I'm curious about use cases for SEC. I know from reading the man page, using
SEC and viewing the documentation that SEC is obviously a correlation tool and
that it can perform actions in response to state of the system (monitored in
log files etc.). I've been having a discussion with some colleagues about a
particular SEC use case and I am wondering if anyone can say if they've run
across it before and what their general opinion of it was.
Specifically SEC can be set up to perform SHELLCMD actions, which can in theory
probably do anything as it's a shell (assuming permissions). Do you know of
anyone using SEC to modify the state of the world? To add more clarity, I
don't mean just writing a log file, or sending a notification, or adding a
value to a whitelist or blacklist, but some sort of action that more
fundamentally changes how the system operates.
An abstracted and very hypothetical example might be: the system detects higher
than normal power usage in a hard drive and uses the shell to forcibly unmount
the drive and kill the power to it. This action would be taken to prevent
physical drive destruction, but is considered a dangerous action as it may
cause some data loss, for the sake of preserving the drive. And for the sake of
argument let's pretend that if a human operator received a notification about
such an event that they would be highly likely to do the same action.
Maybe a different hypothetical example is: SEC notices that user X has tried to
modify a protected part of the operating system repeatedly, so SEC launches
a SHELLCMD to find all active processes owned by user X, forcibly kill them and
disconnect his session.
Does anyone know of usages where 'state changing actions' are taken? Is it
generally considered in the use case for SEC, or is it just something that SEC
"can do" using your own best judgement?
The reason I ask is that, from an architectural point of view, if the system
has a SEC daemon running that may be configured to actually modify the state
of the system based on event correlations, it increases the overall risk of an
admin not having visibility into 'what is really running' on the
system, and could certainly lead to an increase in system complexity. It is my
position that 'actions that modify the actual state of the world' should be
done by a different application, and not just 'pushed into SEC' because it has
the capacity to run shell commands.
Any response is appreciated.
Simple-evcorr-users mailing list
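A sketch, added here and not taken from the original post, of how the second hypothetical (a user repeatedly trying to modify a protected part of the OS) could be written as SEC rules in the two styles the post contrasts: the direct shellcmd form, and a decoupled form in which SEC only emits a structured event for a separate actuator. The audit log line format, the FIFO path and the actuator service are assumptions; the two rules are alternatives, so keep only one of them in a real rule file.

```conf
# Added example (not from the original post). Both rules match a constructed
# audit line of the form:
#   audit: user alice denied write to /etc/shadow
# and fire when it is seen 5 times within 60 seconds for the same user
# (desc contains $1, so each user gets its own correlation operation).

# --- Variant A: SEC itself changes the state of the world -----------------
# shellcmd interpolates $1 (text taken from the matched log line) into a
# command line that a shell executes. SEC is now detector and actuator in
# one, and what this command does is invisible to anyone reviewing the host
# unless they also read this rule file.
type=SingleWithThreshold
ptype=RegExp
pattern=audit: user (\S+) denied write to /etc/\S+
desc=Repeated protected-file writes by $1
action=shellcmd pkill -KILL -u $1
window=60
thresh=5

# --- Variant B: SEC only reports, a separate actuator decides -------------
# Same correlation, but the action writes one structured line to a FIFO
# (assumed path) that an independent actuator service reads. That service
# owns the policy (which users/actions it may touch, dry-run mode, its own
# audit log) and is the single place an admin looks to see what is allowed
# to change the system. No shell is involved on the SEC side.
type=SingleWithThreshold
ptype=RegExp
pattern=audit: user (\S+) denied write to /etc/\S+
desc=Repeated protected-file writes by $1
action=write /var/run/sec-actuator.fifo %t PROTECTED_WRITE_THRESHOLD user=$1 count=5 window=60
window=60
thresh=5
```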