Release Notes

New Features

New Features

Product Enhancements 

Product Enhancements 

Product Enhancements 

MSQL Data Gathering Configuration 

A new tab for MSQL has been added to the license manager data configuration page. This allows you to enter information about your MSQL databases so OpsCompass can include MSQL databases in configuration and compliance scans. The same functionality has also been added to the license-manager module in the OpsCompass CLI. 

Mitigations and Exceptions Filter 

In this release, we have updated the filters in the Mitigations and Exceptions feature so customers can now filter by exception, checks, resources, and creator in addition to the type and status. These filtering options make it easier for customers to find what they are looking for. 

New Authorization Flow for Microsoft 365 Exchange and SharePoint Tenant Scanning 

We introduce a new flow for authorizing OpsCompass to scan Exchange Online and SharePoint tenant settings. Now we use an Azure AD Application to gather the Exchange and SharePoint data rather than using a username and password to connect to the Exchange Online and SharePoint Online PowerShell environments. 

To use this scanning flow, follow the steps to connect a Microsoft 365 tenant to OpsCompass. After the initial Azure AD authorization step, which authorizes OpsCompass to read resources like users and groups, you can authorize this second OpsCompass Azure AD application. 

After authorized, to allow OpsCompass to read your Exchange Online settings, you’ll need to add the new application to the “Global Readers” role for your tenant. OpsCompass provides you these details during the setup process. 

Oracle Database CIS Benchmark 

OpsCompass offers Oracle 19c CIS Benchmark support! Users can now track their Security Compliance status of their Oracle Database Instances within OpsCompass. OpsCompass implements over 100 different compliance checks based on the benchmark recommendations, covering User Access Auditing, Least Privilege Access Recommendations, Connection Restrictions within your instance, as well as best practices for database parameter settings. For more information on installing data gathering scripts, or if you are interested in trying out Phase 2 of support, please contact your OpsCompass representative. 

Bug Fixes / Enhancements 

• With the CLI, when you update your data gathering scripts, we’ll no longer warn you that your scripts are out of date. 
• On the Mitigations and Exceptions page, when you select multiple records the page should tell you the correct number of records you’ve selected. 
• When filtering the Drift view by a change date range, the dates in the filter summary should match the dates in the filter view. 
• When creating or editing Drift Concerns, the fields no longer take up the full window width available to them. 
• When you click on the “Notifications” bell while you have no notifications, you now see a message that you have no notifications. 
• We updated the recommended action when an AWS S3 bucket allows non-HTTPS traffic to recommend making a policy blocking non-HTTPS traffic for all S3 actions. 

Product Enhancements 

Oracle Database CIS Benchmark 

OpsCompass is beginning to roll out Oracle 19c CIS Benchmark support! Users with initial access can now track their Security Compliance status of their Oracle Database Instances within OpsCompass. For more information on installing data gathering scripts, or if you are interested in trying out Phase 1 of support, please contact your OpsCompass representative. 

Additional Feature Development 

Mitigations and Exceptions 

OpsCompass users will be able to view and edit their previously created compliance mitigations and exceptions. The feature also supports bulk editing and advanced filtering capabilities. This feature can be found within the compliance section in the main side menu. 

Note: In our next release there will be more filtering options so users can see which mitigations and exceptions are expiring soon. 

License Manager: Data Gathering Config Script Integration 

To support the upcoming addition of Security Compliance monitoring on Oracle Databases, Oracle Database Connections tracked through OpsCompass can now have multiple actions associated with them. These actions allow for the separation of permissions on different users OpsCompass may connect with, or to disable connections from being used entirely. 

Bug Fixes / Enhancements 

We have updated the license manager display columns and modals to provide accurate, streamlined information. 

This release of OpsCompass includes exciting new features like License Manager Data Gathering Configurations, updates to existing features like the License Manager Reports, and other fixes. 

New Logo 

To be consistent with our marketing and branding, there’s a new logo in the web application. As with all brand updates, you may still see old branding in certain places that haven’t been updated yet. 

Available Feature: License Manager Data Gathering Configurations 

OpsCompass License Management users will be able to configure the OpsCompass License Manager data gathering scripts directly from the OpsCompass web application. 

