Release Notes 4.3.2

Overview

This document outlines the updates, improvements, and fixes introduced between versions 4.2.0 (released on Sep 9) and 4.3.2 (released on Nov 22) of the Excalibur v4 software.

New Features

3rd party integration support

  • The Excalibur v4 API uses the OAuth 2.0 client credentials flow for authentication and authorization of clients. This flow is specifically designed for server-to-server (also known as machine-to-machine) interactions, allowing applications to access resources on behalf of themselves rather than on behalf of individual users.
  • Integration manual available for partners

OAuth Clients

Figure 1. OAuth Clients page
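An added example, not code from the Excalibur v4 API or its integration manual: a minimal client-credentials client in Python that authenticates as itself (no end user involved), caches the access token and refreshes it shortly before expiry. The token endpoint URL and the fake transport are assumptions so the example runs offline.

```python
import base64, json
from urllib.parse import urlencode

# Assumed token endpoint: the release notes do not give the real Excalibur v4 path.
TOKEN_URL = "https://excalibur.example/oauth/token"

class ClientCredentialsClient:
    """Machine-to-machine client (RFC 6749 section 4.4) that caches its token."""

    def __init__(self, client_id, client_secret, post, clock, skew=30):
        self._id, self._secret, self._post, self._clock = client_id, client_secret, post, clock
        self._skew = skew                 # refresh this many seconds before expiry
        self._token, self._expires_at = None, 0.0
        self.token_requests = 0           # how often the endpoint was really called

    def _fetch(self):
        # The client authenticates itself with HTTP Basic; no end user is involved.
        creds = base64.b64encode(f"{self._id}:{self._secret}".encode()).decode()
        headers = {"Authorization": f"Basic {creds}", "Content-Type": "application/x-www-form-urlencoded"}
        status, body = self._post(TOKEN_URL, headers, urlencode({"grant_type": "client_credentials"}))
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}")
        data = json.loads(body)
        if data.get("token_type", "").lower() != "bearer":
            raise RuntimeError("unexpected token_type")
        self._token = data["access_token"]
        self._expires_at = self._clock() + int(data["expires_in"]) - self._skew
        self.token_requests += 1

    def bearer(self):
        # Reuse the cached token until the refresh point, then fetch a new one.
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        return f"Bearer {self._token}"

def fake_post(url, headers, body):
    # Constructed stand-in for the token endpoint so the example runs offline.
    assert url == TOKEN_URL and headers["Authorization"].startswith("Basic ")
    assert body == "grant_type=client_credentials"
    return 200, json.dumps({"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 300})

def demo():
    now = [1000.0]                        # controllable clock for the example
    client = ClientCredentialsClient("integration-app", "secret", fake_post, lambda: now[0])
    first, second = client.bearer(), client.bearer()   # second call is served from cache
    cached_calls = client.token_requests
    now[0] += 300 - 30                    # reach expires_in minus skew: refresh is due
    client.bearer()
    return first == second, cached_calls, client.token_requests
```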

Configurable factors

  • An administrator can set the level of security and customize the factors used for registration, authentication and authorization.
  • This is done by navigating to “Security Policies -> Rule Sets” and editing a rule set.

Figure 2. Rule Sets

Figure 3. Rule Sets - Edit

Recording notification in PAM sessions

  • During a PAM session for both SSH and RDP targets, all activities are recorded. We have included user-friendly indicators and notifications to inform the user of this.
  • This includes a navigation bar icon, a browser tab icon, a warning message, and a side-bar icon.

Figure 4. PAM session recording notification

Figure 5. Notification in browser tab

Figure 6. PAM session recording notification in side-bar

Audit logs for PAM targets

  • The system provides the ability to log activities for audit purposes, securely store them, and display them in the UI for users with the appropriate permissions.
  • Note: this view is temporarily hidden from the UI.

Figure 7. Audit logs for PAM targets

Handling of expired PAM target credentials

  • When initiating a session to a PAM target, the system first verifies whether the account being used for authentication has expired. To do this, the system queries the identity store to retrieve the user from Active Directory (AD). If the returned user has the "expired" flag set, the dashboard handles this scenario by displaying a dialog with two input fields, allowing the user to set a new password.

Added optional trusted device check

  • Token integrity check is optional and can be disabled system-wide.
  • By default, the integrity check is enabled (EXC_TOKEN_INTEGRITY_CHECK_ENABLED is set to true unless configured otherwise).
  • In the token app, set the environment variable EXC_TOKEN_INTEGRITY_CHECK_ENABLED to false to disable it. Restart the token app for the environment variable to take effect.

Figure 8. Token integrity check

Security Updates

  • Added caching for JWT and OAuth permissions
  • Implemented Content Security Policy
    • Content Security Policy (CSP) is designed to restrict the web application from accessing resources outside of its domain, except for trusted sources such as Google Maps. This measure enhances the application's security by preventing the loading of untrusted external resources, reducing the risk of vulnerabilities like cross-site scripting (XSS) attacks.
  • PAM target audits permissions utilization
    • Permissions include specific scopes, acting as an additional validation layer. This enhancement enables more granular control when retrieving PAM target audit records.
  • Integrated security policies with token (mobile application)
    • Aligned token logic with PAM security policies to offer more granular and secure authentication options.
    • When connecting to a PAM target, you can use a QR code as an additional verification layer.

Figure 9. PAM QR Authentication
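As an added example (not Excalibur's own code), the following Python evaluates resource loads against a CSP of the kind described above: the application's own origin plus Google Maps hosts as trusted external sources. The policy text and the hostnames are constructed assumptions, since the notes do not list them; ports and paths are ignored for brevity.

```python
from urllib.parse import urlsplit

# Constructed policy in the spirit of the release note: the application's own origin
# only, plus Google Maps as a trusted external source. The hostnames Excalibur actually
# allows are not listed in the notes; these are assumptions.
POLICY = ("default-src 'self'; "
          "script-src 'self' https://maps.googleapis.com; "
          "img-src 'self' data: https://*.googleapis.com https://*.gstatic.com; "
          "frame-ancestors 'none'")

# Directives that do not fall back to default-src when absent.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox", "report-uri"}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(src, url, page_origin):
    """Does one CSP source expression allow loading url from a page at page_origin?"""
    u = urlsplit(url)
    if src == "'none'":
        return False
    if src == "'self'":
        return (u.scheme, u.netloc) == urlsplit(page_origin)[:2]
    if src.endswith(":"):                      # scheme source, e.g. data:
        return u.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != u.scheme:      # explicit scheme must match
        return False
    host, target = (s.hostname or "").lower(), (u.hostname or "").lower()
    if host.startswith("*."):                  # wildcard host matches subdomains only
        return target.endswith(host[1:])
    return target == host

def is_allowed(policy, directive, url, page_origin):
    """Evaluate a resource load against the policy, honouring default-src fallback."""
    d = parse_csp(policy)
    sources = d.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = d.get("default-src")
    if sources is None:
        return True                            # nothing governs this load: CSP does not restrict it
    return any(source_matches(s, url, page_origin) for s in sources)
```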

Performance Improvements

HealthCheck status update

  • The gRPC connection status of every service is monitored and used to update health checks within the Excalibur stack.

Improved compilation speed

Update ESLint rules

  • By enforcing stricter ESLint rules, we aim to catch issues during development, improving code reliability and maintainability.

Usability Improvements

Added management of terminated actions in token

Manage error localization

  • A system that fetches, caches and manages error-localization JSON from the backend. It enables the mobile application to display localized error messages specific to each deployment, improving the user experience.

Added better handling of expired QR codes in token

Apple Silicon Mac support update

  • macOS 12.0 is required to ensure proper functionality on Apple Silicon devices and to comply with App Store requirements.

Added copy button to invitations

Figure 10. Invitation copy button

Changed default sorting for PAM sessions, starting with the most recent first

Added “Enter” key press confirmation to password fields

  • The "Enter" key press now confirms entries in the password fields.

Added “Last connected” information to token detail

Figure 11. Token last connected information

Improved error messages displayed for account statuses

  • Enhanced error messages are displayed for account statuses, providing clearer information to users.

…and more minor fixes and improvements