azure-security (2.35.0) stable; urgency=low
  * Enable GIG in all public cloud
  * Enable optimized libbpf based network telemetry in all public cloud

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 27 Feb 2026 12:00:00 +0800

azure-security (2.34.0) stable; urgency=low
  * Enable GIG in Canary
  * Update redaction rules and enable Nginx scanner in all regions
  * Enable Blueshift for LinuxAsmAudit logs in AGC
  * Improve tamper detection module

  * VSA Node Scanner
    - Scoped remote configuration

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 29 Jan 2026 12:00:00 +0800

azure-security (2.33.2) stable; urgency=low
  * VSA Node Scanner
    - Added endpoints for Bleu to download manifest from
    - Added support for CCME certificates
    - Added default manifest, in case we cannot download manifest or have certificate validation for manifests

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 16 Dec 2025 12:00:00 +0800

azure-security (2.33.1) stable; urgency=low
  * VSA Node Scanner
    - Fixed Qualys crash caused by hidden tracking file (regression on Qualys side)

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 04 Nov 2025 12:00:00 +0800

azure-security (2.33.0) stable; urgency=low
  * Enabled Nginx log collector on limited prod regions in public cloud
  * Enabled optimized network telemetry in canary non-prod for Ubuntu and Mariner distros.
  * VSA Node Scanner
    - Added performance metrics of SCA to logs
    - Added kill switch through remote config
    - Added thumbprint for AMEv2 certificate before we remove pinned certificates from client altogether
  * Container Inv Scanner
    - Added a new binary to collect data on Kubernetes Pods running under the containerd runtime.
    - Added collection enhancement for the image report using Pod annotations.
    - Created new Pod Report
  * Code Integrity Scanner
    - Added dependency updates per SFI items

azure-security (2.32.1) stable; urgency=low
  * Enabled Nginx log collector on 5 prod regions

azure-security (2.32.0) stable; urgency=low
  * Enabled Nginx log collector on canary prod regions
  * VSA Node Scanner
    - Rollback Qualys agent version to 1.5.0-1

azure-security (2.31.0) stable; urgency=low
  * Enabled Nginx log collector on canary non-prod regions
  * Ignore OOM kill events for ASA tamper detection
  * CertsInUse scanner
    - Fixed issue where the CertsInUse scanner does not show data on AZL3

azure-security (2.30.1) stable; urgency=low
  * Enabled ASA tamper detection on all public cloud x64 machines
  * CertsInUse scanner
    - Fixed issue where KeysInUse-OpenSSL package was no longer automatically installed by CertsInUse scanner on Mariner 2
    - Fixed issue where CertsInUse scanner didn't pick up events on arm64 Azure Linux 3

azure-security (2.30.0) stable; urgency=low
  * Not creating a separate AzSec c-group where cgroup v2 is supported, to use the default systemd-assigned c-group and allow customized system-level overrides.
  * Updated LinuxAsmAuditDerived to LinuxAsmAuditDerivedAZDP and updated scrubber rule for LinuxAsmAudit.
  * [RUST Migration] Added IMDS Rust library with fallback to existing Go implementation.
  * Updated ASA tamper detection to use the precompiled BPF library to reduce CPU and memory consumption
  * Updated configs to add zrs storage replication type for 4 events - LinuxAsmSecurity, LinuxAsmSyslog, AsmAuditCPRPMISE, LinuxAsmAuditDerived
  * Reduced the retention time of AsmVsaFMSnap event to 30 days
  * VSA Node Scanner
    - Updated qualys version from 1.5.0-1 to 1.7.0-1
    - Deprecated OEL7 and switched to OEL8
    - Added in-house SCA build
  * Code Integrity Scanner
    - Go lang component governance updates
  * Container Inventory Scanner
    - Updated container module
    - Reduction in volume of events

azure-security (2.29.0) stable; urgency=low
  * Enabled NetSecMon support for arm64 machines
  * Enabled ASA tamper detection on all public cloud non-prod x64 machines
  * Added new baseline rules for AzureLinux distro
  * Added AzSecPack support to Debian 12 x64 machines
  * Added cgroup V2 support
  * Added an extra signing for extension packages using ESRP
  * VSA Node Scanner
    - Added a logic to remove all older versions of Qualys before install
  * CertsInUse Scanner
    - Update CertsInUse scan to enable KeysInUse for OpenSSL 3

azure-security (2.28.1) stable; urgency=low
  * Enables tamper detection feature on non-prod Canary regions for autoconfig-enabled resources.

azure-security (2.28.0) stable; urgency=low
  * Support added for Azure Linux 3 and Ubuntu 24 distributions.
  * Dynamically managing installation and health of auoms and azure-monitor pkgs based on auditbeat status
  * Enable netsecmon to support nclouds and AGCs.
  * Enable netsecmon to support all the AzSecPack supported distros in amd64 architecture.
  * VSA Node Scanner
    - Update vsa-nodescan-agent to 1.14.0-1 and qualys command line agent to 1.5.0-1
    - Adds support for Azure Linux 3
    - Handles file system types to exclude
    - Enables SCA for canary assets along with previously enabled non-prod assets
    - Run SCA once a day instead of with each scan run
    - Log SIGTERM gracefully from AzSecPack
  * VSA-TLS Scanner
    - Gather process names for active tcp sockets

