🎤 Announcement

This is the first release of Zentral under the new licensing scheme. After nearly 7 years, we have decided to concentrate our business on Zentral as a product. Most of the code stays under the Apache license but some modules, like the SAML authentication or the Splunk event store are licensed under a new source available license and require a subscription when used in production.

Do not hesitate to contact us if you need more information!

🥁 Some highlights

• GitHub workflow to build and push three flavours of the docker container to the docker hub.
• sumo logic event store module.
• Extra API endpoints for the new verified terraform provider.
• Automated MDM payload renewals.
• Flexible SCEP configuration for the MDM payloads.
• Separated OpenSearch and Elasticsearch store modules for higher compatibility.
• Upgrade to python3.10 bullseye docker base images.

See the CHANGELOG for more details and breaking changes.

🥁 Long overdue new release

It is time to cut a release, after so many new features have been implemented. Here are some of the highlights:

• Osquery and inventory based compliance checks, with Prometheus metrics
• Munki / Monolith metrics and sharding for package installs
• Santa team ID rules
• Event routing keys for the event stores
• Secrets engines to encrypt secrets in PostgreSQL

See the CHANGELOG for a more complete list.

🎤 Announcement

This is probably the last fully opensource release of Zentral (if no patch release is necessary). After nearly 7 years, we have decided to concentrate our business on Zentral as a product. To support this new orientation, we are going to change the license scheme in the coming weeks. Most of the code is going to stay under the Apache license, but some modules, like the SAML authentication, or the Splunk event store are going to be licensed under a new source available license, and will require a subscription when used in production. Do not hesitate to contact us if you need more information!

🚀 Santa module overhaul

The Santa module has been completely overhauled.

Breaking changes

Rules are not managed in the Probes anymore. They are managed under each Configuration in the Santa Setup.

If you upgrade from a previous Zentral release, please, make a backup! The existing rules in the Santa probes will be automatically migrated to each existing Zentral Santa Configuration. You need to carefully review them afterwards.

You can read more about it in the updated documentation.

🚀 Santa module overhaul

The Santa module has been completely overhauled.

Breaking changes

Rules are not managed in the Probes anymore. They are managed under each Configuration in the Santa Setup.

If you upgrade from a previous Zentral release, please, make a backup! The existing rules in the Santa probes will be automatically migrated to each existing Zentral Santa Configuration. You need to carefully review them afterwards.

You can read more about it in the updated documentation – Sorry, still a work in progress.

Main new features:

• Implementation of the Bundle info/events part of the Santa sync
• ALLOWLIST_COMPILER rules
• API endpoint to apply sets of rules to one or many Santa configurations
• API endpoint to ingest the santactl fileinfo JSON output to populate the sha256 and apps in Zentral

Main things

• Realms for SSO (LDAP / OpenID Connect / SAML)
• MDM / DEP authentication using the realms, and auto user setup

Smaller thing

• Santa EnableBadSignatureProtection

Fixes

• Santa enrollment packages

Small things

• Link from incident to Kibana linked events
• Better enrollment package download buttons

Fixes

• Timestamp in Azure Log Analytics
• probe payload filters
• osquery release choices

New feature

• new xnumon event type for the agent stats

Fixes

• jamf and santa app dependencies on the filebeat app.
• separate FQDN for the client cert authentication

New features

• inventory exporters
• Okta webhook events
• Azure Log Analytics as event store
• osquery powershell enrollment script
• jamf client log shipping

Fixes

• jamf server log ingestion
• santa log event parsing
• filebeat enrollment on linux

New features

• unified filebeat enrollment (with micromdm scepserver and scepclient), configuration, and event processing for the santa logs, the xnumon logs and the jamf server logs.
• API to export the inventory reports as XLSX and zipped CSV files
• Better jamf webhooks events:
  • computer policy finished events are enriched via an extra API call
  • fixed issues with the v10.12 changes
• celery worker for the background tasks:
  • inventory exports
  • osquery file carving archive building
  • MDM device push notifications
• refactoring of all the event pre-processors in one zentral worker.

Breaking changes

• The zentral.contrib.jamf and zentral.contrib.santa apps depend on the zentral.contrib.filebeat app. You may need to include it in the base.json.
• Some tasks which use to happen in dedicated workers have been migrated to celery tasks. You need to run a celery worker (see the docker-compose.yml file for example).
• You need to restart the workers and the gunicorn processes after the update. A reload is not enough.
• The zentral.contrib.audit app has been removed.

See the Wiki for the release notes.