Changelog
Version 3.20
version release 11/11/2021
The following items presented in this changelog have been introduced, improved and fixed in the 3.20.0 version of senhasegura.
The changes presented are aligned with the version of the entire platform. Part Number segmentation is not considered in this document. Consult our commercial department, or your reseller, to acquire other functionalities.
What’s new in this version
For details on which features have been enhanced or corrected for each component, see the next chapter in each module section.
For details on how the new items or improvements were introduced to the solution, see our documentation.
Just-in-time credentials (JIT) for proxy sessions
The credentials receive a JIT configuration tab. In this tab you can configure the behavior of the credential in two different dynamic provisioning situations:
Create and Delete: In this category, the registered credential will be used to create a new random credential on the target device, obeying the instructions of the creation and removal template configured by the administrator. So the operator user will always use a new credential for each access;
Enable and Disable: In this scenario, the credential itself will be the target of the activation and inactivation template configured by the administrator. The credential is perpetuated on the target device, but its state will be managed by senhasegura;
The Administrator may manage the creation of these credentials through a report dedicated to the operation of these credentials, accessible by the menu PAM ➞ Credential ➞ Just in time.
Exceptional access for credentials
In the Credentials report, the credentials receive an exceptional access provisioning action. In this action the administrator can set a list of users and a period of time during which they can access the target credential. Users can receive individual permissions to view the password or to use it in proxy sessions.
With this feature, the administrator may grant access in addition to the access groups to which users belong, bringing greater granularity and security in exception scenarios and avoiding the need to constantly review and split access groups.
A set of reports and screens support the administrator in the management and use of these accesses.
Emergency button
In an exception scenario, the administrator can immediately interrupt all running proxy sessions.
This action requires the use of an MFA token, and its execution will be reported through a syslog message.
New Languages Support
Support for Russian and Croatian keyboard layouts.
Dynamic Profile Support for Google Cloud Platform
We incorporated the GCP SDK features so that Projects and Roles can be managed and provisioned dynamically on a GCP account through senhasegura Cloud.
Just-in-time access support (JIT) for AWS STS
You can perform a monitored JIT access to the AWS console through a JIT credential using an STS token.
Changelog
senhasegura
Item | Description |
---|---|
New feature 581 | You can now batch import protected information. |
New feature 2803 | Created just-in-time credential functionality (JIT) for senhasegura Web Proxy. Accounts can be created and removed, or enabled and disabled, dynamically. |
New feature 2946 | Possibility of allocating exceptional access to credentials for a given time without the need to modify access groups. |
New feature 2794 | Created the Emergency button. When used, all proxy sessions and web sessions will be interrupted immediately. |
New feature 2998 | New role permissions report. Accessible through the menu Reports ➞ Permissions ➞ User management ➞ Permissions by role |
New feature 2987 | New executor plugin, based on selenium, for web password exchange. |
New feature 3095 | Created an action for immediate execution in the execution module operation report. |
Improvement 2838 | In privileged information, created the possibility of determining different expiration notification criteria for each user. |
Improvement 2553 | The computer MFA token trust period setting has been changed from days to hours. |
Improvement 2943 | Added Syslog message for e-mail report scheduling events: - When the user creates a new schedule; - When the user edits an existing schedule; - When the user inactivates an existing schedule; |
Improvement 3437 | System default roles permission adjusted. |
Improvement 3202 | Changed the term "Safety" to "Security" in the menu paths and screen names. |
Bugfix 2840 | Fixed error in the batch import of devices and credentials that allowed a domain credential to be imported more than once using different devices. |
Bugfix 2911 | Report filter Credential Type fixed at Access Control History report. |
Bugfix 2885 | Fixed page redirection after SSH keys batch disabling. |
Bugfix 2871 | Correction in the history of password changes for SSH key. |
Bugfix 2847 | Fixed automatic password exchange after the start of a proxy session. |
Bugfix 2968 | Fixed automatic lock of a senhasegura user account that reaches the limit of audited command execution attempts, when the audited command is configured to block the user account. |
Bugfix 3049 | Fixed system management for nonexistent URLs. |
Bugfix 3426 | Fixed credential password persistence where the password is composed of the characters & and ; |
Bugfix 2739 | Fixed SSH keys persistence for private keys at the automatic exchange process. Fixed public key publishing into authorized_keys file at target servers, in the automatic exchange process. |
Bugfix 3439 | Fixed database write concurrency in large-scale cluster environments, which caused access group processing failures. |
Bugfix 2984 | Fixed IP usage failure in SAML server configuration. |
Bugfix 3231 | Fixed UTF-8 Cyrillic language support. |
Security 3458 | A new special configuration for external MFA solutions usage has been developed. |
Security 3050 | Default URL redirections were revised. |
The following items are no longer supported by senhasegura.