azure-security (2.27.0) stable; urgency=low
  * Enable netsecmon in prod canary for autoconfig enabled resources.
  * Container Inv Scan
    - Changing the names of the fields for PodDetails and KubernetesDetails
    - Updating the logic to only produce one PodDetails object per combination of namespace and managedby label to reduce the payload
  * VSA Node Scanner
    - Increased the hard timeout value for VSA nodescan
    - Enables tls scanner by default for all regions
    - Excludes localhost scanning
    - Translates wildcard addresses to localhost for scanning, but retains wildcard address for reporting
    - Adds ipv6 support
    - Adds address field & region for reporting

azure-security (2.26.1) stable; urgency=low
  * Enable netsecmon in non-prod and add performance metrics report

azure-security (2.26.0) stable; urgency=low
  * Enable netsecmon in canary region 1 and dynamically via tags
  * Updated install operations for Arc canary and Arm canary non-prod
  * Enable AzSecPack AutoConfig Troubleshooting Logs Collection
  * Fix Mariner 1P Baseline rules
  * Removed cld from signature file download type
  * Enable scrubber for all AzSecPack central namespaces
  * Overlake
    - Remove boost dependency from ASMLinuxAuditResource resource
    - Updated AgentPackageBuildDrop path for AzSecPack agent - OES
  * Process Investigator
    - Increase timeout for PI to 30s
    - Correct commandline for periodic scans
  * VSA Node Scanner
    - Updated vsanodescan to 1.12.0 and qualys CLA x86 to 23.11.0-3
    - SCA Opt-in model via resource tag
    - Exclusion of network file systems in SCA scan
    - Logging enhancements
    - Persisting local changes to vsa-nodescan-agent.config through package upgrades
    - Parsing telemetry fields in cases of scan error

azure-security (2.25.0) stable; urgency=low
  * Removed MDE installation as part of AzSecPack
  * Updated disable operation for ASA extension to reduce dependency on public settings
  * Updated logic for reading public settings to display settings when Unmarshal failed
  * Added Mariner 2 FIPS image to DevTest pipeline. Also, updated SKUs for d11x, s15x, r7x
  * Updated install, enable, disable and uninstall steps for Arc canary and Arm canary non-prod euap
  * Updated Retention settings for multiple scan events
  * VSA Node Scanner
    - Update vsanodescan to 1.9.6-0 and qualys-command-line-agent for x86 to 22.0.0-18

azure-security (2.24.3) stable; urgency=low
  * VSA Node scanner
    - Reverting back to behavior from 2.24.1
    - Disables SCA feature for prod

azure-security (2.24.2) stable; urgency=low
  * Restricting GIG enablement to only non-prod Canary resources with AzSecPack
  * VSA Node scanner
    - Reenables SCA feature for prod
    - SCA feature now excludes networked filesystems by default, by running in a bind mount
    - Added support for central management of some settings, such as SCA exclude directories, by VSA team
  * VSA-TLS Scanner
    - Decommissioned sslyze
    - Added opt in feature flag, controlled by resource tag
    - Updated nmap args to exclude null byte packets in payload
  * ContainerInv scanner
    - Updated container inventory scanning container report to have additional fields in both docker and containerd scans
    - Added time unification for duplicate images in container inventory scanning image report for containerd
    - Added new fields to container inventory scanning image report for container inventory scanner, and updated prioritization logic for image launch and exit time collection
  
azure-security (2.24.1) stable; urgency=low
  * Reverts vsanodescan to version 1.9.4-1 and reverts SCA scan to azsecpack:nonprod-only

azure-security (2.24.0) stable; urgency=low
  * Implemented ESM on AzSecPack build image
  * Updated baseline rules for FIPS detections
  * Added AzSecPack support for Arc machines
  * Added preview scanner using nmap for vsatlsscanner to only affect nonprod machines.
    - Fallback switch "vsatlsscannerfallback" to fall back to previous sslyze
    - Includes added support for aarch64
  * Updated containerinventory scanner to version 1.1.
    - Added warning parsing for the docker scans in case docker is not set up correctly
    - Added collection of platform's architecture and Os for containerd reports
    - Added repo generation for images with no repo in specific cases
    - Switched fallback in containerinvscan to use both docker and containerd if both are present
  * Fixed an issue in ASA extension where the vsanodescan config file would be overwritten with default settings on machine restart.
  * Updated keysinuse scanner version to 0.3.4-90
    - Fixed memory leak in high reload, client only keys

azure-security (2.23.0) stable; urgency=low
  * Added a preview scanner "rcvscan" for collecting telemetry from RCV agent.
  * Added retry logic for download of vsa-nodescan-agent.config file from blob storage within the AGCs
  * Resolved invalid start time for docker and kube scans in heartbeat log and azsecd status output.
  * Updated KeysInUse engine installed by CertsInUse scanner with fixes for applications statically linked to OpenSSL
  * Improved data collection, and testability for image report of the container inventory scanner
  * Added mdsd-coreagent and azuremonitor-coreagent service status to AzSec heartbeat

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 20 Jun 2023 12:00:00 +0800
 
azure-security (2.22.2) stable; urgency=low
  * GIG Enablement logic update
  * Added kubelet identities for AKS machines
  * Added retry logic for package install fails on RPM machines

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Thu, 26 May 2023 12:00:00 +0800

azure-security (2.22.1) stable; urgency=low
  * Switched certsinuse scanner to uninstall keysinuse due to a regression on some targets

