HUBBLE SECURITY FOR DEVOPS
OVERVIEW
Quick Start
Audit Modules (Nova)
Audit Profiles (Nova)
File-Integrity Events (Pulsar)
Snapshots (Nebula)
Reporting (Quasar)
Roadmap
AUDIT MODULES
• grep
• iptables
• netstat
• openscap
• openssl
• pkg
• service
• stat
• sysctl
• vulners.com
PROFILES
• Profiles are written in YAML
• Nova audits are profile driven
• Audit modules read profiles for instructions
• Sample profiles shipped in hubblestack_nova/samples
• Profiles are meant to be customized
• Customize to match your security policy
PULSAR
Pulsar’s inotify module watches for filesystem events in real-time. When Pulsar detects a CREATE, MODIFY or DELETE filesystem event it takes a snapshot of the file attributes. This data can be tracked and analyzed using Splunk (or similar). See Quasar for more details.
PULSAR FAQ
Monitored directories are configurable
Exceptions are supported (i.e., monitor /var/ but not /var/log)
Multiple Quasar modules are supported (i.e., Splunk + Slack)
Not currently compatible with prelinking
Gathered file attributes are configurable (checksum type, file stats)
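The behaviour described above (watched directories with exceptions, then a configurable attribute snapshot per event), as an added sketch that is not Hubble's own code. The names WATCHED, EXCLUDED, under, is_monitored and snapshot are assumptions made for this example, and the event arrives as a plain string rather than from inotify.

```python
import hashlib
import os
import stat

# Constructed settings for this example; these are not Hubble's config keys.
WATCHED = ["/var"]
EXCLUDED = ["/var/log"]
EVENTS = {"CREATE", "MODIFY", "DELETE"}


def under(path, root):
    """True when path is root itself or lies beneath it."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    # Compare on a separator boundary so /var/logs does not match /var/log.
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def is_monitored(path, watched=WATCHED, excluded=EXCLUDED):
    """A watched directory applies unless an exception covers the path."""
    if any(under(path, e) for e in excluded):
        return False
    return any(under(path, w) for w in watched)


def snapshot(event, path, watched=WATCHED, excluded=EXCLUDED,
             checksum="sha256", stats=("st_mode", "st_uid", "st_gid", "st_size")):
    """Return the attribute record for one event, or None if it is ignored."""
    if event not in EVENTS or not is_monitored(path, watched, excluded):
        return None
    record = {"event": event, "path": path}
    if event == "DELETE":
        return record  # nothing is left on disk to stat or hash
    try:
        st = os.lstat(path)  # lstat describes a symlink itself, not its target
        record.update({name: getattr(st, name) for name in stats})
        if stat.S_ISREG(st.st_mode):
            digest = hashlib.new(checksum)
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            record["checksum"] = digest.hexdigest()
    except FileNotFoundError:
        record["gone"] = True  # file vanished between the event and the snapshot
    return record
```

Matching on a path-separator boundary keeps an exception for /var/log from silently hiding a sibling such as /var/logs.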
NEBULA
Nebula’s osquery module allows you to query your systems for information just like a database. Running these queries on a cadence allows for regular, scheduled snapshots of activity on your running systems. This data can then be tracked and analyzed using Splunk (or similar). See Quasar for more details.
NEBULA QUERIES
• running processes
• established outbound connections
• listening processes
• suid binaries
• crontab
• installed packages
• ...anything else you’d like to query
QUASAR
Quasar is a collection of custom modules that collect data from Nova, Nebula and Pulsar and deliver it for processing. Quasar modules can connect to just about anything, including Splunk, Slack, email, SMS, etc.
ROADMAP 2017
• add trigger functionality to Nova (remediation)
• add alert functionality to Nova (slack, sms, email, jabber)
• extend Pulsar to include login events
• extend Pulsar to include shell events
• template (jinja, includes) support in Nova profiles
• extend Nova profile templates (CIS level 2, STIG, etc)
• extend Windows support
• containers, containers, containers!