I'm curious about use cases for SEC.  I know from reading the man page, using 
SEC and viewing the documentation that SEC is obviously a correlation tool and 
that it can perform actions in response to state of the system (monitored in 
log files etc.).  I've been having a discussion with some colleagues about a 
particular SEC use case and I am wondering if anyone can say if they've run 
across it before and what their general opinion of it was.

Specifically, SEC can be set up to perform SHELLCMD actions, which can in theory 
probably do anything as it's a shell (assuming permissions).  Do you know of 
anyone using SEC to modify the state of the world?  To add more clarity, I 
don't mean just writing a log file, or sending a notification, or adding a 
value to a whitelist or blacklist, but some sort of action that more 
fundamentally changes how the system operates.

An abstracted and very hypothetical example might be: the system detects higher 
than normal power usage in a hard drive and uses the shell to forcibly unmount 
the drive and kill the power to it.  This action would be taken to prevent 
physical drive destruction, but is considered a dangerous action as it may 
cause some data loss, for the sake of preserving the drive.  And for the sake 
of argument let's pretend that if a human operator received a notification 
about such an event they would be highly likely to take the same action.

Maybe a different hypothetical example is: SEC notices that user X has tried to 
modify a protected part of the operating system repeatedly, so SEC launches 
a SHELLCMD to find all active processes owned by user X, forcibly kill them and 
disconnect his session.

Does anyone know of usages where 'state changing actions' are taken?  Is it 
generally considered within the use case for SEC, or is it just something that 
SEC "can do" using your own best judgement?

The reason why I ask this is, from an architectural point of view, if the system 
has this SEC daemon running that may be configured to actually modify the state 
of the system based on event correlations, it increases the overall risk of an 
admin potentially not having visibility into 'what's really running' on the 
system and could certainly lead to an increase in system complexity.  It is my 
position that 'actions that modify the actual state of the world' should be 
done by a different application, and not just 'pushed into SEC' because it has 
the capacity to run shell commands.

Any response is appreciated.

Andrew Nieuwsma
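As an added illustration, not part of the original message or of the SEC project, here are the two designs the message contrasts written as SEC rules: the first runs the state-changing command from SEC itself, the second only records the correlation and hands a structured event to a separate responder that owns the decision (and can apply its own dry-run, allowlist and rate-limit policy). The audit log format and the paths /usr/local/sbin/terminate-session and /usr/local/sbin/responder are assumed placeholders; the two rules are alternatives, not meant to be loaded together.

```sec
# Design 1 (what the message argues against): SEC changes system state.
# Five denied writes to a protected path by the same user within 60 s
# trigger a shell command that ends that user's session. The command
# and its side effects are invisible to anyone reading only the logs.
type=SingleWithThreshold
ptype=RegExp
pattern=audit: denied write user=(\S+) path=/etc/\S+
desc=protected-path writes by $1
action=shellcmd /usr/local/sbin/terminate-session $1
thresh=5
window=60

# Design 2: SEC only correlates and reports. The same detection writes an
# auditable record, pipes a structured event to a separate responder
# (hypothetical path) that decides and logs what it actually did, and
# sets a context so the same user is not reported again for 300 s.
type=SingleWithThreshold
ptype=RegExp
pattern=audit: denied write user=(\S+) path=/etc/\S+
context=!RESPONSE_PENDING_$1
desc=protected-path writes by $1
action=write /var/log/sec-correlations.log threshold reached: %s; \
       pipe 'event=protected_path_writes user=$1 count=5 window=60' \
            /usr/local/sbin/responder; \
       create RESPONSE_PENDING_$1 300
thresh=5
window=60
```

With the second form, every state change appears in the responder's own log and configuration, so an admin can answer 'what's really running' without reading through SEC rule files.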

Simple-evcorr-users mailing list