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Thu, 30 Mar 2023 12:00:00 +0800

azure-security (2.22.0) stable; urgency=low
  * Update Public Cloud AutoConfig namespace version to 1.7
    - Add MDE event names
    - Add OpenTelemetry event names
    - Explicitly set immutability flag in event names
  * Update certsinuse scanner's engine install logic so it uses the official repo interface for fetching and validating packages.
  * Add "kube-proxy" to vsatlsscan exclusion list
  * Change TimeoutStopSec in .service files to 10 seconds
  * Fix mdsd .qos file parsing bug that caused heartbeat crash
  * Improved MDE install logic so that MDE bundle will get installed if opt-in tag is added after ASA is installed
  * Added detection of XBoxRazor VMs (XCLOUD hardware running Singularity jobs)
  * Changed Overlake AssetIdentity value from machine-id to hostname
  * Fixed "azsecd manual" so that correct cgroup is applied when scan is run.
  * Add AsmVsaFMSnap to MDSD_LOCALSINK_DISCARD_EVENTS (when AutoConfig is enabled)
  * Add detection of AKS and Custom Identity for AutoConfig (reported in heartbeat and "azsecd status")
  * Added IMDS result caching to reduce chance of "spamming" IMDS
  * Added baseline rule that checks if FIPS is enabled
  * Update vsanodescan to version 1.9.3
    - Preview: Enabled SCA detections on azsecpack:nonprod machines
    - Logging & telemetry improvements

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 28 Feb 2023 12:00:00 +0800

azure-security (2.21.0) stable; urgency=low
  * Improved detection of dpkg lock state during package operation retry loop
  * Fixed bug in lastScans file path logic
  * Added qualys package to required package list for heartbeat
  * Added VSA requirements check to namespace config validation
  * Added cgroup assignment for azsecpack services information to heartbeat
  * Changed vsanodescan so that it will both send report and return error code if there was a failure.
  * Add timeouts to vsanodescan and vsatlsscan scanner config
  * Added "Watson Enabled" baseline rule.
  * Added basic analysis of mdsd.qos file to heartbeat
  * Re-order certsinuse alert collection to reduce volume
  * Baseline changes
    - Add Linux STIG baseline
    - Tweaked "fix-cron-file-perms" baseline remediation rule
    - Added "Ensure system-wide crypto policy is not over-ridden" rule
    - Fix description for 38.4 and 38.5
  * Update auoms version (included in extension) to 2.7.0-11
  * Add vsatls exclusion for Hadoop yarn NodeManager
  * Added mdsd qos file analysis to heartbeat/status
  * Update AutoConfig namespace config version in public from 1.1 to 1.6
    - Config change includes adding MDE and IxfAudit sources/routes
  * Fixed so ContainerId is fetched from WireServer instead of parsing GuestAgent files.
  * Embedded build version into binaries (obtainable with the "-v" option of azsecd/azsecmond, and in heartbeat)
  * Add 'fake' azure-security package with real version for Overlake
  * Fix CheckUserDirs() so owner check passes if dir is owned by root
  * Add basic cpu/mem use metrics for reporting in heartbeat
  * Fix yum GetAvailableUpdates() so it doesn't process obsolete entries
  * ASA Extension Changes
    - Update auoms version to 2.7.0-11
    - Add MDE integration (opt-in)

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Wed, 23 Nov 2022 12:00:00 +0800

azure-security (2.20.2) stable; urgency=low
  * Off-node Vulnerability Scanning
    - Fixes a bug in 2.20.1 where AME machines are incorrectly detected as microsoft.com tenant.
      This broke automatic Qualys binary download for AME machines, and could break scanning for newly-created AME machines.

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Wed, 29 Jun 2022 12:00:00 +0800

azure-security (2.20.1) stable; urgency=low
  * Fixed so per-scanner cgroup override is honored
  * Changed heartbeat cycle logic to minimize chance of less than 1 hour cycles
  * Changed health report so MSI checks are only done if ToGeneva is enabled.
  * Fixed PwState logic in usergroup report
  * Simplified mdsdclient code to minimize memory usage
  * Add support for newer versions of McAfee in antimalware report.

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Thu, 16 Jun 2022 12:00:00 +0800

