github natlas/natlas v0.6.11
v0.6.11 - Major improvements

3 years ago

v0.6.11 introduces a number of major improvements as well as significant changes to the deployment workflow. This is meant to be the last stable release in the v0.6.x series, as we make many needed architectural changes that will break backwards compatibility for 0.7.0.

You'll also notice that we do not provide separate agent and server tarballs with this release, as the standard deployment going forward will be via Docker releases.

Added

  • (Both) Default natlas-services file has been updated to include common dockerd, kubeadm, elastic, and minecraft ports. (#423)
  • (Server) Support for Elasticsearch 7 (#263)
  • (Server) There is now an optional consistent scan cycle option, via CONSISTENT_SCAN_CYCLE. This will still traverse the scope in a random order, but after a cycle is completed it will reuse the same order. This produces more consistent time deltas between scans of a given host. (#337)
  • (Server) New landing page instead of automatically redirecting to /browse or /auth/login depending on your configuration. (#343)
  • (Server) Support for dark mode via the prefers-color-scheme media query. (#343)
  • (Server) Support for reduced motion across the application via prefers-reduced-motion media query. (#343)
  • (Server) Support for MySQL databases (#358)
  • (Agent) Uses dumb-init to ensure chromium processes get cleaned up rather than left around as zombies. (#302)

Changed

  • (Both) Natlas now uses a docker-only deployment, which makes it easier to produce consistent running environments. (#281)
  • (Both) Dependency versions updated significantly (Dependabot activity)
  • (Server) Web assets (js/css) are compiled via webpack (#254)
  • (Server) System status page automatically refreshes (#258)
  • (Server) Secure default settings for new deployments - User login required and agent authentication are now the default. (#279)
  • (Server) add-user.py and add-scope.py have been replaced with flask cli commands, flask user new and flask scope import, respectively. (#216)
  • (Server) Default mail settings have been changed to use port 587 with STARTTLS, rather than port 25 with no TLS (#409)
  • (Agent) Agent scanning threads now stagger their start time to alleviate some strain on both the agent and the server when an agent starts up. (#312)

Fixed

  • (Both) Fix file handles that don't get closed (#338)
  • (Both) Targeting IPv6 addresses should behave like IPv4 addresses now, instead of throwing errors at random points in the stack (#61, #355)
  • (Both) Image verification takes place to ensure that empty or otherwise malformed images aren't being passed from agent -> server or from server -> disk. (#412)
  • (Server) You can no longer visit /search without a search query, which previously showed an empty search results page. It now redirects you to /browse. (#267)
  • (Server) Significant performance improvements to the scope manager when using a large number of distinct CIDR ranges (#351)
  • (Server) Screenshots don't automatically assume .png file format, enabling the jpg VNC screenshots. (#365)
  • (Server) SSL Certificates with malformed dates now ignore the malformed fields rather than abandoning the entire scan document (#261)
  • (Server) Initial database population is now handled by the database migrations rather than at application initialization. This fixes a bug where you can't have 0 scripts defined for the agent. (#400)
  • (Server) Server no longer uses cached data when loading admin panel webpages, which could occasionally lead to bugs with loading the agent config page (#326)
  • (Agent) VNC screenshots no longer rely on the DISPLAY environment variable, since the agent now uses xvfb-run. (#364)
  • (Agent) No longer echo huge xml files to the command line to pipe into aquatone (#420)

Removed

  • (Server) add-scope.py, add-user.py scripts have been removed in favor of the new cli commands (#216)
  • (Server) elastic-snapshot.py script has been removed. It was barely functional to begin with and was largely unmaintained. (#373)

Security

  • (Agent) Use a seccomp profile when launching the agent container so that chrome can take screenshots without requiring --no-sandbox or SYS_ADMIN capability. (#285)
  • (Server) Removed referrer redirects to avoid potential redirect vulnerabilities (#305)
  • (Both) XML parsing is now defused via the natlas-libnmap library (#318)

Known Bugs

  • flask scope import behaves abnormally: it imports as blacklist by default, and, awkwardly, to import scope you have to run flask scope import --blacklist. A fix is pending for the 0.6.12 release. (#436)
  • flask scope export fails if any scope items are tagged. A fix is pending for the 0.6.12 release. (#426)
