HUBBLE - SCALE 16x · INTRODUCTION Hubble is a modular, open-source security & compliance auditing...

HUBBLE SECURITY FOR DEVOPS


INTRODUCTION

Hubble is a modular, open-source security & compliance auditing framework.

Built on SaltStack.

OVERVIEW

Quick Start

Audit Modules (Nova)

Audit Profiles (Nova)

File-Integrity Events (Pulsar)

Snapshots (Nebula)

Reporting (Quasar)

Roadmap

QUICK START - SALTSTACK

INSTALLATION

QUICK START - STANDALONE RPM/DEB

NOW WITH 50% LESS SALT!

STANDALONE SCHEDULER

AUDIT MODULES - HUBBLESTACK NOVA

AUDIT MODULES

• grep

• iptables

• netstat

• openscap

• openssl

• pkg

• service

• stat

• sysctl

• vulners.com

AUDIT PROFILES - HUBBLESTACK NOVA

PROFILES

• Profiles are written in YAML

• Nova audits are profile driven

• Audit modules read profiles for instructions

• Sample profiles shipped in hubblestack_nova/samples

• Profiles are meant to be customized

• Customize to match your security policy

FILE-INTEGRITY EVENTS - HUBBLESTACK PULSAR

PULSAR

Pulsar’s inotify module watches for filesystem events in real-time. When Pulsar detects a CREATE, MODIFY or DELETE filesystem event it takes a snapshot of the file attributes. This data can be tracked and analyzed using Splunk (or similar). See Quasar for more details.

PULSAR FAQ

Monitored directories are configurable

Exceptions are supported (i.e., monitor /var/ but not /var/log)

Multiple Quasar modules are supported (i.e., Splunk + Slack)

Not currently compatible with prelinking

Gathered file attributes are configurable (checksum type, file stats)
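
The exclusion and attribute options in the FAQ above, sketched as an added Python example (not HubbleStack's own code; the function names `is_monitored`, `snapshot` and `handle_event` and the record layout are assumptions made for illustration). It shows why exclusions have to match on whole path components, so that excluding /var/log does not also silence /var/logger.

```python
import hashlib
import os


def _under(path, root):
    """True if path is root itself or lies below it (component-wise, not a raw prefix)."""
    root = os.path.normpath(root)
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def is_monitored(path, watched, excluded):
    """A path is monitored if it is under a watched directory and under no exclusion."""
    path = os.path.normpath(path)
    if any(_under(path, e) for e in excluded):
        return False
    return any(_under(path, w) for w in watched)


def snapshot(path, checksum="sha256", stats=("st_mode", "st_uid", "st_gid", "st_size")):
    """Collect the configured attributes of one file: chosen stat fields plus a checksum."""
    st = os.stat(path)
    record = {"path": path}
    record.update({name: getattr(st, name) for name in stats})
    if checksum:
        digest = hashlib.new(checksum)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        record["checksum_type"] = checksum
        record["checksum"] = digest.hexdigest()
    return record


def handle_event(change, path, watched, excluded, **attrs):
    """Map a CREATE/MODIFY/DELETE event to a record; None means the path is not monitored."""
    if not is_monitored(path, watched, excluded):
        return None
    if change == "DELETE" or not os.path.isfile(path):
        # Nothing left to hash or stat: report the event itself.
        return {"path": path, "change": change}
    return dict(snapshot(path, **attrs), change=change)


if __name__ == "__main__":
    # Constructed paths, checked against "monitor /var/ but not /var/log".
    for p in ("/var/www/index.html", "/var/log/auth.log", "/var/logger/x", "/etc/passwd"):
        print(p, is_monitored(p, ["/var/"], ["/var/log"]))
```
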

SNAPSHOTS - HUBBLESTACK NEBULA

NEBULA

Nebula’s osquery module allows you to query your systems for information just like a database. Running these queries on a cadence allows for regular, scheduled snapshots of activity on your running systems. This data can then be tracked and analyzed using Splunk (or similar). See Quasar for more details.

NEBULA QUERIES

• running processes

• established outbound connections

• listening processes

• suid binaries

• crontab

• installed packages

• ...anything else you’d like to query

REPORTING - HUBBLESTACK QUASAR

QUASAR

Quasar is a collection of custom modules that collect data from Nova, Nebula and Pulsar and deliver it for processing. Quasar modules can connect to just about anything, including Splunk, Slack, email, SMS, etc.

QUASAR MODULES

• Nova to Splunk

• Nebula to Splunk

• Pulsar to Splunk

• Pulsar to Slack

ROADMAP 2017

• add trigger functionality to Nova (remediation)

• add alert functionality to Nova (slack, sms, email, jabber)

• extend Pulsar to include login events

• extend Pulsar to include shell events

• template (jinja, includes) support in Nova profiles

• extend Nova profile templates (CIS level 2, STIG, etc)

• extend Windows support

• containers, containers, containers!

HUBBLESTACK

Hubble is a modular, open-source security & compliance auditing framework.

Built on SaltStack.

For more information please visit:

https://hubblestack.io

https://github.com/hubblestack