To this end, CloudPassage also offers an optional multi-factor authentication feature, GhostPorts, which keeps the administrative ports on client hosts closed and opens them only for a user who presents either a YubiKey (a USB security key) together with the CloudPassage password, or an SMS authentication token sent through GhostPorts. In our opinion, GhostPorts should be mandatory.
As mentioned, Halo doesn't fix the problems it finds: some can't be fixed, and others require the discretion, skills, or explicit acknowledgement of the IT administrator. It is possible to use Puppet (which we tested), Chef, or RightScale application logic to alter or manage image/instance settings and address everything Halo flags. We found it better to strip images of unused, vulnerable applications and clear out the accumulated sludge before you start; retrofitting can become gruesome.
CloudPassage claims that Halo's testing/parsing/configuration-checking engine satisfies a multitude of regulatory compliance mandates as well as various international systems benchmarks. As we don't perform these compliance tests, we can't vouch for those claims. We do, however, like the methodology, and we believe Halo goes a long way towards aligning configuration and security efforts for systems administrators at the "street level".
We found it possible to perform a baseline scan of up to 10,000 objects per server. Objects can be files, folders, and even Windows Registry objects; a SHA-256 hash of each is recorded in the baseline. Files larger than a gigabyte can't be hashed, unfortunately, but objects such as kernel files and most folders can be watched for changes in hash and in metadata (with some limitations). Once the baseline is established, the integrity of important files becomes the basis of errors and warnings, whose severities are user-defined. Updates, patches, and fixes will, of course, change hashes and trigger problem management: new baselines must be established before the subsequent polled scans are meaningful again.
CloudPassage also supports deployment of pre-built server hardening policies in all versions. These start from stock policies, which can be edited or supplemented with additional policies and then deployed, in either the free or the "Professional" version.
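The baseline-and-rescan model described above, reduced to its essentials as an added example (this is not CloudPassage's code, and nothing here reflects how the Halo daemon is actually implemented). The policy format (severity by path prefix), the size limit, and the "metadata only" handling for oversized files are assumptions made for the illustration; the directory tree it scans is constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import stat
import tempfile

# Added example, not CloudPassage code. Hash every regular file with SHA-256,
# record a little metadata, skip hashing anything over a size limit, and
# classify differences against a user-defined severity policy.

MAX_SIZE_BYTES = 1 << 30   # assumed 1 GiB ceiling; larger files are metadata-only
CHUNK = 1 << 20


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, max_size=MAX_SIZE_BYTES):
    """Return {relative_path: record} for every regular file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope here
            rec = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "mtime": int(st.st_mtime),   # recorded, but not compared below
                # Over the limit: no hash, so only metadata can be watched.
                "sha256": hash_file(full) if st.st_size <= max_size else None,
            }
            result[os.path.relpath(full, root)] = rec
    return result


def classify(path, policy, default="warning"):
    """Severity is user-defined: the longest matching path prefix wins."""
    best, best_len = default, -1
    for prefix, severity in policy.items():
        if path.startswith(prefix) and len(prefix) > best_len:
            best, best_len = severity, len(prefix)
    return best


def compare(baseline, current, policy):
    """Return (severity, path, reason) tuples for every difference."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        sev = classify(path, policy)
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((sev, path, "added"))
        elif new is None:
            findings.append((sev, path, "removed"))
        elif old["sha256"] != new["sha256"]:
            if old["sha256"] is None or new["sha256"] is None:
                findings.append((sev, path, "content unverifiable: crossed size limit"))
            else:
                findings.append((sev, path, "content changed"))
        elif (old["mode"], old["uid"], old["size"]) != (new["mode"], new["uid"], new["size"]):
            findings.append((sev, path, "metadata changed"))
    return findings


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    return full


def demo():
    """Constructed scenario: baseline a throwaway tree, tamper with it, rescan."""
    policy = {"etc/sshd_config": "error", "etc": "warning"}  # constructed severities
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sshd_config", b"PermitRootLogin no\n")
        motd = _write(root, "etc/motd", b"welcome\n")
        os.chmod(motd, 0o644)
        _write(root, "var/big.bin", b"A" * 2048)      # above the tiny demo limit
        baseline = snapshot(root, max_size=1024)

        _write(root, "etc/sshd_config", b"PermitRootLogin yes\n")  # content change
        os.chmod(motd, 0o666)                                      # metadata-only change
        _write(root, "etc/ld.so.preload", b"/tmp/x.so\n")          # new object
        _write(root, "var/big.bin", b"A" * 4096)                   # unhashed; size grows
        current = snapshot(root, max_size=1024)

        return {
            "findings": compare(baseline, current, policy),
            "unhashed": sorted(p for p, r in current.items() if r["sha256"] is None),
        }


if __name__ == "__main__":
    for sev, path, reason in demo()["findings"]:
        print(f"{sev:8} {path}: {reason}")
```

The oversized file in the scenario is the point of the size-limit caveat: it is never hashed, so a change to it surfaces only if size or ownership moves, and a same-size content swap would go unnoticed. That is the gap a patch window or a re-baseline has to account for.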
How it works
Using Halo requires establishing an account with CloudPassage, then downloading and configuring the daemon software on each host, under either supported operating system. The daemon runs on a schedule, collecting information that is then run through an analysis engine at CloudPassage; by default, the results show all of the policy violations it found, and it finds plenty of them. For compliance's sake, we found it best to examine policy exceptions carefully, and those exceptions will be documented.
Access to Halo itself is controllable. We could limit the authorized IPv4 (not IPv6!) addresses, or a CIDR block of addresses, that can log in to the portal. Daemon registration keys can also be revoked and regenerated, as mentioned, should someone leave the organization. The Halo daemons/services check in to Halo's portal at an assigned interval as a sign of life for their hosts (rather than relying on an ICMP "ping" reply).
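The two access controls just described, a source-address allow-list for portal logins and check-ins at an assigned interval used as a liveness signal, as an added example in Python (not CloudPassage's code, and not how the Halo portal implements them). The allow-list entries, host names, timestamps and the "three missed intervals" threshold are constructed for the illustration. The example also goes one step beyond the review's IPv4-only note: it shows the IPv4-mapped IPv6 address form that a dual-stack front end can hand an IPv4-keyed allow-list, and normalizes it rather than silently rejecting the login.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Added example, not CloudPassage code.


def load_allowlist(entries, allow_ipv6=False):
    """Parse addresses or CIDR blocks; IPv6 entries are refused unless enabled,
    mirroring the IPv4-only limitation noted in the review."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)  # "198.51.100.7" -> /32
        if net.version == 6 and not allow_ipv6:
            raise ValueError(f"IPv6 allow-list entries not supported: {entry}")
        nets.append(net)
    return nets


def login_permitted(source, allowlist):
    """True if the login source address falls inside any allow-listed block."""
    addr = ipaddress.ip_address(source)
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; unwrap that
    # so an IPv4 allow-list still matches instead of rejecting every login.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowlist if net.version == addr.version)


def stale_hosts(last_checkin, interval, now, missed=3):
    """Hosts whose last daemon check-in is older than `missed` intervals."""
    cutoff = now - missed * interval
    return sorted(host for host, seen in last_checkin.items() if seen < cutoff)


def demo():
    """Constructed data: an office block, one jump host, and three agents."""
    allow = load_allowlist(["203.0.113.0/24", "198.51.100.7"])
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    interval = timedelta(minutes=5)          # assumed check-in interval
    last_checkin = {
        "web-1": now - timedelta(minutes=2),
        "web-2": now - timedelta(minutes=20),
        "db-1": now - timedelta(minutes=16),
    }
    return {
        "office": login_permitted("203.0.113.5", allow),
        "mapped": login_permitted("::ffff:203.0.113.5", allow),
        "outsider": login_permitted("203.0.114.5", allow),
        "v6": login_permitted("2001:db8::1", allow),
        "stale": stale_hosts(last_checkin, interval, now),
    }


if __name__ == "__main__":
    print(demo())
```

A host that stops checking in is a signal, not a diagnosis: it may be down, it may have lost outbound connectivity, or its agent may have been stopped by someone who did not want the next scan to run. Treat the stale list as a queue for a human to work through, which is the same stance the review takes toward Halo's findings generally.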