Hubblestack Hubble Versions

Hubble is a modular, open-source security compliance framework. The project provides on-demand profile-based auditing, real-time security event notifications, alerting, and reporting.

v3.0.10

4 years ago

Features

  • Reduced the number of s3 calls to slow down the s3 access rate.

Bug Fixes

  • Fixed a TLS version issue where the Windows pkg wasn't able to download chocolatey.

v3.0.9

4 years ago

Features

  • Added support for AWS instance metadata service version 2 (IMDSv2)

Bug Fixes

  • Fixed s3 fileserver bug
  • Hubble will now load config in hubble.d directory correctly in alphabetical (unicode) order
  • Pinned salt-ssh version to 2019.2.0 for linux

v3.0.8

4 years ago

Features

  • Certificate discovery support in FDG. FDG can now be used to verify installed ssl certificates on a server

Fixes

  • Added support for overriding splunk configuration via global parameters splunk_index, splunk_token and splunk_port
  • Fixed sourcetype generation of fdg
  • Fixing osqueryd safe permissions in Windows server 2012 and 2016
  • Improved performance of disk queuing feature
  • Fix fdg module bug related to readfile
  • Enabling hubble service post install for systemd
  • Fixed s3fs defaults

v3.0.7

4 years ago

Features

  • Users can now specify a proxy using a single parameter, https_proxy, in the config file to configure the proxy for the azurefs fileserver as well as for the splunk APIs
  • Added support for Debian 10

Fixes

  • Fixed cloud_details grain when http_proxy is set in environment variable
  • Fixed intermediate return handling for splunk_fdg_return
  • Fixed import issue in fdg.process
  • Fixed default sourcetype issue

v3.0.6

4 years ago

Fixes

  • Fixed service management on Windows via 'nssm'

v3.0.5

4 years ago

Fixes

  • Fix an issue in win_pulsar so that renames are reported correctly
  • Fix an inconsistency in the hostname generation for the splunk_generic_return

v3.0.4

4 years ago

Fixes

  • Restored previous behavior of splunk returners dynamically loading new splunk config from hubble.d/*.conf files via grains
  • Pulled in a fix (from upstream salt) for generating the fqdn grain in spite of DNS outage
  • Fixed issue where cloud_details grain was being emitted to syslog twice
  • Fixed the generation of the splunkindex grain to be automatic (no longer needs config to work)
  • Added secrets filtering for grains_report to splunk

v3.0.3

4 years ago

Fixes

  • Fixed an issue with proxy settings in the splunk returners (#662)

v3.0.2

5 years ago

  • Upgrade osquery to 3.4.0 on Windows
  • Fix buildinfo to report the actual tag instead of TAGGED_BUILD

v3.0.1

5 years ago

Features

FDG

  • Flexible Data Gathering (FDG for short) is designed to allow security engineers more flexibility in their data gathering, without allowing arbitrary command execution from hubblestack_data. You can think of it like a read-only, sandboxed shell.
  • FDG can also be used for Nova (audit) checks

osqueryd Support (experimental)

  • osqueryd is osquery's daemon mode. It allows for additional data gathering from the audit interface to the kernel, as well as real time gathering of data like processes. Additionally, it can be used to report deltas in addition to periodic snapshots of data, which can drastically reduce the amount of data reported to splunk or other endpoints, especially for queries with mostly-static data.
  • Hubble now has the ability to manage osqueryd, including starting and restarting as needed, deploying osqueryd config from hubblestack_data, and collecting osqueryd logs to send to splunk. See the module for more information.

Disk queueing for splunk returners

  • If you enable disk queueing with the following options, then Hubble will queue events to disk when splunk is unreachable due to overload issues or network issues. When splunk later becomes available, the queued events will be reported as normal, negating the loss of data.

      disk_queue: /var/cache/hubble/splunk_disk_queue
      disk_queue_size: 104857600
      disk_queue_compression: 9

Vulners module utilizing approved API

sigusr1 status reporting

Other

Fixes

  • Fixed a memory leak in the logging system provided by the Salt library -- memory should be much more stable in the new release.
  • Fixed a default config issue with the open source windows installer that would prevent hubble from starting
  • Hubble will now inspect /proc for other running Hubble processes in addition to the pidfile.
  • Fixed s3fs to use cached metadata and files during a network outage
  • Updated included curl and git versions due to CVEs
  • Removed the StartLimit directives from our systemd unit files for compatibility across systemd versions