azure-security (2.20.0) stable; urgency=low
  * Added support for ARM64
  * Build using new Pipeline
  * Off-node Vulnerability Scanning
    - Updated vsa-nodescan-agent to version 1.8.1-1, with support for aarch64
    - Fixed a long-standing issue with agent emitting wrong endianness AssetId on some machines
    - Fixes an exception with some versions of waagent
  * Baseline scanner improvements
    - Added MSID 129.2
    - Removed MSID 128
    - Fixed regex for MSID 157.2 and 157.5
  * Usergroup scanner
    - Added required user group report for SOX
  * Swpkg scanner
    - Added JAR file scanning
  * Enabled multiple scanner schedule queues
  * Added memory limits to azsecd service
  * Enabled azsecpack on Debian 11 and Mariner 2 distros
  * Preview: Enabled azsecpack on Alma and Rocky Linux distros
  * Preview: Added improvements to CertInUse scanner
  * Enabled Linux AutoConfig for nClouds and AGCs
  * Improved azsecd health (heartbeat) and status report with the following details
    - Added Azure resource properties like resource tags, vm extensions (ASA and AMA), identity (default and azsecpack identities), arc/azure, Azure environment, resource group name, sub id, location, resource name, resource type, etc.
    - Added socket paths report based on FirstParty and ThirdParty scenarios
    - Added AzSecPackCustomerScenario property to StatusReport to convey whether FirstParty and ThirdParty scenarios got enabled
    - Added IsLAScan property to ScannerReport
    - Added changes to report required properties for 1P (GCS) and 3P (AMCS) scenarios
    - Added required changes to report required scanners, packages, and services in the ThirdParty scenario
    - Sorted scanner report in azsecd status output
    - Added CgroupInfo and EnforceCgroupLimits
  * Reduce ASA extension zip size
    - Merged azsecmond and azsec-clamscan into azsecd
    - Removed azsecmond from azsec-monitor and hard-linked it to azsecd
    - Removed azsec-clamscan and run as builtin instead
    - Added the ability to create "dehydrated" .deb files
    - Modified asm-extension so it rehydrates .deb files if needed
  * Added required changes to remove/skip the events older than the last 36 hours
  * Support AMA custom configuration using AMASocketBasePath ASA extension setting
    - Added separate settings in azsec config for AMA LA Socket paths
    - AutoConfig will not be enabled when the service team uses custom tenant socket paths
  * MDC (3P) improvements
    - If only a third party (LA) scenario is enabled, added required changes to disable all the scanners except the heartbeat scanner before retrieving the AMCS configuration
    - Added required changes to support scanner frequency updates through DCR and disabled non-LA scanners when first-party (Geneva) is not enabled
  * Process Investigator (PI) improvements (update to version 1.21.0424.0002)
    - Improved detections (Kernel Privilege Escalation, CVE-2021-3490, CVE-2021-4034)
    - Fixed FPs for known security software products
    - Fixed bug that caused RSS spike in scanned processes
    - Improved ELF parsing logic to prevent hangs
    - Increase timeout to 20 seconds
    - Added support for AARCH64

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Fri, 15 Apr 2022 12:00:00 +0800

azure-security (2.19.1) stable; urgency=low
  * Fixed so azsecmond MdsdFluentSockPath is also set in autoconfig mode

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 11 Jan 2022 12:00:00 +0800

azure-security (2.19.0) stable; urgency=low
  * Enabled Linux AzSecPack to run on Azure Arc Connected machines
  * AzSecPack AutoConfig
    - Enabled AutoConfig on resources with multiple UserAssigned identities without SystemAssigned identity
    - Enabled AutoConfig on Azure Arc Connected Machines
  * Added Secure Baseline Linux rules for M365
  * vsatlsscan: added metricsextension to the default exclusion list
  * [Preview] Updated certsinuse scan to be more robust

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Thu, 11 Nov 2021 12:00:00 +0800

azure-security (2.18.0) stable; urgency=low
  * Off-node Vulnerability Scanning
    - Updated vsa-nodescan-agent to version 1.7.1-1, with support for CBL-Mariner
  * Update Process Investigator (PI) to version 1.21.00819.0001
    - Address FPs for known Security and Remote Management Software
    - Redact raw indicator string if it contains passwords
    - Add file hash to file-based alerts
    - Update timestamps to ISO 8601 format
  * Baseline
    - Fixed regular expressions and descriptions of some baseline rules
    - Fixed kernel module enforcement (KMCI) remediation
    - Refactored baseline rule files
    - Fixed mount option rules
    - Fixed MSID 68 for SLES15
  * Code Integrity
    - Improved dbx vulnerability checks
  * [Preview] Added optional CertsInUse scanner
    - It generates three report types, each with its own scan name:
      - certsinuse_hostkey: Key usage events logged by the openssl telemetry engine
      - certsinuse_hosterr: Errors logged by the telemetry engine
      - certsinuse_hostalert: Alerts for service owners relevant to cert usage, but not related to events logged by the telemetry engine

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Fri, 03 Sep 2021 12:00:00 +0800

azure-security (2.17.0) stable; urgency=low
  * containerinvscan scanner
    - Added support for scanning images, containers, namespaces in containerd runtime
    - Defaults to docker if both docker and containerd are available
  * Bug fix
    - Fixed a persistence-related issue for bool properties in /etc/azsec/azsec.xml config file

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Thu, 15 Jul 2021 12:00:00 +0800

azure-security (2.16.1) stable; urgency=low
  * Fixed azsec.xml config read and write issue related to the empty values
  * Fixed azsecd config so required values revert to default if empty in azsec.xml
  * Added CertExtensionCheckDisabled option to the certstore scanner to disable certificate file extension checking

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Thu, 24 Jun 2021 12:00:00 +0800

azure-security (2.16.0) stable; urgency=low
  * Off-node Vulnerability Scanning
    - Updated manifest endpoints selection logic based on VM tags set by autoconfig.
    - Added CDN endpoints instead of a single manifest endpoint for test and prod environments.
    - Fixed AME cert download issue with RedHat 8.
    - Added support for bare metal assets.
  * Baseline
    - Add MSID 1.1.21.1 for ensuring all USB devices are disabled
    - Updated MSID 31 for ensuring all bootloaders have password protection enabled
  * Added default timeout capability for security scanners
  * Refactored auoms config management
  * Hardened the executable binary files (using -buildmode=pie flag) to leverage available platform security mitigations
  * Added support for AzureMonitorLinuxAgent 2.0 in Linux AzSecPack AutoConfig
  * Bug fixes
    - Added logging of failed scans by vsatlsscan
    - Updated SMBIOS UUID fetch logic to support SMBIOS >= 2.6