This allows users to provide Oracle database connection strings, VCenter connection info, or modify general settings without logging into the server where the scripts are installed. 

Note: These configurations require installing updated OpsCompass License Manager data gathering scripts in your environment. These scripts will be provided at a future time. 

These configurations can also be managed through the OpsCompass API and OpsCompass CLI. 

Enhanced Feature: OpsCompass License Manager Reports 

We’ve updated the layout of License Manager reports. We’ve replaced the side-by-side tables with a drill-in window. 

In addition to updating the basic layout of the primary table on each of the four report tabs, the three tabs with additional information (Entitlements, License Usage Map, and Deployment Details) now use a “flyout” mode for the additional information. This reduces the need to scroll horizontally and lose context as you click through the report details. 

New Feature: Switch Active Company 

Users who are members of multiple OpsCompass companies can now switch between them directly in the web application. 

Switching companies this way will take you to the default view of the new company (usually the OpsCompass Dashboard). If a user is a member of only one company, they will not see this “Switch Active Company” option. 

Enhanced Feature: Entitlement Manager Numbers and Costs 

When displaying quantities and costs, License Manager Entitlement Manager now renders costs as currency ($1,234.00) and quantities with digit separators (1,234) rather than rendering them as plain numbers (1234). 

New Resource Type: Amazon SQS Queues 

OpsCompass now scans Amazon SQS Queues, allowing you to see inventory and drift on your SQS queue configurations. 

This release of OpsCompass brings new features and some bug fixes for some older features. 

New Feature: License Manager License Entitlements 

The License Manager area of OpsCompass now has a section for License Entitlements, a place for you to store and manage your licenses for Oracle products. Navigate to License Entitlements from the new License Manager Dashboard. 

The Entitlements area shows the products you’ve purchased from Oracle, which orders, and how many of the appropriate metric you’ve purchased (processor or named user licenses). It also shows usage limitations and the support begin and end date, where applicable. 

Clicking on one of the products shows the details for that product: the summarized totals as well as the individual orders that add up to those totals. These details can be dismissed by clicking the background outside the details or by pressing the “Escape” key on the keyboard. 

Add new entitlements by exporting your support data from Oracle and uploading the resulting CSV into OpsCompass. Click on the “Upload Entitlements” button and upload your data. 

Once the data has been uploaded and processed, you can review your uploaded data from the notification in the Notifications area or by clicking the “Review Upload” button on the Entitlement Manager. 

Users can edit this entitlement data before submitting it by clicking on the “Edit” button. This allows users to add data that’s not provided by Oracle’s export or to add additional information found outside Oracle’s system. 

Once submitted, the data will be added to the current entitlement data. Any incomplete data will be flagged for the user to update before submitting. 

New Feature: AWS Marketplace Integration 

Users can now sign up for a paid OpsCompass subscription using the AWS Marketplace. 

New Resource Type: Amazon SNS Topics 

OpsCompass now supports Amazon SNS Topics as a resource type for AWS accounts. This resource type has basic support for inventory and drift, though we don’t currently have any compliance checks for SNS topics. 

Improvement: Layout for Deleting Data 

Users with broad access to a company have a more consistent experience on their “Settings” page for the data they can delete. The layout on this page was not consistent before. 

The February 2022 release of OpsCompass comes with a brand-new feature, Document Manager, as well as a variety of other smaller changes to improve the app’s experience. 

Highlights: 

• • New Feature: Document Manager 
• • New Feature: Activity Report 
• • Updated Admin Area 

New Feature: Document Manager 

You can use OpsCompass to share documents with your team and with OpsCompass employees. This new functionality is available under the “Document Manager” heading in the main navigation. Document Manager comes with some default directories for certain report outputs. You can also make new directories and upload documents into those directories. 

By default, users in the “Company Sysadmin” role were granted access to the Document Manager feature. You can grant people access to all the company’s documents in OpsCompass by granting them the “Document Administrator” role. You can also grant people access to specific directories rather than the whole directory tree. 

Creating Directories 

Before you can upload any documents, you need to create a directory to upload those documents to. 

 Provide the name of the new directory in the dialog that appears. 

More Information 

Detailed instructions for all the features of Document Manager are available in our Knowledge Base, including detailed steps for managing the documents, generating a report of which documents were uploaded, downloaded, and deleted, and managing access to documents. 

