Release Notes for Compliance Scanner for PCF

These are release notes for Compliance Scanner for Pivotal Cloud Foundry (PCF).

v1.0.0 - General Availability (GA)

Release Date: July 31, 2019

This is the General Availability release of Compliance Scanner for PCF.

Features

New features and changes in this release:

  • Changes the default port for the oscap_store VM to avoid port range collision and installation issues.
  • Increases the default value for Scanner Timeout to 1200.
  • Changes the default machine type for the oscap_store VM to use 2 CPUs and 2 GB of memory.
  • Provides additional information in scan results, for an improved experience when using the STIG Viewer tool published by DISA:
    • Includes the benchmark used in the test results for checklist creation in the viewer.
    • Adds the severity level field to Xenial benchmark test results.
    • Adds the group field to test results.
    • Adds test categories in the Recommended Security Baseline and Strict Security Practices benchmark test results.

Known Issues

This release has the following known issue:

  • BOSH DNS cannot resolve the oscap_store VM URL if there is any capitalization in the network name.

v1.0.0-beta.63

Release Date: July 8, 2019

Features

New features and changes in this release:

  • Compliance Scanner for PCF now uses a client-server architecture for initiating and generating scan results. This new architecture results in the following changes:

    • Secures the communication between the store VM and all of the scanner VMs through the implementation of mutual TLS (mTLS).
    • Removes credentials needed to trigger scans from the oscap_store VM.
    • Now uses the Ops Manager root CA certificate to sign the mTLS certificates.
  • Adds a configurable Scanner Timeout field to limit how long a scan takes. For how to configure this field, see Configure Scans.

Resolved Issue

This release fixes the following issue:

  • Compliance Scanner for PCF is now compatible with foundations using federated Single Sign-On (SSO) and authorization.

v1.0.0-beta.25

Release Date: April 3, 2019

Features

New features and changes in this release:

  • Updates OpenSCAP to v1.3.0.
  • Adds index.html to provide HTML results.
  • Removes dependencies requiring the Pivotal Application Service (PAS) tile. This enables scans on Enterprise Pivotal Container Service (Enterprise PKS)-only environments.

Resolved Issues

This release fixes the following issue:

  • Fixes an issue when scanning environments without other tiles.

Known Issues

This release has the following known issue:

  • No support for federated SSO and authorization.

v1.0.0-beta.7

Release Date: December 21, 2018

This is the first release of Compliance Scanner for PCF.

Features

New features and changes in this release:

  • Scans all BOSH-managed VMs to verify that the platform is securely configured.
  • Bundles four benchmarks with tests developed for cloud-native OS stemcells.
  • Produces high-level scan reports for each VM in LOG, XML, and HTML formats.

Known Issues

This release has the following known issues:

  • If Compliance Scanner for PCF is scanning a deployment and that deployment is destroyed before the scanning errand finishes, Apply Changes fails with the message "Cannot iterate over null (null)".

  • Some Base Xenial benchmark tests fail. The following table lists the tests that fail and which components they fail on:

  Component                                                  ID of Failed Test
  ---------------------------------------------------------  -----------------
  Diego VM                                                   SV-90191r1
                                                             SV-90193r3
                                                             SV-90235r1
                                                             SV-90237r1
                                                             SV-90263r2
                                                             SV-90277r3
                                                             SV-90491r4
  Clock Global, Cloud Controller, Cloud Controller Worker    SV-90191r1
                                                             SV-90491r4
  All components                                             SV-90277r3