Publishing Deployment Runs to Consumers
Asset Publishers now have the ability to share reserved Deployment Runs with Consumers who access resources through the Express User Interface. Unlike publishing from Scenarios, which creates resources that Express Users can manage on their own, publishing Deployment Runs allows the publisher to maintain control of the resource lifecycle. Consumers accessing the deployed Hosts through the Express User Interface can connect to the remote Host with the click of a button, as long as the publisher has given them credentials.
Publishers can read more about this feature in the associated Knowledge Base article.
For more information about managing what Consumers see in the Express User Interface, consult the Express User Interface guide.
First Quarter Fixes
- Added the ability to land on a c5n.4xlarge instance type in EC2 Cloudspaces
- Routing issues when clicking links in CONS3RT-generated emails
- Inconsistencies in metrics data reporting across Projects
- Microsoft Azure OS templates were not being filtered by region in all cases
- Some Team Managers were not able to see dashboard metrics for their Projects
- Deployments containing only a single Physical Host would sometimes fail to bind to a Cloudspace
- By default, AWS security groups restricted traffic across networks within a Cloudspace
File Transfer for VNC Connections
You asked for it, and we delivered.
Remote Access-based file transfer is now supported when connecting to your Host using a VNC Remote Access Connection. As with RDP and SSH Remote Access, users are now able to upload and download files using the “Drag-and-Drop” method, the Remote Access sidebar, or through the On-screen Clipboard.
To combat VNC’s lack of native file transfer capability, this solution is built on top of the existing secure file copy functionality of SSH. As with SSH remote access connections, only the initial user credentials set by the owner of the Run during deployment are used for determining file and folder permissions. Changing to a root user, or any other user on the system, won’t impact the files and folders you can upload and download.
File transfer is now standard on all VNC remote access connections. If you connect to your remote Host using credentials that aren’t managed by the CONS3RT Host provisioning process, you’ll need to define a custom connection with the correct credentials and use that definition to access your Host.
GPUs in Commercial Clouds
Users can access GPU instance types in commercial Cloud providers for their advanced compute requirements. Support includes:
- AWS: P3 (NVIDIA Tesla V100) and G4 (NVIDIA T4 Tensor Core)
- Azure: NC (NVIDIA Tesla K80), NCv3 (NVIDIA Tesla V100) and NV (NVIDIA Tesla M60)
Use of GPUs in commercial Cloud requires the installation of the appropriate drivers. There is a Certified, shared Asset (GPU Driver) that includes the drivers for all supported instance types. Please remember to include it in the deploy.
Cloudspace Network Management
Simplification of options and presentation for cloudspace network configuration.
New internal certificate management reduces complexity and change-over to ensure greater uptime.
Fourth Quarter Fixes
- Resolved “oops” error when multiple clicks were made in project member management
- Corrected an issue with vCloud template catalog sharing
- Some users experienced a crash when accidentally uploading media in the Asset script windows
- Slack account and channel creation sometimes hung when Slack was slow to respond
- Some users could not connect to a Deployment Run more than once per session.
- ReST API fixes
- Smoother presentation on Composition Builder interface
- Addressed jScript CVEs
- Assets shared to everyone can be downloaded by non-members of the Project
- RAM and CPU sliders were showing inaccurate info
- Some Team managers could not enable Snapshot feature
- Quickly changing projects sometimes caused lost project context or UI stall
- Azure networks would only be /16
- ReST queries to retrieve Software or Container Assets were not sorted and would return a different list each time
- Incomplete Network settings would cause a Run to fail
- Large metric retrieval would cause some users to see a Maintenance Page
Cloud Resource Scheduler
Project resource managers can schedule all Systems to be automatically powered off and back on in order to save money when they are not in use. They can create a weekday and/or weekend sunset/sunrise schedule for all Systems in their Project. For more information, please see the Knowledge Base article.
Increased the maximum upload size via browser from 3GB to 4GB.
The Cloud Security overlay is now standard on all Clouds.
Launch Error Emails and User Timezones
Launch Error Emails
Express users will receive an email notification if their Run fails to launch.
Profiles now have a user-definable timezone. These timezones are used for managing recurring and power management schedules.
Domain Login Options
When making RDP Remote Access connections, users can choose to enter their domain credentials when setting up their connection. The Team Managers can define a domain name per Cloudspace to autofill the field.
Compositions and Express User Interface
A whole new way for users to interact with the Systems.
Compositions allow users to create and publish pre-configured Scenarios for consumption by the Team. In addition to the standard Scenario design, the publisher defines the launch parameters, making for a quick and easy user experience. Compositions are available to users of the new Express User Interface (see below). For more details, please see the Knowledge Base article.
Express User Interface
The Express Interface shows the available Compositions and allows users to quickly deploy, connect to, and/or undeploy their runs. There is no need for them to navigate the whole library or to build up Systems and Scenarios.
Ubuntu 18 in vCloud
The network issues with Ubuntu 18 in vCloud have been addressed with new customization via CONS3RT.
The Container workflow will pull name and tag information from the uploaded image rather than making the user enter it.
If there are no IPs in the Cloud pool, an IP address will be dynamically assigned.
Windows 2019 and Ubuntu 18 Support
Windows 2019 and Ubuntu 18 added as fully supported Operating Systems across Cloud providers.
Users across all Clouds can now take and restore from a single Snapshot. Note: Snapshots are not intended to replace the proper use of assets for System Design and management, but rather to augment the iterative development process. Snapshots come with a performance hit and storage cost.
Team Managers can enable or disable the new Snapshot functionality for their Team.
Admins can change the owning Project of an active Deployment Run.
Third Quarter Fixes
- RHEL 7 converted to use firewalld for default security configuration
- Resolved issue with additional disk naming and CentOS 7
- Able to edit Container Asset names
- Adjusted timeouts to allow larger Deployments Runs in slower Clouds
- New Project members were not getting added to the existing community Slack channel
- Authentication issue on OpenStack Clouds using Keystone v3
- Scenario link missing when Host had a Container Asset
- In vCloud-based Cloudspaces, the maximum number of provisioned networks can now be edited
- More depth to ReST calls for configuring Cloudspaces
- Corrected routing issues on cons3rt-net for Windows Systems
- Some new users without a default Project experienced navigation errors
- The order of all storage Disks on deployed System is consistent throughout the provisioning process; UI views have been updated to maintain this order
- Updates to contact info on pricing page
- Security enhancements
Added support for OpenStack Stein.
Container Assets Metadata and Host Action Status
Container Assets Metadata Additions
Two new fields (i.e., name and ports) added to Container Assets as part of improving the management of Run arguments.
Host Action Status
Added status messages to host actions - power on, restart, snapshot, etc.
Updates to workflow, algorithms, and versions of components.
Uniform Remote Connection Timers
All “Connect” buttons now use the same timer mechanism for monitoring user access and maintaining session activity.
Asset Submission Service
Users can push their Container Images from the Asset Library to an external Docker Registry or an SFTP-based Submission Service.
All connections (GUI, ReST) must be at TLSv1.2.
Optimized process when importing Assets to reduce file transfer times.
Azure Instance Mapping
Refined matching algorithm to optimize instance type selection in Azure.
Oracle Linux in Azure
Added templates for Oracle Linux in all active cloud regions.
Azure Network Management
More dynamic management of NICs on Azure Systems.
Azure Cloud Security Overlay
Updates to securing Azure Cloudspaces.
Java 11 Support
CONS3RT infrastructure has been updated to run on Java 11.
Messaging Security Configuration
Moved messaging infrastructure to TLS1.2 and updated security configuration for latest attack vectors.
Smart Card Pass-Through (Beta)
Using a new Remote Access connection type, users can now present their local smart card (i.e. CAC) on their deployed System to authenticate to services from that deployed System. Contact Support if interested in participating in the public Beta.
Second Quarter Fixes
- Multiple ReST fixes for endpoints and calls; see the ReST documentation
- Prevent situation where Project expiration date could be set later than Team expiration date
- Added redirect to prevent 403 error if a user tries to go direct to
- Corrected dependency check to allow projects to be deleted
- Eliminated “Oops..” warning on successful remote access connection
- Fixed broken links on spotlight content
- Updated multiple knowledge base articles
- Fixed an issue when there is an error connecting to Slack that left the request in limbo
Updates to PKI Providers and Notice & Consent
Added new approved PKI providers and removed expired ones.
Notice & Consent Flow
Updated Notice & Consent flow to improve performance and security.
Docker Registry and BYOC ATO Consent
We have added a Docker Registry interface to the Asset Library. Container Images can be pulled and redeployed either via the standard Asset install or using Docker commands.
Bring Your Own Cloud (BYOC) ATO Consent
When users register their existing Clouds to a site, they acknowledge that they have the security responsibility for those resources.
ElasticTest Push Results and Asset Clean Up Utilities
ElasticTest Push Results
ElasticTest results can be set to push the results to a designated endpoint at the end of the run.
Asset Clean Up Utilities
Admin functions to clean up the data for a CONS3RT site.
Database Connection Optimization
Improvements to database connections for increased speed and reliability.
First Quarter Fixes
- Username with a . could not be added to the sudoers file
- Unable to search on Hosts
- Team Managers are unable to view expired Projects
- User is unable to link directly to Project page
- Remote Access connections sorting is updated real time
- Support added for OpenStack Keystone V3
- Project membership changes reflected immediately in the UI
- Cleaner error message when a Cloud is unreachable
- Corrected inconsistency on units in resource usage tables
Container Images and Web Architecture
Container Images are a new top-level asset type. One or more Container Images can be deployed on a System, and, optionally, alongside Application and/or Source Code assets. Container Images can be sourced from the Asset Library or an external repository. They can be redeployed individually on an existing deployment run.
New Web Architecture
The front end infrastructure has been re-architected to improve performance, security, and scalability. It is completely container-based with all the benefits. Remote access connections are more direct.
Updates to Main Menu and ElasticTest: Fortify
Main Menu Updates
The main menu has been updated to organize assets and resources into like groups.
Fortify updated to version 18.20.
Availability Zone SDN
The software defined networks have been enhanced to provide support for Availability Zones.
Deployment Properties and User Credentials
primaryNetworkIp have been added to Deployment properties for use in assets and automation.
Editable User Credentials
The default user credentials displayed on the Run screen can be edited with a new value. Doing so will not affect the running system, but it will be used for future remote access connections.
Change from License to EULA
The License tab for Assets is more accurately labeled User Agreement.
ElasticTest – Script and Powershell
Script updated to run on Red Hat 7; Powershell updated to run on Windows 2016 Server.
Jenkins Update and More Regions
Jenkins Plug-In Update
Credentials can be stored at the Admin level or at the User level.
Added support for new commercial and Gov regions in AWS and Azure.
Windows Network Discovery Disabled
The Windows Network Discovery Wizard is disabled by default to prevent problems some users were experiencing during deployment runs.
A new CONS3RT plug-in for Jenkins with the ability to update Assets and/or launch runs as part of a Jenkins job.
Each site now has a dedicated Slack Workspace, which includes a private channel for each team as well as public channels for General News, Support, and Asset Development. Users can sign up for an account on their profile page.
Team Resource Management
Changes to Team resource management allow for individual Projects to have specific or unspecified (open) resource limits. Enforcement will first check the Project limits (if any) and then the Team limit.
Additional Email Fields
Additional fields on System-generated emails to improve readability and security.
Perimeter Appliance Redeploy
In VMware clouds, Cloudspace managers can redeploy the perimeter security appliance in the event of network issues.
In addition to CONS3RT created networks, existing networks in a Cloudspace can be registered so deployed Systems can be configured to connect to them.
Pop-Up Blocker Warning
The System will display an extra warning if the user’s local browser blocks the opening of a Remote Access session tab.
Remote Access Container
To improve redeploy speed and security, the Remote Access System in each Cloudspace is now Container-based.
Windows File Transfer
In Remote Access sessions, users can open the sidebar, where they can browse, upload, and download files from their remote Windows System.
The Script(bash) and PowerShell ElasticTests now have logging output as part of the results available in the UI.
All user sessions are stored in the database to support better load-balancing. It also improves record-keeping and audit compliance.
Team Managers can set and manage project creation, membership, and resource limits. Resource limits are enforced at the Team level.
Team Managers will be able to directly register Clouds, request Cloudspaces, manage Cloudspace configuration, and create Projects. Project Managers will experience the most significant impact on their workflows. A detailed email will be sent to all existing Project Managers to explain the changes.
Projects can also be designated as Private (i.e. non-browsable).
Appliances Power-On Delay
Appliances now honor the Cloudspace’s Power-On Delay (POD) as part of the launch workflow.
Data Generator Asset
A new web traffic generator asset is available in the Community Library. It includes a user Web UI to allow for managing the type, volume, and destination of traffic.
Windows ElasticTest Agent
The Windows ElasticTest Manager Agent was rewritten in Powershell for better performance and debugging.
ElasticTest – Powershell
Runs and re-tests Powershell scripts automatically. Runs on a Windows 10 Virtual Machine.
Run KVM and VMware ESXi hypervisors as VMs in the Cloud.
Remote Access Low-Bandwidth and Maintenance Modes
Remote Access Low-Bandwidth Mode
To improve performance on poor networks, users can select a low-bandwidth mode when opening RDP or VNC Remote Access sessions. This reduces requested resolution (DPI) and color depth for VNC and RDP connections, as well as disabling wallpaper for RDP connections.
New Cloud and Cloudspace Maintenance Modes allow site and cloud Admins to isolate maintenance work to specific resources without affecting all users. Requests submitted during maintenance are queued up, and they are executed when the resources are ready.
We have reduced the number of Asset States and simplified the workflow. Please see the Knowledge Base for more details.
Users are now asked to present their certificate for authentication only after they attempt to sign in. This will allow users having trouble with their certificates to reach the Support resources.
Remote Access Enhancements
There have been several enhancements in order to better understand and prevent Remote Access issues. These include hiding the Connect button if the system is turned off, disabling re-connect retries if there is a password problem, preventing attempts to make a connection when someone else is on the system, improving disconnect messages, and implementing browser behavior changes. These should help reduce user-side problems that appeared as “disconnects.”
We have added a speed test to the site to help users identify possible network issues that might affect performance. Clicking the Speedtest link at the bottom of the page will collect results from the user’s System to the site.
More Approved Certificate Authorities
Additional Certificate Authorities (CAs) have been added to support more users.
All code and infrastructure have been updated to support Java 10 and its new coding and security standards. This included multiple optimizations for better performance as well.
New granular checking and downloading of Certificate Revocation Lists (CRLs) to increase robustness and eliminate unnecessary reloads.
Cloud Network Management
Create and Manage Networks
Cloudspace Admins can create and manage additional routable and/or internal networks. This includes defining IP Space, Gateway, Connectivity, and so on.
At launch time, the network connections on each system can be selected from the Cloudspace pool.
IP Address Assignment
Users can now specify static IPs at run launch time for any and all user interfaces on each system.
More Cloud Networks and ElasticTest Nessus Improvements
More Cloud Networks
Clouds can now contain more than two networks as part of their configuration. All networks defined for a Cloud are added to each Cloudspace at creation time.
ElasticTest Nessus Improvements
Changes to the monitoring of Nessus tasks to increase reliability.
A new Workspace for a user’s Hosts with a view across all Runs that includes real-time Deployment and install status. This view can be filtered by Cloudspace, state and OS Family.
Permanent Agent Disable
The CONS3RT Agent is now disabled when the system is Available and stays disabled through all subsequent reboots.
Automated ElasticTest Updates
Users no longer have to worry about approving updates to ElasticTest tools; it is done automatically. For existing runs, this means selecting RETEST will execute with the same version of the tool as originally installed; selecting RERUN will relaunch all Systems and create a new ElasticTest with the new version of the tool. See the Knowledge Base for more details.
Cloud & Cloudspace Security
AWS Cloud Admins can enable log collection (CloudTrail) and storage (S3) for their Clouds. When Cloudspaces are created, traffic logging (FlowLogs) is enabled, and data are persisted.
Users can change the CPU and RAM resources on active Runs with a single step that handles the power-off, resize, and power-on actions.
Detailed Asset Install Information
All Software and Source Code Assets display their current status in the workflow along with timestamps and estimated durations. Users can select a Host in the Run section and immediately see where it is at in the process, making troubleshooting and monitoring much easier.
Azure Template Support
Azure Systems are now built from templates instead of from VHD file for faster provisioning and improved sharing.
Certified Assets are fully developed, validated, and include a POC for support. Users can include them in their designs with confidence. There is a Certified label on the card view, and users can search and sort on Certified state. Designated Certifiers can review and promote assets.
More Slack Notifications
More options for notifications have been added to the integrated Slack channel.
Large teams can sign up for a dedicated landing page with custom theme and content.
Asset Counts and IDs
In the list view of Assets the card shows how many times that Asset has been used. The view can also be sorted to show the most popular Assets at the top.
Assets are often referenced by their ID in log messages and some emails. The Asset ID is now displayed as part of the data in the left side column.
Asset Wizard and Referenced Asset Media
Users can now create Software and Source Code Assets directly in the new Asset Wizard. It will walk users through the collection of the information and files necessary for building up an Asset.
Referenced Asset Media
Asset media can either be uploaded directly or referenced by a URL. External (URL) media will be background downloaded, scanned, and placed in the library for future use.
Automatic Disk Mounting
All additional Disks defined in the System Builder are now formatted and mounted automatically. More information can be found in this Knowledge Base article.
Systems are now deployed with their Firewalls enabled. All outbound traffic is allowed; inbound traffic is only allowed on the CONS3RT management network for the supported Remote Access connections (i.e. RDP, VNC, SSH). Additional changes to the Firewall can be managed via Assets.
The BIG-IP from F5 is now a supported OS type, including the installation of Software Assets. Check the template notes for any known limitations.
The expiration date on PKI certificates is displayed and users can delete existing certificates from an account.
Users can apply filters on the collections page by type (Software, Test, System, etc.).
Remote Access Connections Clean Up
Users can now delete old custom Remote Access connections from the list of options.
VyOS as a Supported OS
VyOS is now an officially supported Operating System type.
Asset Debugging Exit Code
Assets can now use an exit code of 255 on errors, which will log the error but will not fail the Asset. In this case, the installation and Run will continue.
Automatic Project Creation
When a new Team is created, an initial Project will be created with the same name.
Embedded Application Server
To improve performance and support future features, the CONS3RT application uses a new embedded web application server.
To better support management of storage resources, the display of storage usage has changed from rounded TB values to the full value, rounded to one decimal place.
Asset Script Safety
To prevent errors that occur when scripts are written on one platform and deployed on another, all scripts now have their line endings set when uploaded or updated. If the script is .ps1, OR if the asset platform is Windows, the line endings will be set to CR/LF; on all other scripts the line endings will be set to LF.
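The line-ending rule above, written out as an added example (not CONS3RT's own code), including the mixed-ending and UTF-16 cases a byte-level replace would corrupt. The function names, the case-insensitive `.ps1` match, the `"Windows"` platform label and the BOM handling are assumptions made for illustration.

```python
import codecs
import re
from pathlib import PurePath

# CRLF is tried first, then a lone CR or LF, so a file with mixed endings is
# fixed in one pass and "\r\n" is never expanded to "\r\r\n".
_ANY_EOL = re.compile(r"\r\n|\r|\n")


def target_eol(filename: str, asset_platform: str) -> str:
    """Rule from the release note: .ps1 OR Windows platform -> CR/LF, else LF."""
    # Assumption: the extension is matched case-insensitively.
    is_ps1 = PurePath(filename).suffix.lower() == ".ps1"
    # Assumption: the asset platform is carried as a label such as "Windows".
    is_windows = asset_platform.strip().lower() == "windows"
    return "\r\n" if (is_ps1 or is_windows) else "\n"


def normalize_script(data: bytes, filename: str, asset_platform: str) -> bytes:
    """Return the script with every line ending set to the target ending."""
    eol = target_eol(filename, asset_platform)

    # PowerShell scripts are sometimes saved as UTF-16 with a BOM. There CR
    # and LF are two-byte code units, so the text must be decoded before the
    # endings are rewritten. UTF-32 is not handled here.
    if data.startswith(codecs.BOM_UTF16_LE):
        bom, encoding = codecs.BOM_UTF16_LE, "utf-16-le"
    elif data.startswith(codecs.BOM_UTF16_BE):
        bom, encoding = codecs.BOM_UTF16_BE, "utf-16-be"
    else:
        # latin-1 maps every byte to one code point and back, so ASCII and
        # UTF-8 scripts pass through unchanged apart from the line endings.
        bom, encoding = b"", "latin-1"

    text = data[len(bom):].decode(encoding)
    fixed = _ANY_EOL.sub(lambda _m: eol, text)
    return bom + fixed.encode(encoding)


# Constructed sample: a shell script edited on several platforms, carrying
# CRLF, lone CR and LF endings at once.
SAMPLE_MIXED = b"#!/bin/bash\r\necho one\recho two\n"

if __name__ == "__main__":
    print(normalize_script(SAMPLE_MIXED, "install.sh", "Linux"))
    print(normalize_script(SAMPLE_MIXED, "install.ps1", "Linux"))
```

A CRLF shebang line is the classic failure this prevents: the kernel looks for an interpreter named `/bin/bash\r` and the script never starts.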
Native System Accounts
The password for all existing accounts in a System (e.g. root, administrator, x_administrator, etc.) is now set to the same as the password that the user had created at the time of launching the Deployment Run. Users can use an asset if they want to make further changes.
Users now only see the links and management boxes for the credential type (username/password or certificate) supported in the site. In certificate sites, users can see the certificates registered to their account.
The frontend (GUI, ReST) is now a separate module in development. This change will allow for faster rollout of new features and shorter maintenance windows.
Dashboards now include a list of all ElasticTest tools available to the Project with links to the available test cases.
New Deployment properties for the default user, CONS3RT-installed user, and vGPU status.
Asset State Management
The management of Asset States has been moved from the gear icon to its own section.
Multiple Networks on Physical Hosts
Physical Hosts now support multiple networks.
Perimeter Security Configurations
Cloudspace perimeter firewalls/gateways have been updated with tighter System-level lockdowns and controls.
AWS Security Credentials
Allocated Virtual Private Clouds (VPCs) in AWS now use generated, unique, scope-limited credentials for CONS3RT driven actions.
Physical System Remote Access
Remote Access is now supported on Physical Hosts and Devices.
Solaris 11 has been added back as a supported Operating System for deployed Systems.
Power On Delay Management
Cloudspace Admins can manage the Power-on-Delay parameters to optimize System deploy times.
Simple & Custom Remote Access Connections
Remote Access connections will now auto-complete the user’s defined account and credentials for making a quicker connection. Alternatively, the user can select a custom connection to enter an alternate set of credentials.
Remote Access Collaboration
Users can invite other Project members to share their Remote Access sessions. The Host can provide Read Only access to their screens to support collaboration, troubleshooting, training, and more.
Upon login, users land on their Project dashboard. This dashboard includes a list of Runs, graphs of resource usage, links to documentation and help, site alerts, and more.
Windows 2016 Server
Windows 2K16 is now a fully supported Operating System for Systems and Appliances.
Remote Access Tab
When opening a Remote Access connection, the name and ID are displayed on the browser tab for easier navigation and management.
Usage and storage metrics for VMs, vCPU, vRAM, and vGPU are collected and displayed at the Project, Cloudspace, and Site level. The built-in graph shows 24 hour, 7 day, and 30 day snapshots. Historical data has been back-filled for existing Projects. Metrics can also be queried via the ReST API.
In Remote Access sessions, a user can open the sidebar where they can browse, upload, and download files from the remote System.
Closed (i.e. Expired) Projects are now labeled as such in order to prevent sign-ups by new users.
Deployment Run Changes - New View and User Account Creation
New Deployment Run View
We have reworked the Deployment Run display to make it easier and faster for users to get the information they need.
User Account Creation
To increase security and standardize behavior across Cloud technologies, users now create an account and password for each Deployment Run. Doing so will create that user account on all Systems within the Run.
Asset Download Hash
Users who are downloading Assets will be given the hash value (SHA-256) for that Asset so that they can confirm the integrity of the download.
User Card Updates
The card view of the user now includes their email address.
Network Cloud Configuration and Database Auditing
This release includes:
Network Cloud Configuration
New network Cloud object for managing configurations per Cloud.
Native database transaction auditing.
Enhanced Data Encryption
Increased encryption across the application. Stronger FIPS algorithms and hashes; many more data fields encrypted by default.
My Asset Views and Windows XP
My Asset Views
Users can now browse their Software and Test Assets (under My Assets), Project Assets, and Community-Shared Assets separately.
What’s old is new! Windows XP has been re-added to the supported Operating System types to support cyber training needs.
Power State Warning
Remote Access now checks that the System is powered-on before attempting to make a connection.
Power On Delay Reset
Cloudspace Admins can re-baseline the Power-On Delay setting for their Cloudspace.
Full Azure Support
This release includes all user (provisioning, Remote Access, ElasticTest) and management features.
Active Site Security Configuration
CONS3RT actively manages the access control lists for ancillary services directly.
CONS3RT Agent Removal and Appliance Settings
CONS3RT Agent Removal
The CONS3RT Agent on deployed Systems now shuts down by default when the System goes to Reserved. The user can override this removal if needed. If the user chooses to retain the Agent, there is an option to disable it after the System goes to Reserved.
Users can now edit the resources (CPU, RAM) on appliances at deployment launch time.
Cloud Network Management
Cloud Admins can set and manage a default CONS3RT network (IPs, firewalls, NAT, etc.) per Cloud, not just per site.
Remote Access Sizing and Redeploy Management
Remote Access Sizing
Cloudspace Administrators can now choose from three different sizes for their Remote Access server - Small (1 CPU x 2 GB RAM), Medium (2 x 4) or Large (4 x 16).
Remote Access Redeploy Management
Site Administrators can define the window and distribution of the automated redeployment of Remote Access servers.