Versions Compared

Old Version 2

changes.mady.by.user Daria Lebedeva

Saved on

compared with

New Version Current

changes.mady.by.user Daria Lebedeva

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

This

...

article explains security controls that Cloudaware designed and implemented into Breeze Agent and Breeze Server.

Table of Contents

Breeze Agent

Breeze runs as a scheduled task on Windows and Linux hosts every 15 minutes. Breeze agent Agent retrieves list of plugins to execute from the breeze server Breeze Server and then executes these plugins every time it runs. Each plugin includes additional logic.

Breeze Server

Is Breeze Server is part of the CMDB and acts as a classifier to Breeze Agents agents by returning the list of the Breeze Plugins plugins available for each Breeze Agentagent. Breeze Server also acts as a certificate authority by issuing, revoking and verifying certificates used for server agent communications.

...

This set of plugins can install and uninstall software, configure it and maintain service status by attempting to start or to stop it. Currently available security plugins are:

  • Vulnerability Scanning: Tenable

  • Vulnerability Scanning: Qualys

  • Vulnerability Scanning: Rapid7

  • Vulnerability Scanning: Yara

  • IDS: TrendMicro

  • EDP: CarbonBlack

  • EDP: ESET

Software Authenticity

Cloudaware uses code signing certificate issued by Digicert to sign the Breeze Agent installer. This eliminates warnings from OS security software packages like Windows Defender, etc. and allows users to establish that the installer has not been hijacked by the 3rd party.

...

There is a bi-directional authentication between Breeze Agent and the Breeze Server. First Breeze Agent must present a valid certificate signed earlier by the Breeze Server. If the agent authenticated successfully, Breeze Server also presents its own server certificate and the agent has to match it to the certificate that has been included with the installer. Pair The pair can continue to communicate only if both certificates have matched and both parties have authenticated each other successfully.

...

All communications between Breeze Agent and Breeze Server happen over HTTPS with FIPS 197 compliant encryption and signing algorithms.  

Cryptographic Operations

All operations between Breeze Agent and Server are additionally cryptographically signed to ensure data and request authenticity and eliminate man-in-the-middle attacks where an attacker can modify plugin code, add new plugins or alter plugin execution response.  

Auditing

Extensive logging is enabled by default on the breeze serverBreeze Server. All agent communications are logged and stored for 18 months. Agent supports 3 levels of logging verbosity which can be configured in agent.conf.

Change Control

Cloudaware maintains separate version for each Breeze Plugin, Breeze Agent Installer and Breeze Server. We cryptographically sign each new version of breeze Breeze plugin and the agent. Cloudaware maintains separate teams   with isolated privileges and responsibilities in order to ensure secure operation and distribution of Breeze software.

  • Breeze Server Developers

  • Breeze Installer Developers

  • Breeze Plugin Developers

  • Security Review Engineers

  • CA Trust Team

  • Technical Account Manager

Three development teams work on various components of the breeze Breeze architecture and are able to commit new code towards a release. Security review engineers do not have the ability to commit new code but do inspect each release for potential backdoors and other security vulnerabilities. They perform both manual code review as well as algorithmic scan using Checkmarx tool. CA Trust Team upon recommendation for from the security engineers will cryptographically sign each plugin, installer and version of the Breeze Server. Technical account managers configure which plugins are available to which customer based on specific customer requirements.

...

Agent can run on the operating system either as root or under specific identity selected by the user.   However if customer wishes to use Breeze Agent to deploy security plugins, the agent must run under root or Administrator privileges. For discovery purposes alone, breeze agent Breeze Agent does not need to operate under root.

...

In order to build better transparency and trust between software vendor and customer, Cloudaware does not ship any binaries. Customer can review all the code for the installer, agent and plugins. Customers can additionally request read-only access to the breeze server Breeze Server software as well. 

Directory Structure

Code Block
etc/

Contains the application configuration file in JSON format.

Code Block
etc/ssl/

Contains the Breeze agent certificate and the private key.

Code Block
install/

Contains the scheduler configuration files for crond and systemd which are used during the agent installation.

Code Block
lib/

The agent core libraries. This directory is synchronized with the server.

Code Block
lib/breeze/facter/facts.d

The agent core Facts.

Code Block
plugins/

The plugins directory which is synchronized with the Breeze server.