According to statistics, 83% of enterprises and organizations cut costs and improve efficiency by moving to the cloud, but cloud security problems follow close behind. The open source cloud security tools recommended in this issue apply to the various cloud service models, including SaaS, PaaS and IaaS.
Wazuh is a security protection platform that integrates SIEM, HIDS and XDR. True to its open source roots, the Wazuh community is growing very rapidly, and users can obtain technical support and submit suggestions and feedback there. Wazuh is said to have more than 200,000 corporate users, including some Fortune 100 companies. In addition to on-premises deployment, Wazuh is also well suited to cloud environments, with a flexible infrastructure and strong scalability.
Osquery is an open source monitoring and analysis tool for the operating system. It exposes the state of the system as tables that can be queried with SQL statements: running processes, open network connections, hardware events, browser plug-ins and so on. It runs on Windows, macOS, Linux and FreeBSD, and can also be used to help improve system performance.
Osquery was created by Facebook and put into use in 2014, and its engineers say the company has benefited from it. Osquery logs can catch unknown malware, but this requires additional deployment work and human handling of the threats that are found.
This is a Linux auditing system made up of a kernel component that monitors system calls and a userspace daemon responsible for receiving the audit records and writing them to the log. Released in 2016, the tool stands out for its multi-line logging capability and for emitting audit events as JSON blobs for analysis. Users can therefore talk to the kernel directly over Netlink and implement threat filtering tailored to specific services.
Grapl was released in March 2022. It is a graph analysis platform for security detection, incident response and forensics. It specializes in collecting security logs and converting them into subgraphs, then merging those subgraphs into a master graph that reconstructs the attacker's actions across the entire environment. Grapl can therefore mount a defense matched to the attacker's intent, much as a human defender would. As soon as a suspicious pattern emerges, Grapl fires up its analyzers and investigates.
OSSEC is a security detection and monitoring platform released in 2004. It is also used for log analysis, web server and firewall analysis, and more. It can perform real-time integrity monitoring for a SIEM platform and runs on Microsoft Windows, Linux, OpenBSD, FreeBSD, Solaris and other environments. OSSEC has a centralized manager responsible for monitoring the agents and receiving their information. It can also store files after performing integrity checks on databases, logs, system audits, events and so on.
Suricata combines intrusion detection, intrusion prevention and network monitoring. It already had traffic monitoring when it was released in 2009, and today it can monitor high-volume traffic at 10G speeds. It also supports file extraction and provisioning on bare metal and virtual machine servers in AWS, enabling traffic monitoring and the discovery of advanced threats.
Like Suricata, Zeek is a traffic monitoring tool, but it spots anomalous behavior and suspicious activity, which sets it apart from traditional rule-based IDS. Zeek lets users examine attack activity both before and during an incident, and has some interactive capabilities. Zeek's scripting language can be customized to user needs, so complex logical conditions can be built with operators such as AND, OR and NOT.
Panther is an automated solution open sourced by Airbnb. Its main purpose is to make up for the shortcomings of traditional SIEMs. It can be configured to match the user's actual security detection environment and scale in order to achieve centralized detection. Each of its detections is transparent, which not only defines the detection rules but also reduces false positives.
Panther can automatically repair misconfigurations and lets users keep data that they do not want tampered with. Panther is deployed in the user's own AWS cloud using AWS CloudFormation, ensuring that the data stays under the user's own control.
9. Kali Linux
Kali Linux is an open source system that provides network security utilities and penetration testing tools. It is one of the few Linux distributions focused on hacking. On Kali Linux, users can run Linux executables that can also be executed on Windows 10. Kali Linux can be installed on most devices, such as the Raspberry Pi, Odroid, HP and Samsung Chromebooks, BeagleBone and so on.
PacBot (Policy as Code Bot) is a compliance monitoring and cloud security automation tool. It scans and evaluates target resources against policies and includes an auto-healing framework that responds to violations automatically through predefined actions. The tool also includes visualization capabilities that let users view compliance status and simplify the analysis and resolution of policy violations.