@basepi basepi released this Sep 27, 2018 · 118 commits to develop since this release

Assets 18

Features

  • Deprecate the old CVE scanners. vulners_scanner.py is the only officially supported CVE scanner at this time.
  • Masking support for nebula data. This lets you collect environment variables and similar data while using regexes to mask known secret formats, so that secrets do not end up in Splunk or Logstash.
  • New sphinx-built docs
  • Support for Docker-built Windows packages
  • Change the timestamp in hubble logs in splunk to epoch time
  • Add hubble version to grains
  • Refactor vulners scanner to use vulners library
  • Add min_splay support to scheduler
  • Add ability to modify console logger options

Fixes

  • Fix regression in nova (hubble.py) imports that prevented audits from being run
  • Stop hubble when package is uninstalled
  • Dockerfile-based packaging fixes for Windows
  • Removed the hangtime wrapper from Windows, as we can't use signals there.
  • Fix hubble --version when the hubble daemon is running
  • Disable potentially problematic osquery queries containing ATTACH or CURL
  • Write the pidfile once per minute for the running daemon in an attempt to prevent it from being lost (should improve restart success rate)
Pre-release

@basepi basepi released this Sep 21, 2018 · 131 commits to develop since this release

Assets 2

Fixes

  • Dockerfile-based packaging fixes for Windows
  • Removed the hangtime wrapper from Windows, as we can't use signals there.
Pre-release

@basepi basepi released this Sep 18, 2018 · 151 commits to develop since this release

Assets 2

Features

  • Refactor cve scanner to use vulners library
  • Add min_splay support to scheduler
  • Add ability to modify console logger options

Fixes

  • Stop hubble when package is uninstalled
Pre-release

@basepi basepi released this Aug 27, 2018 · 175 commits to develop since this release

Assets 2

Features

  • Change the timestamp in hubble logs in splunk to epoch time
  • Add hubble version to grains

Fixes

  • Fix regression in nova (hubble.py) imports that prevented audits from being run
Pre-release

@basepi basepi released this Aug 21, 2018 · 183 commits to develop since this release

Assets 2

Major Features

  • Masking support for nebula data. This lets you collect environment variables and similar data while using regexes to mask known secret formats, so that secrets do not end up in Splunk or Logstash.
  • New sphinx-built docs
  • Support for Docker-built Windows packages
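To make the masking feature concrete (it is listed in this release and again in the Sep 27 release), here is an added Python example. It is not hubble's masking code and does not use hubble's mask configuration format; it shows the technique on rows shaped like osquery's process_envs table (pid, key, value). Two layers are applied: if the variable name looks sensitive, the whole value is replaced; otherwise only spans that match a known secret format (an AWS access key ID, a user:password pair in a connection URL, a private key block) are replaced, so the rest of the value stays useful for analysis. The patterns, the column names and the sample rows are constructed for this example.

```python
import re
from typing import Dict, Iterable, List, Pattern, Tuple

MASK = "REDACTED"

# Constructed for this example: an environment variable whose *name* matches
# this pattern has its entire value masked, whatever the value looks like.
SENSITIVE_KEY_RE: Pattern[str] = re.compile(
    r"(?i)(secret|token|passw(or)?d|api_?key|access_key|private_key)"
)

# Constructed for this example: value-level patterns for well-known secret
# formats. Each entry is (regex, replacement); only the matching span is
# replaced, so surrounding context such as a URL or flag name stays readable.
SECRET_VALUE_PATTERNS: List[Tuple[Pattern[str], str]] = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), MASK),                         # AWS access key ID
    (re.compile(r"ghp_[A-Za-z0-9]{36}"), MASK),                      # GitHub personal access token
    (re.compile(r"(?i)(password=)[^\s&]+"), r"\g<1>" + MASK),        # password=... in query strings
    (re.compile(r"(://[^:/@\s]+:)[^@\s]+(?=@)"), r"\g<1>" + MASK),   # user:pass@ in connection URLs
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S), MASK),
]


def mask_value(value: str) -> str:
    """Replace every known secret format inside a string, leaving the rest intact."""
    for pattern, replacement in SECRET_VALUE_PATTERNS:
        value = pattern.sub(replacement, value)
    return value


def mask_row(row: Dict[str, str], key_column: str = "key", value_column: str = "value") -> Dict[str, str]:
    """Return a masked copy of one row; the input row is left unchanged."""
    masked = dict(row)
    key_is_sensitive = bool(SENSITIVE_KEY_RE.search(str(row.get(key_column, ""))))
    for column, cell in row.items():
        if not isinstance(cell, str):
            continue
        if column == value_column and key_is_sensitive:
            masked[column] = MASK            # name says "secret": hide the whole value
        else:
            masked[column] = mask_value(cell)  # otherwise mask only known secret shapes
    return masked


def mask_rows(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mask a whole result set before it is handed to a returner."""
    return [mask_row(row) for row in rows]


# Constructed sample rows in the shape of osquery's process_envs table.
SAMPLE_ROWS = [
    {"pid": "1201", "key": "PATH", "value": "/usr/local/bin:/usr/bin"},
    {"pid": "1201", "key": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
    {"pid": "1201", "key": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"pid": "2310", "key": "DATABASE_URL", "value": "postgres://app:hunter2@db.internal:5432/app"},
    {"pid": "2310", "key": "HOME", "value": "/home/app"},
]

if __name__ == "__main__":
    for masked in mask_rows(SAMPLE_ROWS):
        print(masked)
```

The name-based layer is what catches secrets that have no recognisable format (an opaque AWS secret key, a random API token); the format-based layer is what catches secrets embedded in values whose name gives nothing away (a DATABASE_URL). Run the masking on the collector side, before the data reaches any returner, and keep the rule list under version control alongside the queries it protects.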

@basepi basepi released this Aug 2, 2018 · 214 commits to develop since this release

Assets 14

Fixes since 2.4.0

  • Fix an issue with merging the v2-style nebula queries using a top.nebula file

Version 2.4.x release notes

Major Features

New format for nebula queries

Allows for overriding on a per-query basis via topfiles. The new version of the nebula_osquery.py module now looks for nebula data in hubblestack_nebula_v2 in the fileserver. Please take note of this and migrate if you're not using our hubblestack_data repo.

Graylog GELF returners

Modeled after the Logstash returners, but GELF-specific.

Better error reporting and optional retries for splunk returners

Set returner_retry: True on a scheduled job that uses the splunk returners to enable retries (by default, 3 retries with 15 seconds between each). Additionally, errors from splunk requests will be more informative (instead of the existing "marked as bad" errors).

Persist transiently-available grains

If a grain is available at some point and then stops being generated later, we keep it across grain refreshes. This is to prevent us from losing useful grain data due to metadata server outages or issues.

Major fixes

Move daemonization to pre-grains

Daemonize earlier, so that slow-running custom grains don't make the service manager unhappy while it waits for the daemon to come up.

Fixes for lack of s3 timeouts

In some cases, hubble could hang with open sockets to S3. The underlying salt util module specified no timeouts, so we now ship our own copy of it with timeouts set.

Upper limit for osquery runs

In some cases, osquery can hang due to network issues. Now hubble will eventually kill osquery and continue operations.

Upper limit for grains refreshes

We were worried about the potential for grains refreshes causing some of the uncommon hangs we were seeing, so we now use signals and timers to interrupt grains if they are taking too long.

Remove default file_roots setting

Some users were seeing issues due to conflicts with salt files on their system in /srv/salt. We now scrub those default paths from file_roots.

New osquery version

We've updated to a newer SHA of osquery for fixes and features there.

@basepi basepi released this Jul 31, 2018 · 219 commits to develop since this release

Assets 16

Major Features

New format for nebula queries

Allows for overriding on a per-query basis via topfiles. The new version of the nebula_osquery.py module now looks for nebula data in hubblestack_nebula_v2 in the fileserver. Please take note of this and migrate if you're not using our hubblestack_data repo.

Graylog GELF returners

Modeled after the Logstash returners, but GELF-specific.

Better error reporting and optional retries for splunk returners

Set returner_retry: True on a scheduled job that uses the splunk returners to enable retries (by default, 3 retries with 15 seconds between each). Additionally, errors from splunk requests will be more informative (instead of the existing "marked as bad" errors).
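The retry and error-reporting behaviour described above (also listed in the Aug 2 release notes) can be shown in a few lines of Python. This is an added example, not hubble's splunk returner code: the `send_with_retry` function, the `Response` type and the `FlakyEndpoint` stand-in are constructed here. It keeps the defaults the notes give (3 retries, 15 seconds between them), takes the sleep function as a parameter so the wait can be observed without actually sleeping, and, when every attempt fails, raises an error that carries the last HTTP status and response body instead of a bare "marked as bad".

```python
import time
from typing import Callable, List, NamedTuple


class Response(NamedTuple):
    status: int
    body: str


class ReturnerError(Exception):
    """Raised when every attempt has failed; carries the last concrete error."""


def send_with_retry(post: Callable[[str], Response], payload: str,
                    retries: int = 3, delay: float = 15.0,
                    sleep: Callable[[float], None] = time.sleep) -> int:
    """Deliver payload, retrying on connection errors and non-2xx responses.

    retries=0 means a single attempt. Returns the attempt number that
    succeeded (1 means no retry was needed) so callers can log it.
    """
    attempts = retries + 1
    last_error = "no attempt made"
    for attempt in range(1, attempts + 1):
        try:
            response = post(payload)
        except OSError as exc:                     # DNS, refused, reset, timeout
            last_error = f"attempt {attempt}: connection error: {exc}"
        else:
            if 200 <= response.status < 300:
                return attempt
            # Keep the status and (truncated) body: that is what you need when
            # Splunk rejects a token, an index, or a malformed event.
            last_error = f"attempt {attempt}: HTTP {response.status}: {response.body[:200]!r}"
        if attempt < attempts:
            sleep(delay)
    raise ReturnerError(f"gave up after {attempts} attempts; {last_error}")


class FlakyEndpoint:
    """Constructed stand-in for an HTTP event collector: fails `failures` times, then accepts."""

    def __init__(self, failures: int) -> None:
        self.failures = failures
        self.calls: List[str] = []

    def post(self, payload: str) -> Response:
        self.calls.append(payload)
        if len(self.calls) <= self.failures:
            return Response(503, '{"text":"Server is busy","code":9}')   # constructed body
        return Response(200, '{"text":"Success","code":0}')               # constructed body


if __name__ == "__main__":
    endpoint = FlakyEndpoint(failures=2)
    waited: List[float] = []
    print("succeeded on attempt", send_with_retry(endpoint.post, '{"event":"x"}', sleep=waited.append))
    print("waited", waited)
```

Retrying is only safe because the payload is resent unchanged; if a returner batches events, make sure a retry resends the same batch rather than whatever has accumulated since, or you trade lost events for duplicated ones.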

Persist transiently-available grains

If a grain is available at some point and then stops being generated later, we keep it across grain refreshes. This is to prevent us from losing useful grain data due to metadata server outages or issues.

Major fixes

Move daemonization to pre-grains

Daemonize earlier, so that slow-running custom grains don't make the service manager unhappy while it waits for the daemon to come up.

Fixes for lack of s3 timeouts

In some cases, hubble could hang with open sockets to S3. The underlying salt util module specified no timeouts, so we now ship our own copy of it with timeouts set.

Upper limit for osquery runs

In some cases, osquery can hang due to network issues. Now hubble will eventually kill osquery and continue operations.

Upper limit for grains refreshes

We were worried about the potential for grains refreshes causing some of the uncommon hangs we were seeing, so we now use signals and timers to interrupt grains if they are taking too long.
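The two upper limits described above (killing a hung osquery run, and interrupting a grains refresh with signals and timers) are the same idea applied to an external process and to in-process code. The Python below is an added example of both techniques, not hubble's implementation, and it serves the same two paragraphs in the 2.4.1 notes earlier on this page. `call_with_deadline` arms a SIGALRM interval timer around a callable and always disarms it afterwards; `run_command_with_deadline` runs a command in its own session and kills the whole process group on timeout, so a wrapper shell cannot leave the real worker behind. The `fast_grains` and `hanging_grains` functions are constructed stand-ins for a grains module, and the command run in the usage is a constructed shell command rather than osqueryi.

```python
import os
import signal
import subprocess
import time
from typing import Any, Callable, Dict, List, Optional


class DeadlineExceeded(Exception):
    """Raised inside the interrupted function when the timer fires."""


def call_with_deadline(func: Callable[[], Any], seconds: float) -> Any:
    """Run func() in this thread and interrupt it with SIGALRM after `seconds`.

    POSIX only, and only from the main thread (the only place a signal handler
    can be installed). The handler raises, so even a blocking time.sleep()
    inside func() is unwound.
    """
    def _on_alarm(signum, frame):
        raise DeadlineExceeded(f"{getattr(func, '__name__', 'callable')} exceeded {seconds}s")

    previous = signal.signal(signal.SIGALRM, _on_alarm)
    signal.setitimer(signal.ITIMER_REAL, seconds)
    try:
        return func()
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)    # always disarm, even on success
        signal.signal(signal.SIGALRM, previous)


def refresh_grains_with_deadline(refresh: Callable[[], Dict[str, Any]], seconds: float) -> Dict[str, Any]:
    """Return the refreshed grains, or {} if the refresh ran past the deadline."""
    try:
        return call_with_deadline(refresh, seconds)
    except DeadlineExceeded:
        return {}


def run_command_with_deadline(argv: List[str], seconds: float) -> Optional[str]:
    """Run an external command (e.g. osqueryi --json '<sql>') with an upper bound.

    The child starts in a new session so that on timeout the whole process
    group can be killed, not just a wrapper shell. None means "skip this run".
    """
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                            text=True, start_new_session=True)
    try:
        out, _err = proc.communicate(timeout=seconds)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)   # pid == pgid because of start_new_session
        proc.communicate()                     # reap it so no zombie is left behind
        return None
    if proc.returncode != 0:
        return None
    return out


# Constructed stand-ins for a grains module: one returns quickly, one hangs.
def fast_grains() -> Dict[str, Any]:
    return {"hubble_version": "example", "cloud_metadata": {"region": "us-east-1"}}


def hanging_grains() -> Dict[str, Any]:
    time.sleep(30)   # simulates a metadata-server call that never returns
    return {"never": "reached"}


if __name__ == "__main__":
    print("fast:", refresh_grains_with_deadline(fast_grains, 5.0))
    print("hung:", refresh_grains_with_deadline(hanging_grains, 0.2))
    print("cmd:", run_command_with_deadline(["sh", "-c", "echo ok"], 5.0))
    print("hung cmd:", run_command_with_deadline(["sh", "-c", "sleep 30"], 0.5))
```

Pair the in-process deadline with the grain-persistence behaviour from these same notes: when a refresh is cut off and returns nothing, the previously collected grains stay in place rather than being wiped.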

Remove default file_roots setting

Some users were seeing issues due to conflicts with salt files on their system in /srv/salt. We now scrub those default paths from file_roots.

New osquery version

We've updated to a newer SHA of osquery for fixes and features there.