Breeze Security Overview
This article explains security controls that Cloudaware designed and implemented into Breeze Agent and Breeze Server.
Breeze runs as a scheduled task on Windows and Linux hosts every 15 minutes. Breeze Agent retrieves list of plugins to execute from the Breeze Server and then executes these plugins every time it runs. Each plugin includes additional logic.
Breeze Server is part of the CMDB and acts as a classifier to Breeze agents by returning the list of the Breeze plugins available for each Breeze agent. Breeze Server also acts as a certificate authority by issuing, revoking and verifying certificates used for server agent communications.
Each plugin contains a set of instructions in Ruby programming language to either discover information about the host or to enforce a desired state by ensuring certain packages are installed and configured. Breeze plugins are designed to work similarly to Puppet Cookbooks and Chef Recipes but with emphasis on security, reliability and plugin portability. There are two types of plugins:
Discovery Plugins or Read-Only Mode
These plugins perform non-destructive operations only and discover information about the host such as mount points, list of users and last login dates, CPU Processor and Memory, installed software and services, LVM partitions, etc.
This set of plugins can install and uninstall software, configure it and maintain service status by attempting to start or to stop it. Currently available security plugins are:
Vulnerability Scanning: Tenable
Vulnerability Scanning: Qualys
Vulnerability Scanning: Rapid7
Vulnerability Scanning: Yara
Cloudaware uses code signing certificate issued by Digicert to sign the Breeze Agent installer. This eliminates warnings from OS security software packages like Windows Defender, etc. and allows users to establish that the installer has not been hijacked by the 3rd party.
There is a bi-directional authentication between Breeze Agent and the Breeze Server. First Breeze Agent must present a valid certificate signed earlier by the Breeze Server. If the agent authenticated successfully, Breeze Server also presents its own server certificate and the agent has to match it to the certificate that has been included with the installer. The pair can continue to communicate only if both certificates have matched and both parties have authenticated each other successfully.
All communications between Breeze Agent and Breeze Server happen over HTTPS with FIPS 197 compliant encryption and signing algorithms.
All operations between Breeze Agent and Server are additionally cryptographically signed to ensure data and request authenticity and eliminate man-in-the-middle attacks where an attacker can modify plugin code, add new plugins or alter plugin execution response.
Extensive logging is enabled by default on the Breeze Server. All agent communications are logged and stored for 18 months. Agent supports 3 levels of logging verbosity which can be configured in agent.conf.
Cloudaware maintains separate version for each Breeze Plugin, Breeze Agent Installer and Breeze Server. We cryptographically sign each new version of Breeze plugin and the agent. Cloudaware maintains separate teams with isolated privileges and responsibilities in order to ensure secure operation and distribution of Breeze software.
Breeze Server Developers
Breeze Installer Developers
Breeze Plugin Developers
Security Review Engineers
CA Trust Team
Technical Account Manager
Three development teams work on various components of the Breeze architecture and are able to commit new code towards a release. Security review engineers do not have the ability to commit new code but do inspect each release for potential backdoors and other security vulnerabilities. They perform both manual code review as well as algorithmic scan using Checkmarx tool. CA Trust Team upon recommendation for from the security engineers will cryptographically sign each plugin, installer and version of the Breeze Server. Technical account managers configure which plugins are available to which customer based on specific customer requirements.
Breeze Agent OS Operations
Agent can run on the operating system either as root or under specific identity selected by the user. However if customer wishes to use Breeze Agent to deploy security plugins, the agent must run under root or Administrator privileges. For discovery purposes alone, Breeze Agent does not need to operate under root.
In order to build better transparency and trust between software vendor and customer, Cloudaware does not ship any binaries. Customer can review all the code for the installer, agent and plugins. Customers can additionally request read-only access to the Breeze Server software as well.
Contains the application configuration file in JSON format.
Contains the Breeze agent certificate and the private key.
Contains the scheduler configuration files for crond and systemd which are used during the agent installation.
The agent core libraries. This directory is synchronized with the server.
The agent core Facts.
The plugins directory which is synchronized with the Breeze server.