Item | Description |
---|---|
Deprecated 4638 | Windows SMB is no longer a supported Execution Plugin. |
senhasegura.go
Item | Description |
---|---|
New feature 2806 | New report for Application Malware Analysis. The analyses are executed by senhasegura.go using the VirusTotal service, and their results are forwarded to the senhasegura server. Configured users will be notified about analysis results. |
New feature 2949 | Regular expressions can be used to configure allowed commands for senhasegura.go for Windows. |
New feature 2950 | You can now configure a new application policy using a record from the execution event report. |
New feature 2957 | New workstation logins and activity monitoring service and report. The registered events will be available in a report on the senhasegura server. |
Improvement 3322 | Added support for automation binary arguments. |
Improvement 3434 | Improved server communication with the client when sending a session macro. |
Improvement 3435 | The application access lists are now based on the application's hash. The list setup will display the application hash over the application name. |
Removed 3438 | The Default action without allowlist option will be removed from the senhasegura.go global definitions. |
senhasegura.go for Linux
Item | Description |
---|---|
New feature 2932 | Created monitoring of logins and execution of commands performed on stations with senhasegura.go Linux. Data can be accessed by a report on the senhasegura server. |
Improvement 3459 | The senhasegura.go for Linux configuration file will be overwritten with each installation. |
Bugfix 3460 | Fixed the persistence of allowed events for senhasegura.go for Linux. |
Bugfix 3464 | Correction in the default configuration of audited applications in environments that use senhasegura.go for Linux. |
senhasegura.go for Windows
Item | Description |
---|---|
New feature 3317 | Created an action to immediately synchronize the credentials. This action is available from the system tray context menu. |
New feature 3318 | Created an action to immediately synchronize the policies. This action is available from the system tray context menu. |
New feature 3360 | Created support for automation audit recording. |
New feature 1836 | A new rule for unknown file executions. |
Improvement 3234 | Expansion of the application execution block policies. senhasegura.go will now monitor and block applications that were started outside its control, no matter which privilege the target application credential is using. |
Improvement 3450 | If the malware analysis is enabled, the target application will be executed only if it has been analyzed once. If the workstation is offline, the target application will not be executed. |
Bugfix 3449 | Fixed an error in the malware analysis that caused execution to be blocked without considering the analysis result. |
Bugfix 3432 | The user's default credential was not selected when the client starts. |
Bugfix 3430 | Fixed the Just-In-Time User Provisioning (JIT) for domain users. |
Bugfix 3436 | Fixed the interaction block while automation is running. |
Removed 3375 | Removed support for Microsoft Internet Explorer in automation. |
WebService A2A
Item | Description |
---|---|
Bugfix 2852 | Fix in A2A endpoint response for device registration with non-existent domain. Previously returned an HTTP 500 error with the message "Unexpected error". Now returns an HTTP 400 error with exception code 1029 and the message "It is not possible to enter a domain that has not been previously registered". |
senhasegura Proxy
Item | Description |
---|---|
Improvement 2868 | Improved argument handling for sudo automation in Terminal and Web SSH proxies. |
Bugfix 2983 | Fixed bug in sudo automation for target servers with high communication latency. |
senhasegura Web Proxy
Item | Description |
---|---|
New feature 3377 | Added support for UTF-8 Cyrillic and Croatian keyboard layouts. |
Bugfix 2886 | Timezone settings were not being replicated in the embedded browser that supports HTTP web proxy sessions. |
Bugfix 3093 | Fixed use of SSH key for senhasegura Web Proxy X11 sessions. |
Security 3164 | Changed configuration of the embedded browser that allowed saving the password of the website accessed. |
senhasegura Cloud
Item | Description |
---|---|
New feature 1461 | Support for dynamic profile provisioning using Google Cloud Platform (GCP). |
New feature 2240 | Just-in-time (JIT) account support for AWS STS platform. |
Security 2945 | The Secret Access Key field is no longer displayed on the Cloud IAM account update form. |
Scan & Discovery
Item | Description |
---|---|
Bugfix 2857 | Fixed discovery for self-signed certificates on Microsoft IIS servers. |
Bugfix 3461 | Fixed the display of Devices services, View logs and Last debugs reports from a discovery result. |
senhasegura Domum
Item | Description |
---|---|
Improvement 2743 | Added changes to Domum parameters in audit reports. Changes will also be notified via SYSLOG. |
Improvement 2809 | Adjust screen size for third-party access creation. |
Improvement 2810 | Added Third-Party User photo to Third-Party User registration change form. |
Improvement 2733 | Added changes to Domum Employee Groups to audit reports. Changes will also be notified via SYSLOG. |
Improvement 2734 | Added changes to the records of Domum Suppliers and Third Parties in the audit reports. Changes will also be notified via SYSLOG. |
Improvement 2775 | In the Suppliers register, the Users tab was removed at the time of creation. Upon change, it will be made available for read only. In the registration of Third Parties, the Accesses tab was removed at the time of creation. Upon change, it will be made available for read only. The screen Remote Access - Partner User has been renamed to Access Request - Third Party User. When requesting new access, the start date field will be populated with the current date. |
Improvement 2906 | For Domum users that are configured with login via SSO, access to Domum will only be possible using the username and password. |
Improvement 3396 | Improved photo upload validation for Third-Party User registration. |
Bugfix 3425 | Fixed validation failure in inactivating Suppliers action. |
Bugfix 3394 | Fixed Third Party User filter crash on Third Party User dashboard. |
Bugfix 3395 | Fixed inactivation of Suppliers. Vendor inactivation will also inactivate related Third Party Users. |
Bugfix 3409 | Fixed joint usage of Domum with AD services where syncing with AD disables Domum accounts. |