New Feature: Activity Report 

We’ve created an activity log for OpsCompass. At this time, the only activities being logged involve the Document Manager, logging creations, deletions, and downloads of documents and directories. You can generate a report from the Manage Users Page.

Over time, additional OpsCompass activities will be logged here. 

Updated Feature: “Admin” Navigation 

We’ve merged the Teams, Drift Concerns, and Users pages together into a single “Admin” section. 

Once you enter the “Admin” section, you can switch between the areas using a tabbed navigation. 

• Compliance Reporting has been expanded to include a new PDF report.  
• OpsCompass License Manager has been improved with new data gathering script packaging and deployment.  
• OpsCompass License Manager has been improved with automated data ingestion.  
• OpsCompass API Command Line Interface (CLI) is available as a downloadable NPM package. 
• New APIs have been added for listing accounts.  
• Added checks for AWS Password Policy 
• Added checks for AWS S3 bucket configuration & security 
• Added checks for AWS EC2 EBS volumes 

Bug Fixes/Improvements

• The Drift View has been updated to change the visual indicators. Now shaded green/red areas show additions and deletions, and a teal bar has been added to show the area of JSON detected in the evaluation. 
• Fixed a bug that caused the Virtual Machine Name to disappear in the deployments section of OpsCompass License Manager.  
• Added CloudFormation Templates to Event Driven scanning for faster detection of changes. 
• Minor fixes and improvements to compliance checks, improving rule names, error messages, framework assignments and attribution.  
• Fixed a bug where the latest resource version would incorrectly show “undefined.” 
• Improved the user experience for conditions where no new alerts exist. 

• OpsCompass API Preview – A new API for OpsCompass is available as a preview. This API allows authenticated access to resource information in the product via API. The initial release of the OpsCompass API will include a handful of functional interfaces with more to be added over time. Initially, OpsCompass will provide a ‘resources’ API that will get resource configuration information, recent drift notifications, and compliance problems. A command line interface will be released during the week of September 20. 
   
• Notification Bar – OpsCompass now includes a notification experience to alert users to drift concerns and newly found compliance problems. A new notification feed page is available to navigate through a 2-week history of alerts. 
   
• AWS Account Connections – the AWS account connection experience has been redesigned to provide a more reliable experience. A new progress bar and user notification experience helps users understand progress in connecting accounts. Newly connected accounts have prioritized scanning to ensure the fastest possible connection experience. New CloudFormation Templates allow users to create appropriate and safe roles for OpsCompass, to enable scanning and event detection. New Command Line Interface (CLI) instructions are available to enable OpsCompass through AWS CLI directly. 

Bug Fixes/Improvements

• Last Scanned time has been changed to reflect the last periodic scan, rather than the last event detected.
• Resources listed on the Check Page now reflect a status icon specific to that check, rather than indicating a general error state. 
• Fixed an issue where Related Resources were not detected correctly due to excessive request size. 
• Fixed an issue in account connections, to prioritize new account resource scanning and avoid new account processing delays. 
• Fixed an issue where AWS account setup would fail during periodic scanning setup, leaving users stuck in the sign-up process. 
• Fixed an issue where newly created AWS account connections were not processing notifications consistently. 
• Fixed a scale limitation in AWS account setup limiting AWS account connections. 
• Fixed an issue where errors in the AWS account setup process were not being displayed to users. 
• Eliminated excessive drift alerts caused by Microsoft 365 “originating server” drift, AWS Dynamo data record count changes, and certain non-event CloudTrail alerts. 

• Receive alerts without having to log in via our Slack Integration! Drift Concern alerts can now be sent to a Slack channel. More detail can be found in our Slack KB article
• CIS Controls v7.1 have been updated to CIS Controls v8
• The navigation sidebar is now collapsible, yielding more room for your resource details
• The Compliance Dashboard headline numbers previously showed total/high/medium/low counts that summarized all selected frameworks. Due to adding frameworks, these numbers have been growing and are not best serving user understanding of their compliance landscape. To address this, OpsCompass will now show the number of: Compliant Resources, Open Problems, Policy Exceptions, and Mitigations.

