FireMon is pleased to release Lumeta Enterprise Edition 4.0 for general availability. This release is required for all Lumeta Enterprise Edition users.
The Lumeta 4.0 upgrade file bundle is now available on the Downloads page of the FireMon User Center. This upgrade package upgrades all versions of the Lumeta Enterprise Command Center and Enterprise Scout.
Lumeta 4.0 is compatible with Lumeta Cloud Scout 1.1 (release 1.20200401.105457.dev). No changes have been made to Lumeta CloudVisibility.
Given the nature of this release and the many changes that have been made, Lumeta 4.0 systems are not backward-compatible with previous Lumeta installs. In particular, 3.X versions of the Enterprise Scout cannot be used with a 4.0 Command Center.
New & Enhanced Features
This major release offers several upgraded components, chief among which are the CentOS 7.7 operating system (upgraded from CentOS 6.7) and a new partitioning scheme that is STIG compliant.
New Partition Scheme
Lumeta 4.0 provides a new partition scheme that makes the platform compliant with the Red Hat Enterprise Linux 7 Security Technical Implementation Guide (STIG) IDs SV-72059, V-72061, V-72063, and V-72065. This partition scheme separates the boot and data partitions. It also reserves space for emergency recovery operations.
The Logical Volume Management (LVM) Volume Group (VG) layout is as follows:
- swap: Space that Linux uses as virtual memory when memory pressure increases, or opportunistically to free up RAM (sized per the --recommended flag; see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-disk-partitioning-setup-x86#sect-recommended-partitioning-scheme-x86 ).
- /home: Small space to store files for individual users (2% of vg_sys, mounted nosuid to comply with V-72041).
- /var/log/audit: Location where the Linux Audit Framework stores its data. These logs show who did what and when. While this is technically a log, the STIGs specify that the audit log must be in its own space (2% of vg_sys).
- /var: A place for persistent application data, such as the Lumeta database, to be stored. Logs are also stored in this location (70% of vg_sys).
- /tmp: A space for temporary files. Lumeta does not currently clean this (2% of vg_sys).
- /: The root of the file system. This is the top-level directory for all other files (10% of vg_sys).
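The separate-partition layout above is something an administrator will want to verify after an upgrade or a restore. The following is an added example, not code from the Lumeta product, that checks a mount table in /proc/mounts format for the mount points listed above and for the nosuid option on /home (V-72041); the device names and sample tables are constructed, and the function names are this example's own.

```python
"""Added example (not part of the Lumeta release notes or product):
verify that /home, /var, /var/log/audit and /tmp are separate mount points
and that /home is mounted nosuid, reading a /proc/mounts-style table.

Assumptions: device names and both sample tables are constructed;
parse_mounts / check_partitions are names chosen for this example.
"""
from typing import Dict, List

REQUIRED_MOUNTS = ["/home", "/var", "/var/log/audit", "/tmp"]
REQUIRED_OPTIONS = {"/home": {"nosuid"}}   # V-72041


def parse_mounts(text: str) -> Dict[str, dict]:
    """Parse /proc/mounts lines into {mount_point: {"device": ..., "opts": set()}}."""
    table: Dict[str, dict] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        device, mount_point, _fstype, opts = fields[:4]
        # A later entry for the same mount point wins, as with stacked mounts.
        table[mount_point] = {"device": device, "opts": set(opts.split(","))}
    return table


def check_partitions(text: str) -> List[str]:
    """Return a list of findings; an empty list means the layout passes."""
    table = parse_mounts(text)
    findings: List[str] = []
    root_dev = table.get("/", {}).get("device")
    for mp in REQUIRED_MOUNTS:
        entry = table.get(mp)
        if entry is None:
            findings.append(f"{mp}: not a separate mount point")
        elif entry["device"] == root_dev:
            # A bind mount of the root device is not a separate partition.
            findings.append(f"{mp}: shares the root device {root_dev}")
    for mp, wanted in REQUIRED_OPTIONS.items():
        entry = table.get(mp)
        if entry is not None:
            missing = wanted - entry["opts"]
            if missing:
                findings.append(f"{mp}: missing mount options {sorted(missing)}")
    return findings


# Constructed sample tables (not captured from a real Lumeta system).
GOOD_TABLE = """\
/dev/mapper/vg_sys-root / xfs rw,relatime 0 0
/dev/mapper/vg_sys-home /home xfs rw,nosuid,relatime 0 0
/dev/mapper/vg_sys-var /var xfs rw,relatime 0 0
/dev/mapper/vg_sys-audit /var/log/audit xfs rw,relatime 0 0
/dev/mapper/vg_sys-tmp /tmp xfs rw,nosuid,nodev,relatime 0 0
"""

BAD_TABLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /home ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        print(name, check_partitions(table) or ["OK"])
```

To check a live system, pass the contents of /proc/mounts to check_partitions in place of the constructed tables.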
Configurable Data Expiration
Before this 4.0 release, non-system, non-user-defined attributes were aged out after two days without a response from their associated device. Customers asked for this interval to be user-configurable so that they could retain attribute values for longer, and we've done so.
With this 4.0 release, you can configure the expiration interval from the Command Center CLI or via the Lumeta API with this command:
system expire-data-interval [ minutes ]
Run the command without a minutes value to display the current setting; include a value to set it.
ServiceNow Integration
Lumeta now has a certified plug-in in the ServiceNow marketplace. FireMon's integration with ServiceNow brings API communication between Lumeta and one of the largest security orchestration, automation and response (SOAR) vendors in the industry. Lumeta highlights missing network data, which the ServiceNow "Orlando" platform pulls in via API on a scheduled basis. Alternatively, ServiceNow can populate its Configuration Management Database (CMDB) with Lumeta's real-time visibility and device discovery data.
For information on configuring the integration within ServiceNow, and on how to get the ServiceNow plug-in, see ServiceNow (SNOW) Integration.
Scout Discovery Results Resilience
This feature ensures that when the discovery process restarts on an Enterprise Scout, Lumeta retries targets that were in progress during the restart. For example, if Host discovery were interrupted on a target of 10.0.0.0/8, which covers more than 16 million addresses and takes a while, Lumeta would scan that target again.
Device Behavior Changes
Devices respond differently depending on how they have been consolidated. When a network device is consolidated and the reference IP or “parent” IP is selected to represent the device, the responsiveness of the device may be impacted. For this release, we've examined whether an incoming response should be associated with a known (already-discovered) device or a newly discovered device. This analysis yielded a new algorithm that has been implemented. It allows device decisions to be made with a high level of confidence and with significant improvements in efficiency. See Selecting & Processing a Reference ID for more.
Splunk Integration
Lumeta has a certified plug-in in the Splunk app store. After installing this plug-in, you'll be able to use the Lumeta API to populate the Splunk application with Lumeta security intelligence. See these pages to learn how to configure the integration in Lumeta and in Splunk, and where you'll find the results:
- Configuring Splunk on Your Lumeta Command Center
- Installing & Configuring the Lumeta App on Splunk
- Lumeta Dashboards in Splunk
- Search Results in Splunk
Forward DNS Lookups
A device on your network with an IPv4 address and a hostname can now report its related IPv6 address to Lumeta (and vice versa). Two devices sharing the same name, one with an IPv4 address and the other with an IPv6 address, can both be reported by Lumeta. You can use the checkboxes to specify which related hosts you want to retrieve (all related, IPv4-related, IPv6-related, or none). This enables Lumeta to discover and profile more IPv6 hosts.
To support this host acquisition capability, we've added a new option to the Settings > Zones > DNS tab. The "Use host names to find related IP addresses" checkbox lets you target a host whose name is associated with multiple IPv4 and IPv6 records, and use the discovered host name to retrieve any IPv4 or IPv6 addresses associated with that name.
If, for example, you were to target the zone collector at 172.18.1.1, choose "find related" in the DNS configuration (shown below), and use the internal DNS server 172.16.53.5, the zone would find not only 172.18.1.1 but also 2600:802:460:425::1 and 172.18.1.254.
For more on the results report, dashboard, and CLI commands, see Reporting: DNS.
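The lookup sequence behind "find related" (reverse lookup of the discovered address to a name, then forward A and AAAA lookups of that name, filtered by the chosen checkbox) is modelled below. This is an added example, not Lumeta code: the DNS answers are a constructed table standing in for the internal server in the scenario above, the hostname gw.example.internal is made up, and the function names are this example's own.

```python
"""Added example (not Lumeta code): the forward-DNS "find related" step,
with an injectable resolver so it runs offline against a constructed table.

Assumptions: DNS_TABLE, the hostname and find_related are this example's own;
the addresses reproduce the release-notes scenario (172.18.1.1 is related to
2600:802:460:425::1 and 172.18.1.254).
"""
import ipaddress
from typing import Callable, Dict, List, Set

# Constructed answers standing in for the internal DNS server. PTR records are
# keyed by the plain address here instead of the in-addr.arpa / ip6.arpa name.
DNS_TABLE: Dict[str, Dict[str, List[str]]] = {
    "PTR": {
        "172.18.1.1": ["gw.example.internal"],
        "2600:802:460:425::1": ["gw.example.internal"],
    },
    "A": {"gw.example.internal": ["172.18.1.1", "172.18.1.254"]},
    "AAAA": {"gw.example.internal": ["2600:802:460:425::1"]},
}

Resolver = Callable[[str, str], List[str]]


def table_resolver(name: str, rtype: str) -> List[str]:
    """Stand-in for a real resolver; an empty list means NXDOMAIN / no data."""
    return DNS_TABLE.get(rtype, {}).get(name, [])


def find_related(target: str, mode: str, resolve: Resolver = table_resolver) -> Set[str]:
    """Return the target plus every address that shares its DNS name.

    mode mirrors the checkboxes on Settings > Zones > DNS:
    "none", "ipv4", "ipv6" or "all".
    """
    target_ip = ipaddress.ip_address(target)      # validates and normalises
    found = {str(target_ip)}
    if mode == "none":
        return found
    rtypes = {"ipv4": ["A"], "ipv6": ["AAAA"], "all": ["A", "AAAA"]}[mode]
    # Reverse lookup: which name(s) does the discovered address carry?
    for name in resolve(str(target_ip), "PTR"):
        # Forward lookups: every A / AAAA record under that name is "related".
        for rtype in rtypes:
            for addr in resolve(name, rtype):
                ip = ipaddress.ip_address(addr)
                # Defensive: an A answer must be IPv4 and AAAA IPv6; skip mismatches.
                if (rtype == "A") != (ip.version == 4):
                    continue
                found.add(str(ip))
    return found


if __name__ == "__main__":
    for mode in ("none", "ipv4", "ipv6", "all"):
        print(mode, sorted(find_related("172.18.1.1", mode)))
```

Replace table_resolver with a function that queries a real resolver to use this against live DNS; the filtering logic is unchanged.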
BGP Router ID on IPv6-Only Interfaces
Lumeta requires a 32-bit router ID to establish a connection to a BGP peer and uses the IPv4 address of the scanning/collector interface for that purpose. This release adds a near-term process for the case where the interface has an IPv6 address but no IPv4 address:
- Use the first available IPv4 address of the scanning interface as the BGP router ID.
- If there isn't one (as on an IPv6-only interface), use the discoveryagent.bgpRouterId property to make the connection.
- Otherwise, use 126.96.36.199.
New "Last 24 Hours" Report
Wondering what the Lumeta system has found in the last day or so? This new "All Devices Discovered in the Last 24 Hours" report provides the details.
| Column | Description |
| --- | --- |
| IP | IPv4 device identifier |
| MAC | MAC device identifier |
| Identity | Data recipient, such as collector:local:eth0 |
| DNS name | Domain Name Service identifier |
| Active | Whether or not the device is responsive |
| OS | Operating system name |
| Device type | Category of asset, such as router, printer, or switch |
| First observed | Date and time stamp |
| Model | Model number provided by the device vendor |
| Version | Release number as provided by the device vendor |
| SNMP responder | Whether or not the device responded to the SNMP protocol |
| SNMP accessible | Whether or not the device has been detected by the SNMP protocol |
Set Port on Rapid7 Integration
Lumeta 4.0 brings you the added flexibility to connect Lumeta to your Rapid7 server using a port number you specify, or you can stick with the default port 3780. See Rapid7 Integration for more.
Qualys Integration Enhancement
You can now opt to selectively push data to Qualys' Lumeta Asset Group by:
- Mapping zones using Qualys Network IDs,
- Selecting the "Asset Mapping by Zone" option, and
- Selecting the Lumeta Zones whose assets you want transferred to Qualys.
See Qualys Integration Enhancement for more.
An update to the Lumeta database yielded several improvements:
- The findings capacity of Lumeta CloudVisibility scaled up by 65%.
- A timestamp has been added to Lumeta CloudVisibility findings.
- A delay in the startup of Command Centers has been eliminated.
- Data tables nested below pie chart reports stay populated after table columns are sorted.
Five views that were created for use with the query builder have been streamlined down to the two that apply to all zones: devicemodel and devicemodel_allzones. The three views that apply to a specific zone (devicemodel, devicemodel_zone, and devicemaster) were eliminated.
If you have any saved queries based on the views devicemodel, devicemodel_zone, or devicemaster, please update them to point to either devicemodel or devicemodel_allzones (and sorry for the inconvenience).
- If the Lumeta system prompts you to change a password while the Password Controls option is set to "enabled," the new password you set must not contain 4 or more repeated or sequential characters in any character class. This accommodates new STIG security controls.
  Example of an invalid password:
  - Vanilla ####
- OS Auditing: In the CLI, enable auditing by entering the system audit enable command twice. Running the command twice generates accurate results and avoids a known issue in which some lines of audit output are missing.
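The password rule above (no 4 or more repeated or sequential characters within one character class) is easy to misread, so here is an added checker, not Lumeta's own implementation, that makes the rule concrete. The character classes, the reading of "sequential" as adjacent code points in either direction, and the function names are this example's assumptions; the threshold of 4 and the "Vanilla ####" example are from the release notes.

```python
"""Added example (not Lumeta code): check a candidate password against the
4.0 rule that it must not contain 4 or more repeated or sequential
characters from the same character class.

Assumptions: the class split (lower / upper / digit / other), the
"sequential" interpretation and the function names are this example's own.
"""
import string

MAX_RUN = 4  # a run of this length or longer is rejected (from the release notes)


def char_class(c: str) -> str:
    """Map a character to the class used for the run check."""
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.digits:
        return "digit"
    return "other"


def longest_bad_run(password: str) -> int:
    """Length of the longest run of same-class characters that are all
    identical (aaaa, ####) or all stepping by +1 / -1 (abcd, 4321)."""
    worst = 0
    n = len(password)
    for start in range(n):
        end = start
        step = None  # 0 for repeats, +1 / -1 for ascending / descending sequences
        while end + 1 < n and char_class(password[end + 1]) == char_class(password[end]):
            delta = ord(password[end + 1]) - ord(password[end])
            if delta not in (-1, 0, 1):
                break
            if step is None:
                step = delta
            elif delta != step:
                break  # a repeat followed by a sequence (or vice versa) is two runs
            end += 1
        worst = max(worst, end - start + 1)
    return worst


def is_valid(password: str) -> bool:
    """True when the password passes the repeated/sequential-character rule."""
    return longest_bad_run(password) < MAX_RUN


if __name__ == "__main__":
    for candidate in ("Vanilla ####", "Vanilla ###", "Pass4321word", "c0rrect-H0rse"):
        print(f"{candidate!r}: longest run {longest_bad_run(candidate)}, valid={is_valid(candidate)}")
```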
Security Updates & STIG
Lumeta 4.0 resolves Common Vulnerabilities & Exposures (CVEs) and incorporates a variety of security-related (and non-security-related) enhancements. A list of CVEs resolved in this 4.0 release will become available soon.
This Q3 2020 database schema, generated 7/10/2020, shows a visual representation of the Lumeta database.
The SWADLed WADL is our swagger-styled WADL documentation viewer. It comes from an auto-generated WADL that has been converted into human-readable documentation. The 4.0 WADL is available now:
LUM-1537 - What is a device?
LUM-1913 - Upgrade CentOS to CentOS 7
LUM-2015 - Lumeta integration with ServiceNow
LUM-2046 - Support issues for Lumeta 4.0
LUM-386 - CLISH Shell does not handle shell disconnects gracefully
LUM-481 - snmpDetails response with a previously discovery device with a missing parent interface doesn't update child
LUM-482 - snmpDetails response with new interface for an existing parent device causes has device_id and meta flag on update error
LUM-787 - ERROR: device record has device_id and meta flag on update seen at Customer site
LUM-1393 - Get IPs list request is timing out when BAM has 6000+ IPs in one of the network configurations
LUM-1528 - Discrepancies in snmpDetails response
LUM-1750 - (X15) Reports type with Pie Chart after drill down to table widget, sorting removes / decreases the data in grid
LUM-1806 - Runtime exception for cloud visibility accounts
LUM-1845 - (X15) AWS Cloud Scout scale up to 28,000 findings fails with X15 error 'java.lang.IndexOutOfBoundsException: Range -16878512..-16878510 out of legal range 0..33554431
LUM-1857 - Discovery-Agent No Longer Builds
LUM-1862 - Maven Repository Should Use HTTPS Instead of HTTP
LUM-1875 - Device gets processed twice where raw file contains multiple responses for same device
LUM-1930 - Discovery runs out of memory when presented with too many packets
LUM-1984 - Tweak autonetbooter and test scripts to allow 3 and 6hour to work with Lumeta 4.0+
LUM-1986 - Auto-net boot current boxes having issues
LUM-1991 - Netboot target to 'esi-current' systems failing at initialization setup, impacted auto netboot systems
LUM-2010 - esi-current fails to login with default admin password and launch initial setup
LUM-2064 - Error enabling service via /api/rest/service/enable/SNMPD call
LUM-2067 - logrotate email shows trouble with perms of lumeta-webapp
LUM-2070 - tfa netboot error message with pam_securid.so path
LUM-2074 - CentOS7 - Spectre 4.0 - Regression Testing Lumeta CC, Scout and Portal
LUM-2076 - Browse Real-Time Reports-->Device Profile Statistics--> Spell mistake in "Active" Column name of the table, Showing "acrtive" instead of "active"
LUM-2080 - Wrong label in GUI for DNS forwarding settings
LUM-2082 - Feed not getting downloading from Rapid7 server, Json parser error showing in lumeta-webapp.out console
LUM-2084 - CentOS7-->PKI authentication fails in CLI
LUM-2085 - CentOS7-->AD authentication taking more time to login via GUI and CLI
LUM-2088 - Open Session Does Not Check Source Properly
LUM-2090 - Data is not downloaded from tenable server.
LUM-2091 - CentOS7--> Syslog service is not Active/running
LUM-2092 - Remove extraneous "code" from scan agent spec file
LUM-2095 - Data is not populated in Firemon dashboards
LUM-2099 - Add filter for interface.ip
LUM-2100 - CentOS7-->Login Banner functionality failed in CLI
LUM-2122 - Update X15 RPMs to 14.6
LUM-2128 - System startup order is not correct
LUM-2137 - 'support snmp' command is printing line break (^M) characters in output
LUM-2155 - during 4.0 initialization if the user chooses manual network configuration, restore from backup is not asked
LUM-2164 - snmpd is not started after 4.0. upgrade after enabled prior to upgrade
LUM-2177 - System is in maintenance mode after installing Scout license
LUM-2178 - Fix DB Command Error
LUM-2179 - Postgres Restore Fail
LUM-2185 - Do Not Unzip Files Not Being Restored
LUM-2186 - UI session timing out within 5 minutes get 403 not logged in errors
LUM-2189 - running database DDL fails in restore
LUM-2194 - httpd service is not running in a fresh netbooted system
LUM-2200 - Backup file not found
LUM-2202 - restore option is not available in CLI under system you have to type 'top' first to view it.
LUM-2210 - Can't ssh to system (172.18.1.19) after 336 upgrade
LUM-2213 - fips setting is not getting restored
LUM-2215 - after restore and reboot only one eth interface is getting connections
LUM-2217 - We append addresses to /etc/sysconfig/network-scripts/ifcfg-eth<n> rather than replacing
LUM-2220 - Expire response decision data that is over a certain interval old
LUM-2221 - CEF isn't working in fresh netboot system
LUM-2222 - Active directory is disabled in system after restore
LUM-2223 - Device Details is not displaying Open and Closed ports
LUM-2224 - webapp isn't started for latest netboot. no lumeta-webapp.log file to view
LUM-2225 - Not able to configure AD netbios name in upgraded system
LUM-2229 - Sometimes when data is large in cc, backup command exits with error while backup create process is still running in background
LUM-2230 - rpms don't match comparing netboot to IOS boot
LUM-2231 - getting a NullPointerException during snmpDetails process
LUM-2232 - Upgrading pki enabled 3.3.5 scout to 3.3.6 ssh doesn't work
LUM-2233 - Pki enabled cc on 3.3.6 create back fails
LUM-2237 - Connected Scout isn't getting restored, missing from 'Available System' list
LUM-2245 - Error Copying Backup
LUM-2246 - lumeta-webapp.service Job Failing with Exit Code
LUM-2247 - NACK clean up routine removes the iftable_id affecting the updated device processing
LUM-2249 - Cache is not cleaned when the CheckDeadDevices code runs causing sync issues
LUM-2251 - System defined custom attributes aren't populating correct value in Configured CIDR field
LUM-2252 - cron email being sent to root
LUM-2258 - error on login '/etc/profile.d/tmout.sh: line 2: syntax error near unexpected token `fi' /etc/profile.d/tmout.sh: line 2: `fi'
LUM-2259 - X15 Provided Scripts Leaving X15 in Wrong State
LUM-2261 - CloudDiscovery not inserting interfaces
LUM-2262 - password controls remain active after disabling them
LUM-2263 - "system fips disable" doesn't update /etc/sysconfig/lumeta_stigs
LUM-2265 - Devices(child) with reference ip aren't showing custom attributes in device details
LUM-2267 - restore_system is leaving SSLOCSPEnable on commented out in /etc/httpd/conf.d/ssl.conf
LUM-2269 - 'Can't open /home/admin/.esicookies.txt' error on cli login after restore
LUM-2272 - restore is copying /etc/httpd/conf/httpd.conf and reverting change in LUM-2120
LUM-2275 - maclastobserved of container is not set
LUM-2277 - After restore, custom user with sysadmin role and with superuser flag true is not able to see administration commands like 'support', 'user new', 'organization new'
LUM-2280 - ndisc6 rpm should be installed in 4.0 netboot and ISO
LUM-2283 - db alias forces local login despite NOPASSWD sudoer rights (4.0 RC2)
LUM-2288 - Leaks By Direction Report doesn't display the data returned
LUM-2290 - Symlinks in /etc/pam.d are changed to separate files after upgrade to 4.0
LUM-2291 - discrepancies between devicemodel and API getDevices queries
LUM-2294 - 3.3.5 system PKI enabled when upgraded to 4.0 still needs password to login
LUM-2295 - Custom logos are not getting restored
LUM-2296 - Cannot disable CEF remote CEF logging from GUI
LUM-2297 - After backup create is finished system complains about some critical service not running on cli login also doesn't allow GUI login
LUM-2299 - Getting 'Can't open /home/admin/.esicookies.txt' error on cli login after restore is done
LUM-624 - httpd mpm prefork warning in error_log
LUM-1773 - Design and implement the Existing Device Detection (EDD) Functionality
LUM-1774 - Update the current device creation functionality
LUM-1778 - Implement Existing Device Functionality
LUM-1779 - Design and implement a new reference (parent) device strategy and algorithm
LUM-1780 - Update port handling to support the proposed new reference/parent device strategy
LUM-1781 - Update attribute handling to support the proposed new reference/parent device strategy
LUM-1783 - Update device response handling to support the proposed new reference/parent device strategy
LUM-1784 - Update device profiling to support the proposed new reference/parent device strategy
LUM-1785 - Update layer 2 host handling to support the proposed new reference/parent device strategy
LUM-1786 - Update MAC/IP pair handling to support the proposed new reference/parent device strategy
LUM-1787 - Update route handling to support the proposed new reference/parent device strategy
LUM-1788 - Update target query to support the proposed new reference/parent device strategy
LUM-1892 - Ingest SM device packs into Lumeta
LUM-1893 - Remove static references to firemonArtifactId and firemonGroupId to retrieve it from ingested devicepack data
LUM-1915 - Add forward DNS lookups for Host Acquisition
LUM-1921 - Configure syslog-ng to not log to /dev/null (causes SELinux warnings)
LUM-1924 - Remove collectd / carbon etc.
LUM-1932 - Unable to fetch or push data from our plugin to ePO server to version 5.10
LUM-1933 - Test Lumeta CC, Spectre and Portal on Centos 7 in feature branch and find and fix all issues
LUM-1980 - Change calls to service and init.d to systemd
LUM-1981 - Modify stigs script to use systemd
LUM-1989 - Identify and Define CentOS 7 Upgrade Path
LUM-1999 - UI Enhancement for DNS lookup
LUM-2017 - Create Database Backup
LUM-2018 - Generate Upgrade Backup File
LUM-2019 - Add API to Create Backup
LUM-2020 - Add CLI for Migration Backup
LUM-2021 - Upgrade All Packages for Security in Trunk
LUM-2023 - Create Restore Utility
LUM-2025 - Create CLI For Backup Restore
LUM-2028 - reboot does not work
LUM-2034 - pam_cracklib has been replaced by pam_pwquality
LUM-2035 - Create Seperate Partitions for OS and Data
LUM-2036 - Feature Request to Support Rapid7 Integration over other ports besides 3780
LUM-2037 - Update device values to support the proposed new reference/parent device strategy
LUM-2040 - Rework gather_diagnostics to include tools from CentOS 7
LUM-2041 - Delete all parents and children as part of the upgrade
LUM-2049 - Feature Request: Allow user to stop pushing data to Qualys Lumeta Asset group
LUM-2056 - Write 188.8.131.52 to 4.0 upgrade specific tests to cover backup, restore of data with centos 7
LUM-2069 - Service Command Output
LUM-2089 - Restore users into isobooted box from the system backup
LUM-2093 - Restore license into isobooted box from system backup
LUM-2096 - Improve handling of Port scanned devices during low load
LUM-2104 - Scrub the Java and SQL code for parent/child processing using the old parent paradigm
LUM-2109 - Update isoboot build to match netboot
LUM-2115 - add an optional boot item to isoboot menu for small-size partitioning
LUM-2120 - Add the first line of request %r back to the apache logs format
LUM-2121 - Restore network configs in 4.0 upgrade
LUM-2124 - Restore syslog-ng configs
LUM-2126 - Restore iptables/firewall in 4.0
LUM-2127 - Restore snmpd settings in 4.0 upgrade
LUM-2132 - Merge branch esi-3.3.4-LUM-1537 to trunk
LUM-2133 - Restore sshd settings in 4.0
LUM-2134 - Restore ntp and timezone in 4.0
LUM-2135 - Restore PKI settings in 4.0
LUM-2136 - Restore certs for lumeta-dxl and cisco-ise-pxgrid in 4.0
LUM-2138 - Restore proxy settings and httpd settings
LUM-2140 - Restore /etc/sysconfig/lumeta_stigs configuration
LUM-2142 - Restore ospf, bgp and bird configuration files
LUM-2143 - Restore postgresql configs in 4.0
LUM-2145 - Restore users home dir, Active Directory, password-controls
LUM-2148 - Add ddl updates, run normal and new sql cleanup in 4.0
LUM-2149 - httpd ssl.conf SSLOCSPUseRequestNonce on directive unknown
LUM-2150 - There is currently no mechanism to update interface address when a device is deleted
LUM-2152 - Remove vestiges of NMAP from Spectre/Lumeta
LUM-2154 - lumeta-webapp should not start unitl X15-server is up
LUM-2156 - Restore the properties files at /usr/local/lumeta/*/*.properties
LUM-2159 - Ignore hangup signals like sshd timeout in backup and restore
LUM-2160 - Improvements for backup logging
LUM-2162 - Restore failed to drop the db, logs recorded that
LUM-2163 - Restore of x15 failed with not accepting connections yet
LUM-2171 - STIGs for centos 7
LUM-2176 - Update syslog-ng to not log to /dev/null (causes selinux errors)
LUM-2188 - 2 changes must be copied from 3.3.6 to trunk
LUM-2198 - update x15 ddls to look at device_response of children for a container device
LUM-2209 - Release candidate(s) for release 4.0
LUM-2234 - Cannot install an SSH key
LUM-2240 - Change spec of DiscoveredEndpointsCountSnapshot X15 table so customer can ingest exported data
LUM-2260 - upgrade from 4.0 to a higher version
LUM-2268 - There is temporary code in restore_system for pg_hba.conf, remove it.
LUM-2276 - boot into single user mode doesn't accept root password
LUM-2281 - root's password is not restored from the backup, uses netboot password
LUM-2282 - Save and restore password controls
LUM-2284 - improve performance of stigs script to reduce 5 minute wait.
LUM-2298 - Copy changes from netboot kickstart file to isoboot file
LUM-2301 - remove the isoboot "4.0 (small-system)" boot option