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Mon, 7 Jun 2021 12:00:00 +0800


azure-security (2.15.1) stable; urgency=low
  * Added Linux Defender antimalware assessment
  * Added support for enabling AzSecPack AutoConfig with enableAutoConfig setting on AzureSecurityLinuxAgent vm extension

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Wed, 7 Apr 2021 12:00:00 +0800

azure-security (2.15.0) stable; urgency=low
  * Off-node Vulnerability Scanning
    - Updated code for Linux manifest validation to use AME root certificate instead of cert bundle. Affects Linux platform only.
    - Fixed timeout issues with the agent
    - Updated vsa-nodescan-agent to version 1.5.0-1.
  * Increased CertStore scanner frequency to 4 hours
  * Added support for DerivedEvent as valid alternative route for MdsdEventSource in mdsd config validation
  * Updates to Code Integrity (CI) scanner
    - Remove unused/unnecessary reports to reduce volume of CI data by about 90%.
    - Consolidated Kernel Module CI and SB enforcement info in one report for better reporting and alerting at backend.
    - Added Kernel Module CI and SB enforcement info to Kernel Module CI and SB reports respectively.
    - Updated UEFI CA dbx template.
    - Updated remediation steps for Secure Boot enforcement Baseline check.
    - Removed 'trustedkeyinfo' tool, as it was not used.
  * Bug fixes
    - Resolved Issuer and Subject values in CertStoreInventory report
    - Fixed a hang issue in installing the clamav dependency as part of clamav scanner
    - Baseline rule MSID 122: Fixed a regex issue

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 16 Mar 2021 12:00:00 +0800

azure-security (2.14.0) stable; urgency=low
  * Enabled heartbeat scanner to run in parallel with other scanners
  * Baseline
    - Update MSID 185 to check whether the samba service is running rather than whether its config is present
    - Removed MSID 6.7 (UDF driver) rule
    - Updated ssh audit rules
  * Off-node Vulnerability Scanning
    - Updated code for certificate validation and Linux manifest validation to use AME certificate. Affects Linux platform only.
    - Updated vsa-nodescan-agent to version 1.4.0-1.
  * Updates to Code Integrity (CI) scanner
    - Use DBX on the VM instead of updated default DBX to verify bootloaders and kernels
    - Add dbxinfo report to collect DBX on the VM
  * ASC
    - Added support for AMCS/AMA Config V2
  * Bug fixes:
    - Updated Time Sync Scanner to more accurately represent the status of time sync services running on nodes
    - Linux AzSecPack now checks and fixes cgroup limits if cgroup already exists
    - Fixed mdsd socket path update issue in watchdog implementation
    - Constrained the output of 'docker inspect' in the container image scanner

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 5 Jan 2021 12:00:00 +0800

azure-security (2.13.0) stable; urgency=low
  * Update Process Investigator (PI) to version 1.20.0929.0001
    - Add Persistence detector for crontab based persistence
    - Extract user account information in containers
    - Extract open handles for malicious processes
    - Address FPs for known Security Software
    - Reduce memory footprint
  * Updates to Code Integrity (CI) scanner
    - Add CI scanner option to take list of allowed files as input
    - Update default DBX
    - Add UEFI CA in default DB
    - Merge Default DB/DBX with firmware DB/DBX before running validation
    - Add init_module and finit_module syscall monitoring to OneAgent auoms rules
  * Improved memory cgroups to include the soft limit
    - Added soft_limit_in_bytes setting in memory cgroup
    - Changed default hard limit to 1GB and default soft limit to 512MB
  * Improved Azure resource detection logic for AssetIdentity
  * Baselines
    - Added 77 new audits to oms_audits for parity with CIS Linux Benchmark
  * Added support for Linux AzSecPack AutoConfig
    - Added watchdog command on azsecd to set the desired state for Linux AzSecPack AutoConfig
    - Added cron job for invoking watchdog command on azsecd with 5-minute frequency
    - Added support for discarding LinuxAsmSyslog and LinuxAsmSecurity events in default mdsd config
      - This functionality is needed to avoid duplicate logging of LinuxAsmSyslog and LinuxAsmSecurity events when Linux AutoConfig is enabled
      - This automatic update can be skipped by adding the retainsyslogcollection tag to the Azure resource
    - Also enabled ClamAV scanner in AzureSecurityLinuxAgent (ASA) vm extension installation
  * Bug fixes
    - Heartbeat message includes auditd and mdsdmgr services status
    - vsatlsscan: force 90s timeout per port scanned to eliminate TLS scanner hangs
  * ASC
    - Added support for retrieving the extension configuration from Azure Monitor Configuration Service (AMCS) Data Collection Rule (DCR)
      - Scanner configurations get updated based on extension settings in the DCR
    - Added an amcsconfig command option on azsecd for manually updating the scanner configurations
    - Added changes to upload the scanner diagnostics logs to OPERATION_BLOB LA datatype