Bug Fixes/Improvements

• Fixed a scanning bug with gke#cluster resources where regional clusters were marking zonal clusters as deleted
• On the Dashboard, moved ‘Add Account’ icon from Accounts card to the Inventory card
• Made phrasing consistent on the Add Account Page
• Updated sender on weekly digest from ‘digest’ to ‘OpsCompass Weekly Digest’
• Modified an S3 bucket check to meet new CIS recommendation to block all public access for every bucket, not just CloudTrails
• AWS: Connecting Account Field Validation
• Improved user input validation associated with adding Cloud Accounts
• Improved resource type filtering for Inventory

• OpsCompass is adding two-factor authentication (2FA) as a requirement to further protect all user accounts. For more information read ‘How to Enable 2FA Within OpsCompass’ 
• Added CIS Controls Version 8 framework

Bug Fixes/Improvements

• Fixed an issue where a resource’s details could fail to load if related resources did not return as expected
• Fixed an issue where the compliance status of a check for a resource could continue to display “Not compliant” after the issue with the resource was resolved in a rare initial condition that affected about 0.2% of resources
• Fixed a bug where Drift for some Azure Resource Types erroneously was showing resources being removed and re-added
• Changing sort order will display the resource card of the first resource in the list
• Changed session cookie timeout value to one (1) hour
• Upgraded jQuery to latest version 3.6.0
• Session cookies are now properly destroyed on logout

• Inventory now includes a card that displays resource details so that users can better understand the activity and detail of specific resources while remaining in the context of an inventory filter

Bug Fixes/Improvements

• Removed ‘Cloud Provider’ tab from Inventory page since Scope is used for filtering by Cloud Provider the utility of this tab as a drilldown has been diminished
• Removed ‘Region’ and ‘Created On’ from the Inventory Resource table since these are displayed on the new Resource card
• OpsCompass now checks for the use/configuration of AWS Secrets Manager and checks for the use of secret rotation scheduling.
• Removed cloud provider prefix from Resource Types as it is redundant information
• Fixed a bug where sometimes GCP scans would run out of memory; this typically only happened with new GCP accounts
• Changed the target of Dashboard’s ‘View all Inventory’ link to land on Resources tab
• Fixed Export Report function on compliance status for all resources page
• Fixed a bug where in certain cases users were not able to export Compliance reports
• Fixed a bug where EC2 SecurityGroup relations were not being properly parsed even though they were present in the scan
• Added sql#database resource type (GCP)
• Expanded type dependency scanning to cover Azure
• Expanded type dependency coverage of GCP scanning
• Break up `sync-subscription-resources`
• Corrected remediation steps for AWS CloudWatch KMS Key management
• Updated style of buttons and icons used on Inventory page
• Added check for AWS S3 Buckets to ensure CloudTrail buckets are not exposed to the internet.
• Authored compliance check for AWS accounts to ensure there are more users than just root
• Corrected the remediation steps for AWS CloudWatch compliance checks

• OpsCompass now checks for the use/configuration of AWS Secrets Manager and checks for the use of secret rotation scheduling.
• To remove confusion introduced by showing framework-specific severity levels for problems, OpsCompass has removed the framework-specific severity levels and now shows only the framework control references. Note that the Severity is still present at the control/requirement level.
• Corrected the remediation steps for AWS CloudWatch compliance checks
• Changed the target of Dashboard’s ‘View all Inventory’ link to land on Resources tab
• Fixed a couple issues that caused compliance problems for deleted resources to be counted on the dashboard and inventory.
• Fixed a bug where in certain cases users were not able to export Compliance reports
• Changed header on Exception/Mitigation modal popup when no resources selected
• Improved check coverage for NIST CSF v1.1
• Display popup to show “Select resources using checkboxes” on clicking Add exception button on check page
• Changed default tab in inventory to ‘Resources’
• Added tags for severities to the controls display on disabled checks
• Tabular display of related resource for resource no longer contains entry for itself
• Fixed bug where duplicate Compliance Framework sub controls displayed on resource in inventory.
• Added additional check information to Inventory Resource page
• Improved loading message in inventory
• Updated paging controls and entries per page styles used in DataTable
• Authored compliance check to ensure Redis Cache is not publicly exposed
• Assigned network checks to CIS AWS Benchmark 5.2 control
• Assigned network checks to CIS AWS Benchmark 5.1 control
• Improved sort widget indicators
• Updated References: Update references to Compliance Status for Resource page
• Updated References: Run migration script to migrate rule data to checks
• Clean Up: Remove (now obsolete) Rule Pages
• Updated References: Replace disabled checks card with disabled rules
• Top Fix card now links to new Check Page
• Refactored Manage Check Page to improve use and presentation
• Created Manage Check Page

