Enable "skip_show_database" Flag for MySQL Database Instances: This rule ensures that the `skip_show_database` MySQL database flag is set to "on".
  • CloudSQL-025: Disable "log_parser_stats" Flag for PostgreSQL Database Instances: This rule ensures that the `log_parser_stats` PostgreSQL database flag is set to "off".
  • CloudSQL-026: Disable "log_executor_stats" Flag for PostgreSQL Database Instances: This rule ensures that the `log_executor_stats` PostgreSQL database flag is set to "off".
  • CloudVPC-006: Cloud DNS Logging for VPC Networks: This rule ensures that Cloud DNS logging is enabled for all your Virtual Private Cloud (VPC) networks using DNS server policies.
  • CloudLoadBalancing-001: Check for Insecure SSL Cipher Suites: This rule ensures that there are no HTTPS/SSL Proxy load balancers configured with insecure SSL policies.
  • CloudStorage-003: Configure Retention Policies with Bucket Lock: This rule ensures that the log bucket retention policies are using the Bucket Lock feature.
  • CloudIAM-010: Enforce Separation of Duties for KMS-Related Roles: This rule ensures that separation of duties is implemented for all Google Cloud KMS-related roles.
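The five CloudSQL flag rules above all reduce to the same check: read an instance's `settings.databaseFlags` and compare one flag against a required value, for the engine the rule applies to. The following is an added example of that check, not Conformity's own rule engine; it assumes the instance documents follow the shape of the Cloud SQL Admin API instance resource (`databaseVersion`, `settings.databaseFlags[{name, value}]`), treats an unset flag as the engine default ("off" for all five flags), and uses constructed sample instances.

```python
"""Evaluate the five Cloud SQL database-flag rules from this release.

Added example (not Conformity's own rule engine). The instance documents
follow the shape of the Cloud SQL Admin API instance resource:
`databaseVersion` plus `settings.databaseFlags[{name, value}]`.
"""

# Rule id -> (databaseVersion prefix the rule applies to, flag, required value),
# transcribed from the rule descriptions in the release notes.
CLOUDSQL_FLAG_RULES = {
    "CloudSQL-022": ("POSTGRES", "log_planner_stats", "off"),
    "CloudSQL-023": ("POSTGRES", "log_hostname", "on"),
    "CloudSQL-024": ("MYSQL", "skip_show_database", "on"),
    "CloudSQL-025": ("POSTGRES", "log_parser_stats", "off"),
    "CloudSQL-026": ("POSTGRES", "log_executor_stats", "off"),
}

# Assumption: a flag that is not set explicitly takes the engine default,
# which is "off" for all five flags above. So the "must be off" rules pass
# on an unset flag, while the "must be on" rules fail on an unset flag.
DEFAULT_FLAG_VALUE = "off"


def flags_of(instance):
    """Return {flag_name: value} from settings.databaseFlags, lower-cased."""
    flags = instance.get("settings", {}).get("databaseFlags") or []
    return {f["name"].lower(): str(f.get("value", "")).lower() for f in flags}


def evaluate_instance(instance):
    """Return {rule_id: 'SUCCESS' | 'FAILURE'} for the rules that apply to
    this instance's engine; rules for other engines are omitted."""
    engine = instance.get("databaseVersion", "").upper()
    flags = flags_of(instance)
    results = {}
    for rule_id, (engine_prefix, flag, required) in CLOUDSQL_FLAG_RULES.items():
        if not engine.startswith(engine_prefix):
            continue  # rule is for a different engine
        actual = flags.get(flag, DEFAULT_FLAG_VALUE)
        results[rule_id] = "SUCCESS" if actual == required else "FAILURE"
    return results


def failing_instances(instances):
    """Return {instance_name: [failed rule ids]} for instances with any failure."""
    report = {}
    for inst in instances:
        failed = sorted(r for r, s in evaluate_instance(inst).items() if s == "FAILURE")
        if failed:
            report[inst["name"]] = failed
    return report


# Constructed sample instances (not real resources).
SAMPLE_POSTGRES = {
    "name": "pg-prod-1",
    "databaseVersion": "POSTGRES_14",
    "settings": {
        "databaseFlags": [
            {"name": "log_hostname", "value": "on"},
            {"name": "log_planner_stats", "value": "on"},  # violates CloudSQL-022
        ]
    },
}

SAMPLE_MYSQL = {
    "name": "mysql-dev-1",
    "databaseVersion": "MYSQL_8_0",
    "settings": {"databaseFlags": []},  # skip_show_database unset -> CloudSQL-024 fails
}

if __name__ == "__main__":
    for inst in (SAMPLE_POSTGRES, SAMPLE_MYSQL):
        print(inst["name"], evaluate_instance(inst))
    print(failing_instances([SAMPLE_POSTGRES, SAMPLE_MYSQL]))
```

The default-value assumption is the part worth checking against your own engine versions: a scanner that flags every unset flag produces noise on the "off" rules, while one that treats unset as compliant on the "on" rules misses real drift.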
Azure
  • Network-023: Check for Unrestricted DNS Access: This rule ensures that no network security groups allow unrestricted inbound access on TCP and UDP port 53.
  • Network-020: Check for Unrestricted ICMP Access: This rule ensures that no network security groups allow unrestricted inbound access using Internet Control Message Protocol (ICMP).
  • Network-018: Check for Unrestricted SMTP Access: This rule ensures that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP port 25.
  • Network-019: Check for Unrestricted Telnet Access: This rule ensures that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP port 23.
  • SecurityCenter-035: Microsoft Defender for Cloud for SQL Server Virtual Machines: This rule ensures that Microsoft Defender for Cloud is enabled for SQL Server virtual machines.
  • SecurityCenter-036: Enable Microsoft Defender for Cloud for Azure SQL Database Servers: This rule ensures that Microsoft Defender for Cloud is enabled for your Azure SQL database servers.
  • SecurityCenter-037: Enable Microsoft Defender for Cloud for Azure Containers: This rule ensures that Microsoft Defender for Cloud is enabled for Azure containers.
  • SecurityCenter-038: Enable Microsoft Defender for Cloud for Storage Accounts: This rule ensures that Microsoft Defender for Cloud is enabled for Azure storage accounts.
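The four Network rules above (unrestricted inbound SMTP, Telnet, ICMP and DNS) share one evaluation: find inbound Allow rules whose source is any address and whose protocol and destination port range cover the port in question. The following is an added example of that evaluation, not Conformity's code; it assumes security rules in the ARM `securityRules[]` shape with a nested `properties` object, treats the listed source prefixes as "unrestricted", and runs over a constructed sample NSG. It does not model NSG priority ordering, so an overlapping Deny rule with a lower priority number would not suppress a finding.

```python
"""Find Azure NSG rules that expose the ports/protocols covered by
Network-018, Network-019, Network-020 and Network-023.

Added example, not Conformity's code. Each security rule follows the ARM
`securityRules[]` shape with a nested `properties` object.
"""

# Rule id -> list of (protocol, destination port) that must not be open to
# any source; ICMP has no port, hence None. Transcribed from the release notes.
NETWORK_RULES = {
    "Network-018": [("tcp", 25)],
    "Network-019": [("tcp", 23)],
    "Network-020": [("icmp", None)],
    "Network-023": [("tcp", 53), ("udp", 53)],
}

# Assumption: these source prefixes mean "any source".
UNRESTRICTED_SOURCES = {"*", "internet", "any", "0.0.0.0", "0.0.0.0/0"}


def _sources(props):
    srcs = list(props.get("sourceAddressPrefixes") or [])
    if props.get("sourceAddressPrefix"):
        srcs.append(props["sourceAddressPrefix"])
    return [s.lower() for s in srcs]


def _dest_ports(props):
    ranges = list(props.get("destinationPortRanges") or [])
    if props.get("destinationPortRange"):
        ranges.append(props["destinationPortRange"])
    return [r.strip() for r in ranges]


def port_in_ranges(port, ranges):
    """True if `port` falls inside any NSG port expression ('*', '53', '20-25')."""
    for r in ranges:
        if r == "*":
            return True
        if "-" in r:
            lo, hi = r.split("-", 1)
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif r.isdigit() and int(r) == port:
            return True
    return False


def _exposes(props, proto, port):
    rule_proto = props.get("protocol", "*").lower()
    ports = _dest_ports(props)
    if port is None:  # ICMP: protocol Icmp, or '*' with every port open (assumption)
        return rule_proto == "icmp" or (rule_proto == "*" and "*" in ports)
    return rule_proto in ("*", proto) and port_in_ranges(port, ports)


def evaluate_nsg(nsg):
    """Return {rule_id: [offending security rule names]} for one NSG.
    Caveat: priority ordering is not modelled; overlapping Deny rules are ignored."""
    findings = {rule_id: [] for rule_id in NETWORK_RULES}
    for sr in nsg.get("securityRules", []):
        props = sr.get("properties", {})
        if props.get("direction", "").lower() != "inbound":
            continue
        if props.get("access", "").lower() != "allow":
            continue
        if not any(src in UNRESTRICTED_SOURCES for src in _sources(props)):
            continue
        for rule_id, requirements in NETWORK_RULES.items():
            if any(_exposes(props, proto, port) for proto, port in requirements):
                findings[rule_id].append(sr["name"])
    return findings


def _rule(name, priority, direction, access, protocol, source, ports):
    """Build a constructed ARM-style security rule for the sample below."""
    props = {"priority": priority, "direction": direction, "access": access,
             "protocol": protocol, "sourceAddressPrefix": source,
             "destinationAddressPrefix": "*", "sourcePortRange": "*"}
    if isinstance(ports, list):
        props["destinationPortRanges"] = ports
    else:
        props["destinationPortRange"] = ports
    return {"name": name, "properties": props}


# Constructed sample NSG (not a real resource).
SAMPLE_NSG = {
    "name": "web-tier-nsg",
    "securityRules": [
        _rule("allow-dns-any", 100, "Inbound", "Allow", "*", "*", "53"),
        _rule("allow-mgmt", 110, "Inbound", "Allow", "Tcp", "Internet", ["25", "3389"]),
        _rule("allow-icmp-office", 120, "Inbound", "Allow", "Icmp", "10.0.0.0/8", "*"),
        _rule("allow-telnet-out", 130, "Outbound", "Allow", "Tcp", "*", "23"),
        _rule("allow-any-any", 200, "Inbound", "Allow", "*", "0.0.0.0/0", "*"),
        _rule("deny-all-in", 4096, "Inbound", "Deny", "*", "*", "*"),
    ],
}

if __name__ == "__main__":
    for rule_id, names in evaluate_nsg(SAMPLE_NSG).items():
        print(rule_id, "FAILURE" if names else "SUCCESS", names)
```

Two behaviours in the sample are the ones that matter in practice: `allow-mgmt` is caught by Network-018 only because `25` appears inside a `destinationPortRanges` list rather than a single `destinationPortRange`, and `allow-any-any` trips all four rules at once because protocol `*` with port `*` covers TCP, UDP and ICMP together.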
Rule Updates
  • Updated the following rules to enhance check results and improve the way exceptions are handled:
      • CloudVPC-004: Default VPC Network In Use
      • CloudVPC-005: Check for Legacy Networks
  • Updated the check results of the following rules with minor text changes:
      • SecurityCenter-032: Enable Microsoft Defender for Cloud for Virtual Machines
      • SecurityCenter-033: Enable Microsoft Defender for Cloud for App Service
      • SecurityCenter-034: Enable Microsoft Defender for Cloud for Key Vaults
  • The following rules no longer generate checks for Google Kubernetes Engine (GKE) clusters, as their best practices do not apply to GKE clusters:
      • ComputeEngine-001: Check for Virtual Machine Instances with Public IP Addresses
      • ComputeEngine-004: Disable IP Forwarding for Virtual Machine Instances
      • ComputeEngine-006: Check for Instances Associated with Default Service Accounts
      • ComputeEngine-008: Check for Instance-Associated Service Accounts with Full API Access
  • VirtualMachines-023: Enable Accelerated Networking for Virtual Machines: Added support for excluding checks by `tags` or `resourceId` for this rule.
  • ActiveDirectory-003: Check for Active Directory Guest Users: The rule now evaluates 100 guest users instead of all guest users.