Information about the IMPEX release 5.0.0

The IMPEX 5.0.0 release

Sysctl proudly presents our latest technology, the Impex 5 release.

This release contains a complete rebase of the IMPEX product on a modern Linux distribution, which, with our changes, we officially call Sysctl Linux. This change brings with it a lot of security improvements introduced in newer kernels and OS packages.

The repo component, which is responsible for handling upgrades and package management, has been rearchitected. Different setups and topologies are now possible for the repo server: it can be placed in a DMZ, co-hosted on the same server as the ICC, run on another host, etc. The repo server now also supports network proxies.

The 5.0 release of Impex is the first version with official cloud support. For those customers that want to run the Impex back-end systems (ICC, repo) in their Azure tenant, we now distribute new Azure images. These must be used to integrate with the Azure infrastructure.

With the upgrade to 5.0, support for many file systems has been enhanced. Newer versions of filesystems are now recognized by the product.

With the 5.0 release we also provide a Software Bill of Materials, SBOM. This is available for customers with active service contracts.

We also retire one AV engine (F-Secure) and bring in another (TrendMicro).

5.0 is not an automatic update for existing customers

Please note that this release is not an automatic update. The 5.0 rollout will be implemented in phases. First, the server components need to be upgraded, and when those are in place, then Impex USB Protect and Impex DataLock can be upgraded to Impex 5. Because of major changes in internal setup, all upgrades to 5.0 need to involve you, our customer, to decide when and how you will do this transition.

For ICC and REPO installations, you will need to migrate to this release.

Before installing 5.0.0, make sure that you are on the latest 4.1.4 release on the ICC. Follow the instructions in the installation manual on how to perform this: https://sysctl.se/impex/documentation/installation-manual/#migrating-icc-to-new-server

That is, install new 5.0.0 versions and then restore an ICC backup to the ICC. The REPO server is then automatically configured when you edit the RepoSettings card in the ICC GUI.

Stations can be manually upgraded from 4.1.4 to 5.0.0 by booting our 5.0.0 USBProtect ISO downloaded from our customer portal.

We will add automatic update functionality for the stations later on when customers have upgraded their server base.

ICC changes

  • ICC now runs in a separate process, locked down with SELinux and systemd unit security pragmas.
  • We added a new icc-helper process that ICC talks to for doing system changes requiring higher privileges, locked down with SELinux.
  • Adding/updating station identities was changed so that the identification field now needs to be unique.
  • The ICC server now supports TLS1.3.
  • The ICC GUI Repository configuration view has several new fields, including upstream credentials and the Repo usernames/passwords used by stations, since the ICC now controls the Repo server (except for the TLS certificates).
  • Network edit signify bundle link was moved from the Server settings view to the Station card.

Repo changes

  • Major architecture changes of the repo server, to allow different setups and network topologies.
  • The Repo server is now configured from the ICC server. The only configuration that must be done in the repo is the IP address configuration and certificate installation.
  • The Repo server now supports TLS1.3.
  • The Repo server now has proxy support.

Station and Datalock fixes

  • Stunnel proxy used internally did not validate the server certificate.
  • BitLocker vfat containers were not mounted with utf8 support; this is now corrected.

Station changes

  • Many adaptation changes were made because of API/behaviour changes in newer OS packages.

Engine changes

  • Changed the encrypted zip Yara rule to only find a single encrypted zip file.
  • Added a Yara rule to find encrypted zip in nested zip files. This rule can have false positives.

Datalock changes

  • Datalock now has a modern “scp”, which means it uses the SFTP protocol on upload to a remote flow destination. This allows users to use either “sftp” or “scp” commands to transfer files.
  • The remote ssh user no longer needs to have a shell, adding an extra security protection feature to the file transfer setup.

Cloud support

  • This release has been enhanced to support installation on Microsoft cloud infrastructure. This allows customers to have an ICC running in their Azure tenant instead of on-prem. There is a new installation ISO available for this type of install, and it must be used.

Operating system packages

  • As usual, this new release also brings upstream operating system updates and fixes.

Known issues

  • Documentation has not yet been updated to match the ICC changes.
  • The sound on station does not work.

Information

Upgrade instructions

This release requires a new installation of the ICC server and the Repo server due to operating system changes.

To upgrade, contact Sysctl for detailed instructions and technical support during the upgrade.

SBOM

This release also provides a Software Bill of Materials (SBOM), a structured data format describing the components making up the Impex product. This is available for customers with active service contracts.

Portal

https://portal.sysctl.se is now available for Sysctl customers. The portal is used to distribute files and information that have restricted distribution. In this initial release, the portal provides specific program files for IMPEX customers, especially those customers that have standalone or offline USB Protect. From the portal, customers can download offline updates and antivirus definition updates. It is also possible to download installation media for:

  • ICC server.
  • Repository server.
  • IMPEX USB Protect.
  • IMPEX DataLock.

Email SYSCTL support to get access to the portal.

Atom (RSS-like) feed

The feed includes sysctl news and release information

https://sysctl.se/feed.xml