5.x Release Notes

Release Notes for 5.x

To receive email notifications of new releases, please subscribe to this SUSE mailing list: https://lists.suse.com/mailman/listinfo/neuvector-updates

5.4.1 November 2024

New Features:

  • NVSHAS-8583: Set granular policy modes for rule sets: the network policy mode and the profile mode can be set separately at the per-group level.

  • NVSHAS-9440: Support separate network mode and process/file mode in CRDs.

  • NVSHAS-9369: Support setting the controller debug log category via Helm deployment.

  • NVSHAS-9040: Improve syslog message when admission control rule is denied in monitor mode.

Bug Fixes:

  • NVSHAS-9416: [Scanner] No vulnerabilities are detected for activemq-all-5.8.0.redhat-60024.jar (the previous scanner build did detect them).

  • NVSHAS-9447: Controller/Scanner pods crashing - "Unsupported system Exit".

  • NVSHAS-9278: CVE-2024-41110 is found in the latest scanner image.

  • NVSHAS-9467: Custom group defined by the pod label does not propagate its profile data on the children containers.

  • NVSHAS-9442: Deployment issue on ArgoCD.

  • NVSHAS-9436: Possible CVE false negative against CVE-2024-7347.

  • NVSHAS-9468: Fix CVE-2020-26160 to replace jwt-go with jwt:v5.

  • NVSHAS-9517: Admission control is not consistent, getting incorrect results.

  • NVSHAS-9532: The image scan is completed but deployment is still not allowed.

  • NVSHAS-9558: JWT token expiry is reported as http.StatusRequestTimeout (408).

  • NVSHAS-9576: Clear password field for registry data when user uses controller mode with Jenkins to scan.

  • NVSHAS-9425: Create nfq when container has vxlan.

  • NVSHAS-9571: [Registries] Filter for all scanned image does not work well.

  • NVSHAS-9589: Managed clusters disconnected - Version mismatch with primary cluster.

  • NVSHAS-8824: User fails to delete own groups, cannot create namespace-scoped groups.

  • NVSHAS-9605: Export group with invalid policy mode & process profile mode values is mistakenly allowed.

  • NVSHAS-9608: Scanner does not report an error when the controller reports an error for huge scan results (~23 MB).

  • NVSHAS-9534: Display error in admission controls.

  • NVSHAS-9600: Cannot disable controller debug.

  • NVSHAS-9631: Reduce some enforcer errors.

  • NVSHAS-9645: Pre-existing CRD processing fails.

  • NVSHAS-9592: No new scan despite new DB version.

  • NVSHAS-9212: Display an alert message in GET /v1/eula if the neuvector-binding-secret role or role binding is incorrect.

  • NVSHAS-9367: Enhance error messages when registry fails to be connected.

  • NVSHAS-9475: Background grid print is not fully covering when menu is collapsed.

  • NVSHAS-9485: Incorrect message for 'Network Security Policy Mode' in UI.

  • NVSHAS-9480: NV UI deployed on Rancher downstream cluster throws HTTP/403 after Rancher logout.

  • NVSHAS-9547: Sorting is broken on the Security Risks → Vulnerabilities table.

  • NVSHAS-9570: [Vulnerabilities] Change the legend description for different statuses on assets.

  • NVSHAS-9561: Dashboard board overall security score should match the actual score.

  • NVSHAS-9572: [Vulnerabilities] Filtered data was kept even after the user refreshed the page or logged in again.

  • NVSHAS-9597: UI does not show an error when the controller returns 403 for POST /v1/group.

  • NVSHAS-8682: CRD webhook service needs to be moved from crd helm chart to application helm chart.

Known Issues

  • In the 2.8.3 chart release, we have moved a previously misallocated resource from crds to core. If you use both crds and core charts, you might see issues during upgrade if you deploy core first. To resolve this, upgrade the crds first and then core charts.

5.4 September 2024

  • UI Improvements:

    • Display Rancher SSO users.

    • Manage JWT tokens.

    • Enhanced image navigation, and scan result links.

  • Security Enhancements:

    • New compliance filters.

    • Support for CIS benchmarks, and OCI image signing.

  • Network & Monitoring:

    • Advanced bandwidth and session tracking.

    • DDoS monitoring.

    • Multus network support.

  • Cert Management:

    • New notifications for expiring internal certificates, including rotation capabilities.

  • Automation & Integration:

    • Federation automation.

    • Rancher RBAC integration.

    • Improved admission control.

  • Performance & Efficiency:

    • Reduced memory usage.

    • ISP data charge reduction.

    • Scanner cache stats exposure.

  • Usability Improvements:

    • Bootstrap password support.

    • Cloud billing data archiving.

    • Namespace boundary enforcement.

New Features:

  • NVSHAS-9012: Displaying Rancher SSO users on NV UI that have the same user name.

  • NVSHAS-8939: Provide an option on NV UI so that Rancher SSO session users can drop the current JWT token (i.e. logout).

  • NVSHAS-7522: Easy image navigation through registries.

  • NVSHAS-8148: Link from container image to registry image scan results.

  • NVSHAS-9258: Add a new notification for expiring certificates and internal certs.

  • NVSHAS-8915: Support for new compliance filters and Compliance report.

  • NVSHAS-9403: Filemonitor-UI: Allow user to delete predefined file monitor rule.

  • NVSHAS-8423: Detect group-level bandwidth, active session count, and session-rate violation based on configured thresholds.

  • NVSHAS-9218: Support for federated and CRD groups for DDoS monitoring.

  • NVSHAS-8461: Support CIS benchmarks for managed k8s services in the cloud.

  • NVSHAS-7664: Reduce ISP data charges during registry scanning.

  • NVSHAS-8868: Expose scanner cache statistics.

  • NVSHAS-8676: NV Protect improvement for benchmark scripts.

  • NVSHAS-9255: Customize Admission control search registries for image names without FQDN.

  • NVSHAS-9144: ID added for vulnerability profile for easy identification.

  • NVSHAS-7687: Support configuring log level (debug/error/info/warn) for enforcer and controller from CLI.

  • NVSHAS-7518: Change internal certificates for SUSE® Security components.

  • NVSHAS-9287: Enable internal cert rotation.

  • NVSHAS-8562: Add internal cert expiration notification.

  • NVSHAS-8486: Support Multus network interface.

  • NVSHAS-7447: Rancher RBAC integration with SUSE® Security.

  • NVSHAS-7822: Federation automation without scripting API calls.

  • NVSHAS-8799: Create a Compliance Framework for importing Compliance Templates.

  • NVSHAS-8773: Bootstrap password support during initial deployment.

  • NVSHAS-6740: Improvement of zero-drift baseline profile by enforcing the learned list in protect mode.

  • NVSHAS-8325: Enforce container namespace boundary for network rule.

  • NVSHAS-8723: Archive cloud billing data.

  • NVSHAS-9086: Reduce controller process memory usage by eliminating vulTrait data structure.

  • NVSHAS-6979: Ability to include comment of response rule in alert content.

  • NVSHAS-8845: Create APIKEY with role FedReader and FedAdmin.

  • NVSHAS-9306: Admission Control configuration assessment shows rule ID responsible for allowed or denied deployments.

  • NVSHAS-9078: Support for image signing for OCI images.

  • NVSHAS-7945: Support DISA STIG benchmark for Kubernetes.

  • NVSHAS-8234: Admission Control Logic allowing images that should be denied.

Bug Fixes:

  • NVSHAS-9005: TypeError in registries: Cannot read properties of undefined (reading 'total_records').

  • NVSHAS-9085: Assets View PDF report shows 0% vulnerability even with present vulnerabilities.

  • NVSHAS-9084: Assets View PDF report shows NaN when image list is empty.

  • NVSHAS-9128: Security Events: Container cannot be displayed if there is no workload’s namespace value.

  • NVSHAS-9025: Neuvector vulnerability acceptance scope for containers.

  • NVSHAS-9155: Registry Scan Image has an incorrect column name and a missing File Name.

  • NVSHAS-9122: Neuvector master logs the user out unexpectedly when using "Multiple Cluster" with Rancher SSO login.

  • NVSHAS-9266: Registry scan: Scan Report by Layer button should be hidden or disabled when there’s no vulnerability.

  • NVSHAS-9219: Allow users to enable server cert validation for auth servers.

  • NVSHAS-9246: Filtering for CSV/PDF export does not work.

  • NVSHAS-8947: Cannot import NV configuration when authenticated through Rancher SSO.

  • NVSHAS-9282: UI: Editing OpenShift registry entry fails due to a missing token.

  • NVSHAS-9098: Enhance risk page loading user experience.

  • NVSHAS-9267: Do not allow UI on 5.4 master cluster to switch to pre-5.4 managed clusters because of REST API changes.

  • NVSHAS-9285: UI: Dropdown list button overlaps with other elements.

  • NVSHAS-9302: Cannot create APIKEY with role FedReader and FedAdmin.

  • NVSHAS-8539: Reconfigure proxy setting loses password.

  • NVSHAS-9293: Removal of unrelated image details in the vulnerability reports.

  • NVSHAS-9238: UI doesn’t refresh the displayed cluster name after it’s changed.

  • NVSHAS-9363: Notification Configuration > Webhooks grid are not properly aligned.

  • NVSHAS-9362: Security Risk Vulnerabilities filter returns 0 results.

  • NVSHAS-8699: Unable to distinguish the user if Rancher AD user is the same.

  • NVSHAS-9062: Displaying Rancher SSO users on NV UI that have the same username (Conversion on controller).

  • NVSHAS-9071: Some modules are not reported in the container scan only.

  • NVSHAS-8242: gRPC call to test if controller handles critical severity.

  • NVSHAS-8908: Parse X-Forwarded-Port correctly considering comma separator.

  • NVSHAS-9024: Admission Control risky-role performance.

  • NVSHAS-9091: Unable to report all modules under ol:9.1, photon:5.0, rhel:9.1, and amzn:2023 source in repo, registry, and standalone scan.

  • NVSHAS-8997: Greatly reduce the per-node policy slot count to improve performance.

  • NVSHAS-9059: CRD groups visible in NV even after deletion from K8s.

  • NVSHAS-9107: Goroutine crash at rest.handlerConfigLocalCluster.

  • NVSHAS-9108: Port 18500 shouldn’t be open.

  • NVSHAS-9119: Goroutine crash at probe.(*FileNotificationCtr).AddContainer().

  • NVSHAS-9125: CRD entries with invalid settings should not be allowed to be created.

  • NVSHAS-9124: Docker: many unexpected healthcheck process incidents are reported.

  • NVSHAS-9111: NV should check --event-qps > 0.

  • NVSHAS-9130: Unexpected Container.Package.Updated incidents are found after a specific container is started.

  • NVSHAS-9080: Fed reader user is unable to access some REST APIs.

  • NVSHAS-9092: Namespaced user should not see global assets.

  • NVSHAS-9116: The worker cluster is able to leave if the connection is dropped.

  • NVSHAS-8980: Get host and tunnel interface on node successfully in oc 4.15.

  • NVSHAS-9188: Set mgmt-br interface as host interface for harvester node.

  • NVSHAS-4858: Do not expand the containers group in the controller, to improve policy deployment performance and reduce CPU and memory usage.

  • NVSHAS-8700: Rancher AD user is unable to log in to SUSE® Security sometimes.

  • NVSHAS-9121: Group’s Network Monitoring Threshold setting cannot be edited.

  • NVSHAS-9189: Scan will get stuck in scheduling after controller is shutdown and restarted.

  • NVSHAS-9019: Fix unsynchronized link state for host interface.

  • NVSHAS-8305: Remove built-in certificate.

  • NVSHAS-9013: Removing BPF filter on the process monitor.

  • NVSHAS-7853: TLS handshake EOF.

  • NVSHAS-9290: User-added process profile rule not taking effect with ZD enabled.

  • NVSHAS-9301: NV deployed on Rancher Prime cannot tell it’s Rancher flavor.

  • NVSHAS-9289: Allow upgrade when RBAC is missing.

  • NVSHAS-7601: Improve restoring configuration from a PV backup.

  • NVSHAS-7687: Add syslog level setting for enforcer.

  • NVSHAS-9292: Fix Ingress/Egress exposure showing 0 vulnerabilities.

  • NVSHAS-9270: Support k3s for CIS benchmark pipeline.

  • NVSHAS-9338: Alert 'Managed cluster [id] is disconnected from primary'.

  • NVSHAS-9358: Image scan using proxy would fail.

  • NVSHAS-9337: Send log message when SYN flood is detected.

  • NVSHAS-9209: Delete domain cache when namespace is deleted from k8s.

  • NVSHAS-8985: Federated registries disappear after controller restart.

Known Issue:

  • NVSHAS-9443: Upgrade/Install through ArgoCD fails as it cannot create leases.coordination.k8s.io object.

  • Workaround: Create the given lease objects before upgrading to 5.4.0 using ArgoCD. Change the namespace if it is different from neuvector.

    cat <<EOF | kubectl apply -f -
    apiVersion: coordination.k8s.io/v1
    kind: Lease
    metadata:
      name: neuvector-controller
      namespace: neuvector
    spec:
      leaseTransitions: 0
    ---
    apiVersion: coordination.k8s.io/v1
    kind: Lease
    metadata:
      name: neuvector-cert-upgrader
      namespace: neuvector
    spec:
      leaseTransitions: 0
    EOF

5.3.4 July 2024

Bug Fixes

  • The host and tunnel interface are successfully retrieved with OpenShift CLI v4.15.

  • The IP range 169.254.x.x is excluded from the host interface IPs.

  • Re-examine the host interface 1 minute after enforcer startup.

  • Fixed an issue where the OpenID issuer URL regex was failing.

  • Remediates the following CVEs:

    CVE             Applies to  Impact
    CVE-2023-42364  busybox     🟡 Medium
    CVE-2023-42365  busybox     🟡 Medium
    CVE-2024-6197   curl        🟡 Medium
    CVE-2024-6874   curl        🟡 Medium
    CVE-2024-5535   openssl     🔴 Critical
    CVE-2024-4741   openssl     🟡 Medium

5.2.4-s5 July 2024

  • Remediates the following CVEs:

    CVE             Applies to  Impact
    CVE-2023-42363  busybox     🟡 Medium
    CVE-2023-42364  busybox     🟡 Medium
    CVE-2023-42365  busybox     🟡 Medium
    CVE-2023-42366  busybox     🟡 Medium
    CVE-2024-6197   curl        🟡 Medium
    CVE-2024-6874   curl        🟡 Medium
    CVE-2024-5535   openssl     🔴 Critical
    CVE-2024-4603   openssl     🟡 Medium
    CVE-2024-4741   openssl     🟡 Medium

5.3.3 June 2024

Enhancements

  • Allow users to block the usage of specific storage classes from the Admission Controls page.

  • LDAP authentication now has separate fields for baseDN and groupDN configuration.

  • The Egress and Ingress chart has a new vulnerability column which contains the High and Medium vulnerability count for each service.

Bug Fixes

  • Fixed a regex bug when using a comma (,) in a multi-entry Admission Control user criterion.

  • Fixed a bug where the CVE scan of jar packages would not show all packages affected by the same CVE. Now all occurrences are reported.

  • Remediates the following CVEs:

    CVE             Applies to       Impact
    CVE-2024-35195  python:requests  🟡 Medium
    CVE-2024-21011  openjdk11        🟢 Low
    CVE-2024-21012  openjdk11        🟢 Low
    CVE-2024-21068  openjdk11        🟢 Low
    CVE-2024-21085  openjdk11        🟢 Low
    CVE-2024-21094  openjdk11        🟢 Low

Other

  • Allow users to set resources for updater-cron-job when installing SUSE® Security with the Helm chart.

  • Prometheus exporter container versioning has been reviewed and decoupled from the controller versioning.

  • (Scanner) Detect the R package/module in Ubuntu and Red Hat Enterprise Linux.

  • (Scanner) Added support for PHP Composer scan.

5.2.4-s3 April 2024

  • Remediates the following CVEs:

    CVE             Applies to           Impact
    CVE-2021-40633  giflib               🟠 High
    CVE-2023-48161  giflib               🟠 High
    CVE-2024-28757  expat                🟠 High
    CVE-2023-39742  giflib               🟡 Medium
    CVE-2023-45288  go:golang.org/x/net  🟡 Medium
    CVE-2024-25629  c-ares               🟡 Medium
    CVE-2024-3651   python:idna          🟡 Medium
    CVE-2024-2511   openssl              🟢 Low

5.3.2 April 2024

Bug Fixes

  • After upgrading to v5.3.1 from a previous SUSE® Security release, pre-existing NvClusterSecurityRule custom resources may be deleted inadvertently. NOTE: The 5.3.1 version has been removed from docker hub in order to prevent the upgrade issue.

5.3.1 April 2024

The 5.3.1 version has been removed from docker hub in order to prevent the upgrade issue fixed in 5.3.2. Please use the 5.3.2 release.

Enhancements

  • Allow users to define ‘accepted’ vulnerabilities when using GitHub Actions so they don’t affect workflows.

  • Add Severity, Score level and Feed Rating filters to Assets > Registry > Image Vulnerabilities view.

  • Allow specifying, when configuring a registry, whether it should use the defined proxy for registry image scans.

Bug Fixes

  • Security Risks > Vulnerabilities > Advanced Filter doesn’t filter 'CVE without Fix'

  • Unexpected violation from container to hostmode container

  • Accept OCI image format when switching to docker api 1.24

  • Registry Scan should not scan non-image artifacts / not log an error

  • Allow for rootless key pair image signature verification without internet or sigstore dependence.

  • Security Events not getting permitted by network rules in a specific node (related to "Container Task chan full" error messages)

  • Container is unable to be added to a workload successfully (frequent occurrences), resulting from a deadlock on channel messages.

Other

  • Update the scanner plugins for Jenkins, GitHub action, and Bamboo.

  • (Scanner) Accept OCI image format when switching to docker api 1.24.

  • (Scanner) Registry Scan should not scan non-image artifacts / not log an error.

  • (Scanner) Add support for php composer scan.

SUSE® Security UI Extension v. 1.0 for Rancher March 2024

  • After installation of SUSE® Security, enabling/installing the SUSE® Security UI Extension from Rancher will display a Dashboard for the cluster, including links to SSO to the full SUSE® Security cluster. NOTE: The extension may display as Third Party, which will be fixed in a future release. Also, after installation, Rancher 2.7.x users may see two SUSE® Security UI Ext icons in the list (bug). One icon will say Uninstall (meaning it is installed), and the other should say Install. This can be left as is, i.e., don’t Install again if the extension is already installed.

5.2.4-s2 February 2024

  • Remediates the following CVEs:

    • High CVEs: CVE-2023-52425 in expat; CVE-2024-20952 and CVE-2024-20918 in openjdk11.

    • Medium CVEs: CVE-2023-52426 in expat; CVE-2024-20926, CVE-2024-20921, CVE-2024-20945 and CVE-2024-20919 in openjdk11; CVE-2024-0727 and CVE-2023-6237 in openssl.

5.3.0 February 2024

Enhancements

  • Show external destination URLs (FQDN) in Dashboard (egress), PDF and CSV reports, as well as in the Network Activity screen and Security Events (violations) lists

  • In Discover mode, learn egresses to external FQDN address groups automatically. A new external FQDN custom group will be created unless the external connection matches an existing rule.

  • Enable ICMP learning (Discover mode) and blocking (Protect mode) through new Controller environment variable CTRL_EN_ICMP_POLICY = 1

  • Export CRDs into GitHub to support GitOps to a default repo using the console or REST API.

  • Support SAML SSO single logout with ADFS IdP

  • Add support for ARM64 platform. Pulling from ARM based platforms will automatically pull the appropriate ARM64 SUSE® Security images.

  • Support webhooks through a proxy

  • Improve the admission control auditing function to include the results of all rules. List the result of every rule, and add another entry for the final action that would occur when evaluated in a live admission control deployment.

  • Apply disabled Admission Control rules via CRD or yaml (kubectl)

  • Vulnerability Profile export / import through console, CRD, or REST API. Importing will replace the existing profile. Deleting the CRD will result in an empty profile.

  • Compliance Profile template export / import through console, CRD, or REST API. Importing will replace the existing template.

  • Add a 'Manual' status in the compliance reports for CIS benchmarks that must be run manually by users (not run by SUSE® Security).

  • Improve UI loading/performance of Vulnerabilities page

  • Unify browser session login. With this, all tabs in the browser share the same login session, opening a new tab from an existing session does not ask for credentials, and when one tab logs out, all tabs are logged out.

  • Enhancements to the security of the console (UI): 1) add mandatory security headers (X-Content-Type-Options: nosniff; X-XSS-Protection: 1; mode=block; X-Frame-Options: SAMEORIGIN; Cache-Control: private, no-cache, no-store, must-revalidate; Strict-Transport-Security: max-age=15724800), 2) add a CSP header (e.g. set a ‘default-src’ directive), 3) remove server name disclosure

  • Support newer versions of CIS benchmarks. Kubernetes (1.8.0), Kubernetes V1.24 (1.0.0), Kubernetes V1.23 (1.0.1), RedHat OpenShift Container Platform (1.4.0)

  • Show in Assets → Containers → Container details whether a container was scanned in a registry or at runtime

  • Add link to Group in Security Risks → Vulnerabilities → Impact popup to easily edit group mode

  • Support deep linking in URLs to the image and/or container vulnerability page

  • Add password reset option for admin to reset user password in console Settings → Users

  • Allow sending event logs to controller pod logs in Settings → Configuration → Notification. The events sent will begin with 'notification=' and be saved only to the leader controller pod. Note that there is a bug in this version where, in order to change the event level, SYSLOG must be enabled (it can be disabled, if desired, after changing the level).

  • Remove requirement for controller/enforcer to mount "/host/cgroup".

  • Add Get Support menu with links to slack, documentation, and other resources

  • Fill message field to /v1/log/activity logs
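The console-hardening item above lists the headers the console now sends, the CSP requirement and the removal of the server name. The Go program below is an added example, not NeuVector code: it audits one set of HTTP response headers against that list, checks that a Content-Security-Policy with a default-src directive is present, and flags any Server header as a name disclosure. The two header sets it audits are constructed for the example, and the `Audit` function, the `Findings` type and the hypothetical server banner value are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// requiredHeaders is a checklist built from the 5.3.0 note: header
// names and the values the console is expected to send. The values
// come from the note; the map itself is constructed for this example
// and is not NeuVector code.
var requiredHeaders = map[string]string{
	"X-Content-Type-Options":    "nosniff",
	"X-XSS-Protection":          "1; mode=block",
	"X-Frame-Options":           "SAMEORIGIN",
	"Cache-Control":             "private, no-cache, no-store, must-revalidate",
	"Strict-Transport-Security": "max-age=15724800",
}

// Findings collects what an audited response gets wrong.
type Findings struct {
	Missing      []string // required header absent
	Mismatched   []string // header present but value differs from the checklist
	NoCSP        bool     // no Content-Security-Policy header at all
	NoDefaultSrc bool     // CSP present but without a default-src directive
	ServerLeak   string   // value of a Server header, if one is disclosed
}

// Clean reports whether the audit raised no finding.
func (f Findings) Clean() bool {
	return len(f.Missing) == 0 && len(f.Mismatched) == 0 &&
		!f.NoCSP && !f.NoDefaultSrc && f.ServerLeak == ""
}

// normalize makes value comparison tolerant of case and spacing, so
// "private,no-cache" and "private, no-cache" compare equal.
func normalize(v string) string {
	parts := strings.FieldsFunc(strings.ToLower(v), func(r rune) bool {
		return r == ',' || r == ';'
	})
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	return strings.Join(parts, ",")
}

// Audit checks one response header set against the checklist.
func Audit(h http.Header) Findings {
	var f Findings
	for name, want := range requiredHeaders {
		got := h.Get(name)
		switch {
		case got == "":
			f.Missing = append(f.Missing, name)
		case normalize(got) != normalize(want):
			f.Mismatched = append(f.Mismatched, name)
		}
	}
	sort.Strings(f.Missing) // map iteration order is random; keep output stable
	sort.Strings(f.Mismatched)

	csp := h.Get("Content-Security-Policy")
	switch {
	case csp == "":
		f.NoCSP = true
	case !strings.Contains(strings.ToLower(csp), "default-src"):
		f.NoDefaultSrc = true
	}
	f.ServerLeak = h.Get("Server")
	return f
}

// HardenedHeaders is a constructed response that follows the note.
func HardenedHeaders() http.Header {
	h := http.Header{}
	for name, value := range requiredHeaders {
		h.Set(name, value)
	}
	h.Set("Content-Security-Policy", "default-src 'self'")
	return h
}

// LegacyHeaders is a constructed response from a console that predates
// the change: some headers missing, some with values that differ from
// the checklist, no CSP, and a Server banner (a made-up value).
func LegacyHeaders() http.Header {
	h := http.Header{}
	h.Set("X-Frame-Options", "DENY")
	h.Set("Cache-Control", "no-cache")
	h.Set("Server", "example-httpd/1.0")
	return h
}

func main() {
	for label, h := range map[string]http.Header{"hardened": HardenedHeaders(), "legacy": LegacyHeaders()} {
		f := Audit(h)
		fmt.Printf("%s: clean=%v missing=%v mismatched=%v noCSP=%v noDefaultSrc=%v server=%q\n",
			label, f.Clean(), f.Missing, f.Mismatched, f.NoCSP, f.NoDefaultSrc, f.ServerLeak)
	}
}
```

Run it with `go run .`; to audit a live console, fill the http.Header from the response of an HTTPS GET to the console instead of the constructed sets. Value comparison is deliberately loose on spacing and case, but a missing directive (for example a Cache-Control without no-store) is still reported as a mismatch.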

Bug Fixes

  • Internal Server Error in Security Risks → Vulnerabilities with a high number of CVEs

  • SIGSEGV: segmentation violation on controller

  • Deleting vulnerable files (e.g. jar) doesn’t remove from vulnerability list

  • Invalid Syslog certificate using the signature algorithm SHA256withECDSA

  • SUSE® Security shows security events that should be allowed by a Network Rule

  • Un-managed node with "zombie" enforcer running

  • Advanced Filter shows Remediation and Impact fields blank

  • Fix string handling to prevent unexpected Enforcer restart

  • Unexpected violations relating to built-in groups

  • Support-bundle enforcer debug RPC call for data returns error

  • Group is not matching in Security Events

  • Send events to slack is not working - with proxy

  • Showing security events for allowed network rules

Other

  • Add run-time container engine (socket) automatic detection to Helm chart

  • Remove setting for running controller in privileged mode in Helm chart, and requirement for controller/enforcer to mount "/host/cgroup".

  • The sample kubernetes deployment files have been removed from the SUSE® Security docs. Please refer to the link for examples.

Highlighted Changes Which May Require Changes for Manual Deployments (all changes are already reflected in latest Helm chart for 5.3.x)

  • Auto detection of container run-time (socket) removes the need to specify the container run-time and socket path.

  • Removal of the requirement to run the controller in privileged mode removes the need for mounting the runtime socket and /host/cgroup/

  • Added role/role binding for neuvector-binding-secret as well as neuvector-secret in yaml.

  • New service accounts and role bindings required for 5.3

  • All referenced deployment yaml files now have /5.3.0/ in their paths

5.2.4-s1 January 2024

Security Patch Release

  • Remediates CVE-2023-6129 in openssl, and CVE-2023-46219, CVE-2023-46218 in curl.

5.2.4 November 2023

Bug Fixes

  • Azure AKS ValidatingWebhookConfiguration changes and error logging.

5.2.3 November 2023

Enhancements

  • Add support for NVD API 2.0 in Scanner.

  • Scan the container host in scanner standalone mode.

docker run --rm --privileged --pid=host neuvector/scanner -n

Bug Fixes

  • Scan on a node fails due to deadlocked docker cp / grpc issue.

5.2.2-s1 October 2023

Security Update

  • Update packages to remediate CVEs including High CVE-2023-38545 and CVE-2023-43804.

5.2.2 October 2023

Security Advisory for CVE-2023-32188

  • Remediate CVE-2023-32188 “JWT token compromise can allow malicious actions including Remote Code Execution (RCE)” by auto-generating certificate used for signing JWT token upon deployment and upgrade, and auto-generating Manager/RESTful API certificate during Helm based deployments.

    • Certificate for JWT-signing is created automatically by controller with validity of 90 days and rotated automatically.

    • Auto-generation of Manager, REST API, and registry adapter certificate requires using Helm-based install using SUSE® Security helm version 2.6.3 or later.

    • Built-in certificate is still used for yaml based deployments if not replaced during deployment; however, it is recommended to replace these (see next line).

    • Manual replacement of certificate is still supported and recommended for previous releases or yaml based deployments. See the SUSE® Security GitHub security advisory here for a description.

    • Use of user-supplied certificates is still supported as before for both Helm and yaml based deployments.

  • Add additional controls on custom compliance scripts. By default, custom scripts are now not allowed to be added, unless the environment variable CUSTOM_CHECK_CONTROL is added to Controller and Enforcer. Values are "disable" (default, not allowed), "strict" (admin role only), or "loose" (admin, compliance, and runtime-policy roles).

  • Prevent LDAP injection - username field is escaped.

Enhancements

  • Add additional scan data to CVE results sent by SYSLOG for layered scans

  • Support NVD API 2.0 for scan CVE database

  • Provide container image build date in Assets → Container details

  • Adjust sorting for Network rules: disable sorting in Network rules view but enable sorting of network rules in Group view.

  • Enable/disable TLS 1.0 and TLS 1.1 detection/alerting with environment variables to Enforcer THRT_SSL_TLS_1DOT0, THRT_SSL_TLS_1DOT1. Disabled by default.

  • Add environment variable AUTO_PROFILE_COLLECT for Controller and Enforcer to assist in capturing memory usage when investigating memory pressure events. Set value = 1 to enable.

  • Configuration assessments against Admission Control should show all violations with one scan.

  • Add more options for CVE report criteria in Response Rules. Example 1: "cve-high-with-fix:X" means: when the number of high vulnerabilities that have a fix available is >= X, trigger the response rule. Example 2: "cve-high-with-fix:X/Y" means: when the number of high vulnerabilities that were reported Y days ago and have a fix available is >= X, trigger the response rule.
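The criterion syntax in the item above ("cve-high-with-fix:X" and "cve-high-with-fix:X/Y") is small enough to implement end to end. The Go program below is an added example, not NeuVector's rule engine: it parses a criterion string and evaluates it against a constructed scan report. It goes beyond the text in also accepting the plain "cve-<severity>" key (no "-with-fix") and the medium and low severities; that generalisation, the reading of "reported Y days ago" as "reported at least Y days ago", and the `Vulnerability`, `Criterion`, `ParseCriterion` and `Evaluate` names are this example's assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Vulnerability is a constructed, minimal view of one CVE from a scan
// report. Field names are this example's own, not NeuVector's data model.
type Vulnerability struct {
	Name       string
	Severity   string // "high", "medium" or "low"
	HasFix     bool   // a fixed package version is available
	ReportedAt time.Time
}

// Criterion is the parsed form of "cve-<severity>[-with-fix]:X[/Y]".
type Criterion struct {
	Severity   string
	WithFix    bool // only count CVEs that have a fix available
	Threshold  int  // X: trigger when the matching count is >= X
	MinAgeDays int  // Y: only count CVEs reported at least Y days ago
	HasAge     bool // whether the "/Y" part was present
}

// ParseCriterion parses strings such as "cve-high-with-fix:3" or
// "cve-high-with-fix:3/30". Accepting other severities and the plain
// "cve-<severity>" key is this example's generalisation of the note.
func ParseCriterion(s string) (Criterion, error) {
	key, val, ok := strings.Cut(s, ":")
	if !ok {
		return Criterion{}, fmt.Errorf("criterion %q: missing ':'", s)
	}
	if !strings.HasPrefix(key, "cve-") {
		return Criterion{}, fmt.Errorf("criterion %q: key must start with \"cve-\"", s)
	}
	c := Criterion{Severity: strings.TrimPrefix(key, "cve-")}
	if strings.HasSuffix(c.Severity, "-with-fix") {
		c.WithFix = true
		c.Severity = strings.TrimSuffix(c.Severity, "-with-fix")
	}
	switch c.Severity {
	case "high", "medium", "low":
	default:
		return Criterion{}, fmt.Errorf("criterion %q: unknown severity %q", s, c.Severity)
	}

	x, y, hasY := strings.Cut(val, "/")
	n, err := strconv.Atoi(x)
	if err != nil || n < 0 {
		return Criterion{}, fmt.Errorf("criterion %q: threshold X must be a non-negative integer", s)
	}
	c.Threshold = n
	if hasY {
		d, err := strconv.Atoi(y)
		if err != nil || d < 0 {
			return Criterion{}, fmt.Errorf("criterion %q: age Y must be a non-negative integer", s)
		}
		c.MinAgeDays = d
		c.HasAge = true
	}
	return c, nil
}

// Evaluate counts the vulnerabilities matching the criterion as of "now"
// and reports whether that count reaches the threshold X. "Reported Y
// days ago" is read here as "reported at least Y days ago".
func Evaluate(c Criterion, vulns []Vulnerability, now time.Time) (count int, triggered bool) {
	minAge := time.Duration(c.MinAgeDays) * 24 * time.Hour
	for _, v := range vulns {
		if v.Severity != c.Severity {
			continue
		}
		if c.WithFix && !v.HasFix {
			continue
		}
		if c.HasAge && now.Sub(v.ReportedAt) < minAge {
			continue
		}
		count++
	}
	return count, count >= c.Threshold
}

// SampleReport is a constructed scan result used to exercise the rule.
func SampleReport(now time.Time) []Vulnerability {
	day := 24 * time.Hour
	return []Vulnerability{
		{Name: "CVE-EXAMPLE-0001", Severity: "high", HasFix: true, ReportedAt: now.Add(-30 * day)},
		{Name: "CVE-EXAMPLE-0002", Severity: "high", HasFix: true, ReportedAt: now.Add(-2 * day)},
		{Name: "CVE-EXAMPLE-0003", Severity: "high", HasFix: false, ReportedAt: now.Add(-60 * day)},
		{Name: "CVE-EXAMPLE-0004", Severity: "medium", HasFix: true, ReportedAt: now.Add(-90 * day)},
	}
}

func main() {
	now := time.Date(2024, 9, 1, 0, 0, 0, 0, time.UTC)
	report := SampleReport(now)
	for _, s := range []string{"cve-high-with-fix:2", "cve-high-with-fix:2/7", "cve-high:3"} {
		c, err := ParseCriterion(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		n, fire := Evaluate(c, report, now)
		fmt.Printf("%-22s matched=%d trigger=%v\n", s, n, fire)
	}
}
```

With the constructed report, "cve-high-with-fix:2" matches two fixable high CVEs and fires, while "cve-high-with-fix:2/7" matches only the one reported 30 days ago and does not fire; the age filter is what keeps a freshly published CVE from triggering a response before a fix has had time to be rolled out.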

Bug Fixes

  • Export of group policy does not return any actual YAML contents

  • Improve pruning of namespaces with dedicated function

  • SUSE® Security namespace user cannot see Assets → Namespaces

  • Skip handling the CRD CREATE/UPDATE requests if the CR’s namespace is already deleted

  • Provide workaround for part of CRD groups which cannot be pruned successfully after namespaces are deleted.

5.2.1 August 2023

Enhancements

  • Report layered scan results and additional CVE data in SYSLOG messages. This is enabled through a checkbox in Settings → Configuration → SYSLOG

  • Export NIST 800-53 mappings (to docker CIS benchmarks) in the exported csv compliance report

  • Support Proxy setting in image signature verification

  • Include image signature scan result in the downloaded CVE report

  • Support pod annotations for Admission Control Policies, available through the Custom criteria

  • Add Last Modified field to filter for vulnerabilities report printing, as well as Advanced Filter in Vulnerabilities view

Bug fixes

  • Do not create default admin with default password in initial SUSE® Security deployment for AWS billing (CSP adapter) offering, requiring user to use a secret to create admin username and password

  • Fix a .json file that grew in size and crashed a Kubernetes node

  • Improve SQL injection detection logic

  • When installing the helm crd chart first before installing the SUSE® Security core chart, service accounts are missing

  • Image scan I.4.1 compliance result is incorrect

  • Vulnerability advanced filter report showing images from all other namespace

5.2.0 July 2023

Enhancements

  • Support tokens for SUSE® Security API access. See Settings → User, API Keys…​ to create a new API key. Keys can be set to default or custom roles.

  • Support AWS Marketplace PAYG billing for SUSE® Security monthly support subscriptions. Users can subscribe to SUSE® Security by SUSE support, billed monthly to their AWS account based on previous month’s average node count usage. Details here.

  • Support image signing for admission controls. Users can require SUSE® Security to verify that images are signed by specific parties before they can be deployed into the production environment, through an integration with Sigstore/Cosign. See Assets → Sigstore Verifiers for creating new signature assets. Rules can then be created with criteria Image Signing and/or Image Sigstore Verifiers.

  • Enable each admission control rule to have its own mode of Monitor or Protect. A Deny action in Monitor mode will alert, and a Deny action in Protect mode will block. Allow actions are unaffected.

  • Add a new regex operator in Policy > Admission Control > Add Rule for Users and User Groups to support regex. Support operators "matches ANY regex in" and "matches NONE regex in".

  • Add support for admission control criteria such as resource limits. A new criteria is added for Resource Limits, and additional criteria are supported through the Custom Criteria settings.

  • Support invoking SUSE® Security scanner from Harbor registries through the pluggable scanner interface. This requires configuration of the connection to the controller (exposed API). The Harbor adapter calls controller endpoint to trigger a scan, which can scan automatically on push. Interrogation services can be used for periodic scans. Scan results from Federation Primary controllers ARE propagated to remote clusters. NOTE: There is an issue with the HTTPS based adapter endpoint error: please ignore Test Connection error, it does work even though an error is shown (skip certificate validation).

  • Searchable SaaS service for CVE lookups. Search the latest SUSE® Security CVE database to see if a specific CVE exists in the database. This service is available for SUSE® Security Prime (paid support subscription) customers. Contact support through your SCC portal for access.

  • Allow user to disable network protection but keep WAF/DLP functioning. Configure Network Policy Enablement in Settings → Configuration.

  • Use less privileged service accounts as required for each SUSE® Security component. A variable “leastPrivilege” is introduced. The default is false. NOTE: Using the current helm chart with this variable on a release prior to 5.2.0 will not function properly.

  • Bind to non-default service account to meet CIS 1.5 5.1.5 recommendation.

  • Enable administrator to configure user default Session Time out in Settings → Users, API Keys & Roles.

  • Customizable login banner and customizable UI header text for regulated and government deployments. Requirements for configuration can be found here.

  • SYSLOG support for TLS encrypted transport. Select TCP/TLS in Settings → Configuration for SYSLOG.

  • Enable deployment of the SUSE® Security monitor helm chart from Rancher Manager.

  • Remove upper limit for top level domain in URL validator for registry scanning.

  • Scan golang dependencies, including run-time scans.

  • Support Debian 12 (Bookworm) vulnerability scan.

  • Add CSV export for Registry / Details to export CVEs for all images in configured registry in Assets → Registries for a selected registry.

  • Allow SUSE® Security to set several ADFS certificates in parallel in x.509 certificate field.

  • Add and display the comment field for Response Rules.

  • Specify what SUSE® Security considers to be system containers through environment variable. For example, for Rancher and default namespaces: NV_SYSTEM_GROUPS=*cattle-system;default

  • Add support for Kubernetes 1.27 and OpenShift 4.12

Bug Fixes

  • Reduce repeating logs in enforcer/controller logs.

  • Multiple clusters page does not render.

  • Empty group auto-removal takes 2 hours to delete instead of 1 hour according to schedule.

  • Manually allowed network rule not getting applied and resulting in violation for pause image.

  • Blocking SSL connections even if a network rule permits the traffic under certain initial conditions.

  • Security events warning even with allowed network rules due to policy update issue in synchronization.

  • Network Activities wrongly associating custom group traffic to external.

  • Default service account token of the namespace mounted in each pod is too highly privileged.

  • Despite defining the network rules, violations getting logged under security events (false positives) when the container has stopped due to out of memory (OOM) error.

  • Allow user to disable/enable detection and protection against unmanaged containers in the cluster. This can be set through the Manager CLI:

set system detect_unmanaged_wl status -h
Usage: cli set system detect_unmanaged_wl status [OPTIONS] {true|false}

  Enable/disable detect unmanaged container

Other

  • Add "leastPrivilege" setting in Helm chart. Add helm option for New_Service_Profile_Baseline. A new Helm chart (core) version is published for 5.2.

  • Enable AWS Marketplace (billing adapter) integration settings in Helm chart.

  • Update configmap to support new features (multiple ADFS certificates, zero drift, New_Service_Profile_Baseline, SYSLOG TLS, user timeout)

  • Update supported Kubernetes versions to 1.19+, and OpenShift 4.6+ (1.19+ with CRI-O)

5.1.3 May 2023

Enhancements

  • Add new vulnerability feed for scanning Microsoft .NET framework.

  • Enforcer stats are disabled by default in Prometheus exporter to improve scalability.

  • Usability improvement: Using scanner to scan single image and print the result (see example below).

  • Add imagePullPolicy check in admission control rules criteria.

  • Show warning message when CRD schema is out of date.

Bug Fixes

  • Network Activity screen does not render or incorrectly renders.

  • Empty group auto-removal takes 2 hours to delete instead of 1 hour according to schedule.

  • Compliance profile doesn’t show in UI console.

  • Advanced Filter in Security Events Missing "Error" Level.

  • Saved password with special character fails on future authentication attempt.

  • Multiple clusters page does not render properly when requests are high.

  • Registry detail (bottom) pane not updating.

Scanner Sample Output

Image: https://registry.hub.docker.comlibrary/alpine:3.4
Base OS: alpine:3.4.6
TOTAL: 6, HIGH: 1, MEDIUM: 5, LOW: 0, UNKNOWN: 0
┌─────────┬───────────────┬──────────┬───────────┬───────────────┬────────────┐
│ PACKAGE │ VULNERABILITY │ SEVERITY │ VERSION   │ FIXED VERSION │ PUBLISHED  │
├─────────┼───────────────┼──────────┼───────────┼───────────────┼────────────┤
│ openssl │ CVE-2018-0732 │ High     │ 1.0.2n-r0 │ 1.0.2o-r1     │ 2018-06-12 │
│         ├───────────────┼──────────┤           ├───────────────┼────────────┤
│         │ CVE-2018-0733 │ Medium   │           │ 1.0.2o-r0     │ 2018-03-27 │
│         ├───────────────┤          │           ├───────────────┼────────────┤
│         │ CVE-2018-0734 │          │           │ 1.0.2q-r0     │ 2018-10-30 │
│         ├───────────────┤          │           ├───────────────┼────────────┤
│         │ CVE-2018-0737 │          │           │ 1.0.2o-r2     │ 2018-04-16 │
│         ├───────────────┤          │           ├───────────────┼────────────┤
│         │ CVE-2018-0739 │          │           │ 1.0.2o-r0     │ 2018-03-27 │
│         ├───────────────┤          │           ├───────────────┼────────────┤
│         │ CVE-2018-5407 │          │           │ 1.0.2q-r0     │ 2018-11-15 │
└─────────┴───────────────┴──────────┴───────────┴───────────────┴────────────┘

5.1.2 March 2023

Enhancements

  • Support virtual host based address group and policy matching network protections. This enables a use case where two different FQDN addresses are resolved to the same IP address, but different rules for each FQDN should be enforced. A new custom group with ‘address=vh:xxx.yyy’ can be created using the ‘vh:’ indicator to enable this protection. A network rule can then use the custom group as the ‘From’ source based on the virtual hostname (instead of resolved IP address) to enforce different rules for virtual hosts.

  • Compliance containers list to exclude exited containers.

  • Enhance DLP rules to support simple wildcard in the pattern.

  • Add support for cri-o 1.26+ and OpenShift 4.11+.

  • Make gravatar optional.

  • Display cluster namespace resource in console / UI.

  • Display source severity/classification (e.g. Red Hat, Ubuntu…) along with NVD severity score in console.

  • Don’t allow SSO/RBAC disabling for Rancher and OpenShift if user is authenticated through SSO.

  • Add auto-scan enablement and deletion of unused groups aging to configMap.

  • Include IP address for external source/destination in csv/pdf for implicit deny violations

  • Various performance and scalability optimizations for controller and enforcer CPU and memory usage.

Bug Fixes

  • Fix application slowness on GKE Container Optimized OS (COS) nodes when in Protect mode.

  • SUSE Linux (SLES) 15.4 CVE not matching in scanner. With this fix, if the severity is provided in the feed, the vulnerability will be added to the database, even if the NVD record is missing. It is possible that the report includes vulnerabilities without CVE scores.

5.1.1 February, 2023

Enhancements

  • Add “package” as information to the syslog-event for a detected vulnerability.

  • Add Enforcer environment variable ENF_NETPOLICY_PULL_INTERVAL (value in seconds, recommended value 60) to reduce network traffic and the resulting resource consumption by the Enforcer due to policy updates/recalculations. (Note: this was an undocumented addition until August of 2023.)

           - name: ENF_NETPOLICY_PULL_INTERVAL
             value: "60"   # regulate the pulling gap by 60 seconds

Bug Fixes

  • Empty group deletion errors "Object not found"

  • Traffic within the same container alerting/blocking

  • Unexpected implicit violations for istio egress traffic with allow rule in place

  • When upgrading from SUSE® Security 4.x release, incorrect pod group membership causes unexpected policy violation

  • OIDC authentication failed with ADFS when extra encoding characters appear in the request

  • High memory usage by dp creating and deleting pods

  • Update alpine to remediate several CVEs including Manager: CVE-2022-37454, CVE-2022-42919, CVE-2022-45061, CVE-2021-46848; Enforcer: CVE-2022-43551, CVE-2022-43552

  • Various UI bugs fixed

Other

  • Helm chart updated to enable replacement of certificate for internal communications

5.1.0 December, 2022

Enhancements

  • Centralized, multi-cluster scanning (CVE) database. The primary (master) cluster can scan a registry/repo designated as a federated registry. The scan results from these registries will be synchronized to all managed (remote) clusters. This enables display of scan results in the managed cluster console as well as use of the results in admission control rules of the managed cluster. Registries only need to be scanned once instead of by each cluster, reducing CPU/memory and network bandwidth usage.

  • Enhance admission control rules:

    • Custom criteria for admission control rules. Allow users to define resource criteria on all pod related fields and to be used in rules, for example item.metadata.annotationsKey contains 'neuvector', item.metadata.name='xyzzy' etc.

    • Add criteria to check for high risk RBAC settings for service accounts when deploying pods. These include criteria 'any action of workload resources', 'any action on RBAC', 'create workload resources', 'listing secrets', and 'exec into a container'.

    • Add semantic version comparison to modules for admission control rules. This enables > or < operators to be applied to version numbers in rules (e.g. don’t allow module curl<6.2.0 to be deployed). This allows specific version checks on installed packages.

    • Add an admission control rule for Pod Security Admission (PSA) supported in Kubernetes 1.25+.

  • Add new env variable NO_DEFAULT_ADMIN which when enabled does not create an 'admin' user. This is used for Rancher SSO integration as the default. If not enabled, persistently warn the user and record events to change the default admin password if it is not changed from default.

  • Blocking login after failed login attempts is now the default. The default value is 5 attempts, configurable in Settings → Users & Roles → Password Profile.

  • Add new env variable for performance tuning ENF_NO_SYSTEM_PROFILES, value: "1". When enabled, it will disable the process and file monitors. No learning processes, no profile modes, no process/file (package) incidents, and no file activity monitor will be performed. This will reduce CPU/memory resource usage and file operations.

  • Add a custom auto-scaling setting for scanner pods, with value Delayed, Immediate, and Disabled. Important: Scanner auto-scaling is not supported when scanner is deployed with an OpenShift operator, as the operator will always change the number of pods to its configured value.

    • Delayed strategy:

      • When lead controller continuously sees "task count" > 0 for > 90 seconds, a new scanner pod is started if maxScannerPods is not reached yet

      • When lead controller continuously sees "task count" is 0 for > 180 seconds, it scales down one scanner pod if minScannerPods is not reached yet

    • Immediate strategy:

      • Every time when lead controller sees "task count" > 0, a new scanner pod is started if maxScannerPods is not reached yet

      • When lead controller continuously sees "task count" is 0 for > 180 seconds, it scales down one scanner pod if minScannerPods is not reached yet
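The Delayed and Immediate strategies above, modelled as an added example (not NeuVector/SUSE® Security code): the lead controller's scaling decision with the 90 s and 180 s thresholds from the notes, replayed over a constructed task-count series. The 30 s sample interval, the type names, and restarting the 90 s timer after each Delayed scale-up are assumptions of this model.

```go
package main

import "fmt"

// Strategy is the scanner auto-scaling setting described in the 5.1.0 notes.
type Strategy string

const (
	Disabled  Strategy = "Disabled"
	Delayed   Strategy = "Delayed"
	Immediate Strategy = "Immediate"

	scaleUpAfterBusy   = 90  // seconds of continuous backlog before Delayed adds a pod
	scaleDownAfterIdle = 180 // seconds of continuous idleness before one pod is removed
)

// Observation is one sample of the scan "task count" at a monotonic time in seconds.
type Observation struct {
	Time, TaskCount int
}

// Autoscaler holds the lead controller's scaling state for the scanner deployment.
type Autoscaler struct {
	Strategy       Strategy
	MinScannerPods int
	MaxScannerPods int
	Pods           int
	busyStart      int // when the queue became continuously non-empty; -1 if it is empty
	idleStart      int // when the queue became continuously empty; -1 if it has work
}

// NewAutoscaler starts at minScannerPods, as a fresh deployment would.
func NewAutoscaler(s Strategy, minPods, maxPods int) *Autoscaler {
	return &Autoscaler{Strategy: s, MinScannerPods: minPods, MaxScannerPods: maxPods, Pods: minPods, busyStart: -1, idleStart: -1}
}

// Observe feeds one sample and returns "scale-up", "scale-down" or "" (no change).
func (a *Autoscaler) Observe(o Observation) string {
	if a.Strategy == Disabled {
		return "" // replica count is fixed (e.g. managed by the OpenShift operator)
	}
	if o.TaskCount == 0 {
		// Empty queue: both strategies remove one pod after more than 180 s idle, never below min.
		a.busyStart = -1
		if a.idleStart < 0 {
			a.idleStart = o.Time
		}
		if o.Time-a.idleStart > scaleDownAfterIdle && a.Pods > a.MinScannerPods {
			a.Pods--
			a.idleStart = o.Time
			return "scale-down"
		}
		return ""
	}
	a.idleStart = -1
	if a.busyStart < 0 {
		a.busyStart = o.Time
	}
	// Immediate adds a pod on every sample with a backlog; Delayed only once the backlog
	// has lasted more than 90 s (restarting the timer after a scale-up is our assumption).
	ready := a.Strategy == Immediate || o.Time-a.busyStart > scaleUpAfterBusy
	if ready && a.Pods < a.MaxScannerPods {
		a.Pods++
		a.busyStart = o.Time
		return "scale-up"
	}
	return ""
}

// Simulate replays a sample series and returns the events that changed the replica count.
func Simulate(a *Autoscaler, samples []Observation) []string {
	var trace []string
	for _, o := range samples {
		if act := a.Observe(o); act != "" {
			trace = append(trace, fmt.Sprintf("t=%ds %s -> %d pods", o.Time, act, a.Pods))
		}
	}
	return trace
}

// SampleSeries is constructed data sampled every 30 s: 5 queued tasks from 0 s to
// 240 s, then an empty queue until 720 s.
func SampleSeries() []Observation {
	var s []Observation
	for t := 0; t <= 720; t += 30 {
		o := Observation{Time: t}
		if t <= 240 {
			o.TaskCount = 5
		}
		s = append(s, o)
	}
	return s
}

func main() {
	a := NewAutoscaler(Delayed, 1, 3)
	fmt.Println(Simulate(a, SampleSeries()))
}
```

With the same series, Delayed reaches 3 pods only after 120 s and 240 s of backlog, while Immediate is at 3 pods by the second sample; both fall back to the minimum after 480 s and 690 s.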

  • Custom groups are now able to use namespace labels, including Rancher’s namespace labels. Generally, pod and namespace labels can now be added to Custom Groups.

  • Add ability to hide selected namespaces, groups in Network Activity view.

  • Full support for Cilium cni.

  • Full support of OpenShift 4.9 and 4.10.

  • Build tools are now available for the SUSE® Security/Open Zero Trust (OZT) project at https://github.com/openzerotrust/openzerotrust.io.

  • SUSE® Security now lists the version ID and SHA256 digest for each version of the controller, manager, enforcer at https://github.com/neuvector/manifests/tree/main/versions.

  • Anonymous telemetry data (number of nodes, groups, rules) is now reported to a Rancher cloud service upon deployment to assist the project team in understanding usage behavior. This can be disabled (opt-out) in UI or with configMap (No_Telemetry_Report) or REST API.

  • (Addendum January 2023). Support for ServiceEntry based network policy with Istio. Egress network policy enforcement functionality was added in version 5.1.0 for pods to ServiceEntry destinations declared with Istio. Typically, a ServiceEntry defines how an external service referred to by DNS name is resolved to a destination IP. Prior to v5.1, SUSE® Security could not detect and enforce rules for connections to a ServiceEntry, so all connections were classified as External. With 5.1, rules can be enforced for specific ServiceEntry destinations. IMPORTANT: If you are upgrading to v5.1 with an Istio based deployment, new rules must be created to allow these connections and avoid violation alerts. After upgrading, implicit violations will be reported for newly visible traffic if allow rules don’t exist. New traffic rules can be learned and auto-created under Discover mode. To allow this traffic, you can put the group into Discover mode or create a custom group with addresses (or DNS name) and a new network rule to this destination to allow the traffic. NOTE: There is a bug in 5.1.0 where the destination reported by deny violations is not the correct destination; both server_name and client_name are reported with the same value. This issue will be addressed in an upcoming patch release.

Bug Fixes

  • Reduce controller memory consumption from unnecessary cis benchmark data created during rolling updates. This issue does not occur on new deployments.

  • Remove license from configuration screen (no longer required).

5.0.6-s1 March, 2023

Bug Fixes

  • Update alpine packages to remediate CVEs in curl including CVE-2023-23914, CVE-2023-23915, and CVE-2023-23916

5.0.6 February, 2023

Bug Fixes

  • High memory usage in dpMsgConnection

  • High memory usage on dp process in enforcer if there are many learned policy rules with unmanaged workload (memory leak)

  • tcpdump is unable to start successfully when sniffing traffic on a container

  • Update alpine to remediate several CVEs including Manager: CVE-2022-37454, CVE-2022-42919, CVE-2022-45061, CVE-2021-46848; Enforcer: CVE-2022-43551, CVE-2022-43552

5.0.5 November, 2022

Bug Fixes

  • Upgrading to 5.0.x results in an error message about Manager, Controller, Enforcer running different versions.

  • Enforcers experiencing go routine panic resulting in dp kill. WebUI does not reflect enforcer as online.

  • Unexpected Process.Profile.Violation incident in the NV.Protect group for the which command on CoreOS.

5.0.4 October, 2022

Security updates

  • Update alpine to remove critical CVE-2022-40674 in the manager expat library, as well as other minor CVEs.

Enhancements

  • Add support for Antrea CNI

Bug Fixes

  • Fix unexpected process.profile.violation incident in the NV.Protect group.

  • When SSL is disabled on manager UI access, user password is printed to the manager log.

5.0.3 September, 2022

Enhancements

  • Do not display the EULA after successful restart from persistent volume.

  • Use the image filter in vulnerability profile setting to skip container scan results.

  • Support scanner in GitHub actions at https://github.com/neuvector/neuvector-image-scan-action.

  • Add Enforcer environment variables for disabling secrets scanning and running CIS benchmarks

    env:
      - name: ENF_NO_SECRET_SCANS    # available after v4.4.4
        value: "1"
      - name: ENF_NO_AUTO_BENCHMARK  # available after v5.0.3
        value: "1"

Bug Fixes

  • Enforcer unable to start occasionally.

  • Connection leak on multi-cluster federation environments.

  • Compliance page not loading some times in Security Risks → Compliance

5.0.2 July 2022

Enhancements

  • Rancher hardened and SELinux clusters are supported.

Bug Fixes

  • Agent process high cpu usage on k3s systems.

  • AD LDAP groups not working properly after upgrade to 5.0.

  • Enforcer keeps restarting due to error=too many open files (rke2/cilium).

  • Support log is unable to download successfully.

5.0.1 June 2022

Enhancements

  • Support vulnerability scan of openSUSE Leap OS (in scanner image).

  • Scanner: implement wipe-out attributes during reconstructing image repo.

  • Verify SUSE® Security deployment and support for SELinux enabled hosts. See below for details on interim patching until helm chart is updated.

  • Distinguish between Feature Chart and Partner Charts in Rancher UI more prominently. Improve ingress annotation for nginx in Rancher helm chart: add / update ingress.kubernetes.io/protocol: https to nginx.ingress.kubernetes.io/backend-protocol: "HTTPS".

  • Current OpenShift Operator supports passthrough routes for api and federation services. Additional Helm Value parameters are added to support edge and re-encrypt route termination types.

Bug Fixes

  • AKS cluster could add unexpected key in admission control webhook.

  • Enforcer is not becoming operational on k8s 1.24 cluster with 1.64 containerd runtime. Separately, enforcer sometimes fails to start.

  • Any admin-role user (local user or SSO) who promotes a cluster to fed master should be automatically promoted to the fedAdmin role.

  • When using SSO with the Rancher default admin into SUSE® Security on the master cluster, the SUSE® Security login role is admin, not fedAdmin.

  • Fix several goroutine crashes.

  • Implicit violation from host IP not associated with node.

  • ComplianceProfile does not show PCI tag.

  • LDAP group mapping sometimes is not shown.

  • Risk Review and Improvement tool will result in error message "Failed to update system config: Request in wrong format".

  • OKD 3.11 - Clusterrole error shows even if it exists.

CVE Remediations

  • High CVE-2022-29458 found in the ncurses package in all images.

  • High CVE-2022-27778 and CVE-2022-27782 found in the curl package in the Updater image.

Details on SELinux Support

SUSE® Security does not need any additional settings to deploy and function on SELinux enabled clusters. Deployment was tested on a RHEL 8.5 based, SELinux enabled, RKE2 hardened cluster. SUSE® Security deployed successfully with PSP enabled once the Manager and Scanner deployments were patched as shown below. The next chart release should fix this issue.

An example for enabling PSP from the Rancher chart is given below, together with the commands for patching the Manager and Scanner deployments. The user ID in the patch command can be any number.

kubectl patch deploy -ncattle-neuvector-system neuvector-scanner-pod --patch '{"spec":{"template":{"spec":{"securityContext":{"runAsUser": 5400}}}}}'
kubectl patch deploy -ncattle-neuvector-system neuvector-manager-pod --patch '{"spec":{"template":{"spec":{"securityContext":{"runAsUser": 5400}}}}}'

Example for enabling PSP:

[neuvector@localhost nv]$ getenforce
Enforcing
[neuvector@localhost nv]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

[neuvector@localhost nv]$ kk get psp
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME                      PRIV    CAPS                                      SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
global-restricted-psp     false                                             RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
neuvector-binding-psp     true    SYS_ADMIN,NET_ADMIN,SYS_PTRACE,IPC_LOCK   RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
system-unrestricted-psp   true    *                                         RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
[neuvector@localhost nv]$ nvpo.sh
NAME                                        READY   STATUS    RESTARTS   AGE     IP           NODE                    NOMINATED NODE   READINESS GATES
neuvector-controller-pod-54f69f7f9c-6h822   1/1     Running   0          5m51s   10.42.0.29   localhost.localdomain   <none>           <none>
neuvector-enforcer-pod-jz77b                1/1     Running   0          5m51s   10.42.0.30   localhost.localdomain   <none>           <none>
neuvector-manager-pod-588488bb78-p6vf9      1/1     Running   0          111s    10.42.0.32   localhost.localdomain   <none>           <none>
neuvector-scanner-pod-87474dcff-s8vgt       1/1     Running   0          114s    10.42.0.31   localhost.localdomain   <none>           <none>

5.0.0 General Availability (GA) Release May 2022

Enhancements

  • Automated Promotion of Group Modes. Promotes a Group’s protection Mode based on elapsed time and criteria. Does not apply to CRD created Groups. This feature allows a new application to run in Discover for some time period, learning the behavior, with SUSE® Security creating allow-list rules for Network and Process, then automatically moving to Monitor, then Protect mode. Discover to Monitor criterion: Elapsed time for learning all network and process activity of at least one live pod in the Group. Monitor to Protect criterion: There are no security events (network, process etc) for the timeframe set for the Group.

  • Support for Rancher 2.6.5 Apps and Marketplace chart. Deploys into cattle-neuvector-system namespace and enables SSO from Rancher to SUSE® Security. Note: Previous deployments from Rancher (e.g. Partner catalog charts, version 1.9.x and earlier), must be completely removed in order to update to the new chart.

  • Support scanning of SUSE Linux (SLE, SLES), and Microsoft Mariner

  • Zero-drift process and file protection. This is the new default mode for process and file protections. Zero-drift automatically allows only processes which originate from the parent process that is in the original container image, and does not allow file updates or new files to be installed. When in Discover or Monitor mode, zero-drift will alert on any suspicious process or file activity. In Protect mode, it will block such activity. Zero-drift does not require processes to be learned or added to an allow-list. Disabling zero-drift for a group will cause the process and file rules listed for the group to take effect instead.

  • Split policy mode protection for network, process/file. There is now a global setting available in Settings → Configuration to separately set the network protection mode for enforcement of network rules. Enabling this (default is disabled), causes all network rules to be in the protection mode selected (Discover, Monitor, Protect), while process/file rules remain in the protection mode for that Group, as displayed in the Policy → Groups screen. In this way, network rules can be set to Protect (blocking), while process/file policy can be set to Monitor, or vice versa.

  • WAF rule detection, enhanced DLP rules (header, URL, full packet). Used for ingress connections to web application pods as well as outbound connections to api-services to enforce api security.

  • CRD for WAF, DLP and admission controls. NOTE: required additional cluster role bindings/permissions. See Kubernetes and OpenShift deployment sections. CRD import/export and versioning for admission controls supported through CRD.

  • Rancher SSO integration to launch SUSE® Security console through Rancher Manager. This feature is only available if the SUSE® Security containers are deployed through Rancher. This deployment pulls from the mirrored Rancher repository (e.g. rancher/mirrored-neuvector-controller:5.0.0) and deploys into the cattle-neuvector-system namespace. NOTE: Requires updated Rancher release 2.6.5 May 2022 or later, and only admin and cluster owner roles are supported at this time.

  • Supports deployment on RKE2.

  • Support for Federation of clusters (multi-cluster manager) through a proxy. Configure proxy in Settings → Configuration, and enable proxy when configuring federation connections.

  • Monitor required rbac’s clusterrole/bindings and alert in events and UI if any are missing.

  • Support criteria of resource limitations in admission control rules.

  • Support Microsoft Teams format for webhooks.

  • Support AD/LDAP nested groups under mapped role group.

  • Support clusterrolebindings or rolebindings with group info in IDP for Openshift.

  • Allow network rules and admission control rules to be promoted to a Federated rule.

Bug Fixes

  • Fix issue of worker federation role backup should restore into non-federated clusters.

  • Improve page loading times for large number of CVEs in Security Risks → Vulnerabilities

  • Allow user to switch mode when they select all groups in Policy → Groups menu. Warn if the Nodes group is also selected.

  • Collapse compliance check items of the same name and make expandable.

  • Enhance security of gRPC communications.

  • Fixed: unable to get correct workload privileged info in rke2 setup.

  • Fix issue with support of openSUSE Leap 15.3 (k8s/crio).

Other Updates

  • Helm chart update appVersion to 5.0.0 and chart version to 2.2.0

  • Removed serverless scanning feature/menu.

  • Removed support for Jfrog Xray scan result integration (Artifactory registry scan is still supported).

  • Support for deployment on ECS is no longer provided. The allinone should still be able to be deployed on ECS, however, the documentation of the steps and settings is no longer supported.

Upgrading from SUSE® Security 4.x to 5.x (prior to 5.2.x)

The instructions below apply to upgrades to 5.0.x and 5.1.x. For 5.2.x, service accounts and bindings have changed, and should be reviewed to plan upgrades.

For Helm users, update to SUSE® Security Helm chart 2.0.0 or later. If updating an Operator or Helm install on OpenShift, see note below.

  1. Delete the old neuvector-binding-customresourcedefinition clusterrole:

kubectl delete clusterrole neuvector-binding-customresourcedefinition

  2. Apply the new update verb for the neuvector-binding-customresourcedefinition clusterrole:

kubectl create clusterrole neuvector-binding-customresourcedefinition --verb=watch,create,get,update --resource=customresourcedefinitions

  3. Delete the old CRD schema for Kubernetes 1.19+:

kubectl delete -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/crd-k8s-1.19.yaml

  4. Create the new CRD schema for Kubernetes 1.19+:

kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/crd-k8s-1.19.yaml
kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/waf-crd-k8s-1.19.yaml
kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/dlp-crd-k8s-1.19.yaml
kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/admission-crd-k8s-1.19.yaml

  5. Create the new Admission, DLP and WAF clusterroles and clusterrolebindings:

kubectl create clusterrole neuvector-binding-nvwafsecurityrules --verb=list,delete --resource=nvwafsecurityrules
kubectl create clusterrolebinding neuvector-binding-nvwafsecurityrules --clusterrole=neuvector-binding-nvwafsecurityrules --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-nvadmissioncontrolsecurityrules --verb=list,delete --resource=nvadmissioncontrolsecurityrules
kubectl create clusterrolebinding neuvector-binding-nvadmissioncontrolsecurityrules --clusterrole=neuvector-binding-nvadmissioncontrolsecurityrules --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-nvdlpsecurityrules --verb=list,delete --resource=nvdlpsecurityrules
kubectl create clusterrolebinding neuvector-binding-nvdlpsecurityrules --clusterrole=neuvector-binding-nvdlpsecurityrules --serviceaccount=neuvector:default

  6. Update image names and paths for pulling SUSE® Security images from Docker Hub (docker.io), e.g.

    • neuvector/manager:5.0.0

    • neuvector/controller:5.0.0

    • neuvector/enforcer:5.0.0

    • neuvector/scanner:latest

    • neuvector/updater:latest

Optionally, remove any references to the SUSE® Security license and registry secret in Helm charts, deployment yaml, configmap, scripts etc, as these are no longer required to pull the images or to start using SUSE® Security.

Note about SCC and Upgrading via Operator/Helm

Privileged SCC is added to the Service Account specified in the deployment yaml by Operator version 1.3.4 and above in new deployments. In the case of upgrading the SUSE® Security Operator from a previous version to 1.3.4 or Helm to 2.0.0, please delete Privileged SCC before upgrading.

oc delete rolebinding -n neuvector system:openshift:scc:privileged

Beta 1 version released April 2022

  • Feature complete, including Automated Promotion of Group Modes. Promotes a Group’s protection Mode based on elapsed time and criteria. Does not apply to CRD created Groups. This feature allows a new application to run in Discover for some time period, learning the behavior, with SUSE® Security creating allow-list rules for Network and Process, then automatically moving to Monitor, then Protect mode. Discover to Monitor criterion: Elapsed time for learning all network and process activity of at least one live pod in the Group. Monitor to Protect criterion: There are no security events (network, process etc) for the timeframe set for the Group.

  • Support for Rancher 2.6.5 Apps and Marketplace chart. Deploys into cattle-neuvector-system namespace and enables SSO from Rancher to SUSE® Security. Note: Previous deployments from Rancher (e.g. Partner catalog charts, version 1.9.x and earlier), must be completely removed in order to update to the new chart.

  • Tags for Enforcer, Manager, Controller: 5.0.0-b1 (e.g. neuvector/controller:5.0.0-b1)

Preview.3 version released March 2022

IMPORTANT: To update previous preview deployments for the new CRD WAF, DLP and Admission control features, please update the CRD yaml and add the new rbac/role bindings:

kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/latest/crd-k8s-1.19.yaml
kubectl create clusterrole neuvector-binding-nvwafsecurityrules --verb=list,delete --resource=nvwafsecurityrules
kubectl create clusterrolebinding neuvector-binding-nvwafsecurityrules --clusterrole=neuvector-binding-nvwafsecurityrules --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-nvadmissioncontrolsecurityrules --verb=list,delete --resource=nvadmissioncontrolsecurityrules
kubectl create clusterrolebinding neuvector-binding-nvadmissioncontrolsecurityrules --clusterrole=neuvector-binding-nvadmissioncontrolsecurityrules --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-nvdlpsecurityrules --verb=list,delete --resource=nvdlpsecurityrules
kubectl create clusterrolebinding neuvector-binding-nvdlpsecurityrules --clusterrole=neuvector-binding-nvdlpsecurityrules --serviceaccount=neuvector:default

Enhancements

  • Support scanning of SUSE Linux (SLE, SLES), and Microsoft Mariner

  • Zero-drift process and file protection. This is the new default mode for process and file protections. Zero-drift automatically allows only processes which originate from the parent process that is in the original container image, and does not allow file updates or new files to be installed. When in Discover or Monitor mode, zero-drift will alert on any suspicious process or file activity. In Protect mode, it will block such activity. Zero-drift does not require processes to be learned or added to an allow-list. Disabling zero-drift for a group will cause the process and file rules listed for the group to take effect instead.

  • Split policy mode protection for network, process/file. There is now a global setting available in Settings → Configuration to separately set the network protection mode for enforcement of network rules. Enabling this (default is disabled), causes all network rules to be in the protection mode selected (Discover, Monitor, Protect), while process/file rules remain in the protection mode for that Group, as displayed in the Policy → Groups screen. In this way, network rules can be set to Protect (blocking), while process/file policy can be set to Monitor, or vice versa.

  • WAF rule detection, enhanced DLP rules (header, URL, full packet)

  • CRD for WAF, DLP and admission controls. NOTE: required additional cluster role bindings/permissions. See Kubernetes and OpenShift deployment sections. CRD import/export and versioning for admission controls supported through CRD.

  • Rancher SSO integration to launch SUSE® Security console through Rancher Manager. This feature is only available if the SUSE® Security containers are deployed through Rancher. NOTE: Requires updated Rancher release (date/version TBD).

  • Supports deployment on RKE2.

  • Support for Federation of clusters (multi-cluster manager) through a proxy.

  • Monitor required rbac’s clusterrole/bindings and alert in events and UI if any are missing.

  • Support criteria of resource limitations in admission control rules.

Bug Fixes

  • Fix issue of worker federation role backup should restore into non-federated clusters.

Preview.2 version released Feb 2022

  • Minor file and license changes in source, no features added.

Support for deployment on AWS ECS Deprecated

Support for deployment on ECS is no longer provided. The allinone should still be able to be deployed on ECS, however, the documentation of the steps and settings is no longer supported.

5.0 'Tech Preview' January 2022

Enhancements

  • First release of an unsupported, 'tech-preview' version of SUSE® Security 5.0 open source version.

  • Add support for OWASP Top-10, WAF-like rules for detecting network attacks in headers or body. Includes support for CRD definitions of signatures and application to appropriate Groups.

  • Removes Serverless scanning features.

Bug Fixes

  • TBD

Other

  • Helm chart v1.8.9 is published for 5.0.0 deployments. If using this with the preview version of 5.0.0 the following changes should be made to values.yml:

    • Update the registry to docker.io

    • Update image names/tags to the preview version on Docker hub

    • Leave the imagePullSecrets empty