| Info |
|---|
This article explains security controls that Cloudaware designed and implemented into Breeze Agent and Breeze Server. |
| Table of Contents |
|---|
Breeze Agent
Breeze runs as a scheduled task on Windows and Linux hosts every 15 minutes. Breeze agent Agent retrieves list of plugins to execute from the breeze server Breeze Server and then executes these plugins every time it runs. Each plugin includes additional logic.
Breeze Server
Is Breeze Server is part of the CMDB and acts as a classifier to Breeze Agents agents by returning the list of the Breeze Plugins plugins available for each Breeze Agentagent. Breeze Server also acts as a certificate authority by issuing, revoking and verifying certificates used for server agent communications.
...
This set of plugins can install and uninstall software, configure it and maintain service status by attempting to start or to stop it. Currently available security plugins are:
Vulnerability Scanning: Tenable
Vulnerability Scanning: Qualys
Vulnerability Scanning: Rapid7
Vulnerability Scanning: Yara
IDS: TrendMicro
EDP: CarbonBlack
EDP: ESET
Software Authenticity
Cloudaware uses code signing certificate issued by Digicert to sign the Breeze Agent installer. This eliminates warnings from OS security software packages like Windows Defender, etc. and allows users to establish that the installer has not been hijacked by the 3rd party.
...
There is a bi-directional authentication between Breeze Agent and the Breeze Server. First Breeze Agent must present a valid certificate signed earlier by the Breeze Server. If the agent authenticated successfully, Breeze Server also presents its own server certificate and the agent has to match it to the certificate that has been included with the installer. Pair The pair can continue to communicate only if both certificates have matched and both parties have authenticated each other successfully.
...
All communications between Breeze Agent and Breeze Server happen over HTTPS with FIPS 197 compliant encryption and signing algorithms.
Cryptographic Operations
All operations between Breeze Agent and Server are additionally cryptographically signed to ensure data and request authenticity and eliminate man-in-the-middle attacks where an attacker can modify plugin code, add new plugins or alter plugin execution response.
Auditing
Extensive logging is enabled by default on the breeze serverBreeze Server. All agent communications are logged and stored for 18 months. Agent supports 3 levels of logging verbosity which can be configured in agent.conf.
Change Control
Cloudaware maintains separate version for each Breeze Plugin, Breeze Agent Installer and Breeze Server. We cryptographically sign each new version of breeze Breeze plugin and the agent. Cloudaware maintains separate teams with isolated privileges and responsibilities in order to ensure secure operation and distribution of Breeze software.
Breeze Server Developers
Breeze Installer Developers
Breeze Plugin Developers
Security Review Engineers
CA Trust Team
Technical Account Manager
Three development teams work on various components of the breeze Breeze architecture and are able to commit new code towards a release. Security review engineers do not have the ability to commit new code but do inspect each release for potential backdoors and other security vulnerabilities. They perform both manual code review as well as algorithmic scan using Checkmarx tool. CA Trust Team upon recommendation for from the security engineers will cryptographically sign each plugin, installer and version of the Breeze Server. Technical account managers configure which plugins are available to which customer based on specific customer requirements.
...
Agent can run on the operating system either as root or under specific identity selected by the user. However if customer wishes to use Breeze Agent to deploy security plugins, the agent must run under root or Administrator privileges. For discovery purposes alone, breeze agent Breeze Agent does not need to operate under root.
...
In order to build better transparency and trust between software vendor and customer, Cloudaware does not ship any binaries. Customer can review all the code for the installer, agent and plugins. Customers can additionally request read-only access to the breeze server Breeze Server software as well.
Directory Structure
| Contains the application configuration file in JSON format. | ||
| Contains the Breeze agent certificate and the private key. | ||
| Contains the scheduler configuration files for crond and systemd which are used during the agent installation. | ||
| The agent core libraries. This directory is synchronized with the server. | ||
| The agent core Facts. | ||
| The plugins directory which is synchronized with the Breeze server. |