Tenable Cloud Security 2023 Release Notes

• Tenable Cloud Security CLI now provides detailed error logging for single image scans.

  Download the latest CLI from the Tenable Downloads page.

The Workspace page appears when you log in to Tenable. In addition, administrators can change which custom roles can access which Tenable One apps.

• To set a default app on the Workspace page, click on the app tile and select Make Default Login. This app now appears when you log in.

• To remove a default app on the Workspace page, click on the app tile and select Remove Default Login Page. The Workspace page now appears when you log in.

• (Tenable One-only) To control which custom roles can access which Tenable One apps, use new role settings. For more information, see Create a Custom Role.

• You can now scan Harbor registries using robot accounts. For more information, see Scan a Harbor Container Registry.

  Download the latest CLI from the Tenable Downloads page.

You can now export misconfigurations to a CSV report from the Findings > Misconfigurations page. You can do the following to configure your export:

• Select up to five or all misconfigurations in the exported report.

• Select the fields you want to include in the report.

• Schedule the time and frequency for generating the report.

• Schedule and send emails with a link to download the report to a list of recipients.

For more information, see View Misconfigurations.

• On the Findings page, you can now filter misconfigurations and vulnerabilities by age using the Last Seen filter. Values can be Within 1 day, Within 7 days, Within 14 days, Within 30 days, or Within 90 days.

• When you export the list of vulnerabilities, Tenable Cloud Security now retains the filters applied in the exported CSV file.

When you export the Compliance Report, Tenable Cloud Security now retains the filters applied in the exported CSV file.

In the Project page, the link to download the Tenable Cloud Security CLI for scanning your code repositories now directs you to the Tenable Downloads page. For more information about the download location for your operating system, see Install or Upgrade the CLI.

• New Policies

  • Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (AC_AZURE_0588)
  • Ensure 'log_duration' is set for Azure PostgreSQL Configuration (AC_AZURE_0589)
  • Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server (AC_AZURE_0590)
  • Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (AC_AZURE_0591)

• Updated Policies

  • Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - azurerm_postgresql_server (AC_AZURE_0397)
  • Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - azurerm_postgresql_server (AC_AZURE_0396)
  • Ensure that HTTP(S) access from the Internet is evaluated and restricted (AC_AZURE_0059)

• Deprecated Policies

  • Ensure Web Application Firewall(WAF) is enabled for Azure Application Gateway (AC_AZURE_0189)
  • Ensure that a 'Diagnostics Setting' exists (AC_AZURE_0216)
  • Ensure that Diagnostic Logs Are Enabled for All Services that Support it (AC_AZURE_0210)
  • Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (AC_AZURE_0412)
  • Ensure 'log_duration' is set for Azure PostgreSQL Configuration (AC_AZURE_0411)
  • Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - azurerm_postgresql_configuration (AC_AZURE_0413)
  • Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - azurerm_postgresql_configuration (AC_AZURE_0414)
  • Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (AC_AZURE_0409)

The following APIs now include Container Security changes:

• List Metrics

• List Resources

• List Violations

• You can now discover all repositories and tags in your container registry and generate a CSV report. The tcs consec registry command now includes the --mode option that allows you to list the repositories and generate a CSV report. For more information, see Generate a Report of Images in a Container Registry.

  Download the latest CLI from the Tenable Downloads page.

• Tenable Cloud Security now supports scanning Azure Container Registry either using a service principal or a managed entity. Download the latest CLI from the Tenable Downloads page.

  For more information about scanning an Azure Container Registry, see Scan an Azure Container Registry.

You can now group the Compliance Report by Benchmark or Resource Type.

• If you have applied filters on the Findings > Misconfigurations page when exporting the data to CSV, Tenable Cloud Security exports the filtered data.

• The Misconfigurations export now includes the policy URL on the Tenable Cloud Security Policies portal instead of remediation text.

• Cloud account onboarding: The cloud onboarding workflow for all cloud providers now includes a Choose Prerequisites section. You must now confirm that you have met all prerequisites for onboarding a cloud account, including providing permissions to Tenable Cloud Security for scanning and creating snapshots for Agentless Assessment.

• Filter improvements: The user interface for filters on the Policies tab is now consistent with other pages.

• Alert Rules: The Manage Alerts button in the Alerts >Alert Rules tab is now renamed to Manage Notifications.

• Vulnerabilities: The Findings > Vulnerabilities tab includes the following changes:

  • The Resources view for impacted resources in the Vulnerabilities plane is now removed. You can only view the list of impacted resources.

  • The Vulnerabilities tab KPI now shows the total count of vulnerabilities instead of 200+, when the count is greater 200.

• New and updated policies to support CIS Microsoft Azure Foundations Benchmark 2.0.0

• New and updated policies to support CIS Amazon Elastic Kubernetes EKS 1.3.0

• New and updated policies to support CIS Azure Kubernetes AKS 1.3.0

• New Policy

  • Ensure access to Azure SQL Servers is restricted within Azure Infrastructure via Azure SQL Firewall Rule (AC_AZURE_0580).

• Updated Content in Policies

  • Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible (AC_AZURE_0232).

  • Ensure that 'Public access level' is disabled for storage accounts with blob containers (AC_AZURE_0366).

  • Ensure public access is not enabled for Azure Storage Account (AC_AZURE_0370).

• Deprecated Policies

  • Ensure IAM password policy requires minimum length of 14 or greater (AC_AWS_0136).

  • Ensure that IAM policy does not exceed the identity policy quota for AWS IAM Policy (AC_AWS_0499).

  • Ensure IAM Policies were not configured with versions in AWS IAM Policy (AC_AWS_0496).

  • Ensure access to Azure SQL Servers is restricted within Azure Infrastructure via Azure SQL Firewall Rule (AC_AZURE_0381).