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 20 Oct 2020 12:00:00 +0800

azure-security (2.12.0) stable; urgency=low
  * Turns on TLS scanner by default with run frequency of twice a day.
  * Update Process Investigator (PI) to version 1.20.0630.0001
    - Add detector for analysis of elf executed via ld.so
    - Improved detections of ld_preload based attacks
    - Retrieve the setuid information for tasks exhibiting EoP behavior
    - Capture network connections and list the sockets in TCP_LISTEN state for compromised users
    - Address FPs for known Security Software
  * Added support for Ubuntu 20.04, Debian 10, and RHEL/CentOS/Oracle 8
  * Update CI scanner
    - Added validation of Secure Boot against UEFI db/dbx and MOK db/dbx
    - Added ARM ResourceId to machine data
  * Update vsa-nodescan-agent to version 1.2.1-1
    - Upgraded IMDS calls to use the 2019-08-15 API version
    - Updated settings initialization logic to use separate default endpoint values when running in an Airgapped cloud
    - Added "AuthenticateQualysDownload" configuration item to determine whether or not to attempt to retrieve an MSI token to use in download request for Qualys package binary (set to true by
      default in public, false in Airgapped clouds)
    - Added "ManifestCertSubjectCN", "ManifestCertIssuerFields", "ManifestCertRootSubjectFields", and "ManifestCertRootFingerprint" configuration items for finer-grained control over values when
      verifying the signing certificate
  * Bug fixes
    - Fixed a race condition in mdsdclient
    - AssetIdentity: Improved reliability
    - Removed MSID 37 from OMS Baselines
    - Updated OMS Baseline MSID 116 to check for dhcpd service to be disabled
    - OS Baseline MSID 40.2: If IPv6 is disabled, this check should pass
    - Mdsd configuration validation
      - Enabled for Airgapped clouds
      - Handled a case of multiple mdsd instances on a VM
    - Handle 404 error in IMDS API
     
 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 14 Jul 2020 12:00:00 +0800

azure-security (2.11.1) stable; urgency=low
  * Put TLS scanner in preview mode as off by default. Enable with 
    'sudo /usr/local/bin/azsecd config -s vsatlsscan -d PT12H'

azure-security (2.11.0) stable; urgency=low
  * Added TLS scanner that performs an SSL handshake with each listening TCP port on the local node, checking for supported functionality including
    - Cipher suites for SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2
    - Server cipher preference order for TLSv1_2
    - Whether client-initiated renegotiation and/or secure renegotiation are supported
  * Update PI to version 1.20.0417.0001
    - Add ELF analysis for high value processes on disk
    - Address FP detections with other AV software
    - Update output format to allow for easier processing
    - General performance and detection logic improvements
  * CodeIntegrity scanner improvements
    - Add EFI variable parser
    - Update logic to get current bootloader images using new EFI variable parser
    - Add Secure Boot and Kernel module enforcement state reports and baselines
    - Add trusted Secure Boot root certs
    - Update logic to verify certificate trust chain
    - Add option to relax certificate signing time validity check
    - Update sbinfo tool to output Secure Boot and Kernel module enforcement states
    - Fix non-0 padding in PKCS7 ContentInfo array
  * Bug fixes
    - AssetIdentity: Fallback to smbios uuid if IMDS query fails
    - AssetIdentity: If IMDS route and DHCP option 245 are missing, try IMDS but with short (2s) timeout
    - Docker baseline MSID 1.01 now correctly identifies mounts
    - OS Baseline MSID 89 now checks the correct files for RedHat and CentOS
    - OS Baseline MSID 107 now correctly excludes irrelevant operating systems
    - OS Baseline MSID (15 & 17): Exclude /var/lib/docker
    - Timesyncd NTP status is now correctly reported and parsed

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Fri, 10 Apr 2020 12:00:00 +0800

azure-security (2.10.0) stable; urgency=low
  * Updated PI version to 1.19.1018.0001
    - Enhanced support for ld_preload based rootkits
  * 1.2.0-1 version of vsa-nodescan-agent binaries are now included in the azure-security package.
    - Deprecated vsa-nodescan-agent package
  * CodeIntegrity scanner improvements
    - Extended CI scanner to cover EFI boot loaders
    - Added signing time validation and removed certificate validity validation
      - Added signing time validation: a signature is considered valid if it was made while the certificate used for validation was itself valid; if the signing time is not present, signing time validation is skipped.
      - Removed certificate validity validation: the certificate itself is always treated as valid for the purpose of validation.
    - Added Authenticode hash verification for PE files
    - Added support for xz compressed Kernel modules
  * Added oms_audits.xml and oms_docker_audits.xml files to the azure-security package
  * Opt-in feature: Updated AzSecPack baseline scanner to audit and enforce Kernel module signature
  * Added Baseline audits for CIS Kubernetes Benchmarks Section 2.1
  * Added all Not Scored docker baseline rules as NotApplicable
  * Improved AssetIdentity and NodeType logic
  * Improved mdsd analysis logic
  * Added support for CBL-D distro
  * Bug fixes
    - Fix to move the Software scan results into the LinuxAsmSoftware event name
    - Fix container details report collection error in ContainerInv scanner
    - Fix heartbeat so it only reports auoms service status if version is 2.0+
    - Fix to handle mdsd config with ISO-18859-1 encoding
    - Fix to properly log the IMDS error response
    - Fix for Kernel path failures for different distros
    - Fix leading zeros in PKCS7 signer info's serial number

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Thu, 14 Nov 2019 12:00:00 +0800

azure-security (2.9.1) stable; urgency=low
  * Fix bug in plugin log protocol.

