Wow!

It's really nice this post got that much attention :D

Since Laszlo has some pre-existing knowledge of the LogVM idea, I will try
to focus on the other two and keep in communication with him to test and
coordinate.
To reply in total, I know the Wayland support is the hardest of the three,
but I'd like to give it a shot.

Within the next few days I'll instrument my research on both In-VM
configurations and Wayland support and create a standalone post on the idea
details for feedback.

Regards,
Harry

On Mon, Apr 15, 2019 at 9:32 AM unman <[email protected]> wrote:

> On Mon, Apr 15, 2019 at 12:26:43PM +0200, Scarpafo Scarpafo wrote:
> > Ok,
> > Read your blog. Nice.
> > I think before everything of technique we have to define the Supervision
> > Policy.
> > What are we facing?
> > Where?
> > .....
> >
> > On Mon, Apr 15, 2019 at 11:54, Scarpafo Scarpafo <[email protected]>
> > wrote:
> >
> > > Ok, I will check your blog tonight.
> > > rsyslog is already inside each system. Better to use it instead of
> > > installing syslog-ng. Even if ng is better :)
> > >
> > > On Mon, Apr 15, 2019 at 09:37, Zrubi <[email protected]> wrote:
> > >
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA256
> > >>
> > >> On 4/15/19 8:36 AM, Scarpafo Scarpafo wrote:
> > >> > Ahah, I suggested it to Frederic one year ago. But we need to salt
> > >> > all VMs with auditd policy, rsyslog forward, hids, build a repo
> > >> > syslog-ng and the most difficult part... do you know any siem
> > >> > without eating the power? xD.
> > >> Well, we should not aim to create a full SIEM in this project, but
> > >> "only" a log collecting (and parsing) VM, and the stuff needed for
> > >> this.
> > >>
> > >> As log collecting (and parsing) is the very first requirement of every
> > >> SIEM, we can't skip this part. As I already did it (see my blog):
> > >> basic log parsing can be done by syslog-ng (or maybe rsyslog, or
> > >> nxlog) with only very small resources needed.
> > >>
> > >> The Qubes specific part would be the "special" log forwarding, instead
> > >> of using TCP/UDP network. But the solution is already here: see the
> > >> current template network access method.
> > >>
> > >> Then, if we have the architecture and the Qubes-specific log
> > >> collecting solution, we can start extending it by defining what kind
> > >> of logs we need, and what we can do with them...
> > >>
> > >> But to jump ahead, and answer your question:
> > >> As you may read on my blog, I started a tiny SIEM-like project which
> > >> runs on my home NAS. And this thing has only 512 MB RAM total. :)
> > >>
> > >> Of course it does not work like the big huge ELK/Splunk/Qradar, but
> > >> something like well defined daily statistics instead. I would say that
> > >> is a good start for seeing what happened in our home network. And I
> > >> think the same should apply to a Qubes box.
> > >>
> > >> - --
> > >> Zrubi
>
> Please don't top post. It makes it much more difficult to follow the
> thread.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/CAFXTyT_QL8cJGLNztXjS77bwjT77kxrnU4Sv290W9HyO9raY9Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
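Zrubi's message above argues that basic log collecting and parsing can be done with very small resources, producing "well defined daily statistics" rather than a full SIEM. The block below is an added example written for this thread, not code from Zrubi's blog, the LogVM project or the Qubes project: it parses BSD-style syslog lines (the shape rsyslog and syslog-ng emit by default), extracts facility and severity from the optional `<PRI>` prefix, and aggregates a per-day, per-qube, per-program event count. The sample lines are constructed; the Qubes-specific transport that replaces TCP/UDP forwarding (qrexec, as the thread suggests) is not shown, since the parsing side is the same whatever delivers the lines.

```python
import re
from collections import Counter

# Constructed sample lines in BSD syslog (RFC 3164) shape, as a log-collector
# qube might receive them from several other qubes. Not real captured data.
SAMPLE_LINES = [
    "<38>Apr 15 09:37:01 work sshd[1234]: Failed password for root from 10.137.0.5 port 40122 ssh2",
    "<38>Apr 15 09:37:04 work sshd[1234]: Failed password for root from 10.137.0.5 port 40124 ssh2",
    "<86>Apr 15 09:40:12 work sudo: user : TTY=pts/0 ; PWD=/home/user ; COMMAND=/bin/ls",
    'Apr 15 11:02:55 personal kernel: audit: type=1400 audit(1555326175.001:42): apparmor="DENIED"',
    "this line is not syslog at all",
]

# <PRI> is optional (present when the line came over a syslog socket, absent
# when it was read from a plain log file). PID in brackets is also optional.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line):
    """Return a dict of fields for one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    pri = int(d["pri"]) if d["pri"] is not None else None
    return {
        # PRI = facility * 8 + severity (RFC 3164 section 4.1.1)
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "date": f"{d['month']} {int(d['day']):02d}",
        "time": d["time"],
        "host": d["host"],
        "program": d["program"],
        "pid": int(d["pid"]) if d["pid"] else None,
        "msg": d["msg"],
    }


def daily_stats(lines):
    """Aggregate events per (date, host, program); count lines that do not parse.

    Unparsed lines are counted rather than dropped silently: a sudden rise in
    that counter is itself a useful daily statistic (changed log format, or a
    qube sending something it should not).
    """
    stats = {"events": Counter(), "unparsed": 0}
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats["events"][(rec["date"], rec["host"], rec["program"])] += 1
    return stats


def render_report(stats):
    """Render the aggregate as sorted, human-readable report lines."""
    out = []
    for (date, host, program), n in sorted(stats["events"].items()):
        out.append(f"{date}  {host:<10} {program:<10} {n:>6}")
    out.append(f"unparsed lines: {stats['unparsed']}")
    return out


if __name__ == "__main__":
    for row in render_report(daily_stats(SAMPLE_LINES)):
        print(row)
```

The aggregation key deliberately includes the host field: in a Qubes deployment each qube reports its own name there, so the report shows which qube produced which volume of events, which is the minimum a collector VM needs before any policy discussed earlier in the thread can be applied to it.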
