January 19, 2022, Conformity—The following features and updates were released to Conformity on 19 January 2022.
  • The Jira communication channel configuration modal now displays an error message when the test ticket cannot be transitioned properly when testing a configuration.
Bug Fixes
  • Fixed a bug where JIRA ticket workflows did not resolve properly when the workflow has a screen attached to the Done transition and that screen has a required field (for example, Resolution).
  • Fixed a bug that caused the 'Resource' and 'Introduced by' fields to be included by default in Slack notification messages from Conformity, even though the default configuration displayed in the UI indicated otherwise.
  • Fixed a bug to enable an Admin user to invite a Cloud One Conformity user to a Conformity direct organization.
  • Fixed a bug where the ‘Disable’ and ‘Remove’ buttons were pushed off the screen when an API key had multiple safelisted IP addresses.
  • Fixed a bug where previously suppressed checks were displayed as unsuppressed after an update to group settings or to Azure access settings.
  • Fixed an issue where, in the ‘View by Resources’ tab, not-scored checks were displayed and counted as failed checks.
Custom Policy Updates
  • The permission added is: ‘iam:GetAccountAuthorizationDetails’
New Rules
GCP
  • ComputeEngine-003: Disable Interactive Serial Console Support: This rule ensures that interactive serial console support is disabled for all your production Google Compute Engine instances.
  • ComputeEngine-004: Disable IP Forwarding for Virtual Machine Instances: This rule ensures that the IP Forwarding feature is disabled at the Google Compute Engine instance level for security and compliance reasons, because instances with IP Forwarding enabled can act as routers/packet forwarders.
  • CloudSQL-008: Enable 'log_connections' Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the 'log_connections' configuration flag enabled.
  • CloudSQL-009: Enable "log_disconnections" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the "log_disconnections" flag enabled.
  • CloudSQL-010: Enable "log_checkpoints" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the "log_checkpoints" flag enabled.
  • CloudSQL-011: Enable "log_lock_waits" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the "log_lock_waits" flag enabled.
  • CloudSQL-012: Enable 'log_temp_files' Flag for PostgreSQL Database Instances: This rule ensures that "log_temp_files" database flag is set to 0 (enabled) for all your Google Cloud PostgreSQL database instances.
  • CloudSQL-013: Configure "log_min_error_statement" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the appropriate configuration set for the "log_min_error_statement" flag.
  • CloudSQL-014: Disable "local_infile" Flag for MySQL Database Instances: This rule ensures that MySQL database instances have the "local_infile" flag disabled.
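The GCP rules above all reduce to inspecting fields of a resource's API representation. The following evaluator is an added example, not Conformity's own rule engine: it reads the JSON shapes returned by the Cloud SQL Admin API (`databaseVersion`, `settings.databaseFlags`) and the Compute Engine API (`canIpForward`, `metadata.items`) and reports PASS/FAIL per rule. Two points are assumptions rather than statements from the page: "appropriate" for `log_min_error_statement` (CloudSQL-013) is taken to mean ERROR or a stricter PostgreSQL severity, and an absent flag is treated as a failure because the rules ask for an explicit setting. The sample resources at the bottom are constructed.

```python
"""Evaluate Google Cloud resources against the GCP rules listed above.

Added example (not Conformity's own code).  Consumes the JSON returned by
the Cloud SQL Admin API (instances.get) and the Compute Engine API
(instances.get), so it can run offline on exported resource JSON.
"""

# CloudSQL-008 .. CloudSQL-012: PostgreSQL flag and the value that passes.
# log_temp_files=0 means "log every temporary file", which the rule treats as enabled.
POSTGRES_FLAG_RULES = {
    "log_connections": ("CloudSQL-008", {"on"}),
    "log_disconnections": ("CloudSQL-009", {"on"}),
    "log_checkpoints": ("CloudSQL-010", {"on"}),
    "log_lock_waits": ("CloudSQL-011", {"on"}),
    "log_temp_files": ("CloudSQL-012", {"0"}),
}

# CloudSQL-013: the page only says "appropriate configuration"; this example
# assumes ERROR or a stricter PostgreSQL severity (LOG, FATAL, PANIC) passes.
LOG_MIN_ERROR_STATEMENT_OK = {"error", "log", "fatal", "panic"}


def flag_map(instance):
    """Return {flag_name: value} (lower-cased) from settings.databaseFlags."""
    flags = instance.get("settings", {}).get("databaseFlags") or []
    return {f["name"].lower(): str(f.get("value", "")).lower() for f in flags}


def evaluate_cloudsql_flags(instance):
    """Return [(rule_id, status, detail)] for the flag rules that apply.

    An absent flag is reported as FAIL (assumption): the rules require the
    setting to be present with the compliant value, not left at a default.
    """
    version = instance.get("databaseVersion", "").upper()
    flags = flag_map(instance)
    results = []
    if version.startswith("POSTGRES"):
        for name, (rule_id, ok_values) in POSTGRES_FLAG_RULES.items():
            value = flags.get(name)
            results.append((rule_id, "PASS" if value in ok_values else "FAIL",
                            f"{name}={value!r}"))
        value = flags.get("log_min_error_statement")
        results.append(("CloudSQL-013",
                        "PASS" if value in LOG_MIN_ERROR_STATEMENT_OK else "FAIL",
                        f"log_min_error_statement={value!r}"))
    elif version.startswith("MYSQL"):
        # CloudSQL-014: local_infile must be explicitly "off".
        value = flags.get("local_infile")
        results.append(("CloudSQL-014", "PASS" if value == "off" else "FAIL",
                        f"local_infile={value!r}"))
    return results


def evaluate_compute_instance(instance):
    """ComputeEngine-003 / -004 on a Compute Engine instance resource.

    Only instance-level metadata is inspected (assumption); serial console
    access can also be enabled by project-wide metadata, which this does not see.
    """
    items = instance.get("metadata", {}).get("items") or []
    metadata = {i["key"]: str(i.get("value", "")).lower() for i in items}
    serial_on = metadata.get("serial-port-enable") in {"1", "true"}
    ip_forward = bool(instance.get("canIpForward", False))
    return [
        ("ComputeEngine-003", "FAIL" if serial_on else "PASS",
         f"serial-port-enable={metadata.get('serial-port-enable')!r}"),
        ("ComputeEngine-004", "FAIL" if ip_forward else "PASS",
         f"canIpForward={ip_forward}"),
    ]


# Constructed sample resources (not real instances).
SAMPLE_POSTGRES = {
    "name": "pg-prod-1",
    "databaseVersion": "POSTGRES_13",
    "settings": {"databaseFlags": [
        {"name": "log_connections", "value": "on"},
        {"name": "log_disconnections", "value": "on"},
        {"name": "log_temp_files", "value": "0"},
        {"name": "log_min_error_statement", "value": "warning"},
    ]},
}
SAMPLE_MYSQL = {
    "name": "mysql-1",
    "databaseVersion": "MYSQL_8_0",
    "settings": {"databaseFlags": [{"name": "local_infile", "value": "off"}]},
}
SAMPLE_VM = {
    "name": "web-1",
    "canIpForward": True,
    "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]},
}

if __name__ == "__main__":
    for resource in (SAMPLE_POSTGRES, SAMPLE_MYSQL):
        for rule_id, status, detail in evaluate_cloudsql_flags(resource):
            print(f"{resource['name']:10} {rule_id} {status} ({detail})")
    for rule_id, status, detail in evaluate_compute_instance(SAMPLE_VM):
        print(f"{SAMPLE_VM['name']:10} {rule_id} {status} ({detail})")
```

Running it against the constructed PostgreSQL instance shows why "absent counts as failing" matters: `log_checkpoints` and `log_lock_waits` were never set, so CloudSQL-010 and CloudSQL-011 fail even though nothing was explicitly disabled, and `log_min_error_statement=warning` fails CloudSQL-013 under the ERROR-or-stricter assumption.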
Azure
  • AppService-017: Disable Plain FTP Deployment: This rule ensures that your Microsoft Azure App Services web applications are not configured to be deployed over plain FTP. Instead, the deployment can be disabled over FTP or performed over FTPS. FTPS (Secure FTP) is used to enhance security for your Azure web application as it adds an extra layer of security to the FTP protocol and helps you to comply with industry standards and regulations.
  • VirtualMachines-036: Use Customer Managed Keys for Virtual Hard Disk Encryption: This rule ensures that your Microsoft Azure Virtual Hard Disk (VHD) volumes are using Customer Managed Keys (CMKs) instead of Platform-Managed Keys (PMKs – default keys used by Microsoft Azure for disk encryption) in order to have full control over your VHD data encryption and decryption process.
  • Network-015: Check for Unrestricted UDP Access: This rule ensures that Microsoft Azure network security groups (NSGs) do not allow unrestricted inbound access (i.e. from 0.0.0.0/0) on UDP ports.
  • ActivityLog-027: Create Alert for "Delete Policy Assignment" Events: This rule ensures that an Azure activity log alert is used to detect "Delete Policy Assignment" events.
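The Network-015 condition above (an NSG rule that allows inbound UDP from any source) can be checked directly on the NSG resource JSON that Azure Resource Manager returns. The evaluator below is an added example, not Conformity's own rule code; it assumes the standard `properties.securityRules[].properties` layout (`direction`, `access`, `protocol`, `sourceAddressPrefix`/`sourceAddressPrefixes`, `destinationPortRange`/`destinationPortRanges`) and treats `*`, `0.0.0.0/0`, `::/0` and the `Internet` service tag as "any source". It deliberately does not model Deny rules that would shadow a lower-priority Allow, so it can over-report but not miss an exposed rule. The sample NSG is constructed.

```python
"""Find network security group (NSG) rules that allow unrestricted inbound
UDP, the condition Network-015 reports.

Added example (not Conformity's own code).  Reads the NSG resource JSON
shape returned by Azure Resource Manager; the sample NSG is constructed.
"""

# Source values that mean "anyone on the internet" (assumption: this set).
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "internet"}


def _sources(props):
    """Collect the single and plural source prefix fields into one list."""
    single = props.get("sourceAddressPrefix")
    many = props.get("sourceAddressPrefixes") or []
    return ([single] if single else []) + list(many)


def _dest_ports(props):
    """Collect the single and plural destination port fields into one list."""
    single = props.get("destinationPortRange")
    many = props.get("destinationPortRanges") or []
    return ([single] if single else []) + list(many)


def is_unrestricted_udp(rule):
    """True if one NSG rule allows inbound UDP (or any protocol) from any source."""
    props = rule.get("properties", {})
    if props.get("direction", "").lower() != "inbound":
        return False
    if props.get("access", "").lower() != "allow":
        return False
    if props.get("protocol", "").lower() not in {"udp", "*"}:
        return False
    return any(src.lower() in ANY_SOURCE for src in _sources(props))


def find_unrestricted_udp(nsg):
    """Return [(rule name, priority, destination ports)] sorted by priority.

    Assumption: Deny rules with a lower priority number that would shadow an
    Allow rule are not modelled, so this may over-report, never under-report.
    """
    hits = []
    for rule in nsg.get("properties", {}).get("securityRules") or []:
        if is_unrestricted_udp(rule):
            props = rule["properties"]
            hits.append((rule["name"], props.get("priority", 0), _dest_ports(props)))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample NSG: two exposed rules, three that are fine.
SAMPLE_NSG = {
    "name": "nsg-web",
    "properties": {"securityRules": [
        {"name": "allow-dns-udp", "properties": {
            "priority": 100, "direction": "Inbound", "access": "Allow",
            "protocol": "Udp", "sourceAddressPrefix": "*",
            "destinationPortRange": "53"}},
        {"name": "allow-ssh-office", "properties": {
            "priority": 110, "direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
            "destinationPortRange": "22"}},
        {"name": "allow-all-internet", "properties": {
            "priority": 120, "direction": "Inbound", "access": "Allow",
            "protocol": "*", "sourceAddressPrefixes": ["Internet"],
            "destinationPortRanges": ["1000-2000", "4000"]}},
        {"name": "allow-udp-internal", "properties": {
            "priority": 130, "direction": "Inbound", "access": "Allow",
            "protocol": "Udp", "sourceAddressPrefix": "10.0.0.0/8",
            "destinationPortRange": "*"}},
        {"name": "allow-udp-out", "properties": {
            "priority": 140, "direction": "Outbound", "access": "Allow",
            "protocol": "Udp", "sourceAddressPrefix": "*",
            "destinationPortRange": "*"}},
    ]},
}

if __name__ == "__main__":
    for name, priority, ports in find_unrestricted_udp(SAMPLE_NSG):
        print(f"{SAMPLE_NSG['name']}: rule {name} (priority {priority}) "
              f"allows UDP from any source on ports {', '.join(ports)}")
```

Note that `allow-all-internet` is caught even though its protocol is `*` rather than `Udp`: a wildcard protocol includes UDP, so a checker that matches only the literal `Udp` value would miss the broadest exposure.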
Rule Updates
  • RDS-023: Amazon RDS Public Snapshots: We’ve updated this rule to prevent stale checks due to throttling.
  • Updated the following rules so that checks won't be deleted if triggered by DeleteAccessKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteLoginProfile, or DeletePolicyVersion events:
      • IAM-004: Unnecessary Access Keys
      • IAM-013: MFA For IAM Users With Console Password
      • IAM-016: IAM User Policies
      • IAM-024: IAM User With Password And Access Keys
      • IAM-025: Unnecessary SSH Public Keys
      • IAM-028: Inactive IAM Console User
      • IAM-029: Unused IAM User
      • IAM-036: AWS IAM Users with Admin Privileges
      • IAM-058: Check that only safelisted IAM Users exist
      • IAM-070: Check for IAM User Group Membership
      • IAM-071: Receive Permissions via IAM Groups Only
Bug Fixes
  • SSM-003: Check for SSM Managed Instances: Fixed a bug where checks were generated for EC2 instances in a state other than pending or running.
  • Fixed a bug that prevented RTM from generating checks for the following rules when DB cluster events are triggered:
      • RDS-007: RDS Multi-AZ
      • RDS-035: Cluster Deletion Protection
      • RDS-042: Enable Aurora Cluster Copy Tags to Snapshots