Halo Server Secure Features

CWPP Features: Everything you need in a comprehensive cloud workload protection platform from CloudPassage Halo: unified security controls for cloud security and compliance.

Cloud Servers

Automated Cloud Server Inventory

Key use cases

Gain visibility to Windows and Linux server workloads residing in IaaS and other data center environments, consolidated in a single view.

Maintain an up-to-date inventory as servers are deployed and decommissioned. Halo scales to hundreds of thousands of workloads without requiring customers to scale or manage any additional infrastructure as they continue to grow.

Query the inventory to report on servers by 40+ data attributes such as operating system, operating system version, IaaS account, availability zone, region, and tags, no matter where they are hosted.

Extensive search capabilities with 40+ data attributes can be combined into powerful inventory views that can be saved for repeated use. Includes server metadata and user-defined tags for AWS, Azure, GCP, and OpenStack. 

See summarizations of servers and server components (architecture, kernel, operating system distribution, installed packages, running processes, local user accounts and privileges, network services, network traffic patterns, local firewall policies, IaaS platform metadata, user-defined IaaS tags, and more) across cloud and data center environments.

How it works

The Halo microagent is installed on each server workload, usually by building it into server images. It can also be deployed to existing workloads using automation tools. Unlike other products, Halo requires only a single agent for any Linux distribution instead of one per distribution. A separate agent is provided for Windows Server.

When a server is instantiated, the Halo microagent continuously monitors the server and its internal components from inside the operating system.

Facts about the server’s operating system and operating system version, kernel version, architecture, configured interfaces, IP addresses, and cloud provider metadata are collected hourly and transmitted to the Halo Portal.

Related Features

Requires Cloud Secure to query by tags and to identify server workloads deployed without a Halo microagent.

Policies Used

No policy required.

Server Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of server workloads based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems and for many applications such as Apache and MySQL. These policy templates allow rapid compliance with a number of standards while allowing customization for the individual environment.

Custom policies can also be created from scratch by the user.

Policies can be stacked so that all the right policies apply to each server workload. For example, a global OS policy can be applied to all Linux workloads, while an additional policy could be added for servers in the PCI cardholder data environment.

At workload boot time, the Halo microagent runs applicable policy checks and reports findings to the Halo Cloud.

The Halo Cloud analyzes the findings against the policy and provides a report of the results.

The report includes the pass/fail results for each policy rule.

For each failed finding, Halo optionally alerts the right user, provides remediation advice and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CIS Benchmark for Amazon Linux
  • CIS Benchmark CentOS
  • CIS Benchmark Debian
  • CIS Benchmark for Windows Server 2008 R2 through 2019
  • CIS Benchmark for Oracle Linux
  • CIS Benchmark Red Hat Enterprise Linux
  • CIS Benchmark for Ubuntu

Server Software Inventory

Key use cases

Obtain a software vulnerability assessment for each workload’s operating system and installed applications that is based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Prioritize the most critical issues for remediation.

View software package inventories across all servers or for a single server.

Find any workloads with a specific software/version installed, those having a specific CVE, or missing a specific Windows KB (patch).

Continuously monitor and assess for software vulnerabilities over the lifetime of the server workload.

Get reports of all CVEs in the environment with counts of affected assets, all CVEs per group of assets, or per IaaS account and other attributes.

How it works

At workload boot time, the Halo microagent inventories the operating system and its installed applications, and provides this data to the Halo Cloud.

In turn, the Halo Cloud evaluates the reported operating system and applications for CVEs according to the NVD and provides a report of the results.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE.

For each software having one or more CVEs, Halo logs an event, alerts the right user, and creates an issue to track the problem until it is remediated. Exceptions can be created for those CVEs that the user cannot fix.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo detects added and removed software, reassesses for applicable CVEs, and updates existing issues with the latest findings; if existing CVEs have been remediated, their corresponding issues are marked as resolved.

Related Features

Not applicable.

Policies Used

No policies required.

Server Software Vulnerability Assessment

Key use cases

Obtain a software vulnerability assessment for each workload’s operating system and installed applications that is based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Prioritize the most critical issues for remediation.

View software package inventories across all servers or for a single server.

Find any workloads with a specific software/version installed, those having a specific CVE, or missing a specific Windows KB (patch).

Continuously monitor and assess for software vulnerabilities over the lifetime of the server workload.

Get reports of all CVEs in the environment with counts of affected assets, all CVEs per group of assets, or per IaaS account and other attributes.

How it works

At workload boot time, the Halo microagent inventories the operating system and its installed applications, and provides this data to the Halo Cloud.

In turn, the Halo Cloud evaluates the reported operating system and applications for CVEs according to the NVD, and provides a report of the results.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE.

For each software having one or more CVEs, Halo logs an event, alerts the right user, and creates an issue to track the problem until it is remediated. Exceptions can be created for those CVEs that the user cannot fix.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo detects added and removed software, reassesses for applicable CVEs, and updates existing issues with the latest findings; if existing CVEs have been remediated, their corresponding issues are marked as resolved.

Related Features

Not applicable.

Policies Used

No policies required.

Server File Integrity Monitoring

Key use cases

Confirm the integrity of new workloads against their source image, and detect unauthorized changes made to a running workload by checking for changes to important system files and registry keys.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems that specify critical system files and registry keys to monitor in order to detect unauthorized changes. These policy templates allow you to quickly configure integrity monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

For each policy, baselines can be created based on the source image. As workloads are deployed, the Halo microagent creates SHA-256 cryptographic hashes of the files and registry keys specified by the policy, in addition to permissions for each object, and sends the information to Halo. These are compared to baselines and a report is provided with the results.

The report includes the pass/fail results for each object in the scan. Files that have had permissions or data modified, have been added, or have been removed as compared to the baseline will generate failed findings.

For each failed finding, Halo optionally alerts the right user and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • Core Registry Keys (Windows Server 2008 R2 through 2019)
  • Core System Files (Amazon Linux)
  • Core System Files (CentOS)
  • Core System Files (Debian)
  • Core System Files (Oracle Linux)
  • Core System Files (Red Hat)
  • Core System Files (Ubuntu)
  • Linux Privilege Escalation Detection

Server Event Monitoring

Key use cases

Automatically monitor and collect significant security-related events from server operating systems and running applications that could indicate misuse, misconfiguration, or compromise.

Detect unwanted behavior such as attempted logins to immutable systems, logins as specific users such as “root” or “administrator”, privileged changes, addition/deletion/modification of user accounts, changes to audit policies, and installation or removal of software.

Integrate event monitoring with your Security Information Event Management (SIEM) tools for long term storage and correlation with events from other devices.

Comply with PCI and other regulations and standards which require continuous monitoring of system logs.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems that specify log files and events to collect in order to detect and alert on unwanted activity. These policies allow you to quickly configure server event monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

When the workload is active, the Halo microagent scans the specified logs for events matching the policy every 5 minutes. Events matching the policy are collected and sent to the Halo Cloud where they are enriched with other information collected about the server including facts and IaaS metadata.

Halo optionally alerts the user and creates an issue indicating that the event should be investigated.

Users can view and obtain a history of significant server events using the Event viewer in the Portal, or through the REST API.

Related Features

Not applicable.

Policies Used

  • Core System (Amazon Linux)
  • Core System (CentOS)
  • Core System (Debian)
  • Core System (Red Hat)
  • Core System (Ubuntu)
  • Core System (Windows Server 2008 R2 through 2019)
  • Auditd – Integrity policy
  • Auditd – Abnormal behavior policy
  • Auditd – Access policy
  • Auditd – Configuration policy
  • Auditd – Cryptographic policy
  • Auditd – Daemon policy
  • Auditd – Storage policy
  • Auditd – System policy
  • Auditd – Malicious Activity policy
  • Cross Site Scripting (XSS) Detection

Installed Applications

Installed Application Discovery

Key use cases

Continuously monitor server instances deployed in IaaS and other data center environments for installed software.

Maintain an updated inventory of installed applications as servers are updated, deployed, and decommissioned.

How it works

At workload boot time, the Halo microagent inventories the Windows or Linux operating system to discover installed applications, version numbers, and patches, and provides this data to the Halo Cloud.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, the Halo microagent re-inventories the installed applications, and again provides the data to the Halo Cloud, which updates the inventory available to users in the Halo Portal.

Related Features

Not applicable.

Policies Used

No policies required.

Installed Application Inventory

Key use cases

Obtain a software inventory of each server workload.

Find server workloads having a specific installed application or version of an installed application.

Understand the inventory of applications installed across all servers in the monitored environment.

How it works

At workload boot time, and periodically thereafter, the Halo microagent inventories the operating system and its installed applications, and provides this data to the Halo Cloud.

In turn, the Halo Cloud updates the application inventory as it receives the information from the Halo microagent.

Users can view the installed applications of a single server, search for servers having a specific application, and view the entire inventory of installed software using the Halo Portal and API.

Related Features

Not applicable.

Policies Used

No policies required.

Installed Application Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of server applications based on industry best practices.

Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems and for many applications such as Apache and MySQL. These policy templates allow rapid compliance with a number of standards while allowing customization for the individual environment.

Custom policies can also be created from scratch by the user.

Policies can be stacked so that all the right policies apply to each server workload. For example, a global OS policy can be applied to all Linux workloads, while an additional policy could be added for servers in the PCI cardholder data environment.

At workload boot time, the Halo microagent runs applicable policy checks and reports findings to the Halo Cloud. The Halo Cloud analyzes the findings against the policy and provides a report of the results.

The report includes the pass/fail results for each policy rule. For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • Apache
  • Cassandra
  • Docker
  • Kubernetes MasterNode & WorkerNode
  • Microsoft Internet Information Server (IIS)
  • Microsoft SQL Server
  • MongoDB
  • MySQL
  • Nginx
  • PostgreSQL
  • Tomcat
  • WordPress

Installed Application Software Vulnerability Assessment

Key use cases

Obtain a software vulnerability assessment for each workload’s operating system and installed applications that is based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Prioritize the most critical issues for remediation.

Find any workloads with a specific software/version installed, those having a specific CVE, or missing a specific Windows KB (patch).

Continuously monitor and assess for software vulnerabilities over the lifetime of the server workload.

Get reports of all CVEs in the environment with counts of affected assets, all CVEs per group of assets, or per IaaS account and other attributes.

How it works

At workload boot time, the Halo microagent inventories the operating system to discover its installed applications, and provides this data to the Halo Cloud.

In turn, the Halo Cloud evaluates the reported operating system and applications for CVEs according to the NVD, and provides a report of the results.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE.

For each software having one or more CVEs, Halo logs an event, alerts the right user, and creates an issue to track the problem until it is remediated. Exceptions can be created for those CVEs that the user cannot fix.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo detects added and removed software, reassesses for applicable CVEs, and updates existing issues with the latest findings; if existing CVEs have been remediated, their corresponding issues are marked as resolved.

Related Features

Not applicable.

Policies Used

No policies required.

Installed Application File Integrity Monitoring

Key use cases

Confirm the integrity of applications on new workloads against their source image, and detect unauthorized changes made to workload applications by checking for changes to important files and registry keys.

How it works

Policy templates are provided for Windows and Linux applications that specify critical files and registry keys to monitor in order to detect unauthorized changes. These policy templates allow you to quickly configure integrity monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

For each policy, baselines can be created based on the source image. As workloads are deployed, the Halo microagent creates SHA-256 cryptographic hashes of the files and registry keys specified by the policy, in addition to permissions for each object, and sends the information to Halo. These are compared to baselines and a report is provided with the results.

The report includes the pass/fail results for each object in the scan. Files that have had permissions or data modified, have been added, or have been removed as compared to the baseline will generate failed findings.

For each failed finding, Halo optionally alerts the right user and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • HAProxy
  • Kubernetes MasterNode and Workernode
  • Microsoft Internet Information Server (IIS)
  • Microsoft SQL Server
  • MongoDB
  • WordPress

Installed Application Event Monitoring

Key use cases

Automatically monitor and collect significant security-related events from Windows and Linux applications that could indicate misuse, misconfiguration, or compromise.

Detect unwanted behavior such as modification of application-level objects, changes to audit policies, errors, and cross-site scripting (XSS) attacks.

Integrate event monitoring with your Security Information Event Management (SIEM) tools for long term storage and correlation with events from other devices.

Comply with PCI and other regulations and standards which require continuous monitoring of system logs.

How it works

Policies can be created for Windows and Linux applications that specify log files and events to collect in order to detect and alert on unwanted activity. These policies allow you to quickly configure server event monitoring for compliance and intrusion detection initiatives.

When the workload is active, the Halo microagent scans the specified logs for events matching the policy every 5 minutes. Events matching the policy are collected and sent to the Halo Cloud where they are enriched with other information collected about the server including facts and IaaS metadata.

Halo optionally alerts the user and creates an issue indicating that the event should be investigated. Users can view and obtain a history of significant server events using the Event viewer in the Portal, or through the REST API.

Related Features

Not applicable.

Policies Used

  • Kubernetes kube-apiserver audit log policy
  • Custom policies to monitor log files for specific applications

Processes

Process Discovery

Key use cases

Continuously monitor server instances deployed in IaaS and other data center environments for running processes.

Maintain an updated inventory of running processes as servers are updated, deployed, and decommissioned.

How it works

At workload boot time, the Halo microagent inventories the Windows or Linux operating system to discover running processes, and provides this data to the Halo Cloud.

Subsequent scans occur hourly. On subsequent scans, the Halo microagent re-inventories the server’s processes, and again provides the data to the Halo Cloud, which updates the inventory available to users in the Halo Portal. Halo detects added and removed processes and updates the information in the Portal.

Related Features

Not applicable.

Policies Used

No policies required.

Process Inventory

Key use cases

Obtain an inventory of the processes on each server workload.

Understand the inventory of processes running on individual servers and across the environment.

Find servers having specific processes.

How it works

At workload boot time, and hourly thereafter, the Halo microagent inventories the operating system to discover running processes, and provides this data to the Halo Cloud.

The Halo Portal provides a report of the processes running on each server workload, including process id (pid), command, running user, and other attributes.

Users can query this information across the environment to find specific processes running in the environment.

Related Features

Not applicable.

Policies Used

No policies required.

Process Configuration Assessment

Key use cases

Ensure that processes are properly configured on server workloads.

Blacklist disallowed processes, whitelist processes that are permitted, or specify processes that must be running at all times.

Ensure processes open only the correct network ports and are executed by the correct user account.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

How it works

Policies can be configured for Linux servers to ensure that processes are run with the correct parameters, such as user and group ownership and port bindings. In addition, blacklists and whitelists can be created for processes that should or should not be running.

At workload boot time, the Halo microagent runs applicable policy checks and reports findings to the Halo Cloud. The Halo Cloud analyzes the findings against the policy and provides a report of the results.

The report includes the pass/fail results for each policy rule. For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.
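The check described under Process Configuration Assessment, as an added example that is not CloudPassage code: a running-process inventory is evaluated against a policy of required and denied processes, an optional allow list, the user each process must run as, and the ports it may listen on. The policy schema, the Proc records and the sample inventory are constructed for illustration; the real Halo policy format is not shown on this page.

```python
"""Process configuration assessment (added example, not CloudPassage code).
Policy schema, process records and sample inventory are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proc:
    name: str
    user: str
    ports: Tuple[int, ...]  # TCP ports the process is listening on


@dataclass
class ProcessPolicy:
    required: Set[str] = field(default_factory=set)      # must be running at all times
    denied: Set[str] = field(default_factory=set)        # must never run (blacklist)
    allowed: Optional[Set[str]] = None                   # if set, only these may run (whitelist)
    expected_user: Dict[str, str] = field(default_factory=dict)      # process -> run-as user
    expected_ports: Dict[str, Set[int]] = field(default_factory=dict)  # process -> permitted ports


@dataclass(frozen=True)
class Finding:
    rule: str
    status: str        # "pass" or "fail"
    detail: str
    remediation: str = ""


def assess(procs: List[Proc], policy: ProcessPolicy) -> List[Finding]:
    """Evaluate every policy rule against the inventory; one Finding per rule instance."""
    findings: List[Finding] = []
    running = {p.name for p in procs}
    for name in sorted(policy.required):
        if name in running:
            findings.append(Finding(f"required:{name}", "pass", "running"))
        else:
            findings.append(Finding(f"required:{name}", "fail", "not running",
                                    f"start and enable {name}"))
    for p in procs:
        if p.name in policy.denied:
            findings.append(Finding(f"denied:{p.name}", "fail", f"running as {p.user}",
                                    f"stop {p.name} and remove it from the image"))
        elif policy.allowed is not None and p.name not in policy.allowed:
            findings.append(Finding(f"allowed:{p.name}", "fail", "not on the allow list",
                                    "add it to the allow list or stop the process"))
        want_user = policy.expected_user.get(p.name)
        if want_user is not None:
            ok = p.user == want_user
            findings.append(Finding(f"user:{p.name}", "pass" if ok else "fail",
                                    f"runs as {p.user}, expected {want_user}",
                                    "" if ok else f"run {p.name} as {want_user}"))
        want_ports = policy.expected_ports.get(p.name)
        if want_ports is not None:
            extra = sorted(set(p.ports) - want_ports)
            ok = not extra
            findings.append(Finding(f"ports:{p.name}", "pass" if ok else "fail",
                                    "listening ports match" if ok else f"unexpected ports {extra}",
                                    "" if ok else f"close ports {extra} in the {p.name} configuration"))
    return findings


def failed_rules(findings: List[Finding]) -> List[str]:
    return sorted(f.rule for f in findings if f.status == "fail")


# Constructed sample inventory: one deliberately misconfigured web server.
SAMPLE_PROCS = [
    Proc("sshd", "root", (22,)),
    Proc("nginx", "www-data", (80, 443, 8080)),   # 8080 is not in the policy
    Proc("mysqld", "root", (3306,)),              # should run as mysql
    Proc("telnetd", "root", (23,)),               # denied outright
]

SAMPLE_POLICY = ProcessPolicy(
    required={"sshd", "auditd"},
    denied={"telnetd"},
    expected_user={"sshd": "root", "nginx": "www-data", "mysqld": "mysql"},
    expected_ports={"sshd": {22}, "nginx": {80, 443}},
)

if __name__ == "__main__":
    for f in assess(SAMPLE_PROCS, SAMPLE_POLICY):
        tail = f"  -> {f.remediation}" if f.remediation else ""
        print(f"{f.status:4} {f.rule:18} {f.detail}{tail}")
```

Running it on the sample inventory produces four failed findings (auditd missing, telnetd denied, mysqld running as the wrong user, nginx listening on an extra port) and passes for the rest; an allow-list-only policy flags telnetd through the allow-list rule instead.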

Related Features

Not applicable.

Policies Used

Users can create policies with desired specifications for processes.

Process Event Monitoring

Key use cases

Automatically monitor and collect significant security-related events from Windows and Linux processes that could indicate misuse, misconfiguration, or compromise.

Detect unwanted behavior such as modification of application-level objects, changes to audit policies, errors, and cross-site scripting (XSS) attacks.

Integrate event monitoring with your Security Information Event Management (SIEM) tools for long term storage and correlation with events from other devices.

Comply with PCI and other regulations and standards which require continuous monitoring of system logs.

How it works

Policies can be created for Windows and Linux applications that specify log files and events to collect in order to detect and alert on unwanted activity. These policies allow you to quickly configure server event monitoring for compliance and intrusion detection initiatives.

When the workload is active, the Halo microagent scans the specified logs for events matching the policy every 5 minutes. Events matching the policy are collected and sent to the Halo Cloud where they are enriched with other information collected about the server including facts and IaaS metadata.

Halo optionally alerts the user and creates an issue indicating that the event should be investigated. Users can view and obtain a history of significant server events using the Event viewer in the Portal, or through the REST API.
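The log-scanning step shared by the Server, Installed Application and Process Event Monitoring sections, as an added example that is not CloudPassage code: a policy of pattern rules is run over a batch of log lines, matches become events, and each event is enriched with the server's facts and IaaS metadata. One rule is conditioned on a server fact, which is how "attempted logins to immutable systems" can be expressed. The rule schema, the SERVER_FACTS record and the syslog-style lines are constructed; the real Halo policy format is not shown on this page.

```python
"""Event monitoring over log lines (added example, not CloudPassage code).
Rule schema, server facts and log lines are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    requires_fact: Optional[str] = None   # only fires when this server fact is truthy


POLICY = [
    Rule("login_as_root",
         re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")),
    Rule("user_added",
         re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[\w.-]+)")),
    Rule("user_deleted",
         re.compile(r"userdel\[\d+\]: delete user '(?P<user>[\w.-]+)'")),
    Rule("audit_policy_change",
         re.compile(r"COMMAND=(?P<cmd>\S*auditctl\b.*)")),
    # Any successful login is unwanted on a host that is supposed to be immutable.
    Rule("login_on_immutable_host",
         re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"),
         requires_fact="immutable"),
]

# Constructed facts for the monitored server (what the agent would already know).
SERVER_FACTS: Dict[str, object] = {
    "hostname": "web01", "ip": "10.0.0.12", "iaas": {"provider": "aws", "account": "123456789012",
    "region": "us-east-1", "tags": {"env": "prod"}}, "immutable": True,
}

# Constructed syslog-style lines; the private and documentation IP ranges are placeholders.
SAMPLE_LOG = [
    "Mar  3 10:15:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:15:07 web01 sshd[2210]: Accepted password for root from 203.0.113.7 port 40022 ssh2",
    "Mar  3 10:16:00 web01 useradd[2230]: new user: name=svc_tmp, UID=1005, GID=1005, home=/home/svc_tmp, shell=/bin/bash",
    "Mar  3 10:16:30 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/auditctl -e 0",
    "Mar  3 10:17:00 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]


def scan_log(lines: List[str], facts: Dict[str, object], policy: List[Rule] = POLICY) -> List[dict]:
    """Return one enriched event per (line, matching rule)."""
    events = []
    for line in lines:
        for rule in policy:
            if rule.requires_fact and not facts.get(rule.requires_fact):
                continue
            m = rule.pattern.search(line)
            if m:
                events.append({
                    "rule": rule.name, "details": m.groupdict(), "raw": line,
                    "server": facts["hostname"], "ip": facts["ip"], "iaas": facts["iaas"],
                })
    return events


def rule_counts(lines: List[str], facts: Dict[str, object]) -> Dict[str, int]:
    return dict(Counter(e["rule"] for e in scan_log(lines, facts)))


if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG, SERVER_FACTS):
        print(f"{e['rule']:24} {e['details']}  [{e['server']} {e['ip']}]")
```

On the sample lines the root login and the auditctl call each raise their own event, the new account raises one, and because the host is marked immutable both successful logins raise the immutable-host rule as well; the cron line matches nothing. Flipping the immutable fact off drops the two immutable-host events and nothing else.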

Related Features

Not applicable.

Policies Used

Custom policies to monitor events for specific processes.

Operating Systems

Operating System Discovery

Key use cases

Continuously collect operating system data from server instances deployed in IaaS and other data center environments.

Maintain an up-to-date operating system inventory as servers are deployed and decommissioned.

How it works

The Halo microagent is installed on each server workload, usually by building it into server images. It can also be deployed to existing workloads using automation tools. Unlike other products, Halo only requires a single agent for any Linux distribution instead of one per distribution. A separate agent is provided for Windows Servers.

When a server is instantiated, the Halo microagent continuously monitors the server and its internal components from inside the operating system.

Facts about the server’s operating system and operating system version, kernel version, architecture, configured interfaces, IP addresses, and cloud provider metadata are collected hourly and transmitted to the Halo Cloud.

Related Features

Requires Cloud Secure to query by tags.

Policies Used

No policies required.

Operating System Inventory

Key use cases

Gain visibility to server workloads residing in IaaS and other data center environments, consolidated in a single view.

Maintain an up-to-date inventory as servers are deployed and decommissioned.

Query the inventory to report on servers by 40+ data attributes such as operating system, operating system version, IaaS account, availability zone, region, and tags, no matter where they are hosted. Extensive search capabilities with 40+ data attributes can be combined into powerful inventory views that can be saved for repeated use. Includes server metadata and user-defined tags for AWS, Azure, GCP, and OpenStack.

See summarizations of servers and server components (architecture, kernel, operating system distribution, installed packages, running processes, local user accounts and privileges, network services, network traffic patterns, local firewall policies, IaaS platform metadata, user-defined IaaS tags, and more) across cloud and data center environments.

How it works

The Halo microagent is installed on each server workload, usually by building it into server images. It can also be deployed to existing workloads using automation tools. Unlike other products, Halo requires only a single agent for any Linux distribution instead of one per distribution. A separate agent is provided for Windows Servers.

When a server is instantiated, the Halo microagent continuously monitors the server and its internal components from inside the operating system.

Facts about the server’s operating system and operating system version, kernel version, architecture, configured interfaces, IP addresses, and cloud provider metadata are collected hourly and transmitted to the Halo Portal. Users can view, query, and export the inventory via the Halo Portal and API.

Related Features

Requires Cloud Secure to query by tags.

Policies Used

No policies required.

Operating System Configuration Assessment

Key use cases

Obtain a configuration security posture assessment of server workloads based on industry best practices. Use predefined policy templates to get started, and customize best practices policies to suit the environment.

Comply with PCI, HIPAA, SOX, and other regulations and standards.

Uncover insecure configurations, configuration drift, and unauthorized changes—and get remediation advice.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems and for many applications such as Apache and MySQL. These policy templates allow rapid compliance with a number of standards while allowing customization for the individual environment.

Custom policies can also be created from scratch by the user.

Policies can be stacked so that all the right policies apply to each server workload. For example, a global OS policy can be applied to all Linux workloads, while an additional policy could be added for servers in the PCI cardholder data environment.

At workload boot time, the Halo microagent runs applicable policy checks and reports findings to the Halo Cloud. The Halo Cloud analyzes the findings against the policy and provides a report of the results.

The report includes the pass/fail results for each policy rule. For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.
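The policy stacking and issue lifecycle described in the Server, Installed Application and Operating System Configuration Assessment sections, as an added example that is not CloudPassage code: a global Linux baseline applies to every server, a PCI addendum is stacked on servers tagged for the cardholder environment, each rule yields pass or fail with remediation advice, and a tracker opens an issue on the first failure and resolves it once a later scan passes. The rule schema, both policies and the server state are constructed; they are not the CIS Benchmark templates the page lists.

```python
"""Stacked configuration policies with issue tracking (added example, not
CloudPassage code). Rule schema, policies and server state are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    check: Callable[[dict], bool]   # True when the server passes the rule
    remediation: str


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...]


def sshd_setting(key: str, want: str) -> Callable[[dict], bool]:
    return lambda s: s["sshd_config"].get(key) == want


def mode_at_most(path: str, max_mode: int) -> Callable[[dict], bool]:
    # Pass only if no permission bit beyond max_mode is set; a missing file fails.
    return lambda s: (s["file_modes"].get(path, 0o777) & ~max_mode) == 0


LINUX_BASELINE = Policy("Linux baseline (constructed)", (
    Rule("ssh-01", "PermitRootLogin is no", sshd_setting("PermitRootLogin", "no"),
         "set 'PermitRootLogin no' in /etc/ssh/sshd_config and reload sshd"),
    Rule("ssh-02", "PasswordAuthentication is no", sshd_setting("PasswordAuthentication", "no"),
         "set 'PasswordAuthentication no' in /etc/ssh/sshd_config and reload sshd"),
    Rule("fs-01", "/etc/shadow is mode 0640 or stricter", mode_at_most("/etc/shadow", 0o640),
         "chmod 0640 /etc/shadow"),
))

PCI_CDE = Policy("PCI cardholder environment addendum (constructed)", (
    Rule("pci-01", "audit daemon is running", lambda s: "auditd" in s["services"],
         "systemctl enable --now auditd"),
    Rule("pci-02", "sshd logs at VERBOSE", sshd_setting("LogLevel", "VERBOSE"),
         "set 'LogLevel VERBOSE' in /etc/ssh/sshd_config and reload sshd"),
))


def policies_for(server: dict) -> List[Policy]:
    """Stacking: the baseline applies everywhere, the PCI addendum only to tagged servers."""
    stack = [LINUX_BASELINE]
    if "pci" in server["tags"]:
        stack.append(PCI_CDE)
    return stack


def assess(server: dict) -> Dict[str, Tuple[str, str]]:
    """Return {rule_id: (status, remediation)} across every stacked policy."""
    results: Dict[str, Tuple[str, str]] = {}
    for policy in policies_for(server):
        for rule in policy.rules:
            passed = rule.check(server)
            results[rule.rule_id] = ("pass" if passed else "fail", "" if passed else rule.remediation)
    return results


class IssueTracker:
    """One issue per (server, rule): opened on fail, resolved once a later scan passes."""

    def __init__(self) -> None:
        self.issues: Dict[Tuple[str, str], str] = {}

    def record(self, server_name: str, results: Dict[str, Tuple[str, str]]) -> None:
        for rule_id, (status, _) in results.items():
            key = (server_name, rule_id)
            if status == "fail":
                self.issues[key] = "open"          # opens, or reopens a resolved issue
            elif self.issues.get(key) == "open":
                self.issues[key] = "resolved"

    def open_rules(self, server_name: str) -> Set[str]:
        return {r for (s, r), st in self.issues.items() if s == server_name and st == "open"}

    def status(self, server_name: str, rule_id: str) -> Optional[str]:
        return self.issues.get((server_name, rule_id))


def make_sample_server() -> dict:
    """Constructed PCI-tagged server with two deliberate deviations (ssh-01, pci-02)."""
    return {"name": "web01", "tags": {"pci"},
            "sshd_config": {"PermitRootLogin": "yes", "PasswordAuthentication": "no", "LogLevel": "INFO"},
            "file_modes": {"/etc/shadow": 0o640},
            "services": {"sshd", "auditd"}}


def run_demo() -> Tuple[Set[str], Set[str], Optional[str]]:
    """First scan, operator fixes ssh-01, second scan; returns open sets and ssh-01 status."""
    server = make_sample_server()
    tracker = IssueTracker()
    tracker.record(server["name"], assess(server))
    first = tracker.open_rules(server["name"])
    server["sshd_config"]["PermitRootLogin"] = "no"
    tracker.record(server["name"], assess(server))
    second = tracker.open_rules(server["name"])
    return first, second, tracker.status(server["name"], "ssh-01")


if __name__ == "__main__":
    print(run_demo())
```

A server without the pci tag is only measured against the three baseline rules, so the stack, not the server, decides which findings can exist; the tracker keeps one issue per rule and server rather than one per scan, which is what lets a later passing scan close it.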

Related Features

Not applicable.

Policies Used

  • CIS Benchmark for Amazon Linux
  • CIS Benchmark CentOS
  • CIS Benchmark Debian
  • CIS Benchmark for Windows Server 2008 R2 through 2019
  • CIS Benchmark for Oracle Linux
  • CIS Benchmark Red Hat Enterprise Linux
  • CIS Benchmark for Ubuntu

Operating System Software Vulnerability Assessment

Key use cases

Obtain a software vulnerability assessment for each workload’s operating system and installed applications that is based on Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD).

Prioritize the most critical issues for remediation.

View software package inventories across all servers or for a single server.

Find any workloads with a specific software/version installed, those having a specific CVE, or missing a specific Windows KB (patch).

Continuously monitor and assess for software vulnerabilities over the lifetime of the server workload.

Get reports of all CVEs in the environment with counts of affected assets, all CVEs per group of assets, or per IaaS account and other attributes.

How it works

At workload boot time, the Halo microagent inventories the operating system and its installed applications, and provides this data to the Halo Cloud.

In turn, the Halo Cloud evaluates the reported operating system and applications for CVEs according to the NVD, and provides a report of the results.

The report includes the inventory of software and any CVEs that apply, along with the Common Vulnerability Scoring System (CVSS) score for each CVE.

For each software package having one or more CVEs, Halo logs an event, alerts the right user, and creates an issue to track the problem until it is remediated.

Exceptions can be created for those CVEs that the user cannot fix.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates issues with the latest findings; if existing CVEs have been remediated, their corresponding issues are marked as resolved.
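
The matching and issue lifecycle described above, as an added example that is not Halo's code: a constructed package inventory is compared against a constructed vulnerability feed (placeholder CVE identifiers, not real ones), findings are ordered by CVSS score for prioritization, and a small tracker opens, resolves and excepts issues across two scans. Version comparison here is a simplified numeric/alpha token sort, not a full distribution version scheme.

```python
"""Package inventory vs. vulnerability feed, with issue tracking across scans.

Added illustration only; feed entries, CVE ids and inventories are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str        # placeholder identifier, not a real CVE
    package: str
    fixed_in: str   # first version that is no longer affected
    cvss: float     # CVSS base score used for prioritization


# Constructed feed standing in for the NVD-derived data the cloud side would hold.
FEED = [
    Vuln("CVE-0000-0001", "openssl", "1.1.1k", 9.8),
    Vuln("CVE-0000-0002", "openssl", "1.1.1g", 5.3),
    Vuln("CVE-0000-0003", "bash", "5.1", 7.8),
]


def vkey(version: str) -> tuple:
    """Sortable key: numeric tokens compare as ints, alpha tokens as strings (simplified)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[a-z]+", version.lower()))


def assess(inventory: dict, feed=FEED) -> list:
    """Return applicable vulnerabilities for {package: version}, highest CVSS first."""
    findings = [v for v in feed
                if v.package in inventory and vkey(inventory[v.package]) < vkey(v.fixed_in)]
    return sorted(findings, key=lambda v: v.cvss, reverse=True)


class IssueTracker:
    """Opens an issue per CVE, resolves it when a later scan no longer reports it."""

    def __init__(self):
        self.issues = {}   # cve -> "open" | "resolved" | "excepted"

    def update(self, findings: list, exceptions=frozenset()) -> dict:
        open_now = {f.cve for f in findings}
        for cve in open_now:
            self.issues.setdefault(cve, "open")
        for cve in list(self.issues):
            if cve in exceptions:
                self.issues[cve] = "excepted"      # user accepted the risk
            elif cve in open_now:
                self.issues[cve] = "open"
            else:
                self.issues[cve] = "resolved"      # no longer reported by the scan
        return dict(self.issues)


def demo() -> tuple:
    """Boot-time scan, then a rescan after openssl is patched and one CVE is excepted."""
    tracker = IssueTracker()
    boot = {"openssl": "1.1.1f", "bash": "5.0", "curl": "7.68.0"}     # constructed
    first = tracker.update(assess(boot))
    patched = {"openssl": "1.1.1k", "bash": "5.0", "curl": "7.68.0"}  # constructed
    second = tracker.update(assess(patched), exceptions={"CVE-0000-0003"})
    return first, second
```

Run `demo()` to see the first scan open three issues and the second resolve the two openssl issues while the bash one is carried as an exception rather than resolved.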

Related Features

Not applicable.

Policies Used

No policies required.

Operating System File Integrity Monitoring

Key use cases

Confirm the integrity of new workloads against their source image, and detect unauthorized changes made to a running workload by checking for changes to important system files and registry keys.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems that specify critical system files and registry keys to monitor in order to detect unauthorized changes. These policy templates allow you to quickly configure integrity monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

For each policy, baselines can be created based on the source image. As workloads are deployed, the Halo microagent creates SHA-256 cryptographic hashes of the files and registry keys specified by the policy, in addition to permissions for each object, and sends the information to Halo. These are compared to baselines and a report is provided with the results.

The report includes the pass/fail results for each object in the scan. Files that have had permissions or data modified, have been added, or have been removed as compared to the baseline will generate failed findings.

For each failed finding, Halo optionally alerts the right user and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.
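
The baseline-versus-scan comparison described above, as an added example that is not Halo's code: each policy object is recorded as a SHA-256 hash plus its permission bits, a baseline is taken from a constructed "image" in a temporary directory, the files are then drifted, and the comparison yields one failed finding per added, removed, data-modified or permission-modified object. Unchanged objects produce no finding, which is what lets an earlier failure be marked resolved on a later scan.

```python
"""Baseline-versus-scan comparison of SHA-256 hashes and permission bits.

Added illustration only; all files are constructed in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectState:
    sha256: str
    mode: str          # permission bits as an octal string, e.g. "0644"


def hash_file(path: str) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(policy_paths) -> dict:
    """Record hash and permission bits for every policy object that currently exists."""
    state = {}
    for path in policy_paths:
        if os.path.exists(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            state[path] = ObjectState(hash_file(path), f"{mode:04o}")
    return state


def compare(baseline: dict, current: dict) -> dict:
    """Failed findings keyed by path; objects matching the baseline produce no entry."""
    findings = {}
    for path in sorted(set(baseline) | set(current)):
        before, now = baseline.get(path), current.get(path)
        if before is None:
            findings[path] = "added"
        elif now is None:
            findings[path] = "removed"
        elif before.sha256 != now.sha256:
            findings[path] = "data modified"
        elif before.mode != now.mode:
            findings[path] = "permissions modified"
    return findings


def demo() -> dict:
    """Baseline a constructed image, drift it, and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        policy = [os.path.join(root, n) for n in ("sshd_config", "passwd", "shadow", "rc.local")]
        sshd, passwd, shadow, rc_local = policy
        for path, content, mode in (
            (sshd, b"PermitRootLogin no\n", 0o644),
            (passwd, b"root:x:0:0:root:/root:/bin/bash\n", 0o644),
            (shadow, b"root:*:19000:0:99999:7:::\n", 0o600),
        ):
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        baseline = snapshot(policy)

        # Simulated drift after deployment (constructed): one change of each kind.
        with open(passwd, "ab") as fh:
            fh.write(b"deploy:x:1001:1001::/home/deploy:/bin/bash\n")   # data modified
        os.chmod(shadow, 0o644)                                          # permissions modified
        os.remove(sshd)                                                  # removed
        with open(rc_local, "wb") as fh:
            fh.write(b"#!/bin/sh\n")                                     # added

        findings = compare(baseline, snapshot(policy))
    return {os.path.basename(path): verdict for path, verdict in findings.items()}
```

Note that a file whose data and permissions both changed is reported once, as "data modified"; the permission check only decides the verdict when the hash still matches.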

Related Features

Not applicable.

Policies Used

  • Core Registry Keys (Windows Server 2008 R2 through 2019)
  • Core System Files (Amazon Linux)
  • Core System Files (CentOS)
  • Core System Files (Debian)
  • Core System Files (Oracle Linux)
  • Core System Files (Red Hat)
  • Core System Files (Ubuntu)
  • Linux Privilege Escalation Detection

Operating System Event Monitoring

Key use cases

Automatically monitor and collect significant security-related events from server operating systems and running applications that could indicate misuse, misconfiguration, or compromise.

Detect unwanted behavior such as attempted logins to immutable systems, logins as specific users such as “root” or “administrator”, privileged changes, addition/deletion/modification of user accounts, changes to audit policies, and installation/de-installation of software. Integrate event monitoring with your Security Information and Event Management (SIEM) tools for long term storage and correlation with events from other devices.

Comply with PCI and other regulations and standards which require continuous monitoring of system logs.

How it works

Policy templates are provided for different versions of Windows and Linux operating systems that specify log files and events to collect in order to detect and alert on unwanted activity. These policies allow you to quickly configure server event monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

When the workload is active, the Halo microagent scans the specified logs for events matching the policy every 5 minutes. Events matching the policy are collected and sent to the Halo Cloud where they are enriched with other information collected about the server including facts and IaaS metadata.

Halo optionally alerts the user and creates an issue indicating that the event should be investigated. Users can view and obtain a history of significant server events using the Event viewer in the Portal, or through the REST API.

Related Features

Not applicable.

Policies Used

  • Core System (Amazon Linux)
  • Core System (CentOS)
  • Core System (Debian)
  • Core System (Red Hat)
  • Core System (Ubuntu)
  • Core System (Windows Server 2008 R2 through 2019)
  • Auditd – Integrity policy
  • Auditd – Abnormal behavior policy
  • Auditd – Access policy
  • Auditd – Configuration policy
  • Auditd – Cryptographic policy
  • Auditd – Daemon policy
  • Auditd – Storage policy
  • Auditd – System policy
  • Auditd – Malicious Activity policy

User Accounts

User Account Discovery

Key use cases

Continuously monitor server instances deployed in IaaS and other data center environments for local user accounts.

Maintain an updated inventory of local user accounts as servers are updated, deployed, and decommissioned.

How it works

At workload boot time, the Halo microagent inventories the Windows or Linux operating system to discover configured local user accounts and groups, and provides this data to the Halo Cloud.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, the Halo microagent re-inventories the local user accounts, and again provides the data to the Halo Cloud, which updates the inventory available to users in the Halo Portal.

Halo detects added and removed local accounts, alerts the user, and updates the information in the Portal.

Related Features

Not applicable.

Policies Used

No policies required.

User Account Inventory

Key use cases

Obtain an inventory of the local user accounts on each server workload.

Understand the inventory of local user accounts configured on individual servers and across the environment.

Find server workloads having a specific configured local user account, such as “Guest”.

Find privileged accounts, locked accounts, accounts that are expiring or have not logged in.

How it works

At workload boot time, and periodically thereafter, the Halo microagent inventories the operating system to discover configured local user accounts and groups, and provides this data to the Halo Cloud.

In turn, the Halo Cloud updates the local user account inventory as it receives the information from the Halo microagent. The Halo Portal provides a report of the local user accounts and groups on each server workload, including account status, GUIDs, UIDs and SIDs, last login date, and other attributes. Users can create policies that alert when user accounts are added or deleted.

Users can query this information across the environment to find specific user accounts that should not be configured, those that have expired passwords, unused or locked accounts, and other criteria.

Related Features

Not applicable.

Policies Used

No policies required.

User Account Configuration Assessment

Key use cases

Ensure that local user accounts are properly configured on server workloads. Uncover insecure configurations, discover unused accounts and those that are members of the wrong group, and make sure servers are deployed with a specific set of user accounts.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

How it works

Policies can be configured for Linux servers to ensure that user accounts are created with the proper UIDs, umasks, home directories, and permissions. In addition, policies can be configured to ensure no unsafe files are included in users’ home directories. For Windows, policies can be configured to ensure that local security policy settings related to user accounts are properly configured. Policy templates are provided for both Windows and Linux to get started.

At workload boot time, the Halo microagent runs applicable policy checks and reports findings to the Halo Cloud. The Halo Cloud analyzes the findings against the policy and provides a report of the results.

The report includes the pass/fail results for each policy rule. For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.

Related Features

Not applicable.

Policies Used

  • CIS Benchmark for Amazon Linux
  • CIS Benchmark CentOS
  • CIS Benchmark Debian
  • CIS Benchmark for Windows Server 2008 R2 through 2019
  • CIS Benchmark for Oracle Linux
  • CIS Benchmark Red Hat Enterprise Linux
  • CIS Benchmark for Ubuntu

User Account Integrity Monitoring

Key use cases

Continuously monitor Windows and Linux servers to ensure that local user accounts remain properly configured.

Uncover insecure configurations, configuration drift, and unauthorized changes.

Discover unused accounts and those that are members of the wrong group, and make sure servers are deployed with a specific set of user accounts.

Be alerted when new issues are detected, and automatically detect and update when issues are remediated.

How it works

Policies can be configured for Linux servers to ensure that user accounts are created with the proper UIDs, umasks, home directories, and permissions. In addition, policies can be configured to ensure no unsafe files are included in users’ home directories. For Windows servers, policies can be configured to ensure that local security policy settings related to user accounts are properly configured. Policy templates are provided for both Windows and Linux to get started.

At workload boot time, the Halo microagent runs applicable policy checks and reports findings to the Halo Cloud. The Halo Cloud analyzes the findings against the policy and provides a report of the results.

The report includes the pass/fail results for each policy rule. For each failed finding, Halo optionally alerts the right user, provides remediation advice, and creates an issue to track the problem until it is remediated.

Subsequent scans occur periodically on user-defined intervals. On subsequent scans, Halo updates the issue with the latest findings; if the findings pass, the issue is marked as resolved.
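
The Linux account checks described in both the User Account Configuration Assessment and User Account Integrity Monitoring sections above, as an added example that is not Halo's code or one of its policy templates. It parses constructed /etc/passwd and /etc/shadow content (placeholder hashes), takes a constructed map of home-directory permission bits in place of a real filesystem walk, and returns one failed finding per (rule, account); rules are CIS-style checks of the kind those sections mention (a single UID 0 account, no empty passwords, no login shell on system accounts, password maximum age, home directory mode, and a forbidden account such as "guest"). Rule names are this example's own.

```python
"""CIS-style local account checks over passwd/shadow content.

Added illustration only; account data and hashes are constructed.
"""
from dataclasses import dataclass

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


@dataclass(frozen=True)
class ShadowEntry:
    name: str
    hash: str        # "" = no password, "!"/"*" prefix = locked
    max_days: int    # maximum password age; empty field treated as no limit


def parse_passwd(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            entries.append(PasswdEntry(f[0], int(f[2]), int(f[3]), f[5], f[6]))
    return entries


def parse_shadow(text: str) -> dict:
    entries = {}
    for line in text.splitlines():
        if line:
            f = line.split(":")
            entries[f[0]] = ShadowEntry(f[0], f[1], int(f[4]) if f[4] else 99999)
    return entries


def assess_accounts(passwd_text, shadow_text, home_modes, forbidden=frozenset({"guest"}),
                    max_age=365) -> list:
    """Return failed findings as (rule, account) pairs; passing checks are silent."""
    shadow = parse_shadow(shadow_text)
    failures = []
    for u in parse_passwd(passwd_text):
        if u.uid == 0 and u.name != "root":
            failures.append(("only_root_uid0", u.name))
        if 0 < u.uid < 1000 and u.shell not in NOLOGIN_SHELLS:
            failures.append(("system_accounts_nologin", u.name))
        if u.name in forbidden:
            failures.append(("forbidden_account", u.name))
        if u.home in home_modes and home_modes[u.home] & ~0o750:
            failures.append(("home_dir_mode_le_750", u.name))   # group-write or any world bits
        s = shadow.get(u.name)
        if s is not None:
            if s.hash == "":
                failures.append(("no_empty_passwords", u.name))
            elif not s.hash.startswith(("!", "*")) and s.max_days > max_age:
                failures.append(("password_max_age_le_365", u.name))
    return failures


# Constructed sample data; "$6$placeholder$notarealhash" stands in for a real hash.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/bash
admin2:x:0:0::/root:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
"""
SHADOW = """\
root:$6$placeholder$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
admin2:$6$placeholder$notarealhash:19000:0:99999:7:::
deploy:$6$placeholder$notarealhash:19000:0:90:7:::
guest::19000:0:99999:7:::
"""
HOME_MODES = {"/root": 0o700, "/home/deploy": 0o755, "/home/guest": 0o750}


def demo() -> list:
    return assess_accounts(PASSWD, SHADOW, HOME_MODES)
```

Locked accounts (hash beginning with "!" or "*") are skipped by the password-age rule on purpose: they cannot log in with a password, so the age limit is not the relevant finding for them.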

Related Features

Not applicable.

Policies Used

  • CIS Benchmark for Amazon Linux
  • CIS Benchmark CentOS
  • CIS Benchmark Debian
  • CIS Benchmark for Windows Server 2008 R2 through 2019
  • CIS Benchmark for Oracle Linux
  • CIS Benchmark Red Hat Enterprise Linux
  • CIS Benchmark for Ubuntu

User Account Event Monitoring

Key use cases

Automatically monitor and collect significant events related to user activity and management of user accounts from server operating systems and running applications.

Ensure audit settings are configured to properly log such activity, and detect unwanted behavior such as attempted logins to immutable systems, logins as specific users such as “root” or “administrator”, privileged changes, addition/deletion/modification of user accounts.

Integrate event monitoring with your Security Information and Event Management (SIEM) tools for long term storage and correlation with events from other devices.

Comply with PCI and other regulations and standards which require continuous monitoring of system logs.

How it works

Configuration security monitoring policies can be created to ensure audit settings are appropriately configured for Windows and Linux operating systems so that the desired user-related events can be captured.

Configuration policy templates are included for operating systems to ensure audit settings are configured appropriately. Policy templates are provided for different versions of Windows and Linux operating systems that specify log files and events to collect in order to detect and alert on unwanted activity. These policies allow you to quickly configure event monitoring for compliance and intrusion detection initiatives.

Custom policies can also be created from scratch by the user.

When the workload is active, the Halo microagent scans the specified logs for events matching the policy every 5 minutes. Events matching the policy are collected and sent to the Halo Cloud where they are enriched with other information collected about the server including facts and IaaS metadata.

Halo optionally alerts the user and creates an issue indicating that the event should be investigated. Users can view and obtain a history of significant server events using the Event viewer in the Portal, or through the REST API.
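
The log scan described here and in the Operating System Event Monitoring section above, as an added example that is not Halo's code or one of its policy templates: a policy is a list of named patterns, each constructed log line is matched against it, and every hit becomes an event carrying the fields captured from the line plus the server facts the agent already holds. A second function reads only what was appended since the previous scan, which is how a periodic (here, every-5-minutes) sweep avoids re-reporting old lines, and restarts from the top if the log has been rotated or truncated.

```python
"""Policy-driven log scan with enrichment by server facts.

Added illustration only; rule patterns, log lines and facts are constructed.
"""
import os
import re

# Constructed detection rules; named groups become fields on the event.
RULES = [
    ("root login", re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")),
    ("failed login", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("user account added", re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
    ("user account deleted", re.compile(r"userdel\[\d+\]: delete user '(?P<user>[^']+)'")),
    ("audit configuration changed", re.compile(r"type=CONFIG_CHANGE .*op=(?P<op>\S+)")),
]

# Constructed facts the agent would already have reported for this server.
SERVER_FACTS = {
    "hostname": "web-01",
    "os": "Ubuntu 20.04",
    "iaas": {"provider": "aws", "account_id": "123456789012", "region": "us-east-1"},
}

# Constructed auth/audit log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar  3 10:01:12 web-01 sshd[2201]: Accepted publickey for root from 10.0.0.5 port 50022 ssh2
Mar  3 10:01:40 web-01 sshd[2207]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar  3 10:02:05 web-01 useradd[2215]: new user: name=deploy, UID=1001, GID=1001, home=/home/deploy, shell=/bin/bash
Mar  3 10:02:30 web-01 CRON[2220]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:03:02 web-01 audispd: node=web-01 type=CONFIG_CHANGE msg=audit(1614765782.123:90): auid=1000 ses=3 op=remove_rule key="identity" list=4 res=1
Mar  3 10:04:11 web-01 userdel[2230]: delete user 'deploy'
"""


def scan(lines, rules=RULES, facts=SERVER_FACTS) -> list:
    """Match each line against the policy; first matching rule wins."""
    events = []
    for line in lines:
        for name, pattern in rules:
            m = pattern.search(line)
            if m:
                events.append({"rule": name, "line": line, **m.groupdict(), "server": facts})
                break
    return events


def scan_text(text: str) -> list:
    return scan(line for line in text.splitlines() if line.strip())


def scan_since(path: str, offset: int, rules=RULES, facts=SERVER_FACTS) -> tuple:
    """Read only what was appended since the last scan; returns (events, new_offset)."""
    if os.path.getsize(path) < offset:   # rotated or truncated: start over
        offset = 0
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(offset)
        lines = [l for l in fh.read().splitlines() if l.strip()]
        new_offset = fh.tell()
    return scan(lines, rules, facts), new_offset
```

Of the six constructed lines, five match a rule and the cron entry does not; the matched events carry the source address, user name or audit operation captured by the pattern alongside the server's IaaS metadata.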

Related Features

Configuration security monitoring policies should be leveraged in order to make sure workloads are properly configured to audit user-related activity; having done so, LIDS policies can be used to capture the events.

Policies Used

  • Core System (Amazon Linux)
  • Core System (CentOS)
  • Core System (Debian)
  • Core System (Red Hat)
  • Core System (Ubuntu)
  • Core System (Windows Server 2008 R2 through 2019)
  • Auditd – Integrity policy
  • Auditd – Abnormal behavior policy
  • Auditd – Access policy
  • Auditd – Configuration policy
  • Auditd – Cryptographic policy
  • Auditd – Daemon policy
  • Auditd – Storage policy
  • Auditd – System policy
  • Auditd – Malicious Activity policy

Network Traffic

Network Traffic Discovery

Key use cases

Obtain an inventory of network traffic to and from each workload.

Obtain an inventory of network traffic for a group of workloads that are part of the same application.

How it works

At workload boot time, the Halo microagent begins to periodically sample the network traffic to and from the Windows or Linux workload and keeps a history of all TCP and UDP traffic flows observed for 30 days.

The Halo Portal provides a report of the traffic observed, including the responsible user, process, local and destination ports, local and destination IP addresses, and IP address geolocations.

Users can query this information across the environment to find server workloads using unauthorized ports or communicating with unauthorized IP addresses.

Subsequent scans occur periodically every 15 minutes. On subsequent scans, Halo detects added and removed processes and updates the information in the Portal.

Related Features

Not applicable.

Policies Used

No policies required.

Network Traffic Inventory

Key use cases

Obtain an inventory of network traffic to and from each workload.

Obtain an inventory of network traffic for a group of workloads that are part of the same application.

How it works

At workload boot time, the Halo microagent begins to periodically sample the network traffic to and from the Windows or Linux workload and keeps a history of all TCP and UDP traffic flows observed for 30 days.

The Halo Portal provides a report of the traffic observed, including the responsible user, process, local and destination ports, local and destination IP addresses, and IP address geolocations.

Users can query this information across the environment to find server workloads using unauthorized ports or communicating with unauthorized IP addresses.

Subsequent scans occur periodically every 15 minutes.

Related Features

Not applicable.

Policies Used

No policies required.

Network Traffic Visualization

Key use cases

Obtain an inventory of network traffic to and from each workload.

Visualize the inventory of network traffic for a group of workloads that are part of the same application.

Identify anomalous traffic per workload or across a group of workloads.

How it works

At workload boot time, the Halo microagent begins to periodically sample the network traffic to and from the Windows or Linux workload and keeps a history of all TCP and UDP traffic flows observed for 30 days.

The Halo Portal provides a report of the traffic observed, including the responsible user, process, local and destination ports, local and destination IP addresses, and IP address geolocations.

This information can be visualized in a graph to see common or anomalous patterns either per-workload or across a group of workloads.

Users can query this information across the environment to find server workloads using unauthorized ports or communicating with unauthorized IP addresses.

Subsequent scans occur periodically every 15 minutes.
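
The flow history and queries described in the three Network Traffic sections above, as an added example that is not Halo's code: constructed flow records carry the attributing user and process, ports, peer address and a timestamp; a 30-day retention window prunes old samples; a small allow-policy (this example's own format) flags workloads listening on unexpected ports or connecting to addresses outside the permitted networks; and a summary counts flows per process and service port, the kind of aggregate a per-workload or per-application view is built from.

```python
"""Flow history with retention, unauthorized-traffic query and per-process summary.

Added illustration only; flows, the reference time and the policy are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Flow:
    seen: datetime
    host: str
    user: str
    process: str
    proto: str
    direction: str      # "in": peer connected to us; "out": we connected to the peer
    local_port: int
    remote_ip: str
    remote_port: int

    @property
    def service_port(self) -> int:
        """The port that identifies the service: ours for inbound, the peer's for outbound."""
        return self.local_port if self.direction == "in" else self.remote_port


NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time


def ago(**delta) -> datetime:
    return NOW - timedelta(**delta)


# Constructed samples (RFC 5737 documentation addresses for external peers).
FLOWS = [
    Flow(ago(minutes=5), "web-01", "www-data", "nginx", "tcp", "in", 443, "203.0.113.10", 51234),
    Flow(ago(hours=2), "web-01", "root", "sshd", "tcp", "in", 22, "10.0.0.5", 50022),
    Flow(ago(minutes=1), "web-01", "www-data", "php-fpm", "tcp", "out", 45012, "10.0.1.20", 3306),
    Flow(ago(minutes=3), "web-01", "root", "curl", "tcp", "out", 45100, "198.51.100.77", 8080),
    Flow(ago(days=2), "web-01", "deploy", "python3", "tcp", "in", 8081, "203.0.113.44", 40210),
    Flow(ago(days=35), "web-01", "root", "sshd", "tcp", "in", 22, "192.0.2.9", 60000),
]

# Example policy format: inbound service ports allowed, and (network, port) pairs allowed for egress.
POLICY = {
    "inbound_ports": {22, 443},
    "egress": [(ipaddress.ip_network("10.0.0.0/8"), 3306)],
}


def prune(flows, now=NOW, retention_days=30) -> list:
    """Keep only flows observed inside the retention window."""
    cutoff = now - timedelta(days=retention_days)
    return [f for f in flows if f.seen >= cutoff]


def find_unauthorized(flows, policy=POLICY) -> list:
    """Flows violating the policy, each paired with the reason."""
    hits = []
    for f in flows:
        if f.direction == "in":
            if f.service_port not in policy["inbound_ports"]:
                hits.append((f, f"inbound port {f.service_port} not allowed"))
        else:
            peer = ipaddress.ip_address(f.remote_ip)
            if not any(peer in net and f.remote_port == port for net, port in policy["egress"]):
                hits.append((f, f"egress to {f.remote_ip}:{f.remote_port} not allowed"))
    return hits


def summarize(flows) -> Counter:
    """Flow counts per (process, direction, service port), the basis of a traffic view."""
    return Counter((f.process, f.direction, f.service_port) for f in flows)
```

Against the constructed data the 35-day-old SSH flow is dropped by retention, and the query reports two flows: an outbound connection from curl to an address outside the allowed egress networks, and an inbound connection to port 8081 served by a python3 process that the policy does not list.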

Related Features

Not applicable.

Policies Used

No policies required.

IaaS Instance Metadata Collection

Key use cases

Gain visibility to server workloads residing in IaaS and other data center environments, consolidated in a single view.

Maintain an up-to-date inventory as servers are deployed and decommissioned.

View IaaS metadata for each asset, including IaaS provider, instance type, instance ID, account ID, availability zone, region, security groups, and tags, for assets in AWS, Azure, GCP, and OpenStack datacenters.

Query the inventory by various IaaS metadata attributes.

How it works

The Halo microagent is installed on each server workload, usually by building it into server images.

When a server is instantiated, the Halo microagent continuously monitors the server and its internal components from inside the operating system.

Facts about the server’s operating system and operating system version, kernel version, architecture, configured interfaces, IP addresses, and cloud provider metadata are collected hourly and transmitted to the Halo Portal.

Related Features

While IaaS metadata can be collected from the Server Secure Halo microagent directly, retrieval of IaaS tags requires Cloud Secure to combine instance tags with other IaaS metadata.

Policies Used

No policies required.