  • Ensure a log metric filter and alarm exist for unauthorized API calls (AC_AWS_0586).

  • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (AC_AWS_0558).

  • Ensure a log metric filter and alarm exist for usage of 'root' account (AC_AWS_0587).

  • Ensure a log metric filter and alarm exist for IAM policy changes (AC_AWS_0561).

  • Ensure a log metric filter and alarm exist for CloudTrail configuration changes (AC_AWS_0562).

  • Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (AC_AWS_0588).

  • Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (AC_AWS_0564).

  • Ensure a log metric filter and alarm exist for S3 bucket policy changes (AC_AWS_0565).

  • Ensure a log metric filter and alarm exist for AWS Config configuration changes (AC_AWS_0566).

  • Ensure a log metric filter and alarm exist for security group changes (AC_AWS_0567).

  • Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (AC_AWS_0568).

  • Ensure a log metric filter and alarm exist for changes to network gateways (AC_AWS_0569).

  • Ensure a log metric filter and alarm exist for route table changes (AC_AWS_0570).

  • Ensure a log metric filter and alarm exist for VPC changes (AC_AWS_0571).

  • Ensure a log metric filter and alarm exists for AWS Organizations changes (AC_AWS_0572).

  • Ensure a log metric filter and alarm exist for AWS NAT Gateways (AC_AWS_0150).

Downloads: Tenable Downloads

Tenable Cloud Security now supports container image and container registry scans for detecting vulnerabilities and enforcing policies. You can scan container images securely without sending the images outside your organization's network.

• Scan images in registries: Continuously monitor and scan registries to detect new vulnerabilities that may have been introduced over time.

• Integrate with CI/CD pipelines: Incorporate security scans, policy enforcement, and compliance seamlessly into pipeline stages by integrating with popular CI/CD tools.

• Scan local images: The container security feature enables developers to identify and address potential vulnerabilities and security issues early in the development lifecycle by scanning local images.

• Create comprehensive container security policies: Allow security teams to write complex policies leveraging the Tenable Cloud Security no-code Rego policy editor. The container security feature empowers security teams to create complex Rego-based policies effortlessly using our built-in no-code policy editor without the need for extensive coding knowledge. These policies can then be enforced in the DevOps pipelines to provide enhanced security guardrails. For more information, see Create a Custom Policy.

• Unified and comprehensive view of cloud security: With the addition of container security, you can now have an all-encompassing perspective on vulnerabilities within your containerized environments.

Scan images and registry using Tenable Cloud Security CLI

Scan any OCI-compliant Docker image using the Tenable Cloud Security CLI. To run container image and registry scans, download and install Tenable Cloud Security CLI v2.2.0. After your scan completes, you can view the scan results in the Tenable Cloud Security Console. Tenable Cloud Security also provides key insights about the container scans on the Containers and Vulnerabilities dashboards.

For more information about container security, see Container Security with Tenable Cloud Security.

• The Vulnerabilities dashboard now includes data for images along with cloud.

• You can now filter the dashboard by the source of vulnerabilities — Cloud or Image.

• The Key insights provide a quick overview of the following actionable metrics:

  • Total vulnerabilities in cloud.

  • Total vulnerabilities in registry.

  • Critical vulnerabilities.

  • Resources with critical vulnerabilities.

• The dashboard now includes the following new widgets:
  • Vulnerabilities accessible from 0.0.0.0/0: Displays the number of vulnerabilities, organized by its severity, with public IP addresses.
  • Top 5 OS / Hosts with critical & high vulnerabilities: Lists the top five operating systems or hosts affected with the maximum number of critical and high severity vulnerabilities. Tenable recommends that you remediate these vulnerabilities first.
  • Vulnerability distribution by asset type: Lists the different asset types and their vulnerabilities distributed by VPR score.

• You can use the Data Lifecycle Manager (DLM) service to automate the creation of snapshots from EC2 instances according to a schedule. To get you started, an example is provided to deploy DLM automatically on Tenable GitHub.

• To automate Azure Virtual Machine snapshot creation, an automated solution is provided on Tenable GitHub.

• On the Policies > Policy Groups page, the Policy Group panel for each policy group now includes details of all benchmarks. You can also filter the policies in the policy group by benchmark.

  To view the Policy Group panel, click any policy group in the Policies > Policy Groups page.

• Improved filtering and sorting on the Alert, Alert Rules, and Remediate pages.

• Filter improvements:

  • The filters applied on pages persist until you clear it explicitly or the filter criteria changes due to drilling down from other pages.

  • The filter component is now scroll friendly.

Tenable Cloud Security now supports the following API endpoints for bulk onboarding:

• POST /cns/discovery/v1/account/create — Accepts one or more cloud account details and creates the corresponding records in Tenable Cloud Security.

• POST /cns/discovery/v1/account/configure — Configures the cloud accounts with credentials and associates them with projects.

• POST /cns/discovery/v1/account/fetch — Returns the cloud account details.

• PUT /discovery/v1/account/update — Updates the cloud account credentials.

• Policy Updates:
  • Policies now include supported Terraform and Provider version.
  • Support for the aws_s3_bucket_lifecycle_configuration cloud resource.
• Deprecated Policies
  • Ensure bucket policy is enforced with least privileges for all AWS S3 buckets.
  • Ensure bucket policy is enforced with least privileges for all AWS S3 buckets - Terraform Version 1.x.
  • Ensure latest generation of instance classes is used by Amazon Relational Database Service (Amazon RDS) instances.
  • Ensure latest version of Azure Kubernetes Cluster is in use.

Tenable Cloud Security now supports Amazon Quantum Ledger Database (Amazon QLDB).