• OpsCompass now includes support for FedRAMP (technical controls of the Moderate Baseline template)
• Compliance Problems and Top Fix links now link to a new Check page that improves the use and presentation of compliance information for resources

Bug Fixes/Improvements

• Changed default tab in Inventory to ‘Resources’
• Updated paging controls and entries per page styles used in DataTable
• Improved sort widget indicators
• Added tags for severities to the controls display on disabled checks
• Tabular display of related resource for resource no longer contains entry for itself
• Improved loading message in inventory
• Changed text for Exception/Mitigation modal popup when no resources selected
• Top Fix card now links to new Check Page
• Fixed intermittent datatable initialization issue
• Fixed bug where duplicate Compliance Framework sub controls displayed on resource in inventory.
• Removed legacy artifacts from setupEventForwarding AWS Lambda
• Added OpsCompass Master Control expansion to checks on controls on upload
• Fixed compliance rules upload script bug where proper cloud rule was not being generated
• Added mapToKey functionality in Auger processConfig function
• Make getResourceRelationships return a better JSON object
• Authored compliance check: AWS EKS Ensure clusters are created with private endpoint enabled and public access disabled
• Authored compliance check: AWS EKS Restrict access to the control plane endpoint
• Authored compliance check for: CIS AWS EKS 2.1 Enable audit logs check
• Added additional check information to Inventory Resource page
• Authored compliance check to ensure Redis Cache is not publicly exposed
• Assigned network checks to CIS AWS Benchmark 5.2 control
• Ignore disabled checks during compliance scan
• Updated References: Update references to Compliance Status for Resource page
• Updated References: Run migration script to migrate rule data to checks
• Removed Compliance Status for Resource page
• Updated References: Replace disabled checks card with disabled rules
• Updated References: Update Inventory Resource Page to Link to Check Page

• OpsCompass now includes support for NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf). Technical controls are evaluated for adherence to the NIST defined requirements.
• Resource Inventory now includes a ‘Related Resources’ tab that shows resources that have a direct relationship to the current resource. This helps users identify change impact and better understand workload resources. The tab contains resource name, related by information, resource type, region, problems, changes, and created date. All columns are sortable.

Bug Fixes/Improvements

• Authored compliance check for AWS accounts to ensure there are more users than just root
• Authored compliance check for signing certificates on AWS root account
• Authored compliance check for MFA on AWS Root account
• Authored compliance check for the presence of Access Keys for AWS root user
• Standardized checkbox classes used in UI
• Added AWS Account Summary Resource Type

• OpsCompass will now send out Dashboard-level information to users on a weekly basis. This weekly report provides you with high-level visibility of your cloud infrastructure’s security posture without needing to login and without including sensitive information.

Bug Fixes/Improvements

• Fixed bug with CIS rule requiring MFA devices when users do not have console access
• Fixed an issue where AWS S3 buckets showed the wrong region in OpsCompass
• Re-enabled initial email for account validation
• Fixed text box that allows searching inventory by resource name
• Updated the framework “MLSS” to “Oracle Database Licensing”

• New users will be able to sign up for accounts secured with a password again, rather than being forced to use Microsoft or Google to log into the app.

Bug Fixes/Improvements

• Updated Terms of Service for April 2021. Note that you will need to review and approve.
• Users who use a password to log in to OpsCompass can change their password through their “Settings” page.
• Fixed bug that caused a deleted user to not be immediately logged out.
• Fixed bug where a modal could not be dismissed after a company was downgraded to Free Tier.