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Mon, 29 Jul 2019 12:00:00 +0800

azure-security (2.9.0) stable; urgency=low
  * Removed memorylimitpercentage and memorylimitminbytes cgroup config values
  * Added AssetIdentity and NodeType columns to azsecd and azsecmond events
  * Added kube-apiserver audits: 10000 to 10012
  * Added auoms service status to heartbeat
  * Added ProcessInvestigator scanner
  * CodeIntegrity scanner improvements
    - Fixed bugs in modInfo.IsTrusted and modInfo.IsTainted
    - Added tainted module load alert to azsecd
    - Added file hashes for PE files, as they are required by the alerting service.
    - Changed to infer trusted keyring id from environment
    - Updated errors and logs
    - Changed to collect constant hash of Kernel module files
    - Added scanning for PE signed Kernel, Grub and Shim
      - pefile: A package to parse and verify PE files.
      - pkcs7: A package to parse and verify signed PKCS7 data.
      - peinfo: A wrapper package to locate files of interest, get info from pefile and organize it as required.
      - sboot: A package to provide trusted root certs.
      - An update to ciscan to scan for Kernel, Grub and Shim during each run of scanner.
      - An update to cidata to generate reports from peinfo.
      - sbinfo: A cmdline tool to get info about Kernel, Grub and Shim
      - gopre: Added the updated debug/pe package for now.
  * Added docker inspect output to the container inventory report
  * Bug fixes
    - Fixed config so it points to the right mdsd protocol listener
    - Fixed monitor so it works with multi-row result files
    - Fixed panic in mdsdclient
    - Fixed azsecd not exiting after SIGTERM bug
  * Added kube scanner
  * Scanner result improvements
    - Enabled capturing scanner logs as a scan result
    - Enabled scanner to return results with a name other than scanner.Name()
  * Added mdsd config validation results to heartbeat
  * Changed to log plugin scanner failure errors along with code
  * Added correct ruleId for 'Ensure TLS authentication for Docker daemon is configured'

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Fri, 19 Jul 2019 12:00:00 +0800

azure-security (2.8.1) stable; urgency=low
  * Fix plugin scanners so they don't hang

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 7 May 2019 19:00:00 +0800

azure-security (2.8.0) stable; urgency=low
  * Added VSA vulnerability scanner
  * Added CodeIntegrity scanner
  * Fixed Auditctl Canonicalization Issue
  * Added support for running the built-in scanners in separate process
  * Added Cgroup resource (cpu, memory and io) limits for azsecd and plugin scanners
  * Improved GoalState discovery logic
  * Added MSID as primary key for baseline remediations
  * Added following baseline rules (by MSID)
    - PAM: 157.11, 157.12, 157.14, 157.15, 157.16, 157.17, 157.18
    - SSH: 106.5, 106.7, 106.11
    - Services: 179, 181, 182, 183, 185
  * Removed MSID 139.1 rule
  * Added docker audits from internal to external
  * Added following Docker baselines rules (by MSID)
    - 1.1, 2.08, 4.6, 5.5, 5.24, 5.26, 5.28, 5.31, 7.6, 2.11, 2.12
    - 5.01, 5.02, 5.03, 5.10, 5.13, 5.14, 5.19, 5.29, 7.03, 7.04

 -- Azure Security Monitoring Team <asmteam@microsoft.com>  Tue, 30 Apr 2019 12:00:00 +0800

azure-security (2.7.1) stable; urgency=low
  * Fix AzSecID persistence bug

 -- Azure Security Monitoring Team <azsecmon@microsoft.com>  Tue, 3 Dec 2018 12:00:00 +0800

azure-security (2.7.0) stable; urgency=low
  * Fix heartbeat so that ContainerId is fetched every time, not just at start-up
  * Added system reboot time to heartbeat
  * Fixed service status checking code for CentOS 7/RHEL 7
  * Added time sync source scanner
  * Fixed newlines not being removed from v2 reports
  * Added Docker security baseline scanner

 -- Azure Security Monitoring Team <azsecmon@microsoft.com>  Tue, 13 Nov 2018 12:00:00 +0800

azure-security (2.6.0) stable; urgency=low
  * Added certstore scanner.
  * Added containerinv scanner.
  * Added iptables scanner.
  * Added usergroup scanner.

 -- Azure Security Monitoring Team <azsecmon@microsoft.com>  Wed, 27 Jun 2018 12:00:00 +0800

azure-security (2.5.0) stable; urgency=low
  * Added swpkg scanner.

 -- Azure Security Monitoring Team <azsecmon@microsoft.com>  Thu, 26 May 2018 12:00:00 +0800

azure-security (2.4.1) stable; urgency=low
  * Re-added support for sending to mdsd TCP port.
  * Installer adds default mdsd_socket_path value in config if it is missing.

