Security 🔐

Security coverage across cloud providers, Kubernetes, Linux hardening, SIEM, and incident response. This section consolidates the security knowledge spread across your Wazuh SIEM work, AWS multi-account security monitoring, and the homelab Kubernetes environment.

Sections

SIEM — Security Information & Event Management

Centralized security monitoring, detection, and alerting across all sources.

  • SIEM Hub — Overview, tool comparison, Wazuh vs Elastic vs Splunk
  • Wazuh — Open-source SIEM/XDR, your primary tool
  • Alerting — Alert design, thresholds, fatigue metrics
  • Elastic Security — ELK-based SIEM
  • Splunk — SPL queries, Enterprise Security

Cloud Security — AWS, Azure, GCP

Security tooling and configuration per cloud provider.

Kubernetes Security

Security for your EKS clusters and homelab K8s environment.

Endpoint Security

Host-based security — Linux hardening, IDS/IPS, runtime security.

Application Security

Auth, secrets, dependency scanning, supply chain.

  • Application Security Hub
  • Authentication — OAuth2/OIDC/JWT
  • Secrets Management — Vault, AWS Secrets Manager, K8s secrets
  • Dependency Scanning — Trivy, Snyk, Grype
  • Supply Chain — SBOM, Sigstore, SLSA

Network Security

TLS/mTLS, zero trust, VPN, firewall.

  • Network Security Hub
  • mTLS — Certificate management, mutual TLS
  • Zero Trust — BeyondCorp model, identity-based access
  • VPN — WireGuard, OpenVPN, IPSec

DevSecOps

Shift-left security, CI/CD pipeline security, container hardening.

  • DevSecOps Hub
  • Pipeline Security — Securing GitHub Actions, Tekton, supply chain security
  • Container Security — Distroless, rootless, capabilities, seccomp

Incident Response

Playbooks, forensics, threat hunting, postmortems.

Your Security Stack

Layer               Tool                                       Status
SIEM                Wazuh                                      Primary
Cloud Monitoring    Wazuh agentless (CloudTrail, GuardDuty)    Multi-account (40+ org)
Automation          n8n + Planio                               Incident response workflow
K8s Security        Falco + Wazuh agent                        EKS clusters
Container Scanning  Trivy                                      CI/CD
Secrets             Vault (existing notes)                     Homelab

Key Vault References

Your existing notes that inform this section:

  • IAM — Identity and access management
  • EKS Security — Cluster hardening, network policies
  • PAM — Pluggable Authentication Modules (Linux authentication stack)
  • IPS — Network and host intrusion detection and prevention
  • Zero Trust — Network architecture
  • Supply Chain — SBOM, Sigstore

Quick Navigation

SIEM          → Wazuh deployment, rules, n8n integrations, threat hunting
Cloud         → AWS Security Hub, GuardDuty, multi-account SCPs, CloudTrail
K8s           → RBAC, network policies, pod security, secrets, Trivy
Linux         → AppArmor, SELinux, PAM, sysctl hardening
IR            → Playbooks, forensics, postmortems, n8n automation

Contributing

This section is actively expanded. Key areas to develop:

  • Add Wazuh agent deployment on EKS with IRSA
  • Add AWS SCP examples for a security baseline
  • Add Falco → n8n → Planio workflow
  • Add Vault deployment guide for secrets
  • Add K8s audit log analysis with Wazuh