• Improved No Results Messaging for (most) Pages that Use Page Filters
• Addressed empty OLM deployment details table date rendering
• Improved consistency with names used in navigation, breadcrumbs and page titles
• Added friendly message to user when scope conflicts with a saved filter
• Added more descriptive text indicating what is filtered on a page
• We inform the user when they authorize OpsCompass in Azure AD but don’t have permissions to set up OpsCompass in any subscriptions.
• Improved sizing on Dashboard for smaller screens so that Top Fixes show properly

• Compliance and Drift pages have a new filtering interface! Filters are now presented as a modal window with collapsible sections to improve usability. Of course, Saved Filters are still supported; now accessed through a dropdown list right next to the Filter button.

Bug Fixes/Improvements

• Updated labels in JSON differencing view in Drift to be bold, black text.
• Fixed for issue with viewing drift change where if more than one concern was tied to a change the carets associated with the first concern pointed the wrong direction.
• Confirm user delete action
• Fixed a bug where whitespace provided with AWS role or external ID would cause an AWS account to fail to connect.
• Prevented users from accessing Add Account if they do not have permission to add accounts
• Clarified Azure/O365 onboarding instructions to highlight that CSCM only requires read-only access
• Fixed a bug with Azure Key Vault Soft Delete Compliance Check checking for Purge Protection property
• Resources that are removed from cloud should not display in inventory or dashboard

• Users can now delete user accounts for their company or initiate a delete for their company. If deleting a user or company, the user is brought to a page thanking them for trying OpsCompass. The page has a link back to https://www.opscompass.com/. User deletions are prevented if the user is the only user with the role “company_sysadmin”. They are instructed that they need to transfer the role before the deletion can be completed. All deletion types tell the user the deletion can take up to 30 days to complete.

Bug Fixes/Improvements

• Fixed not submitting the form for Bulk Mitigation/Policy Exception
• Fixed extra ‘Last Known Configuration’ text on resource page
• Fixed a bug where a ‘removed’ tag was displaying next to active accounts.
• Fixed issue with inconsistencies between Drift Concerns counts on Dashboard and on Drift Page
• Modified styles associated with editing Drift Concerns
• Added support for assigning teams when creating/updating Drift Concern
• Updated column name on Companies page in admin portal from “Age” to “Created On”

• New Accounts Filter Experience on Drift: We have a new way to select the accounts you want to see on the Drift page. This feature will be expanded and grown over time. Try it out and let us know what you think!

Bug Fixes/Improvements

• Accounts Filter Updates: Every page that has the option to filter by cloud accounts now sorts them by cloud then alphabetically. This is the same order the accounts appear on the dashboard.
• Updated teams page to have label ‘Drift Concerns’ instead of ‘Alert Concerns’
• New URLs for the “Upgrade” and “Free Trial” links: these now link to new pages in our dot-com experience. Upgrade links to our Pricing Page and the “free trial” links to our “Start for Free” page.
• Fixed time zone issue with setting mitigations/policy exceptions on resources that leads to incorrect history information
• Modified Welcome pages 14-day Free Trial link
• Ignoring realtime event processing errors related to short-lived Azure resources (such as Databricks resources)

• N/A

Bug Fixes/Improvements

• Support AWS CloudFormation template: So that OpsCompass can successfully discover and monitor resources while using only read-access permissions within AWS, we have authored a forwarding rule. The forwarding rule monitors all AWS service events, both raw and CloudTrail sourced, that sends events to OpsCompass and stores them in an S3 bucket. To ensure that data sources are not readable to OpsCompass a deny policy is used to explicitly prevent access of data source contents.
• Added additional information to ‘Add Account’ page including KB references and invite user button
• Updated new AWS signup experience to Pharos Styles
• Chrome browser issue – Fix mega-caret issue seen on compliance framework page
• Updated time zone should not give you a confirmation prompt about legal settings
• Updated AWS Lambdas to allow non-administrative signup
• Updated ‘Add Account’ workflow to use new Pharos styles and colors
• Corrected inconsistency between number of accounts displayed on dashboard and inventory
• Updated styles and layout in Inventory pages
• Updated Inventory Page to use Pharos Colors and Icons
• Corrected bug associated with MLSS date checking that created unnecessary compliance drift
• Capture CloudFormation stacks with similar names
• Modified CIS check to remove ports 22 and 3389 validation from AWS default security groups
• MS 365: Split scanning functions from HTTP-triggered functions
• Added CIS rule for microsoft.graph.identitySecurityDefaultsEnforcementPolicy