 -- Azure Security Monitoring Team <azsecmon@microsoft.com>  Wed, 28 Mar 2018 12:00:00 +0800

azure-security (2.4.0) stable; urgency=low
  * Added kernel version to heartbeat
  * Added scan options to heartbeat
  * Added ability to disable specific baseline checks
  * Added filescan scanner
  * Changed to write to mdsd unix domain socket instead of tcp port
  * Added new v2 report schema

 -- Azure Security Monitoring Team <azsecmon@microsoft.com>  Wed, 7 Feb 2018 12:00:00 +0800

azure-security (2.3.0) stable; urgency=low
  * Added azsec-monitor package tracking to heartbeat
  * Added additional /sys/class/dmi/id values to heartbeat
  * Reduced size of report chunking
  * Added AzSecID to heartbeat and all reports (via SourceHost column)

 -- Azure Security Monitoring Team <azsecmon@microsoft.com>  Mon, 27 Nov 2017 12:00:00 +0800

azure-security (2.2.5) stable; urgency=low
  * Change baseline scan find command args to include "-xdev"

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Fri, 30 Jun 2017 12:00:00 +0800

azure-security (2.2.4) stable; urgency=low
  * Version bump

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Mon, 3 Apr 2017 12:00:00 +0800

azure-security (2.2.3) stable; urgency=low
  * Added support for Ubuntu 17.04
  * Improved logging
  * Fix bug in distro driver that was causing false negative for baseline "CheckServiceEnabeld".

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Mon, 3 Apr 2017 12:00:00 +0800

azure-security (2.2.2) stable; urgency=low
  * Prevent SIGPIPE from terminating azsecd

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Tue, 7 Mar 2017 14:00:00 +0800

azure-security (2.2.1) stable; urgency=low
  * Whitelist ssh-agent and snap-confine in sbi audit 15

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Fri, 28 Oct 2016 09:00:00 +0800

azure-security (2.2.0) stable; urgency=low
  * Added container ID to heartbeat report
  * Implemented telemetry messaging
  * Added 'telemetry_url' attribute to azsec.xml (/etc/azsec/azsec.xml)
    to activate telemetry for azsecd and the scanners.
    Default value is empty string (not activated).

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Thu, 13 Oct 2016 12:00:00 +0800

azure-security (2.1.1) stable; urgency=low
  * Added SMBIOS UUID to heartbeat report
  * Added 'start_delay' attribute to azsec.xml (/etc/azsec/azsec.xml)
    to indicate delay between starting azsecd and invoking the scanners.
    Default value (if not present in azsec.xml) is 1 hour.

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Wed, 27 Jul 2016 12:00:00 +0800

azure-security (2.1.0) stable; urgency=low
  * Added option to copy scanner results to directory specified in azsec.xml
  * Remove checks and remediation for ipv6 secure_redirects, send_redirects, and log_martians
  * Added heartbeat built-in scanner
  * Removed facility from scanner config files (using scanner name instead)
  * Changed baseline result from MISS to SKIP when a distro has no defined check for an audit.

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Mon, 18 Jul 2016 12:00:00 +0800

azure-security (2.0.3) stable; urgency=low
  * Audit 15: Add Ubuntu 16.04 binaries to whitelist
  * Audit 159: Fix logic for detecting/removing unnecessary accounts

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Fri, 3 Jun 2016 12:00:00 +0800

azure-security (2.0.2) stable; urgency=low
  * Added support for Oracle Linux (6,7)
  * Added native RPM packaging

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Thu, 26 May 2016 16:30:00 +0800

azure-security (2.0.1) stable; urgency=low
  * Added support for Debian 8
  * Added remediation subcommand to azsecd

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Fri, 29 Apr 2016 16:30:00 +0800

azure-security (2.0.0) stable; urgency=low
  * Ported to Go
  * Added support for Ubuntu 16.04, Debian 8, CentOS (6,7), RHEL (6,7), SLES (11,12)
  * Removed rsyslog dependency from scanners

 -- Azure Security Engineering Linux Team <aselinux@microsoft.com>  Mon, 29 Feb 2016 16:30:00 +0800

azure-security (0.1.11) stable; urgency=low
  * Retry apt operations (update/dist-upgrade/install) in apply-secbaseline.sh

 -- Azure Linux Team <azlinux@microsoft.com>  Wed, 17 Feb 2016 12:40:00 +0800

azure-security (0.1.10) stable; urgency=low
  * Bugfix for OSError when creating /var/run/azsecd

 -- Azure Linux Team <azlinux@microsoft.com>  Fri, 12 Feb 2016 15:50:00 +0800

azure-security (0.1.9) stable; urgency=low
  * Bugfix: remove cleartext passwords from Ubuntu 12.04 systems

 -- Azure Linux Team <azlinux@microsoft.com>  Mon, 30 Nov 2015 16:30:00 +0800

azure-security (0.1.8) stable; urgency=low
  * Bugfix for parsing unicode command output to ascii
  * Several fixes for the apply-secbaseline script
  * Support multiple scanner config files under /etc/azsec/cfg

 -- Azure Linux Team <azlinux@microsoft.com>  Fri, 20 Nov 2015 10:30:00 +0800

azure-security (0.1.7) stable; urgency=low
  * Add support for systemd (Ubuntu 15.04 and above)

 -- Azure Linux Team <azlinux@microsoft.com>  Thu, 29 Oct 2015 11:45:00 +0800

azure-security (0.1.6) stable; urgency=low
  * Antivirus scanner is removed

 -- Azure Linux Team <azlinux@microsoft.com>  Wed, 28 Oct 2015 16:10:00 +0800

azure-security (0.1.0) stable; urgency=low
  * Initial package release
  * Antivirus scanner for identifying malware
  * Baseline configurator for applying secure config settings
  * Baseline scanner for identifying deviations from applied baseline
  * Patch scanner for identifying patches that have not been installed
  * Software inventory scanner for scanning installed software packages

 -- Azure Linux Team <azlinux@microsoft.com>  Thu, 9 Apr 2015 15:52:00 +0800
