| Info |
|---|
This article explains security controls that Cloudaware designed and implemented into Breeze Agent and Breeze Server. |
| Table of Contents |
|---|
Breeze Agent
Breeze runs as a scheduled task on Windows and Linux hosts every 15 minutes. Breeze Agent retrieves list of plugins to execute from the Breeze Server and then executes these plugins every time it runs. Each plugin includes additional logic.
...
This set of plugins can install and uninstall software, configure it and maintain service status by attempting to start or to stop it. Currently available security plugins are:
Vulnerability Scanning: Tenable
Vulnerability Scanning: Qualys
Vulnerability Scanning: Rapid7
Vulnerability Scanning: Yara
IDS: TrendMicro
EDP: CarbonBlack
EDP: ESET
Software Authenticity
Cloudaware uses code signing certificate issued by Digicert to sign the Breeze Agent installer. This eliminates warnings from OS security software packages like Windows Defender, etc. and allows users to establish that the installer has not been hijacked by the 3rd party.
...
All communications between Breeze Agent and Breeze Server happen over HTTPS with FIPS 197 compliant encryption and signing algorithms.
Cryptographic Operations
All operations between Breeze Agent and Server are additionally cryptographically signed to ensure data and request authenticity and eliminate man-in-the-middle attacks where an attacker can modify plugin code, add new plugins or alter plugin execution response.
Auditing
Extensive logging is enabled by default on the Breeze Server. All agent communications are logged and stored for 18 months. Agent supports 3 levels of logging verbosity which can be configured in agent.conf.
...
Cloudaware maintains separate version for each Breeze Plugin, Breeze Agent Installer and Breeze Server. We cryptographically sign each new version of Breeze plugin and the agent. Cloudaware maintains separate teams with isolated privileges and responsibilities in order to ensure secure operation and distribution of Breeze software.
Breeze Server Developers
Breeze Installer Developers
Breeze Plugin Developers
Security Review Engineers
CA Trust Team
Technical Account Manager
Three development teams work on various components of the Breeze architecture and are able to commit new code towards a release. Security review engineers do not have the ability to commit new code but do inspect each release for potential backdoors and other security vulnerabilities. They perform both manual code review as well as algorithmic scan using Checkmarx tool. CA Trust Team upon recommendation for from the security engineers will cryptographically sign each plugin, installer and version of the Breeze Server. Technical account managers configure which plugins are available to which customer based on specific customer requirements.
...
In order to build better transparency and trust between software vendor and customer, Cloudaware does not ship any binaries. Customer can review all the code for the installer, agent and plugins. Customers can additionally request read-only access to the Breeze Server software as well.
Directory Structure
| Contains the application configuration file in JSON format. | ||
| Contains the Breeze agent certificate and the private key. | ||
| Contains the scheduler configuration files for crond and systemd which are used during the agent installation. | ||
| The agent core libraries. This directory is synchronized with the server. | ||
| The agent core Facts. | ||
| The plugins directory which is synchronized with